7

There are plenty of comparisons, but most of them are for older versions of OpenSSL. Apparently OpenSSL fixed a lot of infamous vulnerabilities, and cleaned up the code and the build process.

As of today (OpenSSL 1.1.1d), how does OpenSSL compare to BoringSSL? Would you move from BoringSSL to OpenSSL?

user
  • 626
  • 6
  • 11
Rahul
  • 171
  • 3
  • Is Google actually using BoringSSL? LibreSSL devs (OpenBSD) are actually serious about using theirs, so they switched to it for their OS. – user Sep 17 '19 at 17:34
  • 1
    @user: BoringSSL is the SSL stack of Android and of Chrome browser. – Steffen Ullrich Sep 17 '19 at 18:07
  • @SteffenUllrich Nice. I've updated my answer with that information. I'm used to large companies releasing some nice technology and just letting it die (Microsoft mostly). – user Sep 17 '19 at 18:10

1 Answers1

5

According to Google's own source code repository, BoringSSL is not intended for general use and the programming interface is not stable. They are, however, using it for both Android and the Chrome browser. I personally would not use it in my own products because the interfaces are not stable. Cloudflare seems to be using it, but they have more resources to dedicate to updating to new APIs when BoringSSL updates than I do.

user
  • 626
  • 6
  • 11