#1 2023-09-08 12:13:34

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,745
Website

OpenSSL 1.1.1 End Of Live

You may have noticed that the OpenSSL 1.1.1 series will reach End of Life (EOL) next Monday...
Most sensible options are to switch to 3.0 or 3.1 as soon as possible.

mormotSecurity.jpg

Of course, our mORMot 2 OpenSSL unit runs on 1.1 and 3.x branches, and self-adapt at runtime to the various API incompatibilities existing between each branch.
But we also discovered that switching to OpenSSL 3.0 could led into big performance regressions... so which version do you need to use?

This is the forum thread for blog article
https://blog.synopse.info/?post/2023/09 … penSSL-3.0

Offline

#2 2023-09-14 14:19:52

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,576
Website

Re: OpenSSL 1.1.1 End Of Live

Modern Linux distribution came with OpenSSL3x (RHE/OEL 9, Cenos stream etc.), It's even not possible to install OpenSSL1,1 (only using compat-openssl11 package). So in most case we will use 3.x. Hope performance issues will be fixed in 3.0 also.

Offline

#3 2023-09-15 15:34:49

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,745
Website

Re: OpenSSL 1.1.1 End Of Live

If we copy the good .so files in a folder and define LD_LIBRARY_PATH then mORMot will be able to load a custom OpenSSL version.

But I doubt the performance will be fixed in 3.0 because it seems to be in LTS maintainance mode.

Offline

#4 2024-12-09 01:40:10

wsherman
Member
Registered: 2022-01-24
Posts: 4

Re: OpenSSL 1.1.1 End Of Live

I ran across this short article on phoronix about recent performance testing by the Rustls folks:

Rustls Multi-Threaded Performance Is Battering OpenSSL
https://www.phoronix.com/news/Rustls-Mu … ading-Perf

Details on Rustls vs BoringSSL vs OpenSSL performance are here:

Measuring and Improving rustls's Multithreaded Performance
https://rustls.dev/perf/2024-11-28-threading/

Offline

#5 2024-12-09 07:45:52

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,745
Website

Re: OpenSSL 1.1.1 End Of Live

OpenSSL 3.0 has performance issues, and OpenSSL 3.4 is better but not ideal.

In short: OpenSSL has a huge performance overhead because its API is code style just came from a weird brain.
The core computing functions of OpenSSL are very optimized, but the whole API itself is a real PITA, and not optimized.
It is especially slow with multi-threading, due to its abuse of locks, even in the core functions.

I observed that mORMot has much less overhead than OpenSSL, e.g. if you cipher a few bytes (typically a small HTTP Response, or a UDP frame).
In the future, I am willing to implement TLS 1.3 in pure pascal within mORMot - we will see how it scales.

Offline

Board footer

Powered by FluxBB