s2n
OpenSSL
Our great sponsors
s2n | OpenSSL | |
---|---|---|
9 | 147 | |
4,441 | 23,945 | |
0.2% | 1.5% | |
9.4 | 9.9 | |
6 days ago | 6 days ago | |
C | C | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
s2n
-
S2n-TLS – A C99 implementation of the TLS/SSL protocol
It seems to support multiple options but requires you pick at least one of them. https://github.com/aws/s2n-tls/blob/main/docs/BUILD.md#build...
-
OpenSSL 1.1.1 End of Life
I think GnuTLS is probably the second most popular TLS library, after openssl.
I'll also mentions s2n and rustls-ffi for completeness as C libraries, though the former isn't widely used, and the latter is very experimental still. https://github.com/aws/s2n-tls and https://github.com/rustls/rustls-ffi respectively.
-
I want XAES-256-GCM/11
I've seen operating on unauthenticated plaintext enough times to list it as my own pet peeve with AES-GCM. But it's a problem for chunked messages too. A few years ago we released a SCRAM mode that makes very minimal changes to AES-GCM so that it mathematically can't operate on unauthenticated plaintext. https://github.com/aws/s2n-tls/tree/main/scram
-
Golang is evil on shitty networks
> The documentation is kind of vague, but apparently you have to re-enable it regularly.[3]
This is correct. And in the end it means more or less that setting the socket option is more of a way of sending an explicit ACK from userspace than a real setting.
It's not great for common use-cases, because making userspace care about ACKs will obviously degrade efficiency (more syscalls).
However it can make sense for some use-cases. E.g. I saw the s2n TLS library using QUICKACK to avoid the TLS handshake being stuck [1]. Maybe also worthwhile to be set in some specific RPC scenarios where the server might not immediately send a response on receiving the request, and where the client could send additional frames (e.g. gRPC client side streaming, or in pipelined HTTP requests if the server would really process those in parallel and not just let them sit in socket buffers).
[1] https://github.com/aws/s2n-tls/blob/46c47a71e637cabc312ce843...
-
S2n-QUIC (Rust implementation of QUIC)
It looks like by default s2n-quic uses this TLS implementation, which is not based on the ring crate (though it is written in C)
-
LibreSSL Languishes on Linux
Amazon has its own TLS implementation: https://github.com/awslabs/s2n
I would be interested in the other SSL implementations:
- https://github.com/awslabs/s2n
- https://boringssl.googlesource.com/boringssl
Are these subpar implementations or there are other reasons not to use these?
OpenSSL
-
Encrypted Client Hello – the last puzzle piece to privacy
If I'm understanding the draft correctly, I think the webserver you're hosting your sites on would need it implemented as it requires private keys and ECH configuration. In the example of nginx since it uses openssl, openssl would need to implement it. I found an issue on their Github but it's still open: https://github.com/openssl/openssl/issues/7482
- eBPF Practical Tutorial: Capturing SSL/TLS Plain Text Data Using uprobe
- I am looking for a troubled/bad open source codebase
-
What is the process of applying an AES Layer to file, like a text file?
Source code: https://github.com/openssl/openssl/blob/master/crypto/aes/aes_core.c
-
OpenSSL 1.1.1 End of Life Approaching
Ah, I see, OpenSSL is licensed under apache[1], so they can distribute patches under non-OSS licenses. I thought it was GPL for some reason.
-
How to clone the stable version of OpenSSL 3.1?
thanks, and what is the reason git clone -b openssl-3.1 https://github.com/openssl/openssl cloned the 3.1.0-dev and not just 3.1.0? Because that's just how they named the branch - 3.1, and not 3.1.0?
-
Can't install powershell on my mac 10.13
==> Downloading https://github.com/openssl/openssl/commit/96f1dbea67247b79b1e7b3
-
Rusted
I understand that it looks that way, especially since I just noticed you're a C++ developer who's been trying to learn it recently. But really, when on one hand you have a critical CVE caused by one wrong byte of C source code and on the other hand you have net zero memory-related CVEs in ~1.5 million lines of Rust code compared to 1 CVE per 1k SLOC in their C++ codebase, there's no denial that Rust simply does have the safety advantage for that kind of low level development. Heck, as I always say, memory safety is not a new concept at all, garbage-collected languages have had it for several decades now. But garbage-collected languages weren't fit for projects like the Linux kernel or drivers (at least I assume that is the case), which is why such a thing is exciting and good news in the first place.
-
Instagram Is Disabling Its NFT Features
Here's OpenSSL calling cryptography crypto since 1998: https://github.com/openssl/openssl/commits/master?after=9313...
And libgcrypt in 2000: https://github.com/gpg/libgcrypt/commit/bf2fc9201cfa96cd70ef...
Totally normal and not cringy at all.
What are some alternatives?
GnuTLS - GnuTLS
Crypto++ - free C++ class library of cryptographic schemes
mbedTLS - An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
libsodium - A modern, portable, easy to use crypto library.
LibreSSL - LibreSSL Portable itself. This includes the build scaffold and compatibility layer that builds portable LibreSSL from the OpenBSD source code. Pull requests or patches sent to [email protected] are welcome.
cfssl - CFSSL: Cloudflare's PKI and TLS toolkit
Botan - Cryptography Toolkit
easy-rsa - easy-rsa - Simple shell based CA utility
LibTomCrypt - LibTomCrypt is a fairly comprehensive, modular and portable cryptographic toolkit that provides developers with a vast array of well known published block ciphers, one-way hash functions, chaining modes, pseudo-random number generators, public key cryptography and a plethora of other routines.
Bcrypt - Modern(-ish) password hashing for your software and your servers
GnuPG - Mirror of git://git.gnupg.org/gnupg.git — master branch contains no changes from upstream.
gnupg - Patches to GnuPG smartcard support (bigger keys, better error handling)