[Question] mbed TLS instead of OpenSSL

[silverkorn]

Just elevating the question since I haven't seen any issues about this:
Would mbed TLS library could be a good alternative/replacement of OpenSSL (Apache 2.0 vs OpenSSL license, backed by ARM, cross-platform, small footprint, etc.)?

[bnoordhuis]

A TLS library would need to have feature parity with OpenSSL in order to be a viable replacement, and that's a tall order. And just feature parity isn't good enough to justify switching, it would have to be significantly better.

Take FIPS compliance. Personal opinion notwithstanding, a lot of people think it's important and OpenSSL is the only open-source library that can credibly claim to support it.

[silverkorn]

Take FIPS compliance. Personal opinion notwithstanding, a lot of people think it's important and OpenSSL is the only open-source library that can credibly claim to support it.

https://tls.mbed.org/standard-compliance

Be aware that mbed TLS is the rebranded PolarSSL with Apache 2.0 as the new available license since later in 2015. (Previously GPLv2 or Proprietary only)

At any time you can close this issue, it was more about verifying if it could be used instead of OpenSSL with it's quite robust reputation and features/compatibilities.

[bnoordhuis]

Hope I answered your question. I'll close the issue.

[silverkorn]

I was showing that mbed TLS had a good potential (FIPS compliance and mature (maintained since 2006)) but I can understand the heavy migration to it.
Thank you.

[bnoordhuis]

Correct me if I'm wrong but I don't think polarssl / mbed claims FIPS compliance: https://tls.mbed.org/kb/generic/is-mbedtls-fips-certified

mbed TLS is not FIPS certified as a library at this moment.

(The situation with openssl w.r.t. FIPS is complicated too but at least it has a FIPS mode.)

[silverkorn]

Hmm... Indeed, not at the moment. My bad.

[yorkie]

Just share: porting mbedTLS on ShadowNode(low-end Node.js runtime) is 80% done on clients, see https://github.com/Rokid/shadow-node/blob/master/src/modules/iotjs_module_tls.c :)

[silverkorn]

Interesting!
Thanks for the notice