Top 18 C SSL Projects
-
Project mention: I no longer have an old-school cert on my HTTPS site | news.ycombinator.com | 2025-05-23
> I don't really buy this explanation. It's a very large unsigned number. Everyone knows this.
Everyone knows that an RSA modulus is a very large unsigned number yes. Not everyone knows that every number is unsigned.
> Is there some arbitrary precision library in use that forces large integers to be signed?
OpenSSL's own BN (BigNum) library, which tests if the high bit is set in the input (line 482):
https://github.com/openssl/openssl/blob/a0d1af6574ae6a0e3872...
> Even if it were signed, or had the MSB set, it wouldn't change any of the bits, so the key would still be the same. So why would we care about the sign?
Because the encoding doesn't care about the context. RFC 3279 specifies that the modulus and exponent are encoded as INTEGERs:
https://datatracker.ietf.org/doc/html/rfc3279#section-2.3.1
... and INTEGERs are signed:
https://learn.microsoft.com/en-us/windows/win32/seccertenrol...
Integer values are encoded into a TLV triplet that begins with a Tag
-
ecapture
Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.
Project mention: Show HN: Using eBPF to see through encryption without a proxy | news.ycombinator.com | 2025-05-08
-
⚡️ https://github.com/tsl0922/ttyd
-
mbedTLS
An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
> How much code actually uses unions this way?
I see this change caused Mbed-TLS to start failing its test suite when compiled with GCC 15: https://github.com/Mbed-TLS/mbedtls/issues/9814 (kinda scary since it's a security library). Hopefully other projects with less rigorous test suites aren't using {0} in that way. The GitHub issue mentions that Clang tried a similar optimization a while ago and backed it out after user complaints, so maybe the same thing will happen with GCC.
-
-
Project mention: OpenSSL bug exposed up to 255 bytes of server heap and existed since 2011 | news.ycombinator.com | 2024-07-30
I started writing s2n the day after Heartbleed and the first lines of code were for the stuffer interface. A stuffer is a buffer for stuff, and it's like Java buffered I/O for C. You can get a flavor from reading the header: https://github.com/aws/s2n-tls/blob/main/stuffer/s2n_stuffer...
The implementation is incredibly simple. Treat all blocks of memory as a blob with a known size and then read/write into those blobs with a cursor to track progress and bounds checks on every access. Fence all serialization/deserialization through a safe low level interface. Not only do you get memory safety (which we later proved using formal reasoning) ... but when you're parsing message formats it lends itself to a declarative coding style that makes it very clear what the structure is. You can also do lifecycle things, like erasing sensitive memory with zeroes when you're done with it, making sure things don't show up in core dumps, etc. BoringSSL introduced a Crypto_bytes API that also did some of this plus bounds checking, and retrofit it into OpenSSL.
OpenSSL on the other hand is a horrific mash up of raw pointer arithmetic, ad-hoc parsers interleaved with business logic and control flow. I could never keep it straight, and it always scared me to review.
-
wolfssl
The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
You may be talking about that, but I'm not. I was talking about the task-specific memory footprint. I didn't say anything at all about the rest of the computer.
And even that wasn't meant to be taken literally. I kind of thought that was obvious[1].
But in the end, OK, you're right. You probably could fit the banking app logic in 64K, but you'd have to rely on the OS to provide things like crypto, the network stack, and the I/O. So the machine as a whole would need more than that to get the job done. And the UI would be pretty bad if you stuffed even the app part into 64k.
No problem fitting it all into megabytes, though. Definitely no need for it to be gigabytes. I challenge you to explain what needs to be there that would make the entire system, OS, app, and all, need even one gigabyte of RAM to run even a very pretty, featureful banking app. Or even a quarter of a gigabyte.
By the way, you can put TLS itself in less than 64k (see for example https://github.com/wolfSSL/wolfssl). But you have to profile it way down, maybe to the point of leaving out X.509, so you don't really have "full on" TLS. On the other hand, a lot of the footprint is because the TLS protocol itself is bloated and overcomplicated, and no, that bloat doesn't improve the security.
[1]: ... and I mean, if we're going to get pedantic like that, nobody can write an SSL implementation with modern ciphers for any computer, because modern ciphers weren't introduced into the protocol until after it was renamed TLS. Actual SSL isn't something anybody should be using now. Even TLS 1.1 isn't.
-
-
LibreSSL
LibreSSL Portable itself. This includes the build scaffold and compatibility layer that builds portable LibreSSL from the OpenBSD source code. Pull requests or patches sent to [email protected] are welcome.
-
Project mention: USockets: Miniscule C library for cross-platform eventing, networking and crypto | news.ycombinator.com | 2025-06-05
-
-
-
-
Project mention: Merecat Httpd – A Tiny (~140 KiB) Web Server with HTTPS and PHP Support | news.ycombinator.com | 2024-10-13
-
-
lua-eco
🐛Lua-eco is a Lua interpreter with a built-in event loop for scheduling lightweight coroutines automatically, enabling efficient concurrency in Lua. Build high-performance, scalable applications.
-
tls-ca-manage
Multi-level Certificate Authority Management tool, front-end tool to OpenSSL, written in bash shell.
Project mention: Lets Encrypt Ending TLS Client Authentication Certificate Support in 2026 | news.ycombinator.com | 2025-05-17
Yes. But I like my own certificate tool better.
Problem is OpenSSH 3.1 broke CLI syntax, so that needs fixing.
Used JetBrain with Bash plugin.
https://github.com/egberts/tls-ca-manage
-
C SSL discussion
C SSL related posts
-
USockets: Miniscule C library for cross-platform eventing, networking and crypto
-
I can't pay rent because devs just don't care
-
GCC, the GNU Compiler Collection 15.1 released
-
OpenSSL 3.5 [LTS] Released
-
The QUIC API OpenSSL will not provide
-
Embedded TLS Library for Applications, Devices, and the Cloud
-
Rustls Outperforms OpenSSL and BoringSSL
-
Index
What are some of the best open-source SSL projects in C? This list will help you:
# | Project | Stars |
---|---|---|
1 | OpenSSL | 27,535 |
2 | ecapture | 14,369 |
3 | ttyd | 9,285 |
4 | mbedTLS | 5,935 |
5 | GmSSL | 5,569 |
6 | s2n | 4,598 |
7 | wolfssl | 2,521 |
8 | sslsplit | 1,797 |
9 | LibreSSL | 1,408 |
10 | uSockets | 1,361 |
11 | tls-scan | 315 |
12 | iwnet | 178 |
13 | nginx-ssl-fingerprint | 178 |
14 | merecat | 167 |
15 | openssl_examples | 114 |
16 | lua-eco | 85 |
17 | tls-ca-manage | 42 |
18 | snif | 15 |