On Wed, Sep 11, 2024 at 10:14:13AM +0200, ???? ??????? wrote:
> ??, 11 ????. 2024 ?. ? 08:44, Alexis Vachette <[email protected]>:
>
> > Hi,
> >
> > Just wanted to know if you had a plan to release package for Ubuntu 20.04
> > Focal.
> >
> > Mostly because of OpenSSL 3.0 regression performance.
> >
> > The question is more for Vincent Bernat.
> >
>
> I wonder what your expectations are of the SSL lib for that package. I do not
> see a good choice
>
> 1) OpenSSL-1.1.1 (only limited QUIC unfortunately)
> 2) OpenSSL-3.X (bad perf)
> 3) QuicTLS (development frozen)
> 4) AWS-LC, WolfSSL, LibreSSL (requires efforts from packaging)
>
> or, if you do not plan to use QUIC, OpenSSL-1.1.1 would be just nice

FWIW, at HaproxyTech, we decided to stick to OpenSSL-1.1.1 for now and are providing packages built with it. We've already got several reports of outages with 3.0 (not surprising) and are systematically directing customers to the 1.1.1 packages to avoid any future problem.

I've read on the Ubuntu blog that they're going to maintain their 1.1.1 package up to 2030. I don't know if it's possible to install a package of an older distro on a newer one, but that could be convenient. Otherwise if you only want packaged stuff for Ubuntu 20, Vincent still provides haproxy up to 2.9 (that includes 2.8 which is LTS). But at some point you might have to build packages yourself if you need an extended support on an older distro, or to update to a newer distro with a different lib or version.

It's sad but that's the result of OpenSSL having irresponsibly tagged 3.0 LTS before even testing it... It ended up in distros while being totally unfit for a server, and distros can't easily switch to an unsupported version, as security issues are even worse for them than performance and stability issues.

Willy

