February 2 2025

Tongsuo, the evolution of BabaSSL, which outclasses OpenSSL

Tongsuo, an evolution of BabaSSL, offers advanced cryptographic performance and Chinese certifications, but may face regulatory challenges in integrating with US and European software.


In recent years, the security of online communications has become an increasingly central issue. The TLS (Transport Layer Security) protocol and cryptography in general play a fundamental role in ensuring the confidentiality, integrity and authentication of information transmitted over the Internet. OpenSSL has long been the reference point for implementing TLS and cryptography in open source systems. More recently, however, better-performing and more secure alternatives have emerged. The most notable of these is Tongsuo, the direct evolution of BabaSSL, which offers significant advantages over OpenSSL.

What is Tongsuo and why is it important?

Tongsuo (铁锁, meaning “iron lock” in Chinese) is an advanced fork of OpenSSL that originated from BabaSSL, another project that was also derived from the OpenSSL codebase. Tongsuo is being developed by Alibaba Cloud and other major players in the technology ecosystem, with the goal of improving the security, performance, and functionality offered by OpenSSL.

The project was born with a specific focus on modern needs, including:

  • Performance improvements thanks to optimizations for modern architectures and advanced hardware acceleration.
  • Support for advanced cryptographic algorithms and more up-to-date security protocols.
  • Greater resilience against cryptographic attacks compared to OpenSSL, thanks to improved code and reduced attack surfaces.
  • Better compatibility with enterprise and cloud scenarios where OpenSSL often proves limited.
  • Advanced TLS header compression to reduce the weight of encrypted communications, improving transmission speed.

The connection with BabaSSL

To understand Tongsuo, it is essential to examine the project from which it descends: BabaSSL. BabaSSL was developed by Alibaba Cloud Security Team with the goal of filling some of the gaps of OpenSSL in enterprise environments, especially large data centers and cloud services. BabaSSL introduced optimizations for heavy TLS usage, improved large-scale connection management, and added support for advanced cryptography and hardware acceleration.

Tongsuo inherits all these improvements and presents itself as an even more advanced solution, designed for those who need a robust and high-performance cryptographic infrastructure.

The main advantages of Tongsuo over OpenSSL

1. Superior performance

One of the main reasons why many are migrating to Tongsuo is the significant performance improvement over OpenSSL. This is possible due to:

  • Optimizations for modern CPUs: Tongsuo takes advantage of advanced instructions in modern CPUs (such as AVX2 and AES-NI) to improve the speed of cryptographic operations.
  • Better handling of simultaneous connections: While OpenSSL may exhibit scalability issues in high load scenarios, Tongsuo is able to handle a larger number of connections with reduced latency.
  • Advanced hardware acceleration: Supports a wider range of hardware accelerators, including those specific to data centers.
  • Better speed and lower latency, especially useful in the mobile web environment, with a positive impact on Time To First Byte (TTFB) thanks to TLS header compression and optimized network latency management.

2. Enhanced security

Tongsuo introduces several security improvements over OpenSSL:

  • Advanced protection against side-channel attacks: Tongsuo has more secure implementations of cryptographic algorithms that are susceptible to cache and timing attacks.
  • Improved support for post-quantum cryptography: Some of Tongsuo's new features are designed to address future threats related to quantum cryptography.
  • Faster bugfixes and security patches: Being a very active project, Tongsuo benefits from more frequent updates than OpenSSL.

3. Greater compatibility and flexibility

OpenSSL, although widespread, has limitations in its compatibility with some enterprise scenarios. Tongsuo, on the other hand, was developed with highly scalable environments in mind and with specific needs for advanced security. Some strengths in this area are:

  • Support for advanced protocols such as QUIC, improved TLS 1.3 and extended features for PKI (Public Key Infrastructure).
  • Better TLS session management to reduce the load on servers during multiple connections.
  • OpenSSL API compatibility, making it easy to migrate from OpenSSL to Tongsuo without radically changing existing application code.

Tongsuo vs OpenSSL Side-by-Side Comparison

Here is a brief comparison between OpenSSL and Tongsuo:

| Feature | OpenSSL | Tongsuo |
|---|---|---|
| Performance | Standard | Optimized for modern CPUs |
| Hardware acceleration | Limited | Advanced support for accelerators |
| TLS 1.3 support | Present | Optimized with advanced features |
| Security | Standard | Improved protection against side-channel attacks |
| Scalability | Medium-high | High, optimized for cloud and data center |
| Post-quantum cryptography | Limited | Present with improvements |
| TLS header compression | Absent | Present, improves TTFB for mobile |

If you are interested in Tongsuo, you can find more information and the official repository at GitHub.

Officially approved in China

Tongsuo has been certified as a commercial cryptographic product in China, compliant with the GM/T 0028 “Technical Security Requirements for Cryptographic Modules” standard. This certification, issued by the Commercial Cryptographic Product Certification Center of the State Cryptography Management Office, certifies that Tongsuo meets the security requirements for commercial use in China.


Here are the main points of the certificate:

  1. Certificate number: GM003312220220743.
  2. Issuer: State Cryptography Management Office of China.
  3. Certified product: The BabaSSL cryptographic software module, version 8.2.1, produced by Ant Group (related to BabaSSL).
  4. Technical reference standard: GM/T 0028, a Chinese standard for the security of commercial cryptographic modules.
  5. Validity: From November 30, 2022 to November 29, 2027.
  6. Production place: The addresses specified refer to the operational headquarters of Ant Group.
  7. Test organization: China National Commercial Cryptographic Product Testing Center.

The certificate certifies that the product meets the requirements of Chinese commercial encryption regulations, ensuring security and compliance.

While Tongsuo is an advanced solution certified in China for commercial encryption, its adoption in U.S. and European software products may face regulatory hurdles. In particular, U.S. laws such as the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), combined with stringent European data privacy and security regulations, could make it difficult to integrate cryptographic software certified in China. Such regulations often require rigorous verification of provenance and source code control, and they restrict the use of technologies considered strategic or sensitive. These factors could limit the full adoption of Tongsuo in Western environments, especially in sectors such as cloud computing, finance, and critical infrastructure.
