Selecting a TLS library for Nginx in 2020
nginx-forum at forum.nginx.org
Thu Aug 27 08:53:35 UTC 2020
I compile Nginx from mainline source and update shortly after each
patch/point release. As part of the compile process, I obtain the current
OpenSSL source and bake that in with these compile flags:
--with-openssl-opt="enable-ec_nistp_64_gcc_128 shared no-ssl2 no-ssl3
no-weak-ssl-ciphers -fstack-protector-strong" \
I understand Nginx can be compiled with other TLS libraries. I also
understand this might be 'there be dragons' territory.
I use OpenSSL because it appears to work for my use case. However, I am
researching alternative TLS libraries to perhaps use with Nginx.
Heartbleed (2014) alerted me to the issue(s) with OpenSSL and although some
time has passed, I am aware that projects like LibreSSL were borne out of a
necessity to improve code quality. TLS 1.3 support in LibreSSL is improving,
and that's my impetus to investigate a potential change.
If you compile Nginx with a TLS library -- whether it's OpenSSL or not -- I
would be grateful if you could tell me what vendor/flavour you use, and a
brief note about why you selected it.
Thank you, and best wishes to you from rainy Cornwall, United Kingdom.
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,289206,289206#msg-289206
More information about the nginx