from Hacker News

WolfSSL sucks too, so now what?

by thomasjb on 2/13/26, 10:18 AM with 124 comments

• by meinersbur on 2/13/26, 11:03 AM

  This is the WolfSSL maintainer's response[1]

  > This ticket is rather long and has a lot of irrelevant content regarding this new topic. If I need to bring in a colleague I do not want them to have to wade through all the irrelevant context. If you would like, please open a new issue with regards to how we support middlebox compatibility.

  The author turns this into:

  > The GitHub issue comment left at the end leads me to believe that they aren't really interested in RFC compliance. There isn't a middleground here or a "different way" of implementing middlebox compatibility. It's either RFC compliant or not. And they're not.

  This is a bad-faith interpretation of the maintainer's response. They only asked to open a new, more specific issue report. The maintainer always answered within minutes, which I find quite impressive (even after the author ghosted for months). The author consumed the maintainer's time and shouldn't get the blame for the author's problems.

  [1]: https://github.com/wolfSSL/wolfssl/issues/9156

• by SubjectToChange on 2/13/26, 3:26 PM

  The blog author seems like a real piece of work. He ghosts the WolfSSL maintainer for over 160 days and when asked to open a new, more specific issue, he instead chooses to write a blog post denigrating the project. The WolfSSL maintainer was nothing but courteous and helpful throughout the entire exchange.

  >...they aren't really interested in RFC compliance.

  Yeah, well "feld" can't claim to be "interested in RFC compliance" either when he ghosts the issue for months and chooses to write blog posts instead of opening a new issue. Good grief.

  If this is what the FreeBSD community is like, I want nothing to do with them.

• by move-on-by on 2/14/26, 1:58 AM

  > Asking me to open a new issue to discuss this behavior instead of it being a high priority for them to open up a new issue internally to fix this is odd. I'm not here to do their homework for them.

  Why are people so entitled? How much is the author paying WolfSSL to make demands of them?

  > Currently I've only identified one victim of this decision, but there's bound to be more out there.

  Oh yes, he has become a victim of using a FOSS library.

• by dieulot on 2/13/26, 11:23 AM

  Regarding HAProxy, they ended up using AWS-LC in their new Debian/Ubuntu “performance” packages: https://www.haproxy.com/blog/fresh-from-aws-reinvent-superch...

• by mythz on 2/13/26, 10:57 AM

  BearSSL by Thomas Pornin is always worth checking in on, not sure what the current status is but looks like it received a commit last year.

  [1] https://bearssl.org

• by 0xbadcafebee on 2/14/26, 7:56 AM

  If you change your software to comply with "middleboxes" that don't follow standards, then you're admitting your own software is faulty, not theirs. In this case, though, the TLS v1.3 standard actually carved out a portion of the standard itself just to comply with shitty middleware. You know what that says to me? Standards are pointless. Just make a middlebox, make it do whatever the hell you want, and everyone else will bend over to support you.

  This is yet one more reason why we need software building codes and regulations. If software people are unwilling to protect their own standards, the government should. It might fix the 20-year mistake of allowing "the web" to become a defacto network transport layer and application platform.

• by ospray on 2/13/26, 10:41 AM

  We need something with TLS in the name for the next one so people stop getting confused.

• by helpfulclippy on 2/14/26, 5:50 AM

  What really gets me is the commenter at the end of the GH issue lecturing a maintainer on policy in their own tracker.

• by germandiago on 2/13/26, 11:34 AM

  Usability-wise (I do not need many features or compliance for FIPS) I have been happy with Botan: https://botan.randombit.net/

• by 1vuio0pswjnm7 on 2/14/26, 7:33 PM

  "OpenBSD was probably right. We just need to focus on LibreSSL and forget about all of these other libraries."

  Having compiled many of the popular SSL libraries as an end user, on underpowered computers, IMHO LibreSSL has the best compilation process, e.g., least complex, fastest

  The library doesn't have all the features of the others but being able to compile it relatively quickly and easily IMHO is itself a "feature"

  WolfSSL has many, many options. Accepting the defaults is not sufficient IME.^1 According to the cited HAProxy blog post, AWS-LC is perhaps the fastest SSL library. But Amazon "overlooked" a simple CMake option that actually made it slower than WolfSSL

  To summarise, (a) in addition to library "features" I think the compilation process is also important, (b) IME getting what one wants from the various SSL libraries, if even possible, is needlessly complex and (c) FWIW, LibreSSL has (IMO) the least complicated and fastest compilation process

  1. It seems like the author did not want to spend the time to learn about all the options. For the end user (cf. "developer") this make sense. As the HAProxy blog post suggests, the SSL libraries that are controlled by people who work for advertising companies, e-commerce companies and CDN companies are naturally going to put their own interests first. Those interests may not always align with the end user's interests

• by stabbles on 2/13/26, 11:28 AM

  Many people and projects have tried to ditch OpenSSL in favor of LibreSSL, WolfSSL, MbedTLS, etc, but by now many have returned to OpenSSL. The IQ curve meme with "just use OpenSSL" applies.

• by cryptonector on 2/14/26, 6:14 AM

  There is also s2n-tls. I'm working on a GSS-based interface to TLS, much like SChannel is an SSPI-based interface to TLS.

• by mappu on 2/13/26, 11:53 PM

  Go can create C ABI shared libraries, I think OpenSSL-compatible C bindings to Go's crypto/tls would be a really interesting option.

• by tialaramex on 2/14/26, 1:16 AM

  > Last updated on 2026-12-13

  Yeah, no, I can't find a way to read this in which it's not in the future.

• by snvzz on 2/14/26, 8:56 AM

  Nothing wrong with LibreSSL, really.

  If it's good enough for openbsd, it's good enough for you as well.

  Particularly, they put in a lot of work on making it a drop-in replacement for openssl, and in making the portable version work well in many platforms.

  Only for distributions to fail to take the sorely needed step of actually making the switch.

• by eptcyka on 2/13/26, 10:58 AM

  There’s always rustls.

• by anthk on 2/14/26, 11:12 AM

  Dillo uses mbedTLS, it's fine.

• by MrBuddyCasino on 2/13/26, 10:55 AM

  Now what? BearSSL.

• by saqrais on 2/13/26, 11:01 AM

  NanoSSL by DigiCert https://dev.digicert.com/trustcore-sdk/nanossl.html

  It's opensource -> https://github.com/digicert/trustcore

• by phendrenad2 on 2/14/26, 1:55 AM

  In the age of GPT Codex 5.3 and Claude Opus 4.6. Just write your own.