The State of SSL Stacks
a year ago
- #SSL
- #Performance
- #HAProxy
- HAProxy shares insights on SSL library performance challenges and alternatives.
- OpenSSL 3.0 introduced significant performance regressions and compatibility issues.
- Performance testing shows OpenSSL 3.0 performs worse than alternatives like BoringSSL, LibreSSL, WolfSSL, and AWS-LC.
- Functional requirements for SSL libraries include support for TLS versions, QUIC, certificate management, and cipher suites.
- Performance considerations highlight the computational intensity of SSL/TLS operations and their impact on energy efficiency.
- Maintenance challenges include security vulnerabilities, backward compatibility, and the need for specialized knowledge.
- OpenSSL's shift to version 3.0 as LTS forced many Linux distributions to adopt it despite its limitations.
- Alternatives like BoringSSL, LibreSSL, WolfSSL, and AWS-LC offer different trade-offs in performance, compatibility, and features.
- QUIC implementation challenges and the lack of a standard API in OpenSSL have hindered adoption.
- Performance testing reveals OpenSSL 3.0's poor scalability and high CPU usage due to excessive locking and atomic operations.
- AWS-LC and WolfSSL show promising performance and scalability, with AWS-LC benefiting from atomic operations over locks.
- Recommendations for HAProxy users include adopting AWS-LC or WolfSSL for better performance and considering QuicTLS for QUIC support.
- The future of SSL libraries is uncertain, with OpenSSL's performance issues unresolved and alternatives gaining traction.
- Hopes for improvement include OpenSSL releasing a new LTS version with better performance and broader adoption of efficient alternatives.