WebKit currently has four network backends:
- CoreFoundation (used by macOS and iOS, and thus Safari)
- CFNet (used by iTunes on Windows… I think only iTunes?)
- cURL (used by most Windows applications, also PlayStation)
- libsoup (used by WebKitGTK+ and WPE WebKit)
One guess which of those we’re going to be talking about in this post. Yeah, of course, libsoup! If you’re not familiar with libsoup, it’s the GNOME HTTP library. Why is it called libsoup? Because before it was an HTTP library, it was a SOAP library. And apparently somebody thought that when Mexican people say “soap,” it often sounds like “soup,” and also thought that this was somehow both funny and a good basis for naming a software library. You can’t make this stuff up.
Anyway, libsoup is built on top of GIO’s sockets APIs. Did you know that GIO has Object wrappers for BSD sockets? Well it does. If you fancy lower-level APIs, create a GSocket
and have a field day with it. Want something a bit more convenient? Use GSocketClient
to create a GSocketConnection
connected to a GNetworkAddress
. Pretty straightforward. Everything parallels normal BSD sockets, but the API is nice and modern and GObject, and that’s really all there is to know about it. So when you point WebKitGTK+ at an HTTP address, libsoup is using those APIs behind the scenes to handle connection establishment. (We’re glossing over details like “actually implementing HTTP” here. Trust me, libsoup does that too.)
Things get more fun when you want to load an HTTPS address, since we have to add TLS to the picture, and we can’t have TLS code in GIO or GLib due to this little thing called “copyright law.” See, there are basically three major libraries used to implement TLS on Linux, and they all have problems:
- OpenSSL is by far the most popular, but it’s, hm, shall we say technically non-spectacular. There are forks, but the forks have problems too (ask me about BoringSSL!), so forget about them. The copyright problem here is that the OpenSSL license is incompatible with the GPL. (Boring details: Red Hat waves away this problem by declaring OpenSSL a system library qualifying for the GPL’s system library exception. Debian has declared the opposite, so Red Hat’s choice doesn’t gain you anything if you care about Debian users. The OpenSSL developers are trying to relicense to the Apache license to fix this, but this process is taking forever, and the Apache license is still incompatible with GPLv2, so this would make it impossible to use GPLv2+ software except under the terms of GPLv3+. Yada yada details.) So if you are writing a library that needs to be used by GPL applications, like say GLib or libsoup or WebKit, then it would behoove you to not use OpenSSL.
- GnuTLS is my favorite from a technical standpoint. Its license is LGPLv2+, which is unproblematic everywhere, but some of its dependencies are licensed LGPLv3+, and that’s uncomfortable for many embedded systems vendors, since LGPLv3+ contains some provisions that make it difficult to deny you your freedom to modify the LGPLv3+ software. So if you rely on embedded systems vendors to fund the development of your library, like say libsoup or WebKit, then you’re really going to want to avoid GnuTLS.
- NSS is used by Firefox. I don’t know as much about it, because it’s not as popular. I get the impression that it’s more designed for the needs of Firefox than as a Linux system library, but it’s available, and it works, and it has no license problems.
So naturally GLib uses NSS to avoid the license issues of OpenSSL and GnuTLS, right?
Haha no, it uses a dynamically-loadable extension point system to allow you to pick your choice of OpenSSL or GnuTLS! (Support for NSS was started but never finished.) This is OK because embedded systems vendors don’t use GPL applications and have no problems with OpenSSL, while desktop Linux users don’t produce tivoized embedded systems and have no problems with LGPLv3. So if you’re using desktop Linux and point WebKitGTK+ at an HTTPS address, then GLib is going to load a GIO extension point called glib-networking, which implements all of GIO’s TLS APIs — notably GTlsConnection
and GTlsCertificate
— using GnuTLS. But if you’re building an embedded system, you simply don’t build or install glib-networking, and instead build a different GIO extension point called glib-openssl, and libsoup will create GTlsConnection
and GTlsCertificate
objects based on OpenSSL instead. Nice! And if you’re Centricular and you’re building GStreamer for Windows, you can use yet another GIO extension point, glib-schannel, for your native Windows TLS goodness, all hidden behind GTlsConnection
so that GStreamer (or whatever application you’re writing) doesn’t have to know about SChannel or OpenSSL or GnuTLS or any of that sad complexity.
