To begin with, BoringSSL is a fork of OpenSSL created by Google. However, BoringSSL does not guarantee API or ABI stability for code that uses it. Google will continue to submit bug fixes to OpenSSL and to support the Core Infrastructure Initiative and the OpenBSD Foundation. Google has applied over 70 patches to OpenSSL, some of which have been accepted and merged into the main OpenSSL library, but most have not. As Android, Chrome, and other projects started requiring subsets of these patches, the situation became increasingly complex, and it took too much effort to ensure that all patches worked properly across the different code repositories. Therefore, Google decided to fork OpenSSL.
In summary, the advantages of BoringSSL are that it is compatible with OpenSSL and has fixed many bugs that OpenSSL cannot fix. However, the disadvantage is that BoringSSL is only designed for TLS and HTTPS, and some OpenSSL switches are disabled by default. For other purposes, it is still recommended to use OpenSSL.
Replacing OpenSSL with BoringSSL in Nginx is similar to replacing it with LibreSSL. Manual compilation can be complicated, as it requires patching the code before compilation. Here is a pre-implemented compilation script for reference:
GitHub @ajhaydock https://github.com/ajhaydock/BoringNginx
Implementation script:
git clone https://github.com/limccn/BoringNginx.git
cd BoringNginx/1.10.0/
Execute compilation:
./build-debian.sh
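A post-build check, added here as an example and not part of the BoringNginx scripts: it classifies the TLS library that `nginx -V` reports, so you can confirm the binary really links BoringSSL. The path to the built binary and the sample `nginx -V` lines are assumptions (the samples are constructed); BoringSSL identifies itself with an OpenSSL-compatible version string, so it must be matched before plain OpenSSL.

```shell
#!/bin/sh
# Added example: identify the TLS library an nginx binary was built with.

# Read `nginx -V` output on stdin and print one of:
#   boringssl | libressl | openssl | none
tls_library_of() {
    # nginx prints one "built with <library version text>" line when SSL is compiled in.
    built_line=$(grep -i '^built with ' | head -n 1) || true
    case "$built_line" in
        # Order matters: the BoringSSL string also contains "OpenSSL".
        *BoringSSL*) echo boringssl ;;
        *LibreSSL*)  echo libressl ;;
        *OpenSSL*)   echo openssl ;;
        *)           echo none ;;
    esac
}

# Return 0 only if the nginx binary given as $1 reports BoringSSL.
# `nginx -V` writes to stderr, hence the 2>&1.
check_nginx_tls() {
    lib=$("$1" -V 2>&1 | tls_library_of)
    [ "$lib" = boringssl ] && return 0
    echo "expected BoringSSL, found: $lib" >&2
    return 1
}

# Constructed sample outputs (not captured from a real build).
SAMPLE_BORING='nginx version: nginx/1.10.0
built with OpenSSL 1.0.2 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled'
SAMPLE_OPENSSL='nginx version: nginx/1.10.0
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled'
SAMPLE_LIBRE='nginx version: nginx/1.10.0
built with LibreSSL 2.3.4
TLS SNI support enabled'
SAMPLE_NOSSL='nginx version: nginx/1.10.0
configure arguments: --without-http_rewrite_module'

for sample in "$SAMPLE_BORING" "$SAMPLE_OPENSSL" "$SAMPLE_LIBRE" "$SAMPLE_NOSSL"; do
    printf '%s\n' "$sample" | tls_library_of
done
```

After the build, run `check_nginx_tls /path/to/nginx` against the binary the script produced (the path is a placeholder).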
For further reference, please visit: https://imququ.com/post/optimize-ssl-ciphers-with-boringssl.html