On Fri, Oct 13, 2023 at 11:39:59AM +0000, Lukas Tribus wrote:
> Hello,
> 
> 
> an interesting move from the OpenWRT project:
> 
> 
> > Switch from wolfssl to mbedtls as default
> > =========================================
> >
> > OpenWrt has transitioned its default cryptographic library from wolfssl
> > to mbedtls. This shift brings several changes and implications:
> >
> >   * Size Efficiency: mbedtls is considerably smaller, making it an
> >     optimal choice for systems where storage space is paramount.
> >   * LTS and ABI Stability: mbedtls consistently provides updates via its
> >     Long Term Support (LTS) branch, ensuring both security and a stable
> >     application binary interface (ABI). In contrast, wolfssl does not
> >     offer an LTS release, and its stable ABI is limited to a specific set
> >     of functions.
> >   * TLS 1.3 Support: Users should be aware that mbedtls 2.28 no longer
> >     supports TLS 1.3.
> >
> > While mbedtls is now the default, users who have specific needs or
> > preferences can still manually switch back to wolfssl or choose openssl.
> 
> As per:
> http://lists.openwrt.org/pipermail/openwrt-announce/2023-October/000047.html
> 
> Size Efficiency does not matter a lot in the context of haproxy,

It depends, OpenSSL uses a lot of memory and a smaller footprint is
interesting when you want more simultaneous sessions.

> and TLSv1.3 is a must-have,

I don't get this point, mbedtls supports TLS 1.3, so I don't really
understand what they are talking about. Maybe they disable TLS 1.3 in
the 2.28 version for some reason, but I couldn't find any detail.


> but I'm surprised about the point about LTS
> and ABI Stability in wolfssl and I'm wondering if this is really the
> case?
> 

To be honest I don't know the wolfssl release cycle well enough, but
they don't publicly announce LTS versions for their open-source releases;
if you want that, you must have a commercial contract.

Regarding the ABI, it seems to me that there are a lot of changes, but
it makes sense since there is no LTS.
We are using the openssl compatibility API for HAProxy; the API is not
supposed to change a lot, but the ABI changes from time to time.

-- 
William Lallemand
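As an added example (not part of this thread, and not HAProxy's own code), a small shell check that reads `haproxy -vv` output and reports which OpenSSL-API library the binary was built against and whether TLSv1.3 is listed as supported. It relies only on the "Built with OpenSSL version :" and "OpenSSL library supports :" lines that HAProxy prints; the sample output below is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example: check which TLS library a HAProxy binary was built against
# and whether it reports TLSv1.3 support, from `haproxy -vv` output.
# Only two lines of that output are relied on:
#   Built with OpenSSL version : <library and version>
#   OpenSSL library supports : <space-separated protocol list>
# Both are printed by HAProxy for any build using the OpenSSL API (OpenSSL,
# wolfSSL's compatibility layer, ...). Sample data below is constructed.

# Print the library name and version from the "Built with" line.
# $1: file holding `haproxy -vv` output
tls_library() {
    sed -n 's/^Built with OpenSSL version *: *//p' "$1" | head -n 1
}

# Return 0 if TLSv1.3 appears in the supported-protocol list, 1 otherwise.
# -w keeps "TLSv1.3" from matching inside a longer token; -F makes the dot
# literal.
supports_tls13() {
    grep '^OpenSSL library supports *:' "$1" | grep -qwF 'TLSv1.3'
}

# One-line summary, e.g. "OpenSSL 3.0.2 15 Mar 2022: TLS 1.3 yes".
# Exit status: 0 = TLS 1.3 available, 1 = not available, 2 = no library info.
tls_summary() {
    lib=$(tls_library "$1")
    if [ -z "$lib" ]; then
        echo "no OpenSSL-API library information found"
        return 2
    fi
    if supports_tls13 "$1"; then
        echo "$lib: TLS 1.3 yes"
        return 0
    fi
    echo "$lib: TLS 1.3 no"
    return 1
}

# Constructed samples of the relevant lines. On a real host you would run:
#   haproxy -vv > /tmp/haproxy-vv.txt && tls_summary /tmp/haproxy-vv.txt
SAMPLE_OPENSSL=$(mktemp)
SAMPLE_NO13=$(mktemp)
trap 'rm -f "$SAMPLE_OPENSSL" "$SAMPLE_NO13"' EXIT

cat > "$SAMPLE_OPENSSL" <<'EOF'
Built with OpenSSL version : OpenSSL 3.0.2 15 Mar 2022
Running on OpenSSL version : OpenSSL 3.0.2 15 Mar 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
EOF

# A build against a library without TLS 1.3 (constructed).
cat > "$SAMPLE_NO13" <<'EOF'
Built with OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
EOF

tls_summary "$SAMPLE_OPENSSL"
tls_summary "$SAMPLE_NO13" || true
```

The exit status of `tls_summary` makes it usable as a gate in a build or deployment script: a non-zero status means the binary either lacks TLS 1.3 or was not built with an OpenSSL-API library at all, which is the check you would want before swapping the underlying library on a box that terminates TLS.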
