Skip Menu |
 

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 127882
Status: rejected
Priority: 0/
Queue: Net-SSLeay

People
Owner: Nobody in particular
Requestors: RURBAN [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Prefer a secure ssl library over openssl
Download (untitled) / with headers
text/plain 227b
See http://cat.eyalro.net/ of a sidechannel attack on RSA 2048 against most ssl libs, just not BearSSL and BoringSSL. BearSSL has a bit different API, but at least probing for BoringSSL would fix most problems. -- Reini Urban
Download (untitled) / with headers
text/plain 1.1k
On Sat Dec 01 20:35:21 2018, RURBAN wrote: Show quoted text
> See http://cat.eyalro.net/ of a sidechannel attack on RSA 2048 against > most ssl libs, just not BearSSL and BoringSSL. > BearSSL has a bit different API, but at least probing for BoringSSL > would fix most problems.
I'm afraid this isn't going to happen: Net-SSLeay is a thin Perl wrapper around libssl and libcrypto, and BoringSSL has no commitment to maintaining libssl/libcrypto API compatibility. For this to work in a way that would be transparent to users of Net-SSLeay, we'd need to assume the burden of maintaining that API compatibility ourselves, which we're not prepared to do (and would be fraught with security risks of its own even if we were). Also note that Google actively advises the public not to use BoringSSL. From [1]: Show quoted text
> BoringSSL is a fork of OpenSSL that is designed to meet Google's needs. > > Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
[1] https://boringssl.googlesource.com/boringssl/


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.