Hi Thomas,
>> In fact the boringssl build is not optimized for production use, it
>> would need some manual changes before building.
>
> What about polarssl or cyassl? What's your opinion about that if you
> are going to reduce footprint (e.g. size of the lib)?

I don't have a strong opinion about it, the size of the lib is usually not a problem (except in embedded environments). Interesting is the per SSL/TLS session memory consumption, and this is where I believe Cyassl may be able to challenge OpenSSL. On the other hand we will probably not see bleeding edge cryptographic features in Polarssl or Cyassl, while with a library that is heavily internally used by Google and most of the CDNs you do benefit from their development efforts.

What's important is to have a choice, but unfortunately, applications are strongly married to their libcryptos because each library has its own API; there is no standardization. So, if we want to test application X with libcrypto Z instead of the default libcrypto Y, we need to implement libcrypto Z's API in the application first. Benchmarking different libraries is therefore limited to application support. Cyassl is AFAIK a possible candidate for HAProxy (as an alternative to OpenSSL).

>> LibreSSL should be quite ok, here's a benchmark with nginx:
>> https://www.mare-system.de/blog/page/1405201517/
>
> mare-systems do a good job, but they only focus on nginx.

I posted it because they published a performance comparison between vanilla openssl and libressl. Nginx has a similar architecture to haproxy.

> Maybe we could write a blog post about configuring haproxy to achieve an A+ at ssllabs and
> explain the drawbacks that come with it? E.g. kicking support for older
> browsers like IE on Windows XP?

Mozilla has an up-to-date guide on how to configure TLS servers correctly, with or without XP/IE6 support, here:
https://wiki.mozilla.org/Security/Server_Side_TLS

Regards,
Lukas
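As an added illustration of the trade-off discussed in this thread (a strict TLS configuration versus keeping old clients such as IE on Windows XP working), here is a minimal HAProxy frontend configuration in the spirit of the Mozilla Server Side TLS guide. It is not from the original mail or from the HAProxy project; the certificate path, the cipher list and the HAProxy version are assumptions, and the authoritative cipher lists for the "modern" and "intermediate" profiles should be taken from the Mozilla guide linked above, not from this fragment.

```haproxy
# Added example, not part of the original thread. Assumes HAProxy 1.5+ built
# against OpenSSL; /etc/haproxy/site.pem is a placeholder for your cert+key file.
global
    # Disable SSLv3 and TLS 1.0 on every "bind ... ssl" line by default.
    # This is the strict side of the trade-off: XP/IE6-era clients that only
    # speak SSLv3 or TLS 1.0 will no longer be able to connect.
    ssl-default-bind-options no-sslv3 no-tlsv10
    # Prefer forward-secret ECDHE suites with AEAD ciphers; the exact string
    # here is illustrative and should be copied from the Mozilla guide.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # Use a 2048-bit group for any DHE suite instead of the historic 1024-bit default.
    tune.ssl.default-dh-param 2048

frontend https-in
    bind *:443 ssl crt /etc/haproxy/site.pem
    # HSTS (contributes to the SSL Labs grade); only enable once every
    # subdomain you serve is available over TLS, since browsers will cache it.
    http-response set-header Strict-Transport-Security "max-age=15768000"
    default_backend app
```

To keep the legacy clients mentioned in the thread instead, the "intermediate" profile in the Mozilla guide keeps TLS 1.0 enabled (drop `no-tlsv10` from `ssl-default-bind-options`) and appends a few non-forward-secret AES-CBC suites to the cipher list; SSLv3 stays disabled in either case.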

