Hayden Roche wrote:
> Hi everyone,

Hi!

Sure, I've used wolfSSL before, I think it would be nice to have it as a first class option. I'm a bit leery of OpenSSL compatibility layers. LibreSSL tends to confuse all version number checks with theirs, so it's better to avoid that mess if possible.

> I'm a software engineer with wolfSSL, which is a fast, lightweight, and FIPS-certified TLS implementation written in C. wolfSSL offers an OpenSSL compatibility layer that presents the same API as OpenSSL, but under the hood, calls into wolfSSL and wolfCrypt (our crypto library) functions. One of our commercial users recently had us port OpenLDAP to use wolfSSL. With some modifications to the OpenSSL backend code (primarily in tls_o.c), I was able to get OpenLDAP 2.4.47 building and (to my knowledge) working with wolfSSL's OpenSSL compatibility layer. I recently reached out on your IRC channel to see if there was any interest in supporting wolfSSL as a TLS backend for OpenLDAP upstream and was directed to this mailing list (thanks JoBbZ). I was also pointed to this issue in your issue tracking system, where a developer (Quanah Gibson-Mount) expressed interest in using wolfSSL: https://bugs.openldap.org/show_bug.cgi?id=9303
>
> Is there still interest in getting wolfSSL working with OpenLDAP's latest version and integrated upstream? If so, I imagine we'd want to make wolfSSL a first class citizen among the TLS backends (i.e. rather than using our OpenSSL compatibility layer and modifying tls_o.c, use wolfSSL's native functions and create a new tls_w.c). Looking forward to hearing from you.
>
> Thanks!
> Hayden Roche