David Benjamin 6965d25602 Work around a JDK 11 TLS 1.3 bug. JDK 11 shipped with a TLS 1.3 implementation enabled by default. Unfortunately, that implementation does not work and fails to send the SNI extension on resumption. See https://bugs.openjdk.java.net/browse/JDK-8211806. This means servers which enable TLS 1.3 will see JDK 11 clients work on the first connection and then fail on all subsequent connections. Add SSL_set_jdk11_workaround which configures a workaround to fingerprint JDK 11 and disable TLS 1.3 with the faulty clients. JDK 11 also implemented the downgrade signal, which means that connections that trigger the workaround also must not send the downgrade signal. Unfortunately, the downgrade signal's security properties are sensitive to the existence of any unmarked TLS 1.2 ServerHello paths. To salvage this, pick a new random downgrade marker for this scenario and modify the client to treat it as an alias of the standard one. Per the link above, JDK 11.0.2 will fix this bug. Hopefully the workaround can be retired sometime after it is released. Change-Id: I0627609a8cadf7cc214073eb7f1e880acdf613ef Reviewed-on: https://boringssl-review.googlesource.com/c/33284 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>		6 年之前
.github	Add a PULL_REQUEST_TEMPLATE.	8 年之前
crypto	Move ARM cpuinfo functions to the header.	6 年之前
decrepit	Undo recent changes to \|X509V3_EXT_conf_nid\|.	6 年之前
fipstools	Support symbol prefixes	6 年之前
fuzz	Refresh fuzzer corpora for changes to split-handshake serialization.	6 年之前
include/openssl	Work around a JDK 11 TLS 1.3 bug.	6 年之前
infra/config	No longer set CQ-Verified label on CQ success/failure.	6 年之前
ssl	Work around a JDK 11 TLS 1.3 bug.	6 年之前
third_party	Modernize OPENSSL_COMPILE_ASSERT, part 2.	6 年之前
tool	Work around a JDK 11 TLS 1.3 bug.	6 年之前
util	Move JSON test results code into a common module.	6 年之前
.clang-format	Import `newhope' (post-quantum key exchange).	8 年之前
.gitignore	Update tools.	6 年之前
API-CONVENTIONS.md	Clarify "reference" and fix typo.	6 年之前
BREAKING-CHANGES.md	Add some notes on how to handle breaking changes.	6 年之前
BUILDING.md	Switch docs to recommending NASM.	6 年之前
CMakeLists.txt	Support assembly building for arm64e architecture.	6 年之前
CONTRIBUTING.md	Add a CONTRIBUTING.md file.	8 年之前
FUZZING.md	Switch to Clang 6.0's fuzzer support.	6 年之前
INCORPORATING.md	Update URL for GN quick start guide.	6 年之前
LICENSE	Note licenses for support code in the top-level LICENSE file.	6 年之前
PORTING.md	Remove reference to SSL3 in PORTING.md.	6 年之前
README.md	Add some notes on how to handle breaking changes.	6 年之前
STYLE.md	Fix some style guide samples.	7 年之前
codereview.settings	Comment change in codereview.settings	6 年之前
go.mod	Set up Go modules.	6 年之前
sources.cmake	Add new curve/hash ECDSA combinations from Wycheproof.	6 年之前

README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google’s needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don’t recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google’s product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it’s not part of the NDK) and a number of other apps/programs.

There are other files in this directory which might be helpful:

PORTING.md: how to port OpenSSL-using code to BoringSSL.
BUILDING.md: how to build BoringSSL
INCORPORATING.md: how to incorporate BoringSSL into a project.
API-CONVENTIONS.md: general API conventions for BoringSSL consumers and developers.
STYLE.md: rules and guidelines for coding style.
include/openssl: public headers with API documentation in comments. Also available online.
FUZZING.md: information about fuzzing BoringSSL.
CONTRIBUTING.md: how to contribute to BoringSSL.
BREAKING-CHANGES.md: notes on potentially-breaking changes.