5

I am building a webserver (http://blog.linformatronics.nl/), which functions just fine on both IPv4 and IPv6 when using a non-SSL connection. However, when I connect to it through https, IPv6 works as expected, but an IPv4 connection throws a client-side error. Server-side logs are empty for the IPv4/https connection. Summarized in a table:

     | http  | https
-----+-------+-------------------------------------------------------
IPv4 | works | OpenSSL error, failed. No server side logging.
-----+-------+-------------------------------------------------------
IPv6 | works | self signed certificate warning, but works as expected

Apparently the SSL tunnel isn't even set up, which accounts for the Apache logs being empty. But why does it work fine for IPv6 and fail for IPv4? My question is: why is this OpenSSL error being thrown, and how can I solve it?

Below is some extra information about the setup.


IPv6 https

Command used to reproduce IPv6/https behaviour:

$ wget --no-check-certificate -O /dev/null -6 https://blog.linformatronics.nl
--2012-11-03 15:46:48--  https://blog.linformatronics.nl/
Resolving blog.linformatronics.nl (blog.linformatronics.nl)... 2001:980:1b7f:1:a00:27ff:fea6:a2e7
Connecting to blog.linformatronics.nl (blog.linformatronics.nl)|2001:980:1b7f:1:a00:27ff:fea6:a2e7|:443... connected.
WARNING: cannot verify blog.linformatronics.nl's certificate, issued by `/CN=localhost':
  Self-signed certificate encountered.
    WARNING: certificate common name `localhost' doesn't match requested host name `blog.linformatronics.nl'.
HTTP request sent, awaiting response... 200 OK
Length: 4556 (4.4K) [text/html]
Saving to: `/dev/null'

100%[=======================================================================>] 4,556       --.-K/s   in 0s      

2012-11-03 15:46:49 (62.5 MB/s) - `/dev/null' saved [4556/4556]

IPv4 https

Command used to reproduce IPv6/https behaviour:

$ wget --no-check-certificate -O /dev/null -4 https://blog.linformatronics.nl
--2012-11-03 15:47:28--  https://blog.linformatronics.nl/
Resolving blog.linformatronics.nl (blog.linformatronics.nl)... 82.95.251.247
Connecting to blog.linformatronics.nl (blog.linformatronics.nl)|82.95.251.247|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

Notes

  • I am on Ubuntu Server 12.04.1 LTS
jippie

1 Answer

6

You have some serious firewall/NAT misconfigurations. You aren't actually running a web server on port 443...

$ telnet 82.95.251.247 443
Trying 82.95.251.247...
Connected to 82.95.251.247.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1

And your IPv6 service seems to be firewalled off...

$ telnet 2001:980:1b7f:1:a00:27ff:fea6:a2e7 443
Trying 2001:980:1b7f:1:a00:27ff:fea6:a2e7...
telnet: connect to address 2001:980:1b7f:1:a00:27ff:fea6:a2e7: Permission denied

Fix your firewall and/or service-on-the-wrong-port issues, and you should find things start working.

Michael Hampton
  • Shoot! I forgot to reroute the SSH server from port 443 to a different one. Boy is my face red :$ – jippie Nov 03 '12 at 15:43
  • And indeed open port 443 for IPv6. I'll probably come back in a few days asking why I cannot connect to SSH all of a sudden, because I forgot to reconfigure a remote client ;o) – jippie Nov 03 '12 at 15:54
  • Well, now you can just ssh over IPv6 and forget about needing a different port... :) – Michael Hampton Nov 03 '12 at 16:51
  • True, but most remote locations are not IPv6 ready :( – jippie Nov 03 '12 at 16:53
  • @jippie You can use a Teredo client on the machine where you need to run the ssh client. Using Teredo will only be reliable if you install a Teredo relay on the server, but if you do it can be very reliable. Installing Miredo and configuring it to work as a Teredo relay takes less than five minutes. – kasperd Jun 06 '15 at 18:16
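
The check the answer does by hand with telnet, as an added example that is not part of the original thread: connect to the port over each address family and classify whatever the server sends first, which separates "wrong service on 443" from "port firewalled". The names `probe` and `classify_banner` and the host `192.0.2.10` are assumptions for illustration.

```python
import socket

def classify_banner(data: bytes) -> str:
    """Classify what a server sent unprompted right after the TCP connect."""
    if data.startswith(b"SSH-"):
        # SSH servers speak first with an identification string (RFC 4253).
        # A TLS client expecting a ServerHello rejects it: "unknown protocol".
        return "ssh"
    if not data:
        # TLS and HTTP servers send nothing until the client speaks.
        return "silent"
    return "other-banner"  # e.g. an SMTP or FTP greeting

def probe(host, port, family=socket.AF_UNSPEC, timeout=3.0):
    """Connect to every resolved address and report what answers on the port."""
    results = {}
    for af, kind, proto, _, addr in socket.getaddrinfo(
            host, port, family, socket.SOCK_STREAM):
        key = ("IPv6 " if af == socket.AF_INET6 else "IPv4 ") + addr[0]
        try:
            with socket.socket(af, kind, proto) as s:
                s.settimeout(timeout)
                s.connect(addr)
                try:
                    data = s.recv(256)
                except socket.timeout:
                    data = b""  # nothing sent within the timeout
            results[key] = classify_banner(data)
        except OSError as exc:
            # Refused, filtered or unreachable: a firewall/NAT problem, not TLS.
            results[key] = "connect failed: " + str(exc)
    return results

if __name__ == "__main__":
    # Placeholder host from the documentation range; substitute your own server.
    for address, verdict in probe("192.0.2.10", 443, timeout=2.0).items():
        print(address, "->", verdict)
```

A verdict of `ssh` on port 443 for one family and `connect failed` for the other reproduces the two findings in the answer above; `silent` is what a correctly placed HTTPS listener looks like before the client sends its ClientHello.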