OpenSSL or LibreSSL in mid 2020?

petecooper · May 29, 2020

Hello.
I've been involved in web ops for about 5 years or so, give or take. I don't often speak with other server system administrators, but this is as a good a time as any to start talking with much smarter people than me.

I have traditionally compiled Nginx with OpenSSL, and I keep up with source releases to make sure I am up-to-date. I have followed LibreSSL since Heartbleed appeared. I have, for testing purposes, compiled Nginx with LibreSSL but haven't found either to be objectively "better" in real world usage.

Given the current state of OpenSSL and LibreSSL (and BoringSSL, and so on), what's your recommendation for an SSL/TLS library on Nginx in 2020? I know there are BoringSSL vs OpenSSL comparisons (e.g. here) but I'm discounting BoringSSL on the grounds of no OCSP stapling.

I don't have any obscure clients or browsers to account for, and I'm running a a TLS 1.3 & 1.2 setup, Mozilla modern SSL spec (version 4.0), I do OCSP stapling, and I am happy to test/compile stuff for hours on end in place of an active social life…

Thank you in advance, and best wishes to you.

eva2000 · May 29, 2020

LibreSSL was great as alternative when Heartbleed first emerged, but LibreSSL development has lagged way behind OpenSSL to the point that OpenSSL 1.1.1 is miles ahead of LibreSSL in performance. For Nginx right now it's OpenSSL 1.1.1 so you get TLSv1.3 support. There's forks/patched OpenSSL working on adding HTTP/3 QUIC support too so probably see that way before LibreSSL catches up too.

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

OpenSSL or LibreSSL in mid 2020?

petecooper New Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

OpenSSL or LibreSSL in mid 2020?

petecooper New Member

eva2000 Administrator Staff Member

.