OpenSSL is one of the most popular implementations of Transport Layer Security (TLS), as well as one of the leading free software libraries for general-purpose cryptography, but as an online debate recently highlighted, it still lags behind on support for IPv6 tools. Admittedly, "lagging behind on IPv6" is a charge that could be leveled at most of the Internet, but with OpenSSL the feature requests — and the patches — have been idling in limbo for several years, which appears to be garnering frustration from some developers.
Michael Stapelberg raised the issue in a March 6 post on Google Plus:
Nearly every time I use the OpenSSL command line tools I get angry. It’s 2012 and OpenSSL’s s_client still doesn’t work with IPv6. Every time, I go to the Debian bugtracker first. Every time, I see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589520
and apply that patch.
I’ve been doing that so often, that I had enough of it and went to the
OpenSSL request tracker: http://rt.openssl.org/index.html?q=ipv6 (user/pass: guest/guest). Turns out they actually have several patches lying around for that. The oldest one is 5 years old!
The command line tools Stapelberg refers to are s_client and s_server, both
of which are standard commands for the openssl tool, and are
designed to help users test their code and SSL/TLS applications. S_client
implements a simple SSL/TLS client application that attempts to open a
connection to a remote host. S_server implements a simple SSL/TLS server,
which listens for connections and (if desired) can emulate a web server.
In practice, you might use s_client to try to connect to a new server
with a command of the form:
openssl s_client -connect somehost:someportnumber
That command could be followed by flags to test out the particular settings of interest (e.g., certificate options, support for specific ciphers, or simply printing out session information for debugging). But with an unpatched OpenSSL, the command does not work if the host requested is only reachable via IPv6. Similarly, s_server can listen on any port, but if the connection requests originate from an IPv6 address, it fails.
Patches and other options
Stapelberg linked to the OpenSSL request tracker (which requires logging in with a username and password; guest/guest is acceptable), showing seven open requests that match "ipv6." Of those, three are requests to support IPv6 addresses in s_client or s_server, and all three include patches. The most recent is RT 2051, which was originally opened by Michael Tuexen in 2009, and which has received regular patch updates as new OpenSSL releases have come out. The latest update is from December 28, 2011.
Questions have also come up on the OpenSSL mailing lists about IPv6 support. What seems to frustrate the question-askers is that the library supports IPv6 addresses in most core routines and internal data structures. In addition to the s_client and s_server testing tools, however, there are places where the API is unaware of IPv6 addressing. Namely, an application cannot use the OpenSSL library to create a new socket to an IPv6-addressed host — but the application can create an IPv6-addressed socket separately (or using a different library), then hand that socket over to OpenSSL.
In the comments on Stapelberg's Google Plus post, Florian Foster asked why anyone would use OpenSSL, which is hardly the only game in town, particularly when GnuTLS fully supports IPv6 addresses both in its API and in its command-line tool gnutls-cli. Watson Ladd concurred, and also noted that OpenSSL still has big holes in its documentation. Gregory P. Smith commented that the bulk of the SSL/TLS traffic on open source systems probably comes from the Netscape Security Services (NSS) library used by Mozilla applications and Google Chrome (as well as by many mail user agents and server products from Red Hat and Sun).
There is an argument to be made for each of those positions. GnuTLS support does IPv6 pervasively, OpenSSL's official documentation does list four out of its six man pages as "STILL INCOMPLETE," and NSS probably does handle the lion's share of SSL/TLS bits in open source software — at least on the client side. But even when taken collectively, the three arguments do not justify throwing up one's hands in disgust and uninstalling OpenSSL.
First, GnuTLS was started in order to provide a GPL-compatible
alternative to OpenSSL, which is dual-licensed under the Apache 1.0 license
and the "old-style-BSD-like" SSLeay license. As a result, GnuTLS is used heavily by
official GNU projects, as well as by large projects like GNOME and CUPS.
But OpenSSL remains more popular on the server side, in web frameworks,
virtual private network (VPN) tools, and mail servers, plus system
utilities like cryptmount and wpasupplicant. The need to maintain license
compatibility can restrict a project's
options regarding which library to use — such as commercial
vendors wishing to avoid GPL-licensed code. Second, even though the two
projects are roughly on par, they do differ
in the details when it comes to protocol and cipher support, which could
make the difference for other users.
So who cares about IP addresses anyway?
It is a little unclear why it has taken so long for the IPv6 patches to get merged. In 2009, Arkadiusz Miskiewicz objected to the style in Tuexen's patch, but Tuexen responded, and subsequently the patch was met with approval. OpenSSL core developer Stephen Henson chalked it up to a simple matter of time. "There has been a fair bit of activity lately related to the FIPS 140-2 validation work and the upcoming release of 1.0.1," he said, after which the team "can look at getting several patches including IPv6 support in place."
The only real ongoing objection to explicitly supporting IPv6 has been that IP addresses are not a fundamental SSL/TLS concern to begin with. The argument goes that TLS runs on top of TCP (and DTLS on top of UDP), so an application requiring TLS or DTLS must deal with the TCP or UDP connection, regardless of the state of the Internet layer beneath it. That is true to an extent; SSL/TLS is agnostic about what lies beneath the transport layer — but it clearly does not apply to the command-line testing tools that ship with OpenSSL. They are supposed to emulate an SSL/TLS client and server, after all, all the way up to the application layer, and not patching them means application developers must turn elsewhere.
Tuexen and others have updated the patch for both the current development version of OpenSSL and for the older releases. As Stapelberg mentioned in his Google Plus post, Debian adds the patch downstream (which is then picked up by Ubuntu and derivatives); so too does Red Hat (including Fedora).
