diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2c46b936c..b25057dd6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -152,7 +152,7 @@ jobs:
             - false
           library:
             - name: boringssl
-              version: e6489902b7fb692875341b8ab5e57f0515f47bc1
+              version: 2db0eb3f96a5756298dcd7f9319e56a98585bd10
             - name: openssl
               version: vendored
             - name: openssl
@@ -277,7 +277,7 @@ jobs:
               ;;
             "i686-unknown-linux-gnu")
               OS_COMPILER=linux-elf
-              OS_FLAGS=-m32
+              OS_FLAGS="-m32 -msse2"
               ;;
             "arm-unknown-linux-gnueabihf")
               OS_COMPILER=linux-armv4
diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs
index 606acc35c..70a7a14e0 100644
--- a/openssl-sys/build/main.rs
+++ b/openssl-sys/build/main.rs
@@ -132,6 +132,34 @@ fn main() {
         println!("cargo:rustc-link-lib={}={}", kind, lib);
     }
 
+    // libssl in BoringSSL requires the C++ runtime, and static libraries do
+    // not carry dependency information. On unix-like platforms, the C++
+    // runtime and standard library are typically picked up by default via the
+    // C++ compiler, which has a platform-specific default. (See implementations
+    // of `GetDefaultCXXStdlibType` in Clang.) Builds may also choose to
+    // override this and specify their own with `-nostdinc++` and `-nostdlib++`
+    // flags. Some compilers also provide options like `-stdlib=libc++`.
+    //
+    // Typically, such information is carried all the way up the build graph,
+    // but Cargo is not an integrated cross-language build system, so it cannot
+    // safely handle any of these situations. As a result, we need to make
+    // guesses. Getting this wrong may result in symbol conflicts and memory
+    // errors, but this unsafety is inherent to driving builds with
+    // externally-built libraries using Cargo.
+    //
+    // For now, we guess that the build was made with the defaults. This too is
+    // difficult because Rust does not expose this information from Clang, but
+    // try to match the behavior for common platforms. For a more robust option,
+    // this likely needs to be deferred to the caller with an environment
+    // variable.
+    if version == Version::Boringssl && kind == "static" && env::var("CARGO_CFG_UNIX").is_ok() {
+        let cpp_lib = match env::var("CARGO_CFG_TARGET_OS").unwrap().as_ref() {
+            "macos" => "c++",
+            _ => "stdc++",
+        };
+        println!("cargo:rustc-link-lib={}", cpp_lib);
+    }
+
     // https://github.com/openssl/openssl/pull/15086
     if version == Version::Openssl3xx
         && kind == "static"
diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs
index ae61a2ad3..25c2da012 100644
--- a/openssl/src/x509/tests.rs
+++ b/openssl/src/x509/tests.rs
@@ -944,7 +944,7 @@ fn test_verify_param_set_depth_fails_verification() {
     store_bldr.add_cert(ca).unwrap();
     let mut verify_params = X509VerifyParam::new().unwrap();
     // OpenSSL 1.1.0+ considers the root certificate to not be part of the chain, while 1.0.2 and LibreSSL do
-    let expected_depth = if cfg!(any(ossl110)) { 0 } else { 1 };
+    let expected_depth = if cfg!(any(ossl110, boringssl)) { 0 } else { 1 };
     verify_params.set_depth(expected_depth);
     store_bldr.set_param(&verify_params).unwrap();
     let store = store_bldr.build();