Skip to content

OpenSSL replacements

Noted by on his .


Are you referring to making an OpenSSL-compatible API, so OpenSSL-only programs can link against BearSSL?

I really like BearSSL for TLS 1.2: it’s tiny, runs well on old hardware, and has no dynamic memory allocation. I do have serious doubts for making it the default TLS library when it doesn’t support TLS 1.3. Looking at commit logs, I doubt it’ll get 1.3 anytime soon.

mbedTLS, LibreSSL, WolfSSL, s2n-tls, MatrixSSL, GnuTLS (eww), BoringSSL, picotls, NSS, even Fizz and Rustls (just including these two for completeness) all support 1.3 and can be linked in C programs; picking the one high-profile implementation lacking it seems like a bad idea. Perhaps wrapping BearSSL and a TLS 1.3 implementation (like picotls) could work?

Personally, I’d like to see adoption of more 1.3 extensions to reduce information leakage, such as Encrypted Client Hello or random padding.


Web­mentions

This site supports Webmentions, a backlink-based alternative to traditional comment forms.

Publish a response on your own website and share the link here to send me a webmention! Include a link to this page's canonical location for it to be accepted.

Webmentions received for this post appear in the following list after I approve them. I sometimes send Webmentions to myself on behalf of linking sites that don't support them. I replace broken links with Wayback Machine snapshots, if they exist.

Toggle Webmentions
by

@ariadne indeed, not supporting TLS 1.3 would also be a dealbreaker for me.

Feel free to contact me directly with feedback; here’s my contact info