> BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
> Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
As a final note we’d like to thank the BoringSSL developers for the great work they poured into the project and for the help they provided us along the way.
Seems like they are working pretty close together and got something out of the deal as well.
Interesting, I would think it would be easier to use LibreSSL for this since the OpenBSD folks are so conservative that the modern APIs are likely to be stable. Maybe they want to use more of the legacy APIs that the OpenBSD folks are excising?
Why are we still calling it SSL? It's like saying Telnet whenever you refer to SSH.
Also: it seems like there's no release or commit signing, unless I missed it? So couldn't you just compromise one user, or commit bot, or git repo location, and basically own all TLS that Cloudflare uses, effectively owning like half of the internet?
9 comments
[ 1.8 ms ] story [ 30.4 ms ] threadThey now have out of the box some features they maintained themselves, and have a more stable and maintainable stack.
https://boringssl.googlesource.com/boringssl/
> BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
> Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Seems like they are working pretty close together and got something out of the deal as well.
Also: it seems like there's no release or commit signing, unless I missed it? So couldn't you just compromise one user, or commit bot, or git repo location, and basically own all TLS that Cloudflare uses, effectively owning like half of the internet?