i am, incidentally, going to continue posting "the openssl maintainers are irresponsible" threads every time they do something irresponsible and its brought to my attention. squeaky wheels get grease, after all.
Conversation
gnutls isn’t good either, libressl is better but not awesome. boringssl is pretty good.
1
LibreSSL has higher quality code but has fallen far behind on development and hasn't done a completely overhaul of the project. BoringSSL is quite good but doesn't give people a stable API and expects them to keep up with the changes. Also not meant to satisfy everyone's needs.
1
Any chance of a solution? Perhaps stable releases of BoringSSL?
1
Part of the point of BoringSSL is that it can adapt to changes in the ecosystem by dropping obsolete cryptography, platforms, features, etc. along with regularly overhauling both the API and implementation. Easy to use if your project is well maintained with security resources.
1
The simplest way for a distro to use BoringSSL would be to use it in libcurl. Libcurl’s API and ABI hardly depend on the underlying TLS library.
1
could use it in its base system if it wished.
1
Most Android apps use BoringSSL because it's the backend for the Java standard library and the subset of Bouncy Castle provided by the OS. Those are stable APIs but legacy cryptography is deprecated and eventually removed. Apps and their services are expected to be maintained.
2
I do wish Android provided a decent NDK API for cryptography. JNI works for asymmetric crypto, but it is way too slow for symmetric crypto.
1
Apps can ship BoringSSL on their own but many apps don't keep their libraries properly updated. It can't be exposed by the OS because there isn't a stable API.
source.android.com/devices/archit could provide a stable API for the NDK but that's not currently within the scope of it.