

Nginx + LibreSSL – a first test - zdw
https://www.mare-system.de/blog/page/1405201517/

======
stephen_g
The small performance degradation could be a good thing - it may be a result
of the use of explicit_bzero to clear sensitive data structures (instead of
memset which was used previously) before freeing.

It could mean that a fair bit of that important cleaning was being optimised
out before with OpenSSL.
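
Added example, not part of the original comment and not LibreSSL's code: the memset-before-free pattern a compiler is allowed to drop as a dead store, next to a wipe it must perform. `secure_wipe` is a hypothetical portable stand-in for `explicit_bzero` (a call through a volatile function pointer to `memset`); the `use_key_*` functions and the sample key are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The call goes through a volatile function pointer, so the compiler has to
 * load the pointer at run time and cannot prove the call is a removable
 * dead store. This stands in for explicit_bzero() on platforms lacking it. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len) { wipe_fn(buf, 0, len); }

/* Toy "use" of a key so the heap copy below has a purpose. */
static unsigned sum_key(const unsigned char *k, size_t n) {
    unsigned s = 0;
    for (size_t i = 0; i < n; i++) s += k[i];
    return s;
}

/* Weak pattern: the buffer is never read after memset(), so an optimising
 * compiler may remove the memset and free() the key bytes intact. */
unsigned use_key_memset(const unsigned char *key, size_t n) {
    unsigned char *copy = malloc(n);
    if (!copy) return 0;
    memcpy(copy, key, n);
    unsigned s = sum_key(copy, n);
    memset(copy, 0, n);            /* candidate for dead-store elimination */
    free(copy);
    return s;
}

/* Same logic, but the wipe cannot be elided (this is where the small
 * run-time cost mentioned in the comment would come from). */
unsigned use_key_wiped(const unsigned char *key, size_t n) {
    unsigned char *copy = malloc(n);
    if (!copy) return 0;
    memcpy(copy, key, n);
    unsigned s = sum_key(copy, n);
    secure_wipe(copy, n);          /* always executed before free() */
    free(copy);
    return s;
}

int main(void) {
    unsigned char key[4] = {1, 2, 3, 4};   /* constructed sample key */
    printf("%u %u\n", use_key_memset(key, 4), use_key_wiped(key, 4));
    secure_wipe(key, sizeof key);
    return 0;
}
```

Comparing the optimised assembly of the two functions (for example with `-O2 -S`) shows whether the plain `memset` call survived.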

~~~
axaxs
Possibly, but it could also be much faster with all the cruft gone. Dynamic
linking has a small overhead, so would love to see an apples to apples
comparison.

~~~
stephen_g
Definitely to some extent, but I think the cruft would have a much smaller
effect. Much of it was dead code - commented out, whole files not actually
compiled, code ifdefed out, or bits of code only compiled on platforms that
nobody has used this decade etc. It was making maintainability a nightmare and
making it a lot harder to find bugs, but I don't think it would have had a
huge performance impact.

------
AlyssaRowan
Cool, it builds!

Reminder: You still have RC4 enabled. It's time to take that out.

~~~
castorio
yes, i know, but according to the blogpost below it should be no problem for
newer browsers when using tls 1.2, but might be useful to keep compatibility
with very legacy clients, no? disclaimer: i'm not a crypto-guru, the ciphers
used are copypasta'd from
[https://www.ssllabs.com/projects/best-practices/](https://www.ssllabs.com/projects/best-practices/).

[https://community.qualys.com/blogs/securitylabs/2013/03/19/r...](https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what)

------
castorio
an updated version is available, now with nginx+libressl statically linked