Now you know why the TLS extension point system exists in GIO. Software licenses! And you should not be surprised to learn that direct use of any of these crypto libraries is banned in libsoup and WebKit: we have to cater to both embedded system developers and to GPL-licensed applications. All TLS library use is hidden behind the GTlsConnection
API, which is really quite nice to use because it inherits from GIOStream
. You ask for a TLS connection, have it handed to you, and then read and write to it without having to deal with any of the crypto details.
As a recap, the layering here is: WebKit -> libsoup -> GIO (GLib) -> glib-networking (or glib-openssl or glib-schannel).
So when Epiphany fails to load a webpage, and you’re looking at a TLS-related error, glib-networking is probably to blame. If it’s an HTTP-related error, the fault most likely lies in libsoup. Same for any other GNOME applications that are having connectivity troubles: they all use the same network stack. And there you have it!
P.S. The glib-openssl maintainers are helping merge glib-openssl into glib-networking, such that glib-networking will offer a choice of GnuTLS or OpenSSL and obsoleting glib-openssl. This is still a work in progress. glib-schannel will be next!
P.S.S. libcurl also gives you multiple choices of TLS backend, but makes you choose which at build time, whereas with GIO extension points it’s actually possible to choose at runtime from the selection of installed extension points. The libcurl approach is fine in theory, but creates some weird problems, e.g. different backends with different bugs are used on different distributions. On Fedora, it used to use NSS, but now uses OpenSSL, which is fine for Fedora, but would be a license problem elsewhere. Debian actually builds several different backends and gives you a choice, unlike everywhere else. I digress.
Interesting read, thanks for writing this article.
> The glib-openssl maintainers are helping merge glib-openssl into glib-networking, such that glib-networking will offer a choice of GnuTLS or OpenSSL and obsoleting glib-openssl.
Once that’s done, how do we tell glib-networking which (gnutls or openssl) to use?
I ask because above you say that the right backend is chosen by GLib depending on which is installed: glib-networking or glib-openssl.
But if GLib has a single backend (glib-networking handling both gnutls and openssl), how does glib-networking itself chooses?
It can’t just pick which one is installed, because for example in the Freedesktop Sdk project we have both openssl and gnutls. Will we need to specify which one to use when building glib-networking?
The backends pass priorities to
g_io_extension_point_implement
. It’s the same way GIO determines whichGProxyResolver
orGNetworkMonitor
implementation you get.Originally, glib-openssl gave itself a higher priority than glib-networking, so that it would win if installed, since glib-networking was a widely-available default. The assumption was that you don’t build or install glib-openssl unless you know what you’re doing. That failed because openSUSE packaged glib-openssl, and users promptly began installing it without understanding what it is, breaking loads of websites in Epiphany (glib-openssl is less-mature and less-compatible than glib-networking). So now glib-networking has the higher priority, and the assumption is that if you want glib-openssl you’ll either not build glib-networking, or explicitly request it with an environment variable.
The plan going forward is to have OpenSSL support in glib-networking disabled by default at build time (and we don’t want it in freedesktop-sdk, so no need to worry about that). This should make it hard for users to accidentally enable, without causing any problems for embedded systems vendors, the target audience for the OpenSSL backend. There will still be two backends, just like before, they’ll just be contained in one source package now.
Thanks for the details.
Makes me wonder what happens when a dostro decides to enable both, but I’m happy that’s not my problem.
GnuTLS backend will have a higher priority, so it would win and OpenSSL would be unused unless you set an environment variable.
What about s2n: https://github.com/awslabs/s2n
It is apache licensed, high quality, pure C99
Please tell us about BoringSSL and LibreSSL :)
FWIW, there are also early implementations of android/java and iOS/macOS specific TLS backends available from:
https://gitlab.gnome.org/ystreet00/glib-android-ssl
https://gitlab.gnome.org/ystreet00/glib-secure-transport