Thu, 8 Feb 2024 at 15:49, Tristan <tris...@mangadex.org>:

> Hi all,
>
> With the ever-increasing threat of one day needing to give up on OpenSSL
> 1.1.1 (whenever the next bad CVE is found on QuicTLS 1.1.1w,
> essentially) I was looking at alternatives a bit closer.
>
> Based on the wiki,
> https://github.com/openssl/openssl/issues/20286#issuecomment-1527869072,
> and that it has support for other features I'm interested in (notably
> ECH), WolfSSL seems by far my best bet at the moment.
>

I run QUIC Interop from time to time; WolfSSL shows the best compatibility
compared to LibreSSL and aws-lc.
It really looks like a winner today.


>
> However, given that almost everything is compile time and defaults focus
> on suitability for constrained embedded environments rather than best
> big-proxy-server oriented performance, does anyone have pointers on what
> flags are important/traps/etc?
>
> Besides the getrandom thing, HAProxy's INSTALL/wiki only vaguely mention
> that such build-time tuning is required, so I'm hoping someone might
> have gone through that already.
>

I'm afraid in practice it works in a different way.
First, you install WolfSSL to prod; next, INSTALL/wiki gets updated :)


>
> This one is a bit extra, but considering that aiming for bleeding edge
> with WolfSSL is not entirely compatible with how most distros work (ie
> even if it was packaged, it's likely going to be perpetually quite far
> behind), what does the future look like in that regard from the distros'
> side?
>
> Thanks,
> Tristan
>
>
