2024-03-07 10:18:36

🔗 David Sommerseth on Nostr: npub1zra5e…rwazx npub1p450a…789jz TL;DR: ... I fully understand that projects are ...



TL;DR: ... I fully understand that projects are ditching mbed TLS these days. It's generally not moving forward fast enough and lingering behind on important standards and even lacking support for features OpenSSL users take for granted.

Longer read ...

We've just recently been through similar challenges in OpenVPN projects too. We've recently added support for mbedtls-3.0 and newer, which was held back due to licensing issues; Apache 2.0 and GPL have some challenges.

The TLS 1.3 support is at best not feature complete. They even state so themselves: https://github.com/Mbed-TLS/mbedtls/pull/4963

To my knowledge, not much has happened since this time.

Yes, mbed TLS development has improved over the last years. But it's essentially not moving fast enough; their backlog is just too overwhelming. Considering it even performs a lot worse than OpenSSL (especially on CPUs with accelerators available), the performance gap is just not giving any reasons to look at mbed TLS any more. And it even has a general feature gap compared to what OpenSSL is capable of as well. Unfortunately.

PolarSSL (before it got acquired by ARM and the mbed organisation) made some progress and moved forward. And at that time, OpenSSL was not properly funded.

Now OpenSSL is properly funded, better organised and has paid staff managing and developing the project. So the tables have turned. mbed TLS moves very slowly forward (feels understaffed) ... So OpenSSL seems now to be in a far better position than mbed TLS is.
Author Public Key
npub1puft30cctn4uhy2gufu4ynaa7vfzqx3lj4hkg545usdggtv8e9psdew2fu