Hi,

> In fact when I say "yassl", I really mean "CyaSSL".
Ok, great. A few more comments about (C)yassl:

- Development of new features is obviously not as fast as in OpenSSL. For example, TLS SNI is not supported yet (ETA: next release) [1]. This feature was introduced in 2007 (0.9.8f) in the OpenSSL implementation, and it was enabled by default in 2009 (0.9.8j) [2]. That doesn't mean yassl isn't suited for haproxy; one just needs to be aware that yassl is NOT a faster OpenSSL with lower memory overhead. It's a different implementation with different goals, and OpenSSL will remain the full-featured reference, with companies like Google introducing new features and providing bugfixes for it.

- (C)yassl doesn't support renegotiation, by design. They also don't implement RFC4756 (secure renegotiation), see [3]. While this is not a security problem (from a server point of view), it will become an interoperability problem sooner or later, once browser vendors "make the switch" and treat non-RFC4756-capable servers as broken [4], [5], [6]. I wonder how this is going to be fixed, if at all.

- I also believe that most of the haproxy maintainers will compile haproxy with OpenSSL, and yassl will be more or less available only to those compiling haproxy on their own. In fact, libyassl/libcyassl is not even available in Debian, for example [7], and they don't like libs linked statically to their packages.

Anyway, time will tell, and the mentioned issues are no "showstoppers".
Regards,
Lukas

[1] http://www.yassl.com/yaSSL/Blog/Entries/2012/8/15_CyaSSL_to_include_SNI_%28Server_Name_Indication%29_in_Upcoming_Release.html
[2] http://www.openssl.org/news/changelog.html
[3] http://yassl.com/yaSSL/Docs-cyassl-manual-9-library-design.html
[4] https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
[5] https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
[6] http://my.opera.com/securitygroup/blog/2010/11/04/a_few_results_from_the_tls_prober
[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664553
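The interoperability point in the post above (browsers keying on whether a server advertises secure renegotiation) can be checked directly at the protocol level. The following is an added example, not code from the post, haproxy or CyaSSL: it builds a ClientHello that offers the TLS_EMPTY_RENEGOTIATION_INFO_SCSV and an empty renegotiation_info extension (the signalling defined in RFC 5746) together with an SNI extension, and parses the server's ServerHello to see whether the server echoes renegotiation_info back, which is exactly what the Firefox preferences referenced in [4] and [5] act on. The hostname www.example.com is a placeholder, `make_server_hello` is a constructed fixture (not a captured ServerHello) so the parser can be exercised offline, and only the first handshake message of the reply is parsed.

```python
"""Probe whether a TLS server signals secure renegotiation (RFC 5746).

Added example, not part of the original post, haproxy or CyaSSL. Assumes the
server speaks TLS 1.0-1.2 and that its ServerHello fits in the first record.
"""
import os
import socket
import struct

HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 1, 2
EXT_SERVER_NAME = 0x0000
EXT_RENEGOTIATION_INFO = 0xFF01        # RFC 5746 extension type
SCSV_RENEGOTIATION = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
CIPHER_SUITES = [0xC02F, 0xC013, 0x002F, 0x000A]   # ECDHE/RSA AES, 3DES fallback


def build_client_hello(hostname, with_sni=True, client_random=None):
    """TLS record carrying a ClientHello with the SCSV, an empty
    renegotiation_info extension (initial handshake) and optionally SNI."""
    client_random = client_random or os.urandom(32)
    suites = CIPHER_SUITES + [SCSV_RENEGOTIATION]
    body = struct.pack("!H", 0x0303) + client_random + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # compression methods: null only
    exts = b""
    if with_sni:
        name = hostname.encode("idna")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, name
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    exts += struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00"    # renegotiated_connection = <empty>
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs


def parse_server_hello(record):
    """Parse the first handshake message of the server's reply.
    Raises RuntimeError on a TLS alert, ValueError on anything else."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + rlen]
    if ctype == ALERT:
        raise RuntimeError("TLS alert level=%d description=%d" % (payload[0], payload[1]))
    if ctype != HANDSHAKE or payload[0] != SERVER_HELLO:
        raise ValueError("expected a ServerHello handshake record")
    hlen = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hlen]
    if len(body) < hlen:
        raise ValueError("ServerHello spans records; not handled here")
    version, = struct.unpack("!H", body[:2])
    pos = 2 + 32                                   # skip server random
    sid_len = body[pos]
    pos += 1 + sid_len
    suite, = struct.unpack("!H", body[pos:pos + 2])
    pos += 3                                       # cipher suite + compression method
    exts = {}
    if pos < len(body):                            # extensions block is optional
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
    return {
        "version": version,
        "cipher_suite": suite,
        "extensions": exts,
        # on the initial handshake the server echoes an empty renegotiated_connection
        "secure_renegotiation": exts.get(EXT_RENEGOTIATION_INFO) == b"\x00",
    }


def make_server_hello(secure_reneg=True, server_random=b"\x00" * 32):
    """Constructed ServerHello fixture for offline use (not a captured one)."""
    body = struct.pack("!H", 0x0303) + server_random + b"\x00" + struct.pack("!H", 0xC02F) + b"\x00"
    if secure_reneg:
        ext = struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0303, len(hs)) + hs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello to a live server and parse its ServerHello."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        head = _recv_exact(s, 5)
        rlen, = struct.unpack("!H", head[3:5])
        return parse_server_hello(head + _recv_exact(s, rlen))


if __name__ == "__main__":
    import sys
    info = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_server_hello(make_server_hello())
    print("secure renegotiation:", info["secure_renegotiation"])
```

Run it with a hostname to probe a real server, or without arguments to run the parser over the constructed fixture. A server that does not echo renegotiation_info is the case the browser preferences in [4] and [5] flag as unsafe; the SNI extension is sent so that name-based virtual hosts answer for the right site, but this probe does not by itself tell you whether the server acted on it.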

