LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Development

OpenSSL and IPv6

March 14, 2012

This article was contributed by Nathan Willis

OpenSSL is one of the most popular implementations of Transport Layer Security (TLS), as well as one of the leading free software libraries for general-purpose cryptography, but as an online debate recently highlighted, it still lags behind on support for IPv6 tools. Admittedly, "lagging behind on IPv6" is a charge that could be leveled at most of the Internet, but with OpenSSL the feature requests — and the patches — have been idling in limbo for several years, which appears to be garnering frustration from some developers.

Michael Stapelberg raised the issue in a March 6 post on Google Plus:

Nearly every time I use the OpenSSL command line tools I get angry. It’s 2012 and OpenSSL’s s_client still doesn’t work with IPv6. Every time, I go to the Debian bugtracker first. Every time, I see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589520 and apply that patch.

I’ve been doing that so often, that I had enough of it and went to the OpenSSL request tracker: http://rt.openssl.org/index.html?q=ipv6 (user/pass: guest/guest). Turns out they actually have several patches lying around for that. The oldest one is 5 years old!

The command line tools Stapelberg refers to are s_client and s_server, both of which are standard commands for the openssl tool, and are designed to help users test their code and SSL/TLS applications. S_client implements a simple SSL/TLS client application that attempts to open a connection to a remote host. S_server implements a simple SSL/TLS server, which listens for connections and (if desired) can emulate a web server.

In practice, you might use s_client to try to connect to a new server with a command of the form: 

    openssl s_client -connect somehost:someportnumber
That command could be followed by flags to test out the particular settings of interest (e.g., certificate options, support for specific ciphers, or simply printing out session information for debugging). But with an unpatched OpenSSL, the command does not work if the host requested is only reachable via IPv6. Similarly, s_server can listen on any port, but if the connection requests originate from an IPv6 address, it fails.

Patches and other options

Stapelberg linked to the OpenSSL request tracker (which requires logging in with a username and password; guest/guest is acceptable), showing seven open requests that match "ipv6." Of those, three are requests to support IPv6 addresses in s_client or s_server, and all three include patches. The most recent is RT 2051, which was originally opened by Michael Tuexen in 2009, and which has received regular patch updates as new OpenSSL releases have come out. The latest update is from December 28, 2011.

Questions have also come up on the OpenSSL mailing lists about IPv6 support. What seems to frustrate the question-askers is that the library supports IPv6 addresses in most core routines and internal data structures. In addition to the s_client and s_server testing tools, however, there are places where the API is unaware of IPv6 addressing. Namely, an application cannot use the OpenSSL library to create a new socket to an IPv6-addressed host — but the application can create an IPv6-addressed socket separately (or using a different library), then hand that socket over to OpenSSL.

In the comments on Stapelberg's Google Plus post, Florian Foster asked why anyone would use OpenSSL, which is hardly the only game in town, particularly when GnuTLS fully supports IPv6 addresses both in its API and in its command-line tool gnutls-cli. Watson Ladd concurred, and also noted that OpenSSL still has big holes in its documentation. Gregory P. Smith commented that the bulk of the SSL/TLS traffic on open source systems probably comes from the Netscape Security Services (NSS) library used by Mozilla applications and Google Chrome (as well as by many mail user agents and server products from Red Hat and Sun).

There is an argument to be made for each of those positions. GnuTLS support does IPv6 pervasively, OpenSSL's official documentation does list four out of its six man pages as "STILL INCOMPLETE," and NSS probably does handle the lion's share of SSL/TLS bits in open source software — at least on the client side. But even when taken collectively, the three arguments do not justify throwing up one's hands in disgust and uninstalling OpenSSL.

First, GnuTLS was started in order to provide a GPL-compatible alternative to OpenSSL, which is dual-licensed under the Apache 1.0 license and the "old-style-BSD-like" SSLeay license. As a result, GnuTLS is used heavily by official GNU projects, as well as by large projects like GNOME and CUPS. But OpenSSL remains more popular on the server side, in web frameworks, virtual private network (VPN) tools, and mail servers, plus system utilities like cryptmount and wpasupplicant. The need to maintain license compatibility can restrict a project's options regarding which library to use — such as commercial vendors wishing to avoid GPL-licensed code. Second, even though the two projects are roughly on par, they do differ in the details when it comes to protocol and cipher support, which could make the difference for other users.

