
Openssl IPv6 Support


Mody, Darshan (Darshan)

Nov 5, 2014, 3:36:06 AM

Hi,

 

Does OpenSSL support IPv6 officially?

 

Thanks & Regards

Darshan

Matthias Apitz

Nov 5, 2014, 4:09:39 AM
Hi,

We are using openssl for our application servers with IPv6. It turned
out that the function BIO_set_conn_hostname() (and maybe others) is
not capable of dealing with an IPv6 IP addr (which contains colon signs).
We changed our code to create the socket the normal way:

/* connect to an IPv6 server */
getaddrinfo(serverIP, connport, &req, &ans);
sockFd = socket(ans->ai_family, ans->ai_socktype, ans->ai_protocol);
connect(sockFd, ans->ai_addr, ans->ai_addrlen);

and are using the created socket to bring up SSL on it with:

/* build SSL context on this socket */
ctx = SSL_CTX_new(SSLv23_client_method());
bio = BIO_new_socket(sockFd, BIO_NOCLOSE);
BIO_ctrl(bio, BIO_C_SSL_MODE, 1, 0);
ssl = SSL_new(ctx);
SSL_set_bio(ssl, bio, bio);
res = SSL_connect(ssl);

This works fine with IPv4 and IPv6.

HIH

matthias


--
Matthias Apitz | /"\ ASCII Ribbon Campaign:
E-mail: gu...@unixarea.de | \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | X - No proprietary attachments
phone: +49-170-4527211 | / \ - Respect for open standards
| en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Marcus Meissner

Nov 5, 2014, 4:29:17 AM
On Wed, Nov 05, 2014 at 08:28:40AM +0000, Mody, Darshan (Darshan) wrote:
> Hi,
>
> Does Openssl support IPv6 officially?.

AFAIK the libssl and libcrypto libraries do not use sockets at all,
these are left to the applications/libraries using them.

So openssl supports neither ipv4 nor ipv6.

Ciao, Marcus

Dave Thompson

Nov 5, 2014, 6:46:57 AM
> From: owner-ope...@openssl.org On Behalf Of Marcus Meissner
> Sent: Wednesday, November 05, 2014 04:10

> On Wed, Nov 05, 2014 at 08:28:40AM +0000, Mody, Darshan (Darshan)
> wrote:
> > Hi,
> >
> > Does Openssl support IPv6 officially?.
>
> AFAIK the libssl and libcrypto libraries do not use sockets at all,
> these are left to the applications/libraries using them.
>
libssl requires something it can send and receive on using the BIO API
that represents the connection to the peer and is normally a socket,
although in principle you could write your own module to substitute
something crazy like IP-over-carrier-pigeon.

The BIO module in libcrypto provides a BIO_sock instance that
does I/O on an OS socket and provides the BIO API to libssl
(or to code that wants to use plain non-SSL sockets, FTM).

BIO_sock can send and receive on any opened socket, IP4 or IP6.
So if the application 'connect's or 'accept's the sockets,
and then passes them to SSL_set_fd (or equivalent) it works.
But last I looked, BIO_sock cannot do IP6 *connect*, and
only does IP6 *accept* if you give it an already IP6 listen socket.

Quanah Gibson-Mount

Nov 5, 2014, 1:04:09 PM


--On November 5, 2014 at 10:10:26 AM +0100 Marcus Meissner
<meis...@suse.de> wrote:

> On Wed, Nov 05, 2014 at 08:28:40AM +0000, Mody, Darshan (Darshan) wrote:
>> Hi,
>>
>> Does Openssl support IPv6 officially?.
>
> AFAIK the libssl and libcrypto libraries do not use sockets at all,
> these are left to the applications/libraries using them.
>
> So openssl does neither support ipv4 nor ipv6.

apparently you've never used s_client, or looked at the *ancient* bug
explicitly asking that IPv6 support be added for s_client & s_server in
OpenSSL. It even has a patch that's been widely used for years by major
linux distributions.

It boggles the mind that to this day that patch has not been integrated in
the 5 years since the bug was opened.

See <http://rt.openssl.org/Ticket/Display.html?id=2051>,
<https://bugs.debian.org/589520>

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

Matthias Apitz

Nov 5, 2014, 2:06:33 PM
On Wednesday, November 05, 2014 at 10:10:26AM +0100, Marcus Meissner wrote:

> On Wed, Nov 05, 2014 at 08:28:40AM +0000, Mody, Darshan (Darshan) wrote:
> > Hi,
> >
> > Does Openssl support IPv6 officially?.
>
> AFAIK the libssl and libcrypto libraries do not use sockets at all,
> these are left to the applications/libraries using them.
>
> So openssl does neither support ipv4 nor ipv6.

Marcus,

I do not fully understand your reply. Of course, openssl is using sockets to
talk over. The question is only whether openssl is capable of creating an IPv6
socket behind the scenes or not. And it cannot do this; one has to pass
a created IPv6 socket to the SSL layer routines.

This should be fixed.

matthias


Salz, Rich

Nov 5, 2014, 2:13:36 PM
> It boggles the mind that to this day that patch has not been integrated in the
> 5 years since the bug was opened.

So many things about openssl can boggle the mind :)

In this particular case, I think the issue is that adding things to s_client/s_server apps isn't really enough to enable IPv6 programs.

And then you have to deal with sockaddr types across platforms.

Yuk.

Kurt Roeckx

Nov 5, 2014, 2:33:47 PM
On Wed, Nov 05, 2014 at 02:07:16PM -0500, Salz, Rich wrote:
> > It boggles the mind that to this day that patch has not been integrated in the
> > 5 years since the bug was opened.
>
> So many things about openssl can boggle the mind :)
>
> In this particular case, I think the issue is that adding things to s_client/s_server apps isn't really enough to enable IPv6 programs.

I've actually been working on it and it's doing much more than
just s_client / s_server. But I didn't have time to actually
finish the patch yet.


Kurt

Marcus Meissner

Nov 5, 2014, 2:43:30 PM
On Wed, Nov 05, 2014 at 08:45:55AM -0800, Quanah Gibson-Mount wrote:
>
>
> --On November 5, 2014 at 10:10:26 AM +0100 Marcus Meissner
> <meis...@suse.de> wrote:
>
> >On Wed, Nov 05, 2014 at 08:28:40AM +0000, Mody, Darshan (Darshan) wrote:
> >>Hi,
> >>
> >>Does Openssl support IPv6 officially?.
> >
> >AFAIK the libssl and libcrypto libraries do not use sockets at all,
> >these are left to the applications/libraries using them.
> >
> >So openssl does neither support ipv4 nor ipv6.
>
> apparently you've never used s_client, or looked at the *ancient*
> bug explicitly asking that IPv6 support be added for s_client &
> s_server in OpenSSL. It even has a patch that's been widely used
> for years by major linux distributions.

The question was for the library and I was mistaken apparently.

I actually also ported an IPv6 patch to the commandline tool.

Without autoconf or other automatic detection I do not dare to even try to get it upstream :(

Ciao, Marcus