The State of SSL Stacks

The SSL landscape has shifted dramatically. In this paper, we examine OpenSSL 3.x, BoringSSL, LibreSSL, WolfSSL, and AWS-LC with HAProxy.

HAProxy Technologies

as the site is asleep, I'll offer the tldr: aws-lc is the fastest, wolfssl is number two, openssl is not very fast

but read the post later, it is super long and detailed

"in a world where everyone is striving to reduce their energy footprint, sticking to a library that operates at only a quarter of its predecessor's efficiency, and six to nine times slower than the competition, contradicts global sustainability efforts"

@bagder yeah, everything you can possibly imagine to do wrong, they did wrong. https://github.com/openssl/openssl/issues/18317

It's difficult to show all the degradations in a reproducible single-threaded benchmark, so I never updated that ticket. But in a multithreaded workload, their heavy reliance on malloc and all the locking it requires interacts badly with every other need for synchronization in a process.

@bagder not only did they kill their multithreaded performance by making every crypto mechanism dependent on malloc, they also made it impossible to safely free all of the library's allocated memory. https://github.com/openssl/openssl/issues/25294#issuecomment-2312841205

It's like the entire OpenSSL dev team got replaced by a bunch of recent CS grad students.
