I am building a webserver ( http://blog.linformatronics.nl/ ), which functions just fine on both IPv4 and IPv6 and when using a non-SSL connection. However when I connect to it through https, IPv6 works as expected, but an IPv4 connection throws a client side error. Server side logs are empty for the IPv4/https connection. Summarized in a table:
| http | https
-----+-------+-------------------------------------------------------
IPv4 | works | OpenSSL error, failed. No server side logging.
-----+-------+-------------------------------------------------------
IPv6 | works | self signed certificate warning, but works as expected
Apparently the SSL tunnel isn't even set up, which accounts for the Apache logs being empty. But why does it work fine for IPv6 and fail for IPv4?
My question is why is this OpenSSL error being thrown and how can I solve it?
Below is some extra information about the setup.
IPv6 https
Command used to reproduce IPv6/https behaviour:
$ wget --no-check-certificate -O /dev/null -6 https://blog.linformatronics.nl
--2012-11-03 15:46:48-- https://blog.linformatronics.nl/
Resolving blog.linformatronics.nl (blog.linformatronics.nl)... 2001:980:1b7f:1:a00:27ff:fea6:a2e7
Connecting to blog.linformatronics.nl (blog.linformatronics.nl)|2001:980:1b7f:1:a00:27ff:fea6:a2e7|:443... connected.
WARNING: cannot verify blog.linformatronics.nl's certificate, issued by `/CN=localhost':
Self-signed certificate encountered.
WARNING: certificate common name `localhost' doesn't match requested host name `blog.linformatronics.nl'.
HTTP request sent, awaiting response... 200 OK
Length: 4556 (4.4K) [text/html]
Saving to: `/dev/null'
100%[=======================================================================>] 4,556 --.-K/s in 0s
2012-11-03 15:46:49 (62.5 MB/s) - `/dev/null' saved [4556/4556]
IPv4 https
Command used to reproduce IPv6/https behaviour:
$ wget --no-check-certificate -O /dev/null -4 https://blog.linformatronics.nl
--2012-11-03 15:47:28-- https://blog.linformatronics.nl/
Resolving blog.linformatronics.nl (blog.linformatronics.nl)... 82.95.251.247
Connecting to blog.linformatronics.nl (blog.linformatronics.nl)|82.95.251.247|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
Notes
- I am on Ubuntu Server 12.04.1 LTS
Answer
You have some serious firewall/NAT misconfigurations. You aren't actually running a web server on port 443...
$ telnet 82.95.251.247 443
Trying 82.95.251.247...
Connected to 82.95.251.247.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
And your IPv6 service seems to be firewalled off...
$ telnet 2001:980:1b7f:1:a00:27ff:fea6:a2e7 443
Trying 2001:980:1b7f:1:a00:27ff:fea6:a2e7...
telnet: connect to address 2001:980:1b7f:1:a00:27ff:fea6:a2e7: Permission denied
Fix your firewall and/or service-on-the-wrong-port issues, and you should find things start working.
No comments:
Post a Comment