So who cares about IP addresses anyway?

It is a little unclear why it has taken so long for the IPv6 patches to get merged. In 2009, Arkadiusz Miskiewicz objected to the style in Tuexen's patch, but Tuexen responded, and subsequently the patch was met with approval. OpenSSL core developer Stephen Henson chalked it up to a simple matter of time. "There has been a fair bit of activity lately related to the FIPS 140-2 validation work and the upcoming release of 1.0.1," he said, after which the team "can look at getting several patches including IPv6 support in place."

The only real ongoing objection to explicitly supporting IPv6 has been that IP addresses are not a fundamental SSL/TLS concern to begin with. The argument goes that TLS runs on top of TCP (and DTLS on top of UDP), so an application requiring TLS or DTLS must deal with the TCP or UDP connection, regardless of the state of the Internet layer beneath it. That is true to an extent; SSL/TLS is agnostic about what lies beneath the transport layer — but it clearly does not apply to the command-line testing tools that ship with OpenSSL. They are supposed to emulate an SSL/TLS client and server, after all, all the way up to the application layer, and not patching them means application developers must turn elsewhere.

Tuexen and others have updated the patch for both the current development version of OpenSSL and for the older releases. As Stapelberg mentioned in his Google Plus post, Debian adds the patch downstream (which is then picked up by Ubuntu and derivatives); so too does Red Hat (including Fedora).

Regardless of whether IPv6 support is conceptually important to the package, then, the interest in IPv6 tools among developers and sysadmins seems clear. The risk to the project is that by letting the patch languish for years, potential new developers may head towards GnuTLS or another competitor rather than wait. At 13 years of age, OpenSSL is a mature project, and it certainly deals with subjects that demand a lot of domain expertise, such as cryptography. Consequently it may find it difficult to recruit new contributors.

But two years is still a long time for an actively-updated patch to remain in limbo. As is the case with the still-incomplete man pages, OpenSSL probably gets more leeway than other projects thanks to its solid reputation for robustness. But it is also a gamble — in the comments on Stapelberg's post, there is frustration with the project on several fronts, and one never knows when goodwill is going to run out.

Comments (6 posted)

Brief items

Quotes of the week

In what most people would think of as counter-intuitive, copyleft licences are more predominant amongst vendor-led open source projects. The reason for this is that some vendors choose to run a dual licensing business model where they put the code out under a restrictive copyleft license and ship a commercial license themselves. They usually combine the licensing regime with a contributor agreement. This means that the intellectual property is aggregated and owned by the sponsoring vendor. This provides the sponsoring vendor with the unique advantage of being able to distribute and package the code as they see fit under a commercial licensing regime. This is exactly the business model that Sun used with OpenOffice and, as I mentioned previously, the reason that the LibreOffice could only fork the code under a copyleft license.
-- Douglas Heintzman on the IBM Software Blog

Tridge,

With Samba well on its way to a third decade as of January this year, we wanted to thank you personally for your mentorship, guidance and leadership of the Samba project over the past twenty years. For the past decade, we have personally witnessed the strength of your technical innovations, and your passionate commitment to free software. The Samba Team and project is immeasurably stronger not only because of your amazing technical skill, but also by your dedication to the cause in the legal arena as well.

-- Andrew Bartlett and Jelmer Vernooij

Comments (none posted)

bzr 2.5.0 released

Version 2.5.0 of the bzr version control system is out. "This is a bugfix and polish release over the 2.4 series, with a large number of bugs fixed (~170 for the 2.5 series alone). The 2.5 series provides a faster smart protocol implementation for many operations, basic support for colocated branches." Also new to this release is a set of translations for over 20 languages.

