You may have noticed that the OpenSSL 1.1.1 series will reach End of Life (EOL) next Monday...
The most sensible options are to switch to 3.0 or 3.1 as soon as possible.
Of course, our mORMot 2 OpenSSL unit runs on the 1.1 and 3.x branches, and self-adapts at runtime to the various API incompatibilities existing between each branch.
But we also discovered that switching to OpenSSL 3.0 could lead to big performance regressions... so which version do you need to use?
This is the forum thread for the blog article
https://blog.synopse.info/?post/2023/09 … penSSL-3.0
Offline
Modern Linux distributions come with OpenSSL 3.x (RHEL/OEL 9, CentOS Stream etc.). It's not even possible to install OpenSSL 1.1 (only using the compat-openssl11 package). So in most cases we will use 3.x. Hope performance issues will be fixed in 3.0 also.
Offline
If we copy the good .so files in a folder and define LD_LIBRARY_PATH then mORMot will be able to load a custom OpenSSL version.
But I doubt the performance will be fixed in 3.0 because it seems to be in LTS maintenance mode.
Offline
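An added example, not part of the thread or of mORMot: a directory placed on LD_LIBRARY_PATH becomes a source of code for the process, so this sketch vets a private OpenSSL folder before using it. The function names and the `/opt/openssl-3.4/lib` path are assumptions; `libssl.so.<v>` / `libcrypto.so.<v>` are the usual OpenSSL SONAMEs (`3` or `1.1`).

```bash
#!/usr/bin/env bash
# Added example: vet a private OpenSSL directory before putting it on
# LD_LIBRARY_PATH. Layout and names are assumptions, not mORMot code.

# True when path $1 (symlinks followed) is writable by group or others.
loosely_writable() {
    [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Print the SONAME suffix shared by libssl and libcrypto in $1.
# Returns 1 when no complete pair exists, 2 when several do (ambiguous).
openssl_pair_version() {
    local dir=$1 ssl v found=""
    for ssl in "$dir"/libssl.so.*; do
        [ -f "$ssl" ] || continue
        v=${ssl##*/libssl.so.}
        [ -f "$dir/libcrypto.so.$v" ] || continue   # mixed branches do not count
        [ -z "$found" ] || return 2
        found=$v
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Print the LD_LIBRARY_PATH value to use, or fail with a reason on stderr.
vetted_openssl_path() {
    local dir=$1 v f
    case $dir in
        /*) ;;
        *) echo "use an absolute path: $dir" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    if loosely_writable "$dir"; then
        echo "$dir is group/world-writable" >&2; return 1
    fi
    v=$(openssl_pair_version "$dir") || {
        echo "no single matching libssl/libcrypto pair in $dir" >&2; return 1
    }
    for f in "$dir/libssl.so.$v" "$dir/libcrypto.so.$v"; do
        if loosely_writable "$f"; then
            echo "$f is group/world-writable" >&2; return 1
        fi
    done
    # Prepend so the private copy wins over any existing search path.
    printf '%s\n' "$dir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
}

# Usage (hypothetical path and binary):
#   LD_LIBRARY_PATH=$(vetted_openssl_path /opt/openssl-3.4/lib) ./myserver
```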
I ran across this short article on Phoronix about recent performance testing by the Rustls folks:
Rustls Multi-Threaded Performance Is Battering OpenSSL
https://www.phoronix.com/news/Rustls-Mu … ading-Perf
Details on Rustls vs BoringSSL vs OpenSSL performance are here:
Measuring and Improving rustls's Multithreaded Performance
https://rustls.dev/perf/2024-11-28-threading/
Offline
OpenSSL 3.0 has performance issues, and OpenSSL 3.4 is better but not ideal.
In short: OpenSSL has a huge performance overhead because its API code style just came from a weird brain.
The core computing functions of OpenSSL are very optimized, but the whole API itself is a real PITA, and not optimized.
It is especially slow with multi-threading, due to its abuse of locks, even in the core functions.
I observed that mORMot has much less overhead than OpenSSL, e.g. if you cipher a few bytes (typically a small HTTP Response, or a UDP frame).
In the future, I am willing to implement TLS 1.3 in pure pascal within mORMot - we will see how it scales.
Offline