OpenSSL’s tools don’t support IPv6, patches unmerged without reason for 5 years

  • This post is about the 'openssl' tool that is provided with the OpenSSL library not supporting IPv6 - not OpenSSL itself! As far as I'm aware, IPv6 support has been provided by the library for a while.

  • The link's "getting angry" comment reminds me of this bug report bingo card: http://the-b.org/~kenny/bingo.txt

    Which I just saw linked from this issue with an open source Android app: http://code.google.com/p/connectbot/issues/detail?id=100

    It's an amusing list of all the complaints and threats issue reporters make trying to get someone to do work for them for free. :)

  • Is there any way to read this without signing into a Google account? On my mobile device I am getting a prompt to sign into Google.

  • There are OpenSSL alternatives if you're prepared to walk the path less travelled.

    One I've taken a shine to lately is PolarSSL[1], which has the nice quality that you can selectively compile only those modules you need. Consequently the API is quite simplified and you can use it as a library rather than put up with the framework-y bookkeeping OpenSSL requires.

    I wrote a small wrapper to access the SHA-384/512 component in Lua[2]. Compared to a 500k+ OpenSSL .so, the PolarSSL version weighs in at 22k. It was a great learning experience.

    [1] http://polarssl.org/ [2] https://github.com/jchester/lua-polarssl

  • Five years is a long time. However, with something as important as OpenSSL, some degree of discretion and evaluation should be done before patches are merged.

    Does anyone know the reason for the delay? I can't imagine that it's just them being lazy, for instance. Maybe they don't have the time and resources to properly analyze something as critical as this?

    Edit: I guess what I mean to say is, for OpenSSL I'd rather have no feature than a feature with a security vulnerability.

  • OpenSSL's command line tools are so antiquated and annoying that I can't help thinking that they're being held back by the Powers That Be so as to discourage casual crypto.

  • This annoyed me recently as I was attempting to test a daemon that was running on IPv6 only. Ended up using some netcat magic to bounce it from IPv4 to IPv6...
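
The "netcat magic" that comment describes is a plain TCP relay: listen on an IPv4 address, and for every accepted connection open a fresh connection to the IPv6 target and copy bytes in both directions, so an IPv4-only client (an `openssl s_client` build that cannot take an IPv6 `-connect` argument, for instance) can still reach an IPv6-only daemon. The socat equivalent is `socat TCP4-LISTEN:4443,reuseaddr,fork TCP6:[::1]:443`. The script below is an added example, not code posted by the commenter, and everything in it (the echo daemon standing in for the IPv6-only service, the loopback hosts, the ephemeral ports, the fallback to 127.0.0.1 when `::1` cannot be bound) is an assumption made for the demonstration.

```python
"""Added example: a minimal IPv4 -> IPv6 TCP relay, the same job as
    socat TCP4-LISTEN:4443,reuseaddr,fork TCP6:[::1]:443
An IPv6-only echo daemon stands in for the real service; hosts and ports
are assumptions for the demo. Not code from the original thread."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    peer sees the EOF too (this is what makes the relay transparent)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(listener: socket.socket, handler) -> None:
    """Accept loop on a daemon thread; handler(conn) runs per connection."""
    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_echo_server(host: str) -> int:
    """Bind an echo daemon on `host` ('::1' makes it IPv6-only). Returns the port."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(8)

    def echo(conn):
        with conn:
            _pump(conn, conn)

    _serve(srv, echo)
    return srv.getsockname()[1]


def start_relay(target_host: str, target_port: int, listen_host: str = "127.0.0.1") -> int:
    """Listen on IPv4 and bridge each client to (target_host, target_port).
    create_connection() resolves the target via getaddrinfo, so '::1'
    yields an AF_INET6 socket without any address-family code of our own."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lst.bind((listen_host, 0))
    lst.listen(8)

    def bridge(client):
        try:
            upstream = socket.create_connection((target_host, target_port), timeout=5)
        except OSError:
            client.close()          # target down: drop the client, keep serving
            return
        upstream.settimeout(None)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)     # client -> target on this thread
        back.join()                 # target -> client on the other
        client.close()
        upstream.close()

    _serve(lst, bridge)
    return lst.getsockname()[1]


def ipv6_loopback_available() -> bool:
    """Some sandboxes and containers have IPv6 disabled on lo; detect that."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False


def probe(relay_port: int, payload: bytes) -> bytes:
    """What the IPv4-only client sees: send payload, half-close, read the reply."""
    with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            out += chunk
    return out


def demo(payload: bytes = b"hello through the IPv4->IPv6 relay\n") -> bytes:
    """Stand up the IPv6-only daemon and the relay, then talk to it over IPv4.
    Falls back to an IPv4 target where ::1 is unavailable (assumption for the demo)."""
    target = "::1" if ipv6_loopback_available() else "127.0.0.1"
    daemon_port = start_echo_server(target)
    relay_port = start_relay(target, daemon_port)
    return probe(relay_port, payload)


if __name__ == "__main__":
    print(demo())
```

With the relay listening on 127.0.0.1:4443 and pointed at the real daemon instead of the echo stub, an IPv4-only `openssl s_client -connect 127.0.0.1:4443` reaches the IPv6 service unchanged; the half-close propagation in `_pump` is what keeps `s_client`'s end-of-input handling working across the hop.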