Regardless of whether IPv6 support is conceptually important to the package, then, the interest in IPv6 tools among developers and sysadmins seems clear. The risk to the project is that by letting the patch languish for years, potential new developers may head towards GnuTLS or another competitor rather than wait. At 13 years of age, OpenSSL is a mature project, and it certainly deals with subjects that demand a lot of domain expertise, such as cryptography. Consequently it may find it difficult to recruit new contributors.
But two years is still a long time for an actively-updated patch to remain in limbo. As is the case with the still-incomplete man pages, OpenSSL probably gets more leeway than other projects thanks to its solid reputation for robustness. But it is also a gamble — in the comments on Stapelberg's post, there is frustration with the project on several fronts, and one never knows when goodwill is going to run out.
Comments (6 posted)
In what most people would think of as counter-intuitive, copyleft
licences are more predominant amongst vendor-led open source
projects. The reason for this is that some vendors choose to run a
dual licensing business model where they put the code out under a
restrictive copyleft license and ship a commercial license
themselves. They usually combine the licensing regime with a
contributor agreement. This means that the intellectual property is
aggregated and owned by the sponsoring vendor. This provides the
sponsoring vendor with the unique advantage of being able to
distribute and package the code as they see fit under a commercial
licensing regime. This is exactly the business model that Sun used
with OpenOffice and, as I mentioned previously, the reason that the
LibreOffice could only fork the code under a copyleft license.
on the IBM Software Blog
With Samba well on its way to a third decade as of January this
year, we wanted to thank you personally for your mentorship,
guidance and leadership of the Samba project over the past twenty
years. For the past decade, we have personally witnessed the
strength of your technical innovations, and your passionate
commitment to free software. The Samba Team and project is
immeasurably stronger not only because of your amazing technical
skill, but also by your dedication to the cause in the legal arena
-- Andrew Bartlett and Jelmer Vernooij
Comments (none posted)
Version 2.5.0 of the bzr version control system is out. "This is a bugfix and polish release over the 2.4 series, with a large number
of bugs fixed (~170 for the 2.5 series alone). The 2.5 series provides a
faster smart protocol implementation for many operations, basic support for
" Also new to this release is a set of
translations for over 20 languages.
Full Story (comments: none)
The Firefox 11 and Thunderbird 11 releases are out. They contain the usual
pile of fixes to scary security-related bugs and a number of new features.
goodies in Firefox
include the ability to import information from
Google Chrome, synchronization of add-ons, CSS improvements, a CSS style
editor, Mozilla Tilt
, and more. The
list of Thunderbird improvements
is shorter but includes a new user
interface with tabs placed above the main menu.
Comments (7 posted)
Version 4.6 of the gnuplot
utility is out; this is the first major
release in two years. New features include a new flow control syntax,
user-definable line types in plots, statistical summary calculation, some
new terminal drivers, better multi-byte encoding support, and more.
Full Story (comments: 20)
A new project called Laborejo has announced its existence with a 0.1
release. "It is a Lilypond GUI frontend, a MIDI creator and finally
a tool collection to inspire and help you compose. It works by reducing
music-redundancy and by seperating layout and data. Don't worry about the
layout, just concentrate on the music.
Full Story (comments: none)
The OpenSSL 1.0.1 release is out. The version number notwithstanding, this
release contains a number of new features, including SCTP support, TLS/DTLS
heartbeat support, and more.
Full Story (comments: none)
The Python Insider site has a
from the 2012 Python Language Summit, held March 7 in Santa
Clara, California. "One thing that seemed to have broad agreement
was that shortening the standard library turnaround time would be a good
thing in terms of new contributors. Few people are interested in writing
new features that might not be released for over a year -- it's just not
fun. Even with bug fixes, sometimes the duration can be seen as too long,
to the point where users may end up just fixing our problems from within
their own code if possible.
Comments (none posted)
Newsletters and articles
Comments (none posted)
Linux.com has an interview
with Philip Lee about his Brewtarget
project. Brewtarget helps homebrewers create and manage their recipes. "Right after I got into homebrewing in 2008, I was looking for open source beer tools for Linux, and I found QBrew, but after looking at its implementation and contemplating whether to extend it or start from scratch, I decided I could do better by starting from scratch. I made some simple attempts early in 2008, but didn't get very far, and resorted to calculating recipes by hand. I'm actually glad I did this, because after doing this for about a year, I learned all the math I would need to make a piece of software, plus some extra. The serious work started in December 2008, when I was sitting at home over the holidays – I was, and still am, a grad student – and had some free time to kill.
Comments (1 posted)
The Firefox team looks
back at its 2011 accomplishments
and discusses its plans for this
year. "With fullscreen support in web browsers, the next step is
improve the gaming and interaction experience for building more advanced
web sites with key input in fullscreen mode and also being able to use the
mouse as a controller instead of as a pointer.
Comments (20 posted)
Ars technica covers
) in the Mozilla community about relaxing its stand on
patent-encumbered codecs. "Andreas Gal, Mozilla's director of
research, announced on a public mailing list today that he wants to proceed
with a plan that would enable H.264 decoding on Mozilla's Boot2Gecko (B2G)
mobile operating system. The proposed change would allow the video element
in Mozilla's HTML rendering engine to rely on codecs that are supplied by
the underlying operating system or dedicated video hardware.
(Thanks to Paul Wise).
Comments (85 posted)
Rob Weir has posted a
timeline of work done on Apache OpenOffice
and some associated
commentary. "As the timeline shows, most of our attention on the
project has been spent on community building and infrastructure migration
efforts. We're not engaging in a race to see how fast we can come out with
a release, or to show how quickly we can crank out minor releases. A huge
portion of our effort has been to ensure continuity for the many millions
of users of OpenOffice.org, by far the most popular open source
response from Michael Meeks may also be worth a look.
Comments (19 posted)
Page editor: Jonathan Corbet
Next page: Announcements>>