[Privoxy-devel] 0004-Enable-building-Privoxy-with-OpenSSL
Lee
ler762 at protonmail.com
Wed Aug 9 09:37:00 CEST 2023
On Wednesday, August 9th, 2023 at 5:19 AM, Fabian Keil wrote:
> The patch looks reasonable to me, but please split it
> in two using one for the changes to openssl.c and project.h
> and one for the change to windows/MYconfigure.
OK.. but are the changes to openssl.c and/or project.h necessary for anything besides Windows?
I don't mind splitting it into two patches - I'd just like to understand the reasoning.
> What is the motivation behind the patch?
The big one was Mbed-tls does _not_ do TLS 1.3; OpenSSL does.
My understanding is that TLS 1.3 is the only secure version.
A minor concern was related to fingerprinting. Anyone using Privoxy with https-inspection enabled would stand out since FF and (I believe) Chrome use TLS 1.3.
> Did you measure
> better performance than with MbedTLS (which would not surprise
> me given my own benchmarks at [0])? If yes, you may want
> to mention it in the commit message.
No, I didn't measure performance. IMO security trumps performance, so I didn't care if it was faster or slower.
> One issue I see with the patch is that using an external
> Apache2-licensed library like OpenSSL 3.x requires the
> Privoxy binary to be distributed under GPLv3 (or later)
> instead of GPLv2 or later so the win32_blurb[] in win32.c
> may need a modification before the next release so we don't
> mislead our users.
Didn't Mbed-TLS require changing the Privoxy license to GPLv2 or 3?
I thought I was safe enabling privoxy to use openssl..
Thanks,
Lee