Welcome to Centmin Mod Community
Register Now

OpenSSL or LibreSSL in mid 2020?

Discussion in 'System Administration' started by petecooper, May 29, 2020.

  1. petecooper

    petecooper New Member

    3
    0
    1
    Mar 4, 2020
    Ratings:
    +0
    Local Time:
    8:22 PM
    1.19.0
    ––
    Hello.
    I've been involved in web ops for about 5 years or so, give or take. I don't often speak with other server system administrators, but this is as a good a time as any to start talking with much smarter people than me.

    I have traditionally compiled Nginx with OpenSSL, and I keep up with source releases to make sure I am up-to-date. I have followed LibreSSL since Heartbleed appeared. I have, for testing purposes, compiled Nginx with LibreSSL but haven't found either to be objectively "better" in real world usage.

    Given the current state of OpenSSL and LibreSSL (and BoringSSL, and so on), what's your recommendation for an SSL/TLS library on Nginx in 2020? I know there are BoringSSL vs OpenSSL comparisons (e.g. here) but I'm discounting BoringSSL on the grounds of no OCSP stapling.

    I don't have any obscure clients or browsers to account for, and I'm running a a TLS 1.3 & 1.2 setup, Mozilla modern SSL spec (version 4.0), I do OCSP stapling, and I am happy to test/compile stuff for hours on end in place of an active social life…

    Thank you in advance, and best wishes to you.
     
  2. eva2000

    eva2000 Administrator Staff Member

    44,684
    10,193
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,792
    Local Time:
    5:22 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    LibreSSL was great as alternative when Heartbleed first emerged, but LibreSSL development has lagged way behind OpenSSL to the point that OpenSSL 1.1.1 is miles ahead of LibreSSL in performance. For Nginx right now it's OpenSSL 1.1.1 so you get TLSv1.3 support. There's forks/patched OpenSSL working on adding HTTP/3 QUIC support too so probably see that way before LibreSSL catches up too.