David Benjamin 6965d25602 Work around a JDK 11 TLS 1.3 bug. JDK 11 shipped with a TLS 1.3 implementation enabled by default. Unfortunately, that implementation does not work and fails to send the SNI extension on resumption. See https://bugs.openjdk.java.net/browse/JDK-8211806. This means servers which enable TLS 1.3 will see JDK 11 clients work on the first connection and then fail on all subsequent connections. Add SSL_set_jdk11_workaround which configures a workaround to fingerprint JDK 11 and disable TLS 1.3 with the faulty clients. JDK 11 also implemented the downgrade signal, which means that connections that trigger the workaround also must not send the downgrade signal. Unfortunately, the downgrade signal's security properties are sensitive to the existence of any unmarked TLS 1.2 ServerHello paths. To salvage this, pick a new random downgrade marker for this scenario and modify the client to treat it as an alias of the standard one. Per the link above, JDK 11.0.2 will fix this bug. Hopefully the workaround can be retired sometime after it is released. Change-Id: I0627609a8cadf7cc214073eb7f1e880acdf613ef Reviewed-on: https://boringssl-review.googlesource.com/c/33284 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>		před 6 roky
.github	Add a PULL_REQUEST_TEMPLATE.	před 8 roky
crypto	Move ARM cpuinfo functions to the header.	před 6 roky
decrepit	Undo recent changes to \|X509V3_EXT_conf_nid\|.	před 6 roky
fipstools	Support symbol prefixes	před 6 roky
fuzz	Refresh fuzzer corpora for changes to split-handshake serialization.	před 6 roky
include/openssl	Work around a JDK 11 TLS 1.3 bug.	před 6 roky
infra/config	No longer set CQ-Verified label on CQ success/failure.	před 6 roky
ssl	Work around a JDK 11 TLS 1.3 bug.	před 6 roky
third_party	Modernize OPENSSL_COMPILE_ASSERT, part 2.	před 6 roky
tool	Work around a JDK 11 TLS 1.3 bug.	před 6 roky
util	Move JSON test results code into a common module.	před 6 roky
.clang-format	Import `newhope' (post-quantum key exchange).	před 8 roky
.gitignore	Update tools.	před 6 roky
API-CONVENTIONS.md	Clarify "reference" and fix typo.	před 6 roky
BREAKING-CHANGES.md	Add some notes on how to handle breaking changes.	před 6 roky
BUILDING.md	Switch docs to recommending NASM.	před 6 roky
CMakeLists.txt	Support assembly building for arm64e architecture.	před 6 roky
CONTRIBUTING.md	Add a CONTRIBUTING.md file.	před 8 roky
FUZZING.md	Switch to Clang 6.0's fuzzer support.	před 6 roky
INCORPORATING.md	Update URL for GN quick start guide.	před 6 roky
LICENSE	Note licenses for support code in the top-level LICENSE file.	před 6 roky
PORTING.md	Remove reference to SSL3 in PORTING.md.	před 6 roky
README.md	Add some notes on how to handle breaking changes.	před 6 roky
STYLE.md	Fix some style guide samples.	před 7 roky
codereview.settings	Comment change in codereview.settings	před 6 roky
go.mod	Set up Go modules.	před 6 roky
sources.cmake	Add new curve/hash ECDSA combinations from Wycheproof.	před 6 roky

README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google’s needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don’t recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google’s product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it’s not part of the NDK) and a number of other apps/programs.

There are other files in this directory which might be helpful:

PORTING.md: how to port OpenSSL-using code to BoringSSL.
BUILDING.md: how to build BoringSSL
INCORPORATING.md: how to incorporate BoringSSL into a project.
API-CONVENTIONS.md: general API conventions for BoringSSL consumers and developers.
STYLE.md: rules and guidelines for coding style.
include/openssl: public headers with API documentation in comments. Also available online.
FUZZING.md: information about fuzzing BoringSSL.
CONTRIBUTING.md: how to contribute to BoringSSL.
BREAKING-CHANGES.md: notes on potentially-breaking changes.