Hi @wlallemand
Thank you for bringing this to our attention. I think we need to do some internal discussion. For example, not sure how this would affect our internal testing infrastructure. Please stay tuned.
Warm regards, Anthony

Hello @wlallemand ,

So I don't want to split hairs here, but the default configuration is

./configure

So, when a distribution uses --enable-distro they are already no longer doing the "defualt". They are also going to need to add a prefix as well. Would it be too much to ask them to also add --enable-haproxy and/or --enable-quic if they want it?

Respectfully, Anthony

I get your point, but distribution maintainers tend to minimize the build option they use, because they want to use what is recommended by the project. For HAProxy packages in ubuntu/debian we had to set some options by default directly in the project because it didn't make sense for the packagers to add options that diverged from the default build.

I don't know why they are building with --enable-distro but from what I'm reading in the documentation it "Enable wolfSSL distro build." so we can presume that is supposed to be used for packaging in distributions? Maybe I misunderstand but that what I thought.

If you have to add every single build option of wolfssl in the package build script it's quickly unmaintainable. The build options of WolfSSL are complex and it's difficult to chose them without being an expert on the subject.

The packages in a distribution are kind of a storefront, it's better to put shiny features so people can see them! The QUIC feature is a major asset compared to openssl which doesn't include the feature for example.

If you don't activate a maximum of options in the distribution, the package is pretty useless in a lot of cases and people would still have to maintain their wolfssl build. It would be beneficial for the wolfSSL project to have a maximum of features activated in major distributions, so projects that want to use it only have to link with it. Nobody wants to maintain an SSL package in addition to their project. When you want to provide 3rd party packages, you try to only package your project and rely on the distribution for the dependencies.

Hi @wlallemand ,

you make eloquent arguments and I don't disagree with any of your points at all.

... they want to use what is recommended by the project.

I fully agree. As such, I as a single developer, a member of a wider organization, need to go back to my team to see if we actually do recommend these settings. please allow me some time to organize some internal communications. You will hear back from me early next we here.

Warm regards, Anthony

I know that changing default options could be challenging from an organization point of view, thanks for taking the time to handle this!

Regards,

Now that #6841 has gone into master, I've checked and

./configure --enable-distro --enable-haproxy --enable-quic
make clean all check

...no longer fails.
I will now proceed to make --enable-distro pull in --enable-haproxy and --enable-quic
Please stay tuned.

Thanks for the feedback! By the way, the next ubuntu LTS will be frozen at the end of february 2024. It would be great if a new release is done with that before this date, so the package could be updated, or we would be stuck for another 2 years without this unfortunately :/

Hi @wlallemand ,

Can you provide some sort of assurance that if this work is completed soon, Ubuntu will take wolfssl?

WolfSSL is already packaged in ubuntu https://packages.ubuntu.com/search?searchon=sourcenames&keywords=wolfssl . However it's not up to date with the 5.6.4 version. I'm not part of the ubuntu project and can't guarantee they will pick this version unfortunately. It's possible that it is already too late :/

It looks like the 5.6.4 version is already in debian experimental, but not in debian sid, that's probably the reason why it's not there yet.

https://packages.debian.org/search?keywords=wolfssl&searchon=names&suite=all&section=all

It looks like 5.6.4 landed in the next ubuntu and debian:

• https://packages.ubuntu.com/source/noble/wolfssl
• https://packages.debian.org/sid/libwolfssl-dev

Well, this is great news!! Thank you for letting us know @wlallemand

@wlallemand ,

if you look at our latest on master, --enable-distro now brings in QUIC, but not HAPROXY. This is due to HAPROXY needing secure renegotiation. We don't feel --enable-distro should enable secure renegotiation.

Let me know if this makes sense to you.

Warm regards, Anthony

I don't see any reason for this to be needed by haproxy by default, we even set SSL_OP_NO_RENEGOTIATION in the SSL_CTX initilization with OpenSSL. And It's really not something which is recommended by default indeed.

@anhu could the secure renegociation be disabled in --enable-haproxy so we can have haproxy by default?

An interesting proposal. You're saying for HAPROXY, we can leave secure renegotiation disabled. Please stay tuned. I will have a chat with my colleagues.

Hello, Any update on this?