OpenSSL 1.1.0, BoringSSL, and CPython


Mohamed Koubaa

May 17, 2017, 3:35:55 PM
to grp...@googlegroups.com
Hello,

My organization is using gRPC primarily with C++, Python, and C#, and we have a few challenges related to SSL. We're under a restriction that we do not redistribute any third-party code that has any CVE. For this reason we cannot distribute OpenSSL 1.0.0 (we must use 1.1.0).

We were able to build gRPC against OpenSSL 1.1.0 on both Windows and Linux using the patch from this GitHub issue, although many tests fail. (Is there any version targeted to support this officially?)

Another option would be to use BoringSSL. AFAIK there are no CVEs against the version of BoringSSL that gRPC uses. However, this could be challenging because we use OpenSSL with Python for things other than gRPC. We won't be able to link both, so my question here is are there any known libraries/wrappers which use BoringSSL directly from CPython and are they swap-in replacements for the OpenSSL equivalent?

Thanks!
Mohamed Koubaa
Software Developer
ANSYS, Inc

Craig Tiller

May 17, 2017, 3:48:20 PM
to Mohamed Koubaa, grp...@googlegroups.com
I was under the impression that we do link BoringSSL (but don't export the symbols) with the CPython extension.

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+u...@googlegroups.com.
To post to this group, send email to grp...@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/CAJBOL5ttgWnFaq1G5y4ECon7Qe3yvvRE_gmmr-GscsD%2BX_xANQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Mohamed Koubaa

May 18, 2017, 11:32:50 AM
to Craig Tiller, grp...@googlegroups.com
Craig,

That's correct. I see that the CPython extension (at least as of gRPC v1.0.0) just compiles the source files of gRPC, Zlib, and BoringSSL. I suppose this isn't the list for the follow-up question about using BoringSSL from CPython without gRPC.

Thanks!
Mohamed Koubaa
Software Developer
ANSYS, Inc