BearSSL: still viable or time for a replacement?

BearSSL’s latest official release, version 0.6, was released on August 14, 2018 (6y ago). Since then, there have been no new releases. According to the project’s repository, activity appears minimal, with only a couple of commits per year.

Should this be a cause for concern? Given the lack of recent updates and the low level of activity, it seems that BearSSL is no longer actively maintained. This raises the question: should we consider alternative SSL/TLS libraries that are actively supported?

Using an outdated library comes with risks and limitations, such as potential security vulnerabilities due to the lack of updates, as well as compatibility issues with modern protocols and evolving cryptographic standards.

In fact, the reason for this inquiry stems from my work with nim-quic and ngtcp2. While evaluating the feasibility of using BearSSL as the TLS backend for ngtcp2, I found that BearSSL lacks support for TLS 1.3. This limitation, combined with its apparent stagnation, makes me wonder whether it’s time to explore other options. Additionally, it’s worth discussing the key factors that should be considered when selecting a replacement.

Would love to hear thoughts on this—are there viable alternatives that offer similar lightweight performance while maintaining active development?