Which SSL/TLS library is Cloudflare using?

[anotherjin]

I used the patch in sslconfig/patches for openssl-1.0.2, but I can't add Curve25519 So , which SSL/TLS library is Cloudflare using?

[draft1]

BoringSSL i think.

[hamjin]

But how do they use OCSP stapling and multi certs?

[injust]

@railjty I'm not sure about multi certs, but OCSP stapling was never removed in BoringSSL. The OCSP protocol was removed, but not stapling and parsing.

[hamjin]

Now where can I get the patch for boringssl?#78

[ymshenyu]

i think they are using openssl with equal cipher patch. you can get the patch at https://github.com/hakasenyang/openssl-patch @railjty

[injust]

@ymshenyu Incorrect, see https://github.com/cloudflare/sslconfig/issues/78#issuecomment-324434709. Cloudflare is using BoringSSL.

[ymshenyu]

ok , but boringssl ocsp stapling also need a patch and i am not recommend to use that patch. @injust

[hamjin]

@ymshenyu That page is incorrect

[hamjin]

Now I 'm using the openssl 1.1.1-pre2 with the patch at https://github.com/kn007/patch

[hakasenyang]

Hello.

@railjty, My patch is here. Please, READ ME.

I'm using OpenSSL-1.1.1-pre9-dev.

• Test testssl.sh : https://ssl.hakase.io/ssltest/hakase.io.html
• Test ssllabs : https://www.ssllabs.com/ssltest/analyze.html?d=hakase.io

[hamjin]

Tnanks a lot! It's very useful that add tls1.3 draft 23 back. And would someone add chacha20-poly1305-draft cipher back? Like BoringSSL branch 2987, it has both TLS1.3 Draft 18 and chacha20-poly1305-old(0xcc13 0xcx14 0xcc15)

[hakasenyang]

@railjty As I think, I no longer need a draft version of chacha20-poly1305. If you need it, consider BoringSSL.

[hamjin]

Now BoringSSL deleted it. So only old LibreSSL/BoringSSL and cloudflare's patch can add it

[ymshenyu]

@injust may i get cloudflare boringssl patch ?