mandated by support reasons, at least 3.1 recovers a small fraction of this
important loss.
-Three OpenSSL derivatives called LibreSSL, BoringSSL and QUICTLS are reported
-to work as well. While there are some efforts from the community to ensure they
-work well, OpenSSL remains the primary target and this means that in case of
-conflicting choices, OpenSSL support will be favored over other options. Note
-that QUIC is not fully supported when haproxy is built with OpenSSL. In this
-case, QUICTLS is the preferred alternative. As of writing this, the QuicTLS
-project follows OpenSSL very closely and provides update simultaneously, but
-being a volunteer-driven project, its long-term future does not look certain
-enough to convince operating systems to package it, so it needs to be build
-locally. See the section about QUIC in this document.
+Four OpenSSL derivatives called LibreSSL, BoringSSL, QUICTLS, and AWS-LC are
+reported to work as well. While there are some efforts from the community to
+ensure they work well, OpenSSL remains the primary target and this means that
+in case of conflicting choices, OpenSSL support will be favored over other
+options. Note that QUIC is not fully supported when haproxy is built with
+OpenSSL. In this case, QUICTLS is the preferred alternative. As of writing
+this, the QuicTLS project follows OpenSSL very closely and provides update
+simultaneously, but being a volunteer-driven project, its long-term future does
+not look certain enough to convince operating systems to package it, so it
+needs to be build locally. See the section about QUIC in this document.
A fifth option is wolfSSL (https://github.com/wolfSSL/wolfssl). It is the only
supported alternative stack not based on OpenSSL, yet which implements almost
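Review bot: the unchanged context line "A fifth option is wolfSSL" no longer adds up once the list above grows to four OpenSSL derivatives (OpenSSL plus LibreSSL, BoringSSL, QUICTLS and AWS-LC make five), so wolfSSL should become "A sixth option" in the same change. While this paragraph is being rewritten anyway, also fix the two carried-over typos in the added lines: "provides update simultaneously" should read "provides updates simultaneously" and "needs to be build locally" should read "needs to be built locally". It would also help to say whether the QUIC caveat ("QUICTLS is the preferred alternative") still holds now that AWS-LC is listed, since the reader is otherwise left to guess which of the four derivatives support QUIC.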
USE_OPENSSL=1 SSL_INC=/opt/ssl-1.1.1/include SSL_LIB=/opt/ssl-1.1.1/lib
To use HAProxy with WolfSSL, WolfSSL must be built with haproxy support, at
-least WolfSSL 5.6.0 is needed, but a development version migh be needed for
+least WolfSSL 5.6.0 is needed, but a development version might be needed for
some of the features:
$ cd ~/build/wolfssl
$ make -j $(nproc) TARGET=generic USE_OPENSSL_WOLFSSL=1 USE_QUIC=1 \
SSL_INC=/opt/wolfssl-5.6.0/include SSL_LIB=/opt/wolfssl-5.6.0/lib
+To use HAProxy with AWS-LC you must have version v1.13.0 or newer of AWS-LC
+built and installed locally.
+ $ cd ~/build/aws-lc
+ $ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/opt/aws-lc
+ $ make -j $(nproc)
+ $ make install
+
+Building HAProxy with AWS-LC requires you to enable AWS-LC support, and specify
+the path it was installed to when running make for HAPRoxy.
+
+ $ cd ~/build/haproxy
+ $ make -j $(nproc) TARGET=generic USE_OPENSSL_AWSLC=1 \
+ SSL_INC=/opt/aws-lc/include SSL_LIB=/opt/aws-lc/lib
+
In order to link OpenSSL statically against HAProxy, first download OpenSSL
from https://www.openssl.org/ then build it with the "no-shared" keyword and
install it to a local directory, so your system is not affected :
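Review bot: the cmake invocation in the new AWS-LC block names neither a source nor a build directory, so it relies on how the installed cmake treats a missing path argument and, when it does configure, produces an in-source build; make both explicit, e.g. `$ cmake -B build -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/opt/aws-lc` followed by `$ make -C build -j $(nproc)` and `$ make -C build install`, keeping the /opt/aws-lc prefix that the SSL_INC/SSL_LIB lines below depend on. Also "HAPRoxy" in "when running make for HAPRoxy" should be "HAProxy", and since `make install` writes under /opt it normally needs root, which the `$` prompt hides; the static OpenSSL paragraph right after this block already stresses installing "to a local directory, so your system is not affected", so the AWS-LC steps should be consistent with that advice.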
# USE_CRYPT_H : set it if your system requires including crypt.h
# USE_GETADDRINFO : use getaddrinfo() to resolve IPv6 host names.
# USE_OPENSSL : enable use of OpenSSL. Recommended, but see below.
+# USE_OPENSSL_AWSLC : enable use of AWS-LC
# USE_OPENSSL_WOLFSSL : enable use of wolfSSL with the OpenSSL API
# USE_QUIC : enable use of QUIC with the quictls API (quictls, libressl, boringssl)
# USE_QUIC_OPENSSL_COMPAT : enable use of QUIC with the standard openssl API (limited features)
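Review bot: the new USE_OPENSSL_AWSLC comment should say the same thing the wolfSSL line does, i.e. "enable use of AWS-LC with the OpenSSL API", since it sits among the OpenSSL-API variants and the Makefile block added further down treats it as one (setting it implies USE_OPENSSL). Relatedly, the USE_QUIC comment still enumerates "(quictls, libressl, boringssl)"; if QUIC is usable with AWS-LC it belongs in that list, and if it is not, the INSTALL text should say so rather than leaving the two documents inconsistent.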
USE_THREAD USE_PTHREAD_EMULATION USE_BACKTRACE \
USE_TPROXY USE_LINUX_TPROXY USE_LINUX_CAP \
USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H USE_ENGINE \
- USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_SSL USE_LUA \
- USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY \
- USE_TFO USE_NS USE_DL USE_RT USE_LIBATOMIC USE_MATH \
- USE_DEVICEATLAS USE_51DEGREES \
+ USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_OPENSSL_AWSLC \
+ USE_SSL USE_LUA USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ \
+ USE_CPU_AFFINITY USE_TFO USE_NS USE_DL USE_RT USE_LIBATOMIC \
+ USE_MATH USE_DEVICEATLAS USE_51DEGREES \
USE_WURFL USE_SYSTEMD USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL \
USE_THREAD_DUMP USE_EVPORTS USE_OT USE_QUIC USE_PROMEX \
USE_MEMORY_PROFILING USE_SHM_OPEN \
USE_OPENSSL := $(if $(USE_OPENSSL),$(USE_OPENSSL),implicit)
endif
+# This is for the AWS-LC variant of the OpenSSL API. Setting it implies
+# OPENSSL so it's not necessary to set the latter.
+ifneq ($(USE_OPENSSL_AWSLC),)
+ # always automatically set USE_OPENSSL
+ USE_OPENSSL := $(if $(USE_OPENSSL),$(USE_OPENSSL),implicit)
+endif
+
# This is for any variant of the OpenSSL API. By default it uses OpenSSL.
ifneq ($(USE_OPENSSL),)
# only preset these for the regular openssl
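Review bot: the new ifneq block, like the one ending just above it, only promotes USE_OPENSSL to "implicit"; nothing rejects a build that sets both USE_OPENSSL_WOLFSSL and USE_OPENSSL_AWSLC, even though they select incompatible stacks behind the same SSL_INC/SSL_LIB and the later "regular openssl" presets would then apply to whichever variant happens to win. Add a guard such as `ifneq ($(and $(USE_OPENSSL_WOLFSSL),$(USE_OPENSSL_AWSLC)),)` with `$(error USE_OPENSSL_WOLFSSL and USE_OPENSSL_AWSLC are mutually exclusive)`, or at least document in INSTALL that the USE_OPENSSL_* variants are mutually exclusive. The comment "Setting it implies OPENSSL" should also read "implies USE_OPENSSL" to name the variable it actually sets.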