Hi all,

With the ever-increasing threat of one day needing to give up on OpenSSL 1.1.1 (whenever the next bad CVE is found in QuicTLS 1.1.1w, essentially), I was looking at alternatives a bit more closely.

Based on the wiki, https://github.com/openssl/openssl/issues/20286#issuecomment-1527869072, and that it has support for other features I'm interested in (notably ECH), WolfSSL seems by far my best bet at the moment.

However, given that almost everything is compile time and defaults focus on suitability for constrained embedded environments rather than best big-proxy-server oriented performance, does anyone have pointers on what flags are important/traps/etc?

Besides the getrandom thing, HAProxy's INSTALL/wiki only vaguely mention that such build-time tuning is required, so I'm hoping someone might have gone through that already.

This one is a bit extra, but considering that aiming for bleeding edge with WolfSSL is not entirely compatible with how most distros work (i.e. even if it were packaged, it's likely going to be perpetually quite far behind), what does the future look like in that regard from the distros' side?

Thanks,
Tristan