Full Story (comments: none)

Firefox 11 and Thunderbird 11 released

The Firefox 11 and Thunderbird 11 releases are out. They contain the usual pile of fixes to scary security-related bugs and a number of new features. New goodies in Firefox include the ability to import information from Google Chrome, synchronization of add-ons, CSS improvements, a CSS style editor, Mozilla Tilt, and more. The list of Thunderbird improvements is shorter but includes a new user interface with tabs placed above the main menu.

Comments (7 posted)

Gnuplot 4.6 released

Version 4.6 of the gnuplot plotting utility is out; this is the first major release in two years. New features include a new flow control syntax, user-definable line types in plots, statistical summary calculation, some new terminal drivers, better multi-byte encoding support, and more.

Full Story (comments: 20)

Laborejo Release 0.1

A new project called Laborejo has announced its existence with a 0.1 release. "It is a Lilypond GUI frontend, a MIDI creator and finally a tool collection to inspire and help you compose. It works by reducing music-redundancy and by seperating layout and data. Don't worry about the layout, just concentrate on the music."

Full Story (comments: none)

OpenSSL 1.0.1 released

The OpenSSL 1.0.1 release is out. The version number notwithstanding, this release contains a number of new features, including SCTP support, TLS/DTLS heartbeat support, and more.

Full Story (comments: none)

2012 Language Summit Report (Python Insider)

The Python Insider site has a report from the 2012 Python Language Summit, held March 7 in Santa Clara, California. "One thing that seemed to have broad agreement was that shortening the standard library turnaround time would be a good thing in terms of new contributors. Few people are interested in writing new features that might not be released for over a year -- it's just not fun. Even with bug fixes, sometimes the duration can be seen as too long, to the point where users may end up just fixing our problems from within their own code if possible."

Comments (none posted)

Newsletters and articles

Development newsletters from the last week

Comments (none posted)

Brewtarget: Hop into Beer Brewing with Open Source (Linux.com)

Linux.com has an interview with Philip Lee about his Brewtarget project. Brewtarget helps homebrewers create and manage their recipes. "Right after I got into homebrewing in 2008, I was looking for open source beer tools for Linux, and I found QBrew, but after looking at its implementation and contemplating whether to extend it or start from scratch, I decided I could do better by starting from scratch. I made some simple attempts early in 2008, but didn't get very far, and resorted to calculating recipes by hand. I'm actually glad I did this, because after doing this for about a year, I learned all the math I would need to make a piece of software, plus some extra. The serious work started in December 2008, when I was sitting at home over the holidays – I was, and still am, a grad student – and had some free time to kill."

Comments (1 posted)

Firefox in 2011 – Firefox plans for 2012

The Firefox team looks back at its 2011 accomplishments and discusses its plans for this year. "With fullscreen support in web browsers, the next step is improve the gaming and interaction experience for building more advanced web sites with key input in fullscreen mode and also being able to use the mouse as a controller instead of as a pointer."

Comments (20 posted)

Idealism vs. pragmatism: Mozilla debates supporting H.264 video playback (ars technica)

Ars technica covers the discussion (the very long discussion) in the Mozilla community about relaxing its stand on patent-encumbered codecs. "Andreas Gal, Mozilla's director of research, announced on a public mailing list today that he wants to proceed with a plan that would enable H.264 decoding on Mozilla's Boot2Gecko (B2G) mobile operating system. The proposed change would allow the video element in Mozilla's HTML rendering engine to rely on codecs that are supplied by the underlying operating system or dedicated video hardware." (Thanks to Paul Wise).

Comments (85 posted)

Weir: Where did the time go?

Rob Weir has posted a timeline of work done on Apache OpenOffice and some associated commentary. "As the timeline shows, most of our attention on the project has been spent on community building and infrastructure migration efforts. We're not engaging in a race to see how fast we can come out with a release, or to show how quickly we can crank out minor releases. A huge portion of our effort has been to ensure continuity for the many millions of users of OpenOffice.org, by far the most popular open source productivity suite."

This response from Michael Meeks may also be worth a look.

Comments (19 posted)

Page editor: Jonathan Corbet
Next page: Announcements>>

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds