On Sat Dec 01 20:35:21 2018, RURBAN wrote:
Show quoted text> See
http://cat.eyalro.net/ of a sidechannel attack on RSA 2048 against
> most ssl libs, just not BearSSL and BoringSSL.
> BearSSL has a bit different API, but at least probing for BoringSSL
> would fix most problems.
I'm afraid this isn't going to happen: Net-SSLeay is a thin Perl wrapper around libssl and libcrypto, and BoringSSL has no commitment to maintaining libssl/libcrypto API compatibility. For this to work in a way that would be transparent to users of Net-SSLeay, we'd need to assume the burden of maintaining that API compatibility ourselves, which we're not prepared to do (and would be fraught with security risks of its own even if we were).
Also note that Google actively advises the public not to use BoringSSL. From [1]:
Show quoted text> BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
>
> Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
[1]
https://boringssl.googlesource.com/boringssl/
