Google takes OpenSSL and turns it into BoringSSL

Summary:The search giant has announced that it has created a fork of OpenSSL to service its needs for Chrome, Android, and its other products.

Google announced over the weekend that it had taken the OpenSSL codebase, and forked it to create a new project dubbed BoringSSL.

In the past, Google had taken OpenSSL and rebased its custom patches with each OpenSSL release, from now on though, its patches will be integrated into the base of BoringSSL, with OpenSSL updates ported over to the Google project.

"We have used a number of patches on top of OpenSSL for many years. Some of them have been accepted into the main OpenSSL repository, but many of them don’t mesh with OpenSSL's guarantee of API and ABI stability and many of them are a little too experimental," wrote Google senior software engineer, Adam Langley in a blog post.

With over 70 patches used across multiple platforms, Langley said that the effort involved to maintain them for Chrome and Android had become too much.

"We are not aiming to replace OpenSSL as an open-source project. We will still be sending them bug fixes when we find them and we will be importing changes from upstream."

Langley said that the new project does not mean that Google will be stepping away from its commitments to help fund OpenBSD or the Core Infrastructure Initiative .

OpenBSD created its own fork of OpenSSL, eventually named LibreSSL , earlier this year, and it would be possible for LibreSSL and BoringSSL projects to import each other's changes.

"We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed," said Langley.

OpenBSD founder and leader, Theo de Raadt, welcomed the creation of BoringSSL.

"Their priority is on safety, not on ABI compatibility. Just like us," said de Raadt. " Over time, I suspect Google's version will also become 'reduced API', since they require less legacy application support. That may give LibReSSL the opportunity to head in the same direction, if the applications are willing..."

de Raadt also said a portable version of LibreSSL that would work on Linux was close, and a few changes were needed to get it out the door.

"Please stop believing rumours that we've made it hard to port! The entire world went to POSIX, and that's all this code needs to support," he said.

Topics: Security, Google

About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.