---
title: "Using BoringSSL"
date: 2022-10-30T13:10:29-07:00
replyURI: "https://lobste.rs/s/9eas9d/you_should_prepare_for_openssl_3_x_secvuln#c_sk5f3v"
replyTitle: "“BoringSSL…is not intended for general use”"
replyType: "Comment"
replyAuthor: "AJ Jordan"
replyAuthorURI: "https://strugee.net/"
syndicatedCopies:
  - title: 'The Fediverse'
    url: 'https://pleroma.envs.net/notice/AUjf1wCr0xk0yCVpKK'
  - title: 'Lobsters'
    url: 'https://lobste.rs/s/9eas9d/you_should_prepare_for_openssl_3_x_secvuln#c_lreowa'
---
Despite BoringSSL's "not intended for general use" warning, it's used by many projects:
- The "ring" Rust crate's crypto primitives (used by Rustls)
- Cloudflare: used everywhere, including Quiche.
- Apple's Secure Transport (it's in both major mobile OSes!)
- Optionally: Nginx, libcurl
- <ins datetime="2023-04-24">(Update <time>2023-04-24</time>) [Apple's SwiftNIO SSL](https://github.com/apple/swift-nio-ssl)</ins>
- <ins datetime="2023-04-24">(Update <time>2023-04-24</time>) [AWS libcrypto](https://github.com/aws/aws-lc) is based on BoringSSL</ins>
- <ins datetime="2023-05-26">(Update <time>2023-05-26</time>) the Envoy proxy [uses BoringSSL](https://www.envoyproxy.io/docs/envoy/latest/faq/build/boringssl)</ins>

I use nginx-quic with BoringSSL without issue, although I did have to use [a separate script](https://github.com/tomwassenberg/certbot-ocsp-fetcher) to manage the OCSP cache. The script manages the cache better than Nginx ever did, so I recommend it; it should be trivial to switch it from OpenSSL to LibreSSL.