In recent years, the security of online communications has become an increasingly central issue. The TLS (Transport Layer Security) protocol and cryptography in general play a fundamental role in ensuring the confidentiality, integrity and authentication of information transmitted over the Internet. OpenSSL has long been the reference point for the implementation of TLS and cryptography in open source systems. However, in recent years, faster and more secure alternatives have emerged. Among these, the most notable is Tongsuo, the direct evolution of BabaSSL, which offers significant advantages over OpenSSL.
What is Tongsuo and why is it important?
Tongsuo (铁锁, meaning “iron lock” in Chinese) is an advanced fork of OpenSSL that originated from BabaSSL, another project that was also derived from the OpenSSL codebase. Tongsuo is being developed by Alibaba Cloud and other major players in the technology ecosystem, with the goal of improving the security, performance, and functionality offered by OpenSSL.
The project was born with a specific focus on modern needs, including:
- Performance improvements thanks to optimizations for modern architectures and advanced hardware acceleration.
- Support for advanced cryptographic algorithms and more up-to-date security protocols.
- Greater resilience against cryptographic attacks compared to OpenSSL, thanks to improved code and reduced attack surfaces.
- Better compatibility with enterprise and cloud scenarios where OpenSSL often proves limited.
- Advanced TLS header compression to reduce the size of encrypted communications, improving transmission speed.
The connection with BabaSSL
To understand Tongsuo, it is essential to examine the project from which it descends: BabaSSL. BabaSSL was developed by Alibaba Cloud Security Team with the goal of filling some of the gaps of OpenSSL in enterprise environments, especially large data centers and cloud services. BabaSSL introduced optimizations for heavy TLS usage, improved large-scale connection management, and added support for advanced cryptography and hardware acceleration.
Tongsuo inherits all these improvements and presents itself as an even more advanced solution, designed for those who need a robust and high-performance cryptographic infrastructure.
The main advantages of Tongsuo over OpenSSL
1. Superior performance
One of the main reasons why many are migrating to Tongsuo is the significant performance improvement over OpenSSL. This is possible due to:
- Optimizations for modern CPUs: Tongsuo takes advantage of advanced instructions in modern CPUs (such as AVX2 and AES-NI) to improve the speed of cryptographic operations.
- Better handling of simultaneous connections: While OpenSSL may exhibit scalability issues in high load scenarios, Tongsuo is able to handle a larger number of connections with reduced latency.
- Advanced hardware acceleration: Supports a wider range of hardware accelerators, including those specific to data centers.
- Higher speed and lower latency, especially useful in the mobile web environment, with a positive impact on Time To First Byte (TTFB) thanks to TLS header compression and optimized network latency management.
2. Enhanced security
Tongsuo introduces several security improvements over OpenSSL:
- Advanced protection against side-channel attacks: it provides hardened implementations of the cryptographic algorithms that are most exposed to cache and timing attacks.
- Improved support for post-quantum cryptography: some of Tongsuo's new features are designed to address the threats that quantum computing poses to today's cryptography.
- Faster bugfixes and security patches: Being a very active project, Tongsuo benefits from more frequent updates than OpenSSL.
3. Greater compatibility and flexibility
OpenSSL, although widespread, has limitations in its compatibility with some enterprise scenarios. Tongsuo, on the other hand, was developed with highly scalable environments in mind and with specific needs for advanced security. Some strengths in this area are:
- Support for advanced protocols such as QUIC, improved TLS 1.3 and extended features for PKI (Public Key Infrastructure).
- Better TLS session management to reduce the load on servers during multiple connections.
- OpenSSL API compatibility, which makes it possible to migrate from OpenSSL to Tongsuo without radically changing existing application code.
Tongsuo vs OpenSSL Side-by-Side Comparison
Here is a brief comparison between OpenSSL and Tongsuo:
| Feature | OpenSSL | Tongsuo |
|---|---|---|
| Performance | Standard | Optimized for modern CPUs |
| Hardware acceleration | Limited | Advanced support for accelerators |
| TLS 1.3 support | Present | Optimized with advanced features |
| Security | Standard | Improved protection against side-channel attacks |
| Scalability | Medium-high | High, optimized for cloud and data center |
| Post-quantum cryptography | Limited | Present with improvements |
| TLS header compression | Absent | Present, improves TTFB for mobile |
If you are interested in Tongsuo, you can find more information and the official repository on GitHub.
Officially approved in China
Tongsuo has been certified as a commercial cryptographic product in China, compliant with the GM/T 0028 “Technical Security Requirements for Cryptographic Modules” standard. This certification, issued by the Commercial Cryptographic Product Certification Center of the State Cryptography Management Office, confirms that Tongsuo meets the security requirements for commercial use in China.
Here are the main points of the certificate:
- Certificate number: GM003312220220743.
- Issuer: State Cryptography Management Office of China.
- Certified product: the BabaSSL cryptographic software module, version 8.2.1, produced by Ant Group (the certificate names BabaSSL, the project from which Tongsuo descends).
- Technical reference standard: GM/T 0028, a Chinese standard for the security of commercial cryptographic modules.
- Validity: From November 30, 2022 to November 29, 2027.
- Production place: The addresses specified refer to the operational headquarters of Ant Group.
- Test organization: China National Commercial Cryptographic Product Testing Center.
The certificate attests that the product meets the requirements of Chinese commercial encryption regulations, ensuring security and compliance.
While Tongsuo is an advanced solution certified in China for commercial encryption, its adoption in U.S. and European software products may face legal and regulatory hurdles. In particular, U.S. laws such as the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), combined with stringent European data privacy and security regulations, could make it difficult to integrate cryptographic software certified in China. Such regulations often require rigorous verification of provenance and source code control, as well as restrictions on the use of technologies considered strategic or sensitive. These factors could impact the full adoption of Tongsuo in Western environments, especially in sectors such as cloud computing, finance, and critical infrastructure.