Hi Aleks,

On Mon, May 12, 2025 at 07:48:26PM +0200, Aleksandar Lazic wrote:
> Hi.
>
> I asked myself, after reading the excellent blog post
> https://www.haproxy.com/blog/state-of-ssl-stacks , what's now the way
> HAProxy will go for TLS/SSL libraries?
>
> Based on the first line.
>
> > A paper on this topic was prepared for internal use within HAProxy last
> > year, and this version is now being shared publicly
>
> Will the upcoming Docker Images and recommendation be based on AWS-LC or
> wolfssl or something else?
>
> Thank you Willy and William for the excellent Post and detail description.
Thanks for the feedback, you're welcome.

The current state is still far from being perfect. At least OpenSSL 3.5 was released as LTS recently, and for those for whom hosting costs don't depend on performance, it may constitute an acceptable hassle-free option once it reaches distros.

For those dealing with high traffic and who don't want to double or triple their number of servers, aws-lc and wolfssl constitute excellent options but address different needs. I'd say that aws-lc is much closer to the openssl API since it shares ancestry with it via boringssl. WolfSSL on the other hand is much lighter and tailorable to your needs, but will not necessarily support some rarely used features of openssl. But it may constitute a nice option when you just want a TLS endpoint and are assembling your hardware yourself and want to get the most out of it. Plus it has enterprise support, which can make a difference.

Also, the QuicTLS team re-confirmed to me their intent to work on addressing the performance problems, and I've heard rumors that quictls could finally appear in some distros. That continues to be interesting to have a look at.

Regarding aws-lc, we're finding it increasingly interesting. I'm personally using it in my everyday builds for example, and intend to switch to it on the image that's running on my home reverse-proxy (that's totally outdated now). I think this lib will gain in popularity because it focuses on doing things right and is already very compatible.

Anyway my understanding is that such points will be discussed in detail at the haproxyconf in 3 weeks, that's another reason for going there :-)

Cheers,
Willy