
BoringSSL

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: BoringSSL
Developer: Google
Released: 20 June 2014
Programming language: C, C++, Assembly
Operating system: Cross-platform
Genre: Cryptographic library
License: ISC license
Website: https://boringssl.googlesource.com/boringssl/

BoringSSL is a fork of the OpenSSL cryptographic library, created and maintained by Google for internal use within its vast array of services and products. The project was initiated to provide a more streamlined, secure, and maintainable codebase tailored to Google's specific needs, diverging from OpenSSL's broader, general-purpose design. While it shares a common ancestry with OpenSSL, BoringSSL is not intended as a drop-in replacement and incorporates significant internal refactoring, the removal of legacy features, and the introduction of new APIs.

Overview

BoringSSL serves as the foundational cryptographic layer for numerous Google projects, including the Chrome web browser, the Android operating system, and various backend services on Google Cloud Platform. Its primary design philosophy emphasizes security, simplicity, and performance, often prioritizing these over strict backward compatibility with older software. The library is developed in the open, with its source code hosted on a public Git repository, allowing for external review and contributions, though Google's internal team drives the main development direction. This approach ensures the library meets the rigorous security demands of large-scale internet infrastructure.

History and development

The project was forked from OpenSSL in June 2014, shortly after the disclosure of the critical Heartbleed vulnerability, which highlighted issues with code complexity and maintenance in the upstream library. Google engineers, who had long maintained a substantial set of private patches to OpenSSL for use in products like Chrome OS, decided to consolidate these changes into a coherent, independent fork. Key initial developers included members of the Google Chrome security team. Development is conducted primarily by Google employees, with the codebase undergoing constant refinement to address new cryptographic standards, such as those from NIST, and to mitigate emerging threats like those discussed at conferences like Black Hat.

Features and design

A central design goal is the reduction of attack surface by aggressively removing support for obsolete protocols, algorithms, and configuration options, such as SSL 2.0, export-grade ciphers, and the RC4 stream cipher. It introduces new, safer APIs intended to prevent common developer errors in handling TLS connections and cryptographic primitives. The library includes implementations of modern cryptographic schemes like ChaCha20-Poly1305 and support for post-quantum cryptography experiments. Its build system and code structure are also simplified compared to its parent project, aiming to improve auditability and integration into large projects like the Chromium browser engine.

Relationship with OpenSSL

BoringSSL maintains a complex, symbiotic relationship with the upstream OpenSSL project. While it is a fork, Google engineers regularly contribute security fixes, performance improvements, and new feature implementations back to OpenSSL, with notable contributions to the QUIC transport protocol support. However, the codebases have diverged significantly in internal architecture and API design, making direct interoperability challenging. The ISRG, which oversees projects like Let's Encrypt, uses BoringSSL in some of its tooling. The relationship is governed by a practical need for interoperability on the web, rather than a goal of code reunification.

Usage and deployment

Beyond its extensive use within Google's ecosystem, BoringSSL is integrated into several other significant open-source projects. It forms the cryptographic core for the Caddy web server and is used in parts of the Envoy proxy framework. Some cloud computing providers and CDN services utilize it in their edge networking infrastructure. Due to its specialized nature and the fact it is not a drop-in replacement for OpenSSL, its adoption is generally limited to projects that can accommodate its specific API and are aligned with its philosophy of minimal, secure defaults.
