Mailing List Archive

Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Status: New
Owner: ----

New issue 1309 by dan...@d15.biz: Having IPv6 enabled breaks SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

I've found that when IPv6 is enabled, Cherokee serves plain HTTP on SSL
ports, even when the port is correctly marked as a SSL/TLS port. Once IPv6
is disabled, SSL works correctly. Another user in the Cherokee IRC channel
("minus") has encountered the same issue.

Previous (related) mailing list post:
http://permalink.gmane.org/gmane.comp.web.cherokee.general/8117

To reproduce:
1. Install Cherokee on Debian (I used Cherokee 1.2.100 from Debian Unstable)
2. Ensure IPv6 and SSL are both enabled and configured correctly
3. Go to https://server/

Expected: Page loads via SSL
Actual: Page does not load, but going to http://server:443/ works

My configuration:
- Debian Testing, all upgrades applied as at 29th November 2011
- Cherokee 1.2.100 from Debian Unstable

Also replicated with this configuration (by minus from IRC):
- Ubuntu 10.04, 32-bit
- Cherokee 1.2.101 from Ubuntu PPA

_______________________________________________
Cherokee-dev mailing list
Cherokee-dev@lists.octality.com
http://lists.octality.com/listinfo/cherokee-dev
Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #1 on issue 1309 by p...@noc4.net: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

looks like this could be the same as Issue 1308

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #2 on issue 1309 by alobbs: Having IPv6 enabled breaks SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

Looks like you did not mark the 443 port as a SSL/TLS port, that's why it
loads with "http://" and fails with "https://".

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #3 on issue 1309 by daniel@d15.biz: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

Port 443 is marked as an SSL/TLS port, and works when IPv6 is disabled.
However, as soon as IPv6 is enabled, it stops working as an SSL port and
just serves plain HTTP.

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #4 on issue 1309 by p...@noc4.net: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

confirm behaviour as described in Comment 3 (see attached config screen
grab, and this config snippet):

config!version = 001002101
server!bind!3!interface = 31.3.231.205
server!bind!3!port = 443
server!bind!3!tls = 1
server!bind!4!interface = 31.3.231.205
server!bind!4!port = 80
server!bind!4!tls = 0
server!bind!5!interface = 2a02:2658:1017::450:3
server!bind!5!port = 443
server!bind!5!tls = 1
server!bind!6!interface = 2a02:2658:1017::450:3
server!bind!6!port = 80

actually IPv6 works as https and then IPv4 serves plain http on port 443

test with
http://31.3.231.205:443/
https://[2a02:2658:1017::450:3]:443/

I'll leave these on whilst this bug is in progress

Attachments:
General - Cherokee Admin.png 51.8 KB

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #5 on issue 1309 by ste...@konink.de: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

Issue 1308 has been merged into this issue.

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #6 on issue 1309 by p...@noc4.net: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

after further testing it appears that when binding to all addresses with:

config!version = 001002101
server!bind!1!port = 80
server!bind!1!tls = 0
server!bind!2!port = 443
server!bind!2!tls = 1

everything behaves as expected on v4 & v6

however with:

config!version = 001002101
server!bind!3!interface = 31.3.231.205
server!bind!3!port = 443
server!bind!3!tls = 1
server!bind!4!interface = 31.3.231.205
server!bind!4!port = 80
server!bind!4!tls = 0
server!bind!5!interface = 2a02:2658:1017::450:3
server!bind!5!port = 443
server!bind!5!tls = 1
server!bind!6!interface = 2a02:2658:1017::450:3
server!bind!6!port = 80

the ports and protocols become muddled up as described above

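A defensive check for the symptom reported in this thread, as an added example that is not part of the original posts or Cherokee's own code: it parses `server!bind!N!...` lines and probes each listener to see whether it answers TLS or plain HTTP, flagging binds whose behaviour contradicts their `tls` flag. The sample config uses constructed documentation addresses; `parse_binds`, `probe` and `audit` are hypothetical names, and a bind with no interface is assumed to be reachable via localhost.

```python
import re, socket, ssl
# Constructed sample in the thread's config format (documentation addresses).
SAMPLE = """\
server!bind!3!interface = 192.0.2.10
server!bind!3!port = 443
server!bind!3!tls = 1
server!bind!5!interface = 2001:db8::3
server!bind!5!port = 443
server!bind!5!tls = 1
server!bind!6!interface = 2001:db8::3
server!bind!6!port = 80
"""
CONVERT = {"interface": str, "port": int, "tls": lambda v: v == "1"}

def parse_binds(text):
    """Map bind id -> {'interface', 'port', 'tls'}; a missing tls key means plain."""
    binds = {}
    for num, key, val in re.findall(r"^server!bind!(\d+)!(\w+)\s*=\s*(\S+)", text, re.M):
        entry = binds.setdefault(int(num), {"interface": "", "port": 0, "tls": False})
        if key in CONVERT:
            entry[key] = CONVERT[key](val)
    return binds

def probe(host, port, timeout=3.0):
    """Return 'tls', 'plain-http' or 'unknown' for what the listener really speaks."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the protocol is under test here,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    try:
        with socket.create_connection((host, port), timeout) as sock:
            with ctx.wrap_socket(sock):
                return "tls"
    except OSError:                  # ssl.SSLError and timeouts are OSError subclasses
        pass
    try:
        with socket.create_connection((host, port), timeout) as sock:
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            return "plain-http" if sock.makefile("rb").read(5) == b"HTTP/" else "unknown"
    except OSError:
        return "unknown"

def audit(binds, probe_fn=probe):
    """Return (id, interface, port, seen) for binds contradicting their tls flag."""
    findings = []
    for bind_id, b in sorted(binds.items()):
        seen = probe_fn(b["interface"] or "localhost", b["port"])
        if seen != "unknown" and (seen == "tls") != b["tls"]:
            findings.append((bind_id, b["interface"], b["port"], seen))
    return findings
```

Run `audit(parse_binds(open(path).read()))` on the server itself after every bind change; a non-empty result for a port 443 bind means requests to that address are being answered in cleartext.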
Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #7 on issue 1309 by soc...@anonsphere.com: Having IPv6 enabled
breaks SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

I tried to add IPv6 support to my server and found exactly the same behaviour
(.101 debian). IPv6 enabled => SSL broken. Another (usability) problem is
that cherokee fails to start when IPv6 is disabled, but the v6 address is
added, because port 443 is blocked.

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #8 on issue 1309 by soc...@anonsphere.com: Having IPv6 enabled
breaks SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

Oh and it works, if you attach port 80 and 443 to all interfaces as comment
6 mentions.

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #9 on issue 1309 by paul@noc4.net: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

any news on the "new architecture" which is going to fix this issue?

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #10 on issue 1309 by ste...@konink.de: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

https://github.com/cherokee/webserver/tree/dev

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #11 on issue 1309 by ste...@konink.de: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

http://www.cherokee-project.com/download/pre-releases/cherokee-1.3.0A1.tar.gz

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #12 on issue 1309 by jeremy.v...@gmail.com: Having IPv6 enabled
breaks SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

Issue is reproducible with 1.3.0A2.

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #13 on issue 1309 by martin.b...@gmail.com: Having IPv6 enabled
breaks SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

I'm having this issue with 1.3.0A2 (Debian Squeeze) too.

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #14 on issue 1309 by martin.b...@gmail.com: Having IPv6 enabled
breaks SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

I'm having this issue with 1.3.0A2 (Debian Squeeze) too but only if I have
multiple IPs bound.

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #15 on issue 1309 by ammac...@gmail.com: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

Reproducible with Cherokee 1.2.101 from FreeBSD ports on FreeBSD
8.3-RELEASE-p3 amd64. Disabling IPv6 access allows SSL to work over IPv4.

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #16 on issue 1309 by ste...@konink.de: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

Can you also reproduce this with the current github master version?

Re: Issue 1309 in cherokee: Having IPv6 enabled breaks SSL/TLS
Comment #17 on issue 1309 by paul@noc4.net: Having IPv6 enabled breaks
SSL/TLS
http://code.google.com/p/cherokee/issues/detail?id=1309

sadly yes:

# git describe
v1.2.101-112-gacfe9d6
