Compile gRPC gem against system OpenSSL
Currently the gRPC gem bundles its own SSL library (BoringSSL), which is not FIPS compliant.
We've proved out in #6435 that it's possible to patch the gRPC source code to build against the system OpenSSL. In fact, FreeBSD does this as well.
I've tried to upstream the changes in https://github.com/grpc/grpc/pull/27881, but the gRPC maintainers at this time don't seem to be that inclined to support linking against the system OpenSSL with the Ruby gem. However, it can be done easily for the C/C++ core from source via cmake. The Ruby build process is a bit more esoteric.
This leaves us with several options:
- Generate and install our own gem (see the work in gitlab-org/ruby/gems/grpc!1 (merged) and !5711 (closed)).
- Download the gRPC source with the version in `Gemfile.lock`, dynamically apply our patches, build the gem, and then install it before Rails gets to install it.
The second option is self-documenting and requires no extra dependencies, but it may be cumbersome and/or tricky to maintain since we have to be sure we're installing the right version of gRPC before `bundle install` does.
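As an added illustration of that second option (example code, not from this issue, gRPC or GitLab), the script below reads the grpc version pinned in `Gemfile.lock`, fetches that source gem, applies local patches, rebuilds the gem and installs it so that a later `bundle install` finds the required version already present. The patch directory (`patches/grpc/*.patch`, applied with `patch -p1`) is an assumption, as is the fact that the lockfile resolves to the plain source gem rather than a platform-specific precompiled one; in the latter case the installed gem's name/version/platform must still match what Bundler resolves, or Bundler will download its own copy anyway.

```shell
#!/bin/sh
# Added example for the "patch and build before bundle install" option.
# Not code from the issue, gRPC or GitLab. Assumptions (hypothetical):
#   - local patches live in patches/grpc/*.patch and apply with `patch -p1`
#   - the source gem grpc-<version>.gem is what Gemfile.lock resolves to; a
#     platform-specific entry such as "grpc (x.y.z-x86_64-linux)" would need
#     the platform suffix handled as well
set -eu

# Print the grpc version pinned in a Gemfile.lock. Only the 4-space-indented
# spec line "    grpc (x.y.z)" matches; dependency lines such as
# "      grpc (~> 1.0)" are indented deeper and carry no exact version.
grpc_version_from_lockfile() {
  sed -n 's/^    grpc (\([0-9][0-9.]*\))$/\1/p' "$1" | head -n 1
}

# Fetch, patch, rebuild and install grpc at the given version. The work
# happens in a subshell so the caller's working directory is untouched.
build_patched_grpc_gem() {
  version="$1"
  patch_dir="$2"                       # must be an absolute path
  workdir="$(mktemp -d)"
  (
    cd "$workdir"
    gem fetch grpc -v "$version"       # writes grpc-$version.gem
    gem unpack "grpc-$version.gem"     # unpacks into grpc-$version/
    # gem unpack writes only the packaged files, so regenerate a gemspec
    # from the .gem metadata for `gem build` to consume.
    gem spec "grpc-$version.gem" --ruby > "grpc-$version/grpc.gemspec"
    cd "grpc-$version"
    for p in "$patch_dir"/*.patch; do
      [ -e "$p" ] || continue          # no patches present
      patch -p1 < "$p"
    done
    gem build grpc.gemspec             # produces a fresh grpc-$version.gem
    gem install --local "grpc-$version.gem"
  )
  rm -rf "$workdir"
}

# Usage, run before `bundle install` from the Rails root:
#   v="$(grpc_version_from_lockfile Gemfile.lock)"
#   build_patched_grpc_gem "$v" "$PWD/patches/grpc"
```

Because `gem install --local` registers the gem with the exact version from the lockfile, Bundler sees it as already satisfied and skips fetching the BoringSSL-bundled copy; if the lockfile version moves, the script follows it automatically, which is the self-documenting property the option is meant to have.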
Having a pre-built gem would make it easier for Omnibus, CNG, and other users to quickly install the package without having to apply patches themselves. If we published this gem, we could make GitLab use this in FIPS mode (e.g. `gitlab-grpc`) in the `Gemfile`. But we would have to maintain a fork, though we might do this anyway for CI.