Top 23 C TLS Projects
-
Project mention: Okta Bcrypt incident lessons for designing better APIs | news.ycombinator.com | 2025-02-05
In Node, you would commonly reach for the builtin core "node:crypto" module to run cryptographic functionality like this. I wondered why that wasn't used here, but bcryptjs was. After digging into it a little, node doesn't ship with core support for bcrypt, because it's not supported by OpenSSL.
The node crypto module is essentially an API that offloads crypto work to OpenSSL. If we dig into OpenSSL, they won't support bcrypt. Bcrypt won't be supported by OpenSSL because of reasons to do with standardisation. https://github.com/openssl/openssl/issues/5323
Since bcrypt is not a "standardised" algorithm, it makes me wonder why Okta used it, at all?
I remember in uni studying cryptography for application development and even then, back in 2013, it was used and recommended, but not standardised. It says a lot that 12 years on it still hasn't been.
-
Before diving into the specifics of Nginx and Traefik, let’s quickly define what a reverse proxy is. A reverse proxy sits between the client (browser or other services) and your backend services (web servers or applications). It handles incoming requests, routes them to the appropriate backend service, and forwards the response to the client. Reverse proxies are typically used for:
-
ecapture
Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.
Project mention: Httptap: View HTTP/HTTPS requests made by any Linux program | news.ycombinator.com | 2025-02-03
I believe that's how https://github.com/gojue/ecapture works. I don't know the details, but it seems to work!
-
SoftEther
Cross-platform multi-protocol VPN software. Pull requests are welcome. The stable version is available at https://github.com/SoftEtherVPN/SoftEtherVPN_Stable.
-
mbedTLS
An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
-
Project mention: OpenSSL bug exposed up to 255 bytes of server heap and existed since 2011 | news.ycombinator.com | 2024-07-30
I started writing s2n the day after Heartbleed and the first lines of code were for the stuffer interface. A stuffer is a buffer for stuff, and it's like Java buffered I/O for C. You can get a flavor from reading the header: https://github.com/aws/s2n-tls/blob/main/stuffer/s2n_stuffer...
The implementation is incredibly simple. Treat all blocks of memory as a blob with a known size and then read/write into those blobs with a cursor to track progress and bounds checks on every access. Fence all serialization/deserialization through a safe low level interface. Not only do you get memory safety (which we later proved using formal reasoning) ... but when you're parsing message formats it lends itself to a declarative coding style that makes it very clear what the structure is. You can also do lifecycle things, like erasing sensitive memory with zeroes when you're done with it, making sure things don't show up in core dumps, etc. BoringSSL introduced a Crypto_bytes API that also did some of this plus bounds checking, and retrofit it into OpenSSL.
OpenSSL on the other hand is a horrific mash up of raw pointer arithmetic, ad-hoc parsers interleaved with business logic and control flow. I could never keep it straight, and it always scared me to review.
-
Kore
An easy to use, scalable and secure web application framework for writing web APIs in C or Python. || This is a read-only mirror, please see https://kore.io/mail and https://kore.io/source for information on how to contribute via the mailing lists.
-
wolfssl
The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
Project mention: Embedded TLS Library for Applications, Devices, and the Cloud | news.ycombinator.com | 2024-12-29
-
LibreSSL
LibreSSL Portable itself. This includes the build scaffold and compatibility layer that builds portable LibreSSL from the OpenBSD source code. Pull requests or patches sent to [email protected] are welcome.
-
netxduo
Eclipse ThreadX - NetXDuo is an advanced, industrial-grade TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications
For those looking for options like LwIP, consider NetXDuo [1] and its counterparts ThreadX, FileX, LevelX, and UsbX (I use TinyUSB instead).
It has been one of the top commercial RTOS network stacks for, I think, 20 years. It moved hands a couple of times and now is supported by the Eclipse Foundation and is MIT-licensed. I'd use it over LwIP.
[1] https://github.com/eclipse-threadx/netxduo
-
Project mention: Ssldump – (de-facto repository gathering patches around the cyberspace) | news.ycombinator.com | 2024-08-21
-
Project mention: Merecat Httpd – A Tiny (~140 KiB) Web Server with HTTPS and PHP Support | news.ycombinator.com | 2024-10-13
-
Project mention: Show HN: High performance ja3 and http2 fingerprint for Nginx | news.ycombinator.com | 2024-02-23
-
disco-c
A tiny C cryptographic library to encrypt sessions, authenticate messages, sign, hash, etc. based only on SHA-3 and Curve25519
C TLS discussion
C TLS related posts
-
The QUIC API OpenSSL will not provide
-
Embedded TLS Library for Applications, Devices, and the Cloud
-
Pkdns: DNS server resolving via mainline DHT
-
Rustls Outperforms OpenSSL and BoringSSL
-
OpenSSL 3.4.0
-
How to set up TCP/UDP transparent proxy with iptables
-
Improve post-2038 compatibility of time_t usage
-
Index
What are some of the best open-source TLS projects in C? This list will help you:
# | Project | Stars |
---|---|---|
1 | OpenSSL | 26,660 |
2 | Nginx | 25,992 |
3 | ecapture | 13,895 |
4 | SoftEther | 11,989 |
5 | mbedTLS | 5,695 |
6 | GmSSL | 5,373 |
7 | s2n | 4,564 |
8 | Kore | 3,716 |
9 | wolfssl | 2,402 |
10 | sslsplit | 1,780 |
11 | LibreSSL | 1,380 |
12 | proftpd | 544 |
13 | KadNode | 427 |
14 | tls-scan | 304 |
15 | netxduo | 260 |
16 | ssldump | 246 |
17 | openssl | 241 |
18 | SSLClient | 163 |
19 | merecat | 158 |
20 | nginx-ssl-fingerprint | 159 |
21 | disco-c | 66 |
22 | snif | 15 |
23 | tls-curious | 1 |