[Privoxy-devel] WolfSSL support ready for testing
Fabian Keil
fk at fabiankeil.de
Sat Mar 9 13:27:20 CET 2024
User Git <git at git.privoxy.org> wrote on 2024-03-09 at 12:10:21:
> git pushed a commit to branch master
> in repository privoxy.
>
> commit eee84548c26f5d5efcb19a3a2c3c949a01de45c2
> Author: Fabian Keil <fk at fabiankeil.de>
> AuthorDate: Tue Jan 12 08:12:38 2021 +0100
>
> Allow to use wolfSSL for https inspection
>
> It's licensed under GPLv2 or later and unlike mbedTLS
> there don't seem to be plans to change the license.
>
> As a bonus, wolfSSL supports TLS 1.3 and can be significantly
> faster than mbedTLS. Mainly tested on ElectroBSD amd64 where
> it can compete with OpenSSL and LibreSSL:
> https://www.fabiankeil.de/gehacktes/privoxy-tls-benchmarks/
>
> To enable the support, install wolfSSL and run ./configure
> with the --with-wolfssl option.
>
> Privoxy users and packagers that currently build Privoxy
> binaries with mbedTLS may want to consider using wolfSSL
> in the future once it has been properly tested.
>
> Sponsored by: Privoxy project funds collected at SPI
As you can see above I finally pushed the WolfSSL [0] support
to the master branch.
One issue I noticed while testing is that some websites
including ours [1] can't be loaded anymore on my ElectroBSD
system using the current WolfSSL 5.6.3:
12:17:20.862 048 Error: X509 certificate verification for www.privoxy.org failed with error -313: received alert fatal error
This used to work in 2021 when I wrote the code and
I'm optimistic that this issue can be resolved by
compiling WolfSSL differently.
At the moment I'm configuring WolfSSL like this:
CONFIGURE_ARGS= --disable-dependency-tracking \
--enable-certgen \
--enable-des3 \
--disable-des3-ciphers \
--enable-dh \
--enable-dsa \
--enable-dtls \
--enable-ecc \
--enable-fastmath \
--enable-fasthugemath \
--enable-ipv6 \
--enable-keygen \
--enable-opensslall \
--enable-opensslextra \
--enable-renegotiation-indication \
--enable-ripemd \
--enable-sessioncerts \
--enable-session-ticket \
--enable-sp \
--enable-sp-asm \
--enable-sp-math-all \
--enable-sha512 \
--enable-shared \
--enable-sni \
--enable-ssh \
--enable-static \
--enable-tls13 \
--enable-tls13-draft18
I'll look into this.
In the meantime I'd be interested to know how WolfSSL
works on other platforms.
I've compiled WolfSSL with a patch [2] to prevent a bad rating at [3].
Fabian
[0] <https://www.wolfssl.com/>
[1] <https://www.privoxy.org/>
[2] <https://github.com/wolfSSL/wolfssl/pull/7315>
[3] <https://www.howsmyssl.com/>