
Make SSL boring again - hepha1979
https://blog.cloudflare.com/make-ssl-boring-again/
======
dfabulich
Why did Cloudflare choose BoringSSL over LibreSSL?

[https://boringssl.googlesource.com/boringssl/](https://boringssl.googlesource.com/boringssl/)

> _BoringSSL is a fork of OpenSSL that is designed to meet Google's needs._

> _Although BoringSSL is an open source project, it is not intended for
> general use, as OpenSSL is. We don't recommend that third parties depend
> upon it. Doing so is likely to be frustrating because there are no
> guarantees of API or ABI stability._

~~~
jgrahamc
Because after Heartbleed we started to look for a performant alternative to
OpenSSL that we felt would be safe for us to use.

~~~
dfabulich
But why not LibreSSL?

~~~
jgrahamc
LibreSSL doesn't provide the features of BoringSSL that we use, so it would
have required a huge amount of work to use.

------
cdancette
TLDR: Cloudflare switched from OpenSSL to the Google fork BoringSSL.

They now have out of the box some features they maintained themselves, and
have a more stable and maintainable stack.

~~~
gjjrfcbugxbhf
But they also seem to be supporting some features they previously had out of
the box?

------
peterwwillis
Why are we still calling it SSL? It's like saying Telnet whenever you refer to
SSH.

Also: it seems like there's no release or commit signing, unless I missed it?
So couldn't you just compromise one user, or commit bot, or git repo location,
and basically own all TLS that Cloudflare uses, effectively owning like half
of the internet?

