Re: FYI: OpenWrt switches from wolfssl to mbedtls as default

2023-11-08 Thread William Lallemand
On Mon, Oct 16, 2023 at 02:40:37PM +0200, William Lallemand wrote:
> On Fri, Oct 13, 2023 at 04:30:37PM +0200, William Lallemand wrote:
> > > and TLSv1.3 is a must-have,
> > 
> > I don't get this point, mbedtls supports TLS 1.3 so I don't really
> > understand what they are talking about. Maybe they disable TLS 1.3 on
> > the 2.28 version for some reason but I couldn't find any detail.
> > 
> >
> 
> Regarding this, I found in the changelog that mbedtls provides a minimum
> viable implementation of the TLS 1.3 protocol starting from the 3.1.0
> version, so it explains everything.
> 
> https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.1.0
> > Mbed TLS provides a minimum viable implementation of the TLS 1.3
> > protocol. See docs/architecture/tls13-support.md for the definition of
> > the TLS 1.3 Minimum Viable Product (MVP). The MBEDTLS_SSL_PROTO_TLS1_3
> > configuration option controls the enablement of the support. The APIs
> > mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version() allow
> > to select the 1.3 version of the protocol to establish a TLS connection.
> > 
> 
> 

Related to this discussion, I think that's a good example:
https://github.com/wolfSSL/wolfssl/issues/6928

-- 
William Lallemand



Re: FYI: OpenWrt switches from wolfssl to mbedtls as default

2023-10-16 Thread William Lallemand
On Fri, Oct 13, 2023 at 04:30:37PM +0200, William Lallemand wrote:
> > and TLSv1.3 is a must-have,
> 
> I don't get this point, mbedtls supports TLS 1.3 so I don't really
> understand what they are talking about. Maybe they disable TLS 1.3 on
> the 2.28 version for some reason but I couldn't find any detail.
> 
>

Regarding this, I found in the changelog that mbedtls provides a minimum
viable implementation of the TLS 1.3 protocol starting from the 3.1.0
version, so it explains everything.

https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.1.0
> Mbed TLS provides a minimum viable implementation of the TLS 1.3
> protocol. See docs/architecture/tls13-support.md for the definition of
> the TLS 1.3 Minimum Viable Product (MVP). The MBEDTLS_SSL_PROTO_TLS1_3
> configuration option controls the enablement of the support. The APIs
> mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version() allow
> to select the 1.3 version of the protocol to establish a TLS connection.
> 



-- 
William Lallemand
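The quoted changelog entry ties TLS 1.3 availability to two facts: an Mbed TLS release of 3.1.0 or newer, and the MBEDTLS_SSL_PROTO_TLS1_3 option being compiled in. As an added example, not something posted in this thread nor code shipped by Mbed TLS, here is a small POSIX shell check that reads both facts from an Mbed TLS header tree: the version from MBEDTLS_VERSION_STRING (version.h in 2.x, build_info.h in 3.x) and whether MBEDTLS_SSL_PROTO_TLS1_3 is an active define in the configuration header (config.h in 2.x, mbedtls_config.h in 3.x). The header paths and the sample headers written by demo() are constructed stand-ins; the 3.1.0 threshold is taken from the changelog quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or from Mbed TLS itself): decide from a
# checked-out or installed Mbed TLS tree whether TLS 1.3 can be expected.
# Two facts drive it: the TLS 1.3 MVP arrived in 3.1.0, and it is only built
# when MBEDTLS_SSL_PROTO_TLS1_3 is an active #define in the config header.
# File names and header contents in demo() are constructed stand-ins.

# Print the value of MBEDTLS_VERSION_STRING from a header
# (version.h in 2.x, build_info.h in 3.x), or "unknown" if absent.
mbedtls_version_from_header() {
    ver=$(sed -n 's/^#define MBEDTLS_VERSION_STRING[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1)
    if [ -n "$ver" ]; then
        printf '%s\n' "$ver"
    else
        printf 'unknown\n'
    fi
}

# Succeed (exit 0) if version "$1" is 3.1.0 or newer, the first release
# whose changelog announces a TLS 1.3 minimum viable implementation.
mbedtls_version_has_tls13_mvp() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major" in '' | *[!0-9]*) return 1 ;; esac
    case "$minor" in '' | *[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 3 ]; then
        return 0
    fi
    [ "$major" -eq 3 ] && [ "$minor" -ge 1 ]
}

# Succeed if the configuration header carries an active (uncommented)
# "#define MBEDTLS_SSL_PROTO_TLS1_3". A commented-out line ("//#define ...")
# or no such line at all (a 2.28 config has none) both mean TLS 1.3 is off.
mbedtls_tls13_configured() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+MBEDTLS_SSL_PROTO_TLS1_3([[:space:]]|$)' "$1"
}

# One-line verdict combining both checks: version header, then config header.
mbedtls_report() {
    ver=$(mbedtls_version_from_header "$1")
    if mbedtls_version_has_tls13_mvp "$ver" && mbedtls_tls13_configured "$2"; then
        printf '%s: TLS 1.3 available\n' "$ver"
    else
        printf '%s: TLS 1.3 NOT available\n' "$ver"
    fi
}

demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for a 2.28 tree: version.h plus a config without the 1.3 option.
    printf '#define MBEDTLS_VERSION_STRING         "2.28.5"\n' > "$tmp/version.h"
    printf '#define MBEDTLS_SSL_PROTO_TLS1_2\n' > "$tmp/config.h"
    mbedtls_report "$tmp/version.h" "$tmp/config.h"
    # Constructed stand-in for a 3.x tree: build_info.h, option commented out, then enabled.
    printf '#define MBEDTLS_VERSION_STRING         "3.1.0"\n' > "$tmp/build_info.h"
    printf '//#define MBEDTLS_SSL_PROTO_TLS1_3\n' > "$tmp/mbedtls_config.h"
    mbedtls_report "$tmp/build_info.h" "$tmp/mbedtls_config.h"
    printf '#define MBEDTLS_SSL_PROTO_TLS1_3\n' > "$tmp/mbedtls_config.h"
    mbedtls_report "$tmp/build_info.h" "$tmp/mbedtls_config.h"
    rm -rf "$tmp"
}

# On a real 3.x tree the call would be, for example:
#   mbedtls_report /path/to/include/mbedtls/build_info.h /path/to/include/mbedtls/mbedtls_config.h
demo
```

The check deliberately treats a missing option and a commented-out option the same way, because both produce a library without TLS 1.3, which is exactly the situation the OpenWrt announcement describes for the 2.28 LTS branch.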



Re: FYI: OpenWrt switches from wolfssl to mbedtls as default

2023-10-13 Thread William Lallemand
On Fri, Oct 13, 2023 at 11:39:59AM +, Lukas Tribus wrote:
> Hello,
> 
> 
> an interesting move from the OpenWRT project:
> 
> 
> > Switch from wolfssl to mbedtls as default
> > =========================================
> >
> > OpenWrt has transitioned its default cryptographic library from wolfssl
> > to mbedtls. This shift brings several changes and implications:
> >
> >   * Size Efficiency: mbedtls is considerably smaller, making it an
> > optimal choice for systems where storage space is paramount.
> >   * LTS and ABI Stability: mbedtls consistently provides updates via its
> > Long Term Support (LTS) branch, ensuring both security and a stable
> > application binary interface (ABI). In contrast, wolfssl does not
> > offer an LTS release, and its stable ABI is limited to a specific set
> > of functions.
> >   * TLS 1.3 Support: Users should be aware that mbedtls 2.28 no longer
> > supports TLS 1.3.
> >
> > While mbedtls is now the default, users who have specific needs or
> > preferences can still manually switch back to wolfssl or choose openssl.
> 
> As per:
> http://lists.openwrt.org/pipermail/openwrt-announce/2023-October/47.html
> 
> Size Efficiency does not matter a lot in the context of haproxy,

It depends: OpenSSL uses a lot of memory, and a smaller footprint is
interesting when you want more simultaneous sessions.

> and TLSv1.3 is a must-have,

I don't get this point, mbedtls supports TLS 1.3 so I don't really
understand what they are talking about. Maybe they disable TLS 1.3 on
the 2.28 version for some reason but I couldn't find any detail.


> but I'm surprised about the point about LTS
> and ABI Stability in wolfssl and I'm wondering if this is really the
> case?
> 

To be honest I don't know the wolfssl release cycle well enough, but
they don't publicly announce LTS versions for their open-source releases;
if you want that you must have a commercial contract.

Regarding the ABI, it seems to me that there are a lot of changes, but it
makes sense since there is no LTS.
We are using the openssl compatibility API for HAProxy; the API is not
supposed to change a lot, but the ABI changes from time to time.

-- 
William Lallemand



FYI: OpenWrt switches from wolfssl to mbedtls as default

2023-10-13 Thread Lukas Tribus
Hello,


an interesting move from the OpenWRT project:


> Switch from wolfssl to mbedtls as default
> =========================================
>
> OpenWrt has transitioned its default cryptographic library from wolfssl
> to mbedtls. This shift brings several changes and implications:
>
>   * Size Efficiency: mbedtls is considerably smaller, making it an
> optimal choice for systems where storage space is paramount.
>   * LTS and ABI Stability: mbedtls consistently provides updates via its
> Long Term Support (LTS) branch, ensuring both security and a stable
> application binary interface (ABI). In contrast, wolfssl does not
> offer an LTS release, and its stable ABI is limited to a specific set
> of functions.
>   * TLS 1.3 Support: Users should be aware that mbedtls 2.28 no longer
> supports TLS 1.3.
>
> While mbedtls is now the default, users who have specific needs or
> preferences can still manually switch back to wolfssl or choose openssl.

As per:
http://lists.openwrt.org/pipermail/openwrt-announce/2023-October/47.html

Size Efficiency does not matter a lot in the context of haproxy, and
TLSv1.3 is a must-have, but I'm surprised about the point about LTS
and ABI Stability in wolfssl and I'm wondering if this is really the
case?


cheers,
lukas