WolfSSL Sucks Too, So Now What?

https://blog.feld.me/posts/2026/02/wolfssl-sucks-too/
39•thomasjb•1h ago

Comments

ospray•1h ago
We need something with TLS in the name for the next one so people stop getting confused.
magicalhippo•57m ago
MbedTLS[1] got your back!

[1]: https://www.trustedfirmware.org/projects/mbed-tls/

weinzierl•38m ago
rustls is there. It has TLS in the name, it is good and there is a C FFI wrapper.
gspr•19m ago
Rustls still outsources cryptographic primitives. I believe the currently supported providers of those are… drumroll… AWS-LC and Ring. The latter is a fork of BoringSSL. The article describes AWS-LC and BoringSSL as "Googled and Amazoned to death; they don't care about anyone but their own use cases".

The state of things sucks :-(

koakuma-chan•12m ago
there is https://github.com/RustCrypto/rustls-rustcrypto fwiw
koakuma-chan•14m ago
rustls doesn't have its own implementation of cryptography, you have to choose a provider like openssl or aws lc
dwedge•9m ago
A C wrapper to Rust feels like we've gone full circle
zephen•23m ago
You're obviously looking for lastLs.
MrBuddyCasino•58m ago
Now what? BearSSL.
mythz•56m ago
BearSSL by Thomas Pornin is always worth checking in on, not sure what the current status is but looks like it received a commit last year.

[1] https://bearssl.org

jorams•41m ago
BearSSL is really cool, but it claims beta quality with the latest release in 2018, doesn't support TLS 1.3, and hasn't seen meaningful development in years. It's averaging about 1 commit per year recently, and they're not big ones.
eptcyka•55m ago
There’s always rustls.
LtWorf•28m ago
FIPS compliant?
gspr•17m ago
Rustls still outsources cryptographic primitives. I believe the currently supported providers of those are… drumroll… AWS-LC and Ring. The latter is a fork of BoringSSL. The article describes AWS-LC and BoringSSL as "Googled and Amazoned to death; they don't care about anyone but their own use cases".

The state of things sucks :-(

meinersbur•50m ago
This is the WolfSSL maintainer's response[1]

> This ticket is rather long and has a lot of irrelevant content regarding this new topic. If I need to bring in a colleague I do not want them to have to wade through all the irrelevant context. If you would like, please open a new issue with regards to how we support middlebox compatibility.

The author turns this into:

> The GitHub issue comment left at the end leads me to believe that they aren't really interested in RFC compliance. There isn't a middleground here or a "different way" of implementing middlebox compatibility. It's either RFC compliant or not. And they're not.

This is a bad-faith interpretation of the maintainer's response. They only asked to open a new, more specific issue report. The maintainer always answered within minutes, which I find quite impressive (even after the author ghosted for months). The author consumed the maintainer's time and shouldn't get the blame for the author's problems.

[1]: https://github.com/wolfSSL/wolfssl/issues/9156

reanimus•39m ago
I don't know, I don't think it's really a huge waste of time considering I just read the entire comment thread in a handful of minutes. And beyond that, failing to comply with RFC requirements is the bug here -- a workaround existing for a specific language isn't a fix.
deng•35m ago
Again: the maintainer does not say there is no bug. He says: please open a new issue, with a proper title and description for the actual underlying problem. Is that seriously too much to ask? Instead, the guy writes a whole blog post shitting on the project. Does anyone still wonder why people burn out on maintaining FOSS projects?
halapro•8m ago
Not great behavior I agree, but what else is there to say other than "it does not match the spec at point 1.2.3"?
hypeatei•4m ago
The maintainer should just open a new issue for RFC compliance himself since that's a pretty big issue and he obviously thinks OP spams too much.

This game of stalling / obfuscating via the issue tracker gets very old.

dieulot•30m ago
Regarding HAProxy, they ended up using AWS-LC in their new Debian/Ubuntu “performance” packages: https://www.haproxy.com/blog/fresh-from-aws-reinvent-superch...
stabbles•25m ago
Many people and projects have tried to ditch OpenSSL in favor of LibreSSL, WolfSSL, MbedTLS, etc, but by now many have returned to OpenSSL. The IQ curve meme with "just use OpenSSL" applies.
germandiago•19m ago
Usability-wise (I do not need many features or compliance for FIPS) I have been happy with Botan: https://botan.randombit.net/
