[www.kde.org] [Bug 354585] New: IPv6 connections to https://dot.kde.org fail
Jon Burgess via KDE Bugzilla
bugzilla_noreply at kde.org
Thu Oct 29 23:55:22 UTC 2015
https://bugs.kde.org/show_bug.cgi?id=354585
Bug ID: 354585
Summary: IPv6 connections to https://dot.kde.org fail
Product: www.kde.org
Version: unspecified
Platform: Other
URL: https://dot.kde.org
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: general
Assignee: kde-www at kde.org
Reporter: jburgess777 at googlemail.com
I have been unable to connect successfully to https://dot.kde.org for several
weeks. Digging a little deeper shows that the DNS entry returns both A and AAAA
records and my machine tries to use the IPv6 (AAAA) result; forcing it to use
IPv4 instead works.
Reproducible: Always
Steps to Reproduce:
1. Use Firefox to connect to https://dot.kde.org from a machine connected to
the internet via dual-stack IPv4 + IPv6
Actual Results:
Connection times out
Expected Results:
web page
The debug steps I went through are below. Although I can establish a TCP
connection to port 443, OpenSSL fails to complete the HTTPS handshake with the
server.
[jburgess@localhost ~]$ host dot.kde.org
dot.kde.org is an alias for t6jrh.x.incapdns.net.
t6jrh.x.incapdns.net has address 149.126.74.103
t6jrh.x.incapdns.net has IPv6 address 2a02:e980:c::67
[jburgess@localhost ~]$ ping dot.kde.org
PING t6jrh.x.incapdns.net (149.126.74.103) 56(84) bytes of data.
64 bytes from 149.126.74.103.ip.incapdns.net (149.126.74.103): icmp_seq=1 ttl=60 time=11.3 ms
64 bytes from 149.126.74.103.ip.incapdns.net (149.126.74.103): icmp_seq=2 ttl=60 time=10.8 ms
^C
--- t6jrh.x.incapdns.net ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 10.815/11.104/11.394/0.308 ms
[jburgess@localhost ~]$ ping6 dot.kde.org
PING dot.kde.org(2a02:e980:c::67) 56 data bytes
64 bytes from 2a02:e980:c::67: icmp_seq=1 ttl=60 time=11.1 ms
64 bytes from 2a02:e980:c::67: icmp_seq=2 ttl=60 time=10.7 ms
64 bytes from 2a02:e980:c::67: icmp_seq=3 ttl=60 time=11.0 ms
64 bytes from 2a02:e980:c::67: icmp_seq=4 ttl=60 time=11.0 ms
^C
--- dot.kde.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 10.721/10.973/11.152/0.202 ms
OpenSSL connecting IPv4 is OK:
[jburgess@localhost ~]$ openssl s_client -connect 149.126.74.103:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = US, ST = Delaware, L = Dover, O = Incapsula Inc, CN = incapsula.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Delaware/L=Dover/O=Incapsula Inc/CN=incapsula.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
... content deleted ...
-----END CERTIFICATE-----
subject=/C=US/ST=Delaware/L=Dover/O=Incapsula Inc/CN=incapsula.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4910 bytes and written 333 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
27543796A9A45E09435BD0CEDD01932F78C291BC17D50CC46F04F0B0FF856F0F
Session-ID-ctx:
Master-Key:
202005B53ED8D5D9067686AEF12386EE6F2D431D1D89A9FF97054679F253A78404DFFBFA5ACE4363112D44799FEB24C0
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1446162215
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
Connecting via the IPv6 address times out...
[jburgess@localhost ~]$ openssl s_client -connect [2a02:e980:c::67]:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 207 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Similarly connecting via the DNS name (which is likely using IPv6) also times
out:
[jburgess@localhost ~]$ openssl s_client -connect dot.kde.org:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 207 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---