
OpenSSL’s tools don’t support IPv6, patches unmerged without reason for 5 years - secure
https://plus.google.com/108593031838085993726/posts/YKVxPMxF8m6
======
obtino
This post is about the 'openssl' tool that is provided with the OpenSSL
library not supporting IPv6 - not OpenSSL itself! As far as I'm aware, IPv6
support has been provided by the library for a while.

~~~
sohn
The library has nothing to do with IPv6 - SSL is not in that layer

~~~
nknight
That must be why these functions don't exist:

<http://openssl.org/docs/crypto/BIO_s_connect.html>

While the library isn't what's at issue here, your assumptions are way off.
IPv4-capable code doesn't magically become IPv6-capable code by virtue of
running on an IPv6-capable OS. Functions like these require some tweaking to
be made to use new IPv6-capable structs as well as getaddrinfo. The switch is
not invisible to anyone making socket API calls.
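
To make the point concrete, here is an added example (not code from the thread or from OpenSSL) of the IPv4-only socket pattern next to the getaddrinfo() pattern that handles both families; the function names are my own.

```c
/* Added example (not from the thread or OpenSSL): IPv4-only code beside
 * the getaddrinfo() pattern that handles both address families. */
#define _POSIX_C_SOURCE 200112L
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>

/* IPv4-only: sockaddr_in holds a 32-bit address, so "::1" cannot even be parsed. */
int v4_only_parse(const char *host, struct sockaddr_in *sin)
{
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    return inet_pton(AF_INET, host, &sin->sin_addr) == 1;
}

/* Family-agnostic: getaddrinfo() fills sockaddr_in or sockaddr_in6; returns fd or -1. */
int connect_any(const char *host, const char *port)
{
    struct addrinfo hints, *res, *ai; int fd = -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* accept IPv4 and IPv6 */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) continue;
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) break;
        close(fd); fd = -1;           /* try the next candidate */
    }
    freeaddrinfo(res);
    return fd;
}

/* Offline check: which family getaddrinfo() picks for a numeric literal (or -1). */
int family_of(const char *host)
{
    struct addrinfo hints, *res; int fam;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;  /* no DNS lookup */
    if (getaddrinfo(host, NULL, &hints, &res) != 0) return -1;
    fam = res->ai_family;
    freeaddrinfo(res);
    return fam;
}
```

Anything still built on the first pattern needs the second before an IPv6 literal or an AAAA-only host will work, which is the change the unmerged patches make.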

------
lnanek
The link's "getting angry" comment reminds me of this bug report bingo card:
<http://the-b.org/~kenny/bingo.txt>

Which I just saw linked from this issue with an open source Android app:
<http://code.google.com/p/connectbot/issues/detail?id=100>

It's an amusing list of all the complaints and threats issue reporters make
trying to get someone to do work for them for free. :)

~~~
secure
Heh, that’s a good list and what you describe does happen often.

Being a developer myself, I try hard to not make that impression when
reporting bugs. I always check first if the issue was reported and don’t post
unless I have some value to add. If there is no fix yet, I fix it.

However, in this case, there are (working) fixes and I don’t see any other
method to contribute to fixing this issue apart from raising awareness and
thereby maybe getting an OpenSSL developer to merge the patch.

~~~
davidw
Right - the polite thing to do on their part would be to either 1) say why the
patch and others like it are not acceptable 2) comment on what needs
fixing/improving (docs? test cases?) in order to accept the patches, or 3)
declare that they are no longer able to maintain the code, and if someone
wants to take it over, go ahead.

------
aninteger
Is there any way to read this without signing into a Google account? On my
mobile device I am getting a prompt to sign into Google.

~~~
jonemo
Welcome to the end of the www as we know it. Where you request permission to
follow an interesting sounding link on HN by logging in to Google.

~~~
icebraining
Only if you're on a mobile device, though. On a desktop browser you can access
it without being logged in to Google.

~~~
myko
Yeah this seems more like a bug/oversight on the G+ team's part than something
planned.

------
jacques_chester
There are OpenSSL alternatives if you're prepared to walk the path less
travelled.

One I've taken a shine to lately is PolarSSL[1], which has the nice quality
that you can selectively compile only those modules you need. Consequently the
API is quite simplified and you can use it as a _library_ rather than put up
with the framework-y bookkeeping OpenSSL requires.

I wrote a small wrapper to access the SHA-384/512 component in Lua[2].
Compared to a 500k+ OpenSSL .so, the PolarSSL version weighs in at 22k. It was
a great learning experience.

[1] <http://polarssl.org/>

[2] <https://github.com/jchester/lua-polarssl>

~~~
sargun
Sorry, but I prefer my crypto being tried and tested:

"What makes you think you can invent a good cipher if you have no expertise
in the subject? Maybe you can, but it's not terribly likely. Imagine how you
would react if your doctor told you "You have appendicitis, a disease that is
life-threatening if not treated. We have a time-tested cure that cures 99% of
all patients with no noticeable side-effects, but I'm not going to give you
that: I'm going to give you a new experimental treatment my cousin dreamed up
last week. No, my cousin has no medical training. No, I have no evidence that
the new treatment will work, and it's never been tested or analyzed in depth
-- but I'm going to give it to you anyway because my cousin thinks it is good
stuff." You'd find another doctor, I hope. Rational people leave medical care
to the medical experts. The medical experts have a much better track record
than the quacks." -- David Wagner PhD, sci.crypt, 19th Oct 02.

~~~
jacques_chester
PolarSSL invents no new ciphers. It implements the well-known ones.

More to the point, it is in my unprofessional opinion easier to verify the
PolarSSL implementations because they are all completely standalone. By design
you can compile a single .c file and it will do what you expect.

OpenSSL has its advantages, to be sure. It's more widely used and thus
theoretically yields better for Linus's Law. Its maintainers also take great
care to squeeze extra performance out of different architectures.

But for my case having the smallest possible reliable implementation of the
SHA-512 algorithm is what I want.

------
losvedir
Five years is a long time. However, with something as important as OpenSSL,
some degree of discretion and evaluation should be done before patches are
merged.

Does anyone know the reason for the delay? I can't imagine that it's just them
being lazy, for instance. Maybe they don't have the time and resources to
properly analyze something as critical as this?

Edit: I guess what I mean to say is, for OpenSSL I'd rather have no feature
than a feature with a security vulnerability.

~~~
spdegabrielle
Found on the openSSL dev list:

Newsgroups: mailing.openssl.dev
From: ku...@tenebras.com (Michael Sierchio)
Date: Wed, 30 Jul 2008 08:02:41 -0700
Local: Wed, Jul 30 2008 3:02 pm
Subject: Re: IPv6 support in OpenSSL

Ravindra wrote:
> I'm looking for information regarding IPv6 support in OpenSSL.
> Which is the first and stable version that adds support for IPv6 in OpenSSL ?

SSL operates atop TCP. Whether this supports IPv6 is left as an exercise for
the reader. - M

PS Does your web browser support IPv6? Does your monitor? How about your
keyboard?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-...@openssl.org
Automated List Manager                           majord...@openssl.org

~~~
burgerbrain
If you add two ' '(space) characters in front of a line, HN will stop
"formatting" your text.

~~~
simcop2387
Awesome, I've been trying to figure out how to do that myself. Is there any
place that has a list of all of these things?

~~~
icebraining
<https://news.ycombinator.com/formatdoc> (it's linked from the FAQ)

~~~
steve-howard
I honestly can't see why that isn't linked from the posting page.

~~~
icebraining
What's even more strange is that it isn't linked from the new post page, as
you said, but it _is_ linked from the edit post page.

------
grout
OpenSSL's command line tools are so antiquated and annoying that I can't help
thinking that they're being held back by the Powers That Be so as to
discourage casual crypto.

------
X-Istence
This annoyed me recently as I was attempting to test a daemon that was running
on IPv6 only. Ended up using some netcat magic to bounce it from IPv4 to
IPv6...

