[Privoxy-devel] WolfSSL support ready for testing

Fabian Keil fk at fabiankeil.de
Mon Apr 1 17:45:40 CEST 2024


Roland Rosenfeld <roland at spinnaker.de> wrote on 2024-04-01 at 16:58:24:

> On Mon, 01 Apr 2024, Fabian Keil wrote:
> 
> > I pushed a change to use X509_V_OK if it's available.
> 
> In contrast to the others, this didn't work, since X509_V_OK is part
> of an enum in my somewhat outdated wolfssl 5.5.4 and not a precompiler
> #define.

Thanks for testing. I made another attempt in b0a88373c96.
 
> > > Just a first draft with wolfssl (without
> > > --enable-renegotiation-indication).
> 
> > Did you check https://www.howsmyssl.com/ already?
> 
> Didn't even notice that this page exists :-)
> I now checked the results of the API call
> https://www.howsmyssl.com/a/check
> 
> While "no proxy", "no https-inspection" and "mbedtls" give the same
> results in Firefox.
> 
> In contrast to openssl, which lists a lot more
> cipher_suites (and is okay otherwise).
> 
> And wolfssl also lists a bunch of other cipher_suites (which are
> interpreted as "Bad"), while "Session Ticket Support" is "Improvable"
> here.
> 
> I'll attach the results of mbedtls (identical to no-proxy and
> no-https-inspection), openssl and wolfssl.

Looks like Mailman ate them.
 
> I did some tests with https://badssl.com, but this is hard to automate
> and to compare the results.  I am thinking about writing a script to check
> all mentioned URLs using curl and then compare the results
> - without proxy
> - with privoxy and without https-inspection
> - with privoxy and with https-inspection with mbedtls
> - with privoxy and with https-inspection with openssl
> - with privoxy and with https-inspection with wolfssl
> but this may take some time to implement...

The Privoxy-Regression-Test --check-bad-ssl option already does
part of the work.

> > Does https://www.privoxy.org/ work?
> 
> Yes, that seems to work with all variants.
> But mbedtls currently seems to be the best variant to me.
>
> BTW: In Debian the wolfssl package should only be used for packages
> that cannot use openssl because of licensing problems.  Since GPLv3
> allows using OpenSSL and mbedTLS, I currently don't see a reason to
> switch to wolfssl in Debian (but it's good to have the choice).

Why do you prefer mbedTLS over OpenSSL?
 
Fabian