David Benjamin 6965d25602 Work around a JDK 11 TLS 1.3 bug. JDK 11 shipped with a TLS 1.3 implementation enabled by default. Unfortunately, that implementation does not work and fails to send the SNI extension on resumption. See https://bugs.openjdk.java.net/browse/JDK-8211806. This means servers which enable TLS 1.3 will see JDK 11 clients work on the first connection and then fail on all subsequent connections. Add SSL_set_jdk11_workaround which configures a workaround to fingerprint JDK 11 and disable TLS 1.3 with the faulty clients. JDK 11 also implemented the downgrade signal, which means that connections that trigger the workaround also must not send the downgrade signal. Unfortunately, the downgrade signal's security properties are sensitive to the existence of any unmarked TLS 1.2 ServerHello paths. To salvage this, pick a new random downgrade marker for this scenario and modify the client to treat it as an alias of the standard one. Per the link above, JDK 11.0.2 will fix this bug. Hopefully the workaround can be retired sometime after it is released. Change-Id: I0627609a8cadf7cc214073eb7f1e880acdf613ef Reviewed-on: https://boringssl-review.googlesource.com/c/33284 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>		6 years ago
.github	Add a PULL_REQUEST_TEMPLATE.	8 years ago
crypto	Move ARM cpuinfo functions to the header.	6 years ago
decrepit	Undo recent changes to \|X509V3_EXT_conf_nid\|.	6 years ago
fipstools	Support symbol prefixes	6 years ago
fuzz	Refresh fuzzer corpora for changes to split-handshake serialization.	6 years ago
include/openssl	Work around a JDK 11 TLS 1.3 bug.	6 years ago
infra/config	No longer set CQ-Verified label on CQ success/failure.	6 years ago
ssl	Work around a JDK 11 TLS 1.3 bug.	6 years ago
third_party	Modernize OPENSSL_COMPILE_ASSERT, part 2.	6 years ago
tool	Work around a JDK 11 TLS 1.3 bug.	6 years ago
util	Move JSON test results code into a common module.	6 years ago
.clang-format	Import `newhope' (post-quantum key exchange).	8 years ago
.gitignore	Update tools.	6 years ago
API-CONVENTIONS.md	Clarify "reference" and fix typo.	6 years ago
BREAKING-CHANGES.md	Add some notes on how to handle breaking changes.	6 years ago
BUILDING.md	Switch docs to recommending NASM.	6 years ago
CMakeLists.txt	Support assembly building for arm64e architecture.	6 years ago
CONTRIBUTING.md	Add a CONTRIBUTING.md file.	8 years ago
FUZZING.md	Switch to Clang 6.0's fuzzer support.	6 years ago
INCORPORATING.md	Update URL for GN quick start guide.	6 years ago
LICENSE	Note licenses for support code in the top-level LICENSE file.	6 years ago
PORTING.md	Remove reference to SSL3 in PORTING.md.	6 years ago
README.md	Add some notes on how to handle breaking changes.	6 years ago
STYLE.md	Fix some style guide samples.	7 years ago
codereview.settings	Comment change in codereview.settings	6 years ago
go.mod	Set up Go modules.	6 years ago
sources.cmake	Add new curve/hash ECDSA combinations from Wycheproof.	6 years ago

README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google’s needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don’t recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google’s product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it’s not part of the NDK) and a number of other apps/programs.

There are other files in this directory which might be helpful:

PORTING.md: how to port OpenSSL-using code to BoringSSL.
BUILDING.md: how to build BoringSSL
INCORPORATING.md: how to incorporate BoringSSL into a project.
API-CONVENTIONS.md: general API conventions for BoringSSL consumers and developers.
STYLE.md: rules and guidelines for coding style.
include/openssl: public headers with API documentation in comments. Also available online.
FUZZING.md: information about fuzzing BoringSSL.
CONTRIBUTING.md: how to contribute to BoringSSL.
BREAKING-CHANGES.md: notes on potentially-breaking changes.