Hi,

As an experiment, I tested with LibreSSL and BoringSSL on Linux using the FFM code. Neither needed too many API changes to start working, so I committed the changes to "add support" for them.
LibreSSL:
- I cannot get it to renegotiate anything. The client always gets a "no_renegotiation" alert.
- Seems relatively complete.
- I tested with Linux and 3.9.
- Testing is easy on GitHub. Out of the box with macos-latest using LibreSSL 3.3. Verified it does the same as my 3.9.

BoringSSL:
- Only TLS 1.3 "renegotiation" seems to work (TestClientCertTls13). This could be seen as acceptable.
- It seems very bare bones; all the stuff for supporting exotic certs seems to be gone. So basically you need a standard certificate doing TLS 1.3 and that's all it does, but then it just works.
- When it doesn't like something, the client gets a connection close (no alert, no nothing; I guess sending alerts is less efficient ;) ).
- Testing is far more problematic. The project is quite "original" in that it does not do releases. Funny (not ...).

I don't have much experience with these, so maybe I'm doing something wrong. For both, the basics (TestSsl) and quite a bit more work, but not everything.

BoringSSL inspires more confidence in what it does and how it does it than the other one, but not having releases is obviously a deal breaker ...

So I'm not very impressed. Given the amount of work it still seems "ok", but that's about it; OpenSSL is by far the best choice for Tomcat without even factoring in possible QUIC support in the future.

Rémy
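The three outcomes Rémy describes (LibreSSL answering a renegotiation request with a "no_renegotiation" alert, BoringSSL simply closing the connection, OpenSSL going ahead with the handshake) are easy to confuse in a test log unless you look at the TLS record level. The following is an added example, not code from Tomcat or from any of the TLS libraries discussed: a small TLS record parser that classifies what a client saw after asking for renegotiation, run over constructed byte streams standing in for each library's response. It assumes the records are already decrypted, i.e. what a TLS stack sees after record-layer processing; on the wire the alert body is encrypted in TLS 1.2, and in TLS 1.3 every post-handshake record is disguised as application data, so this is not a passive-sniffer tool. (TLS 1.3 has no renegotiation at all; client certificates after the handshake go through post-handshake authentication, RFC 8446 section 4.6.2, which is presumably what the TestClientCertTls13 case exercises.)

```python
"""Classify a TLS peer's response to a renegotiation request.

Added illustration for the mailing-list discussion above; not Tomcat's
or any TLS library's own code. The byte streams in SAMPLES are constructed
by hand to mimic the three behaviours described in the thread.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, Tuple

# TLS record content types (RFC 5246 section 6.2.1).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

ALERT_LEVEL = {1: "warning", 2: "fatal"}
# Subset of AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6).
ALERT_DESCRIPTION = {
    0: "close_notify",
    10: "unexpected_message",
    40: "handshake_failure",
    70: "protocol_version",
    100: "no_renegotiation",
    120: "no_application_protocol",
}
# Subset of HandshakeType values.
HANDSHAKE_TYPE = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello",
                  13: "CertificateRequest"}


@dataclass
class Record:
    content_type: int
    version: Tuple[int, int]
    payload: bytes


def iter_records(data: bytes) -> Iterator[Record]:
    """Split a (decrypted) TLS record stream into records.

    Header is type(1) || version(2) || length(2), big-endian. Truncated input
    is rejected rather than silently yielding a partial record.
    """
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, off)
        off += 5
        if len(data) - off < length:
            raise ValueError("truncated record body")
        yield Record(ctype, (major, minor), data[off:off + length])
        off += length


def classify_response(data: bytes, peer_closed: bool) -> str:
    """Describe what the client observed after sending a renegotiation request.

    `data` holds the records received before EOF; `peer_closed` says whether
    the transport was closed (as opposed to the read simply timing out).
    """
    for rec in iter_records(data):
        if rec.content_type == ALERT:
            if len(rec.payload) != 2:
                raise ValueError("malformed alert record")
            level, desc = rec.payload
            return "%s alert: %s" % (ALERT_LEVEL.get(level, str(level)),
                                     ALERT_DESCRIPTION.get(desc, "alert(%d)" % desc))
        if rec.content_type == HANDSHAKE:
            # First byte of a handshake record is the HandshakeType.
            htype = rec.payload[0] if rec.payload else -1
            return "handshake record: %s" % HANDSHAKE_TYPE.get(htype, "type %d" % htype)
    if peer_closed:
        return "connection closed without alert"
    return "no response"


# Constructed samples (TLS 1.2 record version 0x0303), one per behaviour:
SAMPLES: Dict[str, Tuple[bytes, bool]] = {
    # warning-level no_renegotiation alert, then the peer keeps the connection
    "libressl_like": (b"\x15\x03\x03\x00\x02\x01\x64", False),
    # nothing on the wire, transport closed
    "boringssl_like": (b"", True),
    # server sends a HelloRequest (type 0, zero-length body) to start renegotiating
    "openssl_like": (b"\x16\x03\x03\x00\x04\x00\x00\x00\x00", False),
    # orderly shutdown: warning-level close_notify
    "graceful_close": (b"\x15\x03\x03\x00\x02\x01\x00", True),
}


def summarize() -> Dict[str, str]:
    """Classify every constructed sample; used by the assertions below."""
    return {name: classify_response(data, closed) for name, (data, closed) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in summarize().items():
        print("%-15s %s" % (name, verdict))
```

When wiring something like this into a test suite, the useful assertion is on the alert description, not just on "handshake failed": a warning-level no_renegotiation leaves the connection usable (the request was declined), whereas a close without an alert or a fatal alert ends the session, and the three cases need different expectations.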