Monday, May 29, 2017

linux - IPv6 working fine, IPv4 throws OpenSSL error



I am building a webserver ( http://blog.linformatronics.nl/ ), which functions just fine on both IPv4 and IPv6 and when using a non-SSL connection. However when I connect to it through https, IPv6 works as expected, but an IPv4 connection throws a client side error. Server side logs are empty for the IPv4/https connection. Summarized in a table:



     | http  | https
-----+-------+-------------------------------------------------------
IPv4 | works | OpenSSL error, failed. No server side logging.
IPv6 | works | self signed certificate warning, but works as expected


Apparently the SSL tunnel isn't even set up, which accounts for the Apache logs being empty. But why does it work fine for IPv6 and fail for IPv4?
My question is why is this OpenSSL error being thrown and how can I solve it?



Below is some extra information about the setup.

IPv6 https

Command used to reproduce IPv6/https behaviour:



$ wget --no-check-certificate -O /dev/null -6 https://blog.linformatronics.nl
--2012-11-03 15:46:48-- https://blog.linformatronics.nl/
Resolving blog.linformatronics.nl (blog.linformatronics.nl)... 2001:980:1b7f:1:a00:27ff:fea6:a2e7
Connecting to blog.linformatronics.nl (blog.linformatronics.nl)|2001:980:1b7f:1:a00:27ff:fea6:a2e7|:443... connected.
WARNING: cannot verify blog.linformatronics.nl's certificate, issued by `/CN=localhost':
  Self-signed certificate encountered.
WARNING: certificate common name `localhost' doesn't match requested host name `blog.linformatronics.nl'.
HTTP request sent, awaiting response... 200 OK
Length: 4556 (4.4K) [text/html]
Saving to: `/dev/null'

100%[=======================================================================>] 4,556 --.-K/s in 0s

2012-11-03 15:46:49 (62.5 MB/s) - `/dev/null' saved [4556/4556]

IPv4 https

Command used to reproduce IPv4/https behaviour:



$ wget --no-check-certificate -O /dev/null -4 https://blog.linformatronics.nl
--2012-11-03 15:47:28-- https://blog.linformatronics.nl/
Resolving blog.linformatronics.nl (blog.linformatronics.nl)... 82.95.251.247
Connecting to blog.linformatronics.nl (blog.linformatronics.nl)|82.95.251.247|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.


Notes

  • I am on Ubuntu Server 12.04.1 LTS


Answer



You have some serious firewall/NAT misconfigurations. You aren't actually running a web server on port 443...

$ telnet 82.95.251.247 443
Trying 82.95.251.247...
Connected to 82.95.251.247.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1


And your IPv6 service seems to be firewalled off...

$ telnet 2001:980:1b7f:1:a00:27ff:fea6:a2e7 443
Trying 2001:980:1b7f:1:a00:27ff:fea6:a2e7...
telnet: connect to address 2001:980:1b7f:1:a00:27ff:fea6:a2e7: Permission denied


Fix your firewall and/or service-on-the-wrong-port issues, and you should find things start working.
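The answer's telnet check can be scripted so the same probe is run per address family and the peer is identified before any TLS handshake is attempted; this is an added example, not code from the question or the answer, and the function names, the 64-byte read and the SSH banner sample in the test are my own assumptions.

```python
"""Probe host:port on one IP family and report what actually answers there.

OpenSSL's 'unknown protocol' means the reply was not a TLS ServerHello. SSH
servers send their banner before the client says anything, so reading first
identifies a port forwarded to sshd; only a silent peer is worth a handshake.
"""
import socket
import ssl
import sys


def classify_preamble(data: bytes) -> str:
    """Name the protocol from bytes a server volunteers before the client sends."""
    if not data:
        return "silent"            # TLS and HTTP servers both wait for the client
    if data.startswith(b"SSH-"):
        return "ssh"               # e.g. b"SSH-2.0-OpenSSH_6.0p1 ..." as in the answer
    if data.startswith(b"HTTP/"):
        return "http"
    if data.startswith(b"220"):
        return "smtp-or-ftp"       # both greet with a 220 line
    return "unknown"


def probe(host: str, port: int = 443, family: int = socket.AF_UNSPEC,
          timeout: float = 3.0) -> dict:
    """Connect with the requested family (AF_INET/AF_INET6), read the peer's
    first bytes, and attempt a TLS handshake only if the peer stayed silent."""
    fam, typ, _, _, addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0]
    with socket.socket(fam, typ) as s:
        s.settimeout(timeout)
        s.connect(addr)
        try:
            banner = s.recv(64)    # assumption: 64 bytes is enough to recognise a banner
        except socket.timeout:
            banner = b""
    result = {"address": addr[0], "banner": banner,
              "preamble": classify_preamble(banner), "tls": None}
    if result["preamble"] == "silent":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # asking "is this TLS?", not "is the cert valid?"
        with socket.socket(fam, typ) as raw:
            raw.settimeout(timeout)
            raw.connect(addr)
            try:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    result["tls"] = tls.version()          # e.g. 'TLSv1.3'
            except OSError as e:                           # SSLError is an OSError
                result["tls"] = "handshake failed: " + str(getattr(e, "reason", e))
    return result


if __name__ == "__main__":
    fam = {"-4": socket.AF_INET, "-6": socket.AF_INET6}.get(sys.argv[1], socket.AF_UNSPEC)
    print(probe(sys.argv[-1], family=fam))
```

A preamble of "ssh" on the IPv4 address and a connect failure on the IPv6 one reproduce the answer's two findings directly; the exact OpenSSL reason string in "handshake failed" varies between OpenSSL versions.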

