Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [SOLVED] webConfigurator do not answer IPv6 requests

    Scheduled Pinned Locked Moved 2.1 Snapshot Feedback and Problems - RETIRED
    27 Posts 4 Posters 10.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      doktornotor Banned
      last edited by

      You are clearly doing something wrong…

      
      $ sockstat -6 -l | grep lighttpd
      root     lighttpd   31281 11 tcp6   *:443                 *:*
      
      
      1 Reply Last reply Reply Quote 0
      • K Offline
        kejianshi
        last edited by

        What do you suppose it is that he might possibly be doing wrong?  haha

        1 Reply Last reply Reply Quote 0
        • D Offline
          doktornotor Banned
          last edited by

          @kejianshi:

          What do you suppose it is that he might possibly be doing wrong?  haha

          Considering the huge amount of information provided… I guess

          1 Reply Last reply Reply Quote 0
          • K Offline
            kejianshi
            last edited by

            If the rest of his IPV6 stuff is working, one might think he didn't select IPV6 in the firewall rules when he was allowing access to the GUI - Although, as you say, its all guessing.

            Does the "Allow IPV6" button in the advanced > networking kill IPV6 everywhere if checked or just that IPV6 flowing through the WAN?

            1 Reply Last reply Reply Quote 0
            • L Offline
              Luzemario
              last edited by

              Thanks for the quick reply guys…

              yes, My IPv6 setup is almost complete. Yes, "allow IPv6" is checked. Yes, running

              sockstat -6 -l | grep lighttpd
              

              returns wich lighttpd is listenning on tcp6, and yes, I receive a https response, but it gives me a blank page (sorry for not telling you this before…)  ;D

              webConfigurator was adjusted to answer only to https requests... and thanks to your quickly responses, I was urged to use a bit more of brain and matched the bug: it only happens when webConfigurator is setted up to https only and one tries to connect https via IPv6... it can be a Firefox bug, but I cannot test with other browsers right now.

              Cheapest hosting - Bom e barato! - www.luzehost.com.br :D

              1 Reply Last reply Reply Quote 0
              • K Offline
                kejianshi
                last edited by

                Are you using it from within a VPN or SSH or something distantly or did you just forward open those ports on your WAN?

                You mention a tunnel?  Like a IPV6 tunnel broker like HE?

                1 Reply Last reply Reply Quote 0
                • L Offline
                  Luzemario
                  last edited by

                  Just now I am accessing from inside LAN. When I chose HTTPS with default webConfigurator certificate, FF appears to get a blank page (or not get the page at all). I am trying to open the address

                  https://[myInternalUniqueGlobalAlreadyWorkingIP]:myport
                  ```(a valid IPv6 address:port of course)
                  
                  But FF refuses to display the login page. It works as expected on my local https://192.168.xxx.yyy:pppp IPv4 address.

                  Cheapest hosting - Bom e barato! - www.luzehost.com.br :D

                  1 Reply Last reply Reply Quote 0
                  • K Offline
                    kejianshi
                    last edited by

                    Hmmm - No idea in that case.

                    1 Reply Last reply Reply Quote 0
                    • L Offline
                      Luzemario
                      last edited by

                      Yeah, I'm surprised, IT IS A FIREFOX 23.0 bug. I could sucessfully open the webConfigurator page using Konqueror…

                      I'm scared...  ???

                      Cheapest hosting - Bom e barato! - www.luzehost.com.br :D

                      1 Reply Last reply Reply Quote 0
                      • L Offline
                        Luzemario
                        last edited by

                        Update: If you want to test your Firefox, try to open the address below (Google):

                        https://[2607:f8b0:4008:803::1015]

                        If you try http://[2607:f8b0:4008:803::1015]:443 Firefox says url is incorrect.

                        This behavior do not happen if you open IPv6 page by name (using DNS). Other browsers can open both addresses without trouble. Tested until Firefox ver 23.0

                        Cheapest hosting - Bom e barato! - www.luzehost.com.br :D

                        1 Reply Last reply Reply Quote 0
                        • K Offline
                          kejianshi
                          last edited by

                          You sure?  Cuz I love guessing wrong what might be wrong…

                          1 Reply Last reply Reply Quote 0
                          • D Offline
                            doktornotor Banned
                            last edited by

                            @kejianshi:

                            You sure?

                            Yes. This bug has only been known for 2,5 years, with the guys doing zilch about; looks like it actually got worse meanwhile and not displaying any error message at all. SSL cannot set exceptions on IPv6 addresses

                            Also, other stupid regression, causing this to fail altogether, not just with untrusted SSL cert: - Firefox nightly doesn't connect to IPv6 literal

                            The development is going pretty much downhill, with useless crap such as the new social API and buttons, instead of focusing in something useful.

                            1 Reply Last reply Reply Quote 0
                            • L Offline
                              Luzemario
                              last edited by

                              Update: This issue was reported upstream:

                              https://bugzilla.mozilla.org/show_bug.cgi?id=903853

                              Crossing fingers to Firefox team to fix it as soon as possible. IPv6 deployment in my country is getting huge attention, as IPv4 blocks here are giving last signals of life…  ;)

                              Cheapest hosting - Bom e barato! - www.luzehost.com.br :D

                              1 Reply Last reply Reply Quote 0
                              • K Offline
                                kejianshi
                                last edited by

                                Hmmmm.  Hopefully we can all go IPV6 soon, dump IPV4 before IPV9 comes out and then maybe Firefox would notice all the broken browsers.

                                1 Reply Last reply Reply Quote 0
                                • D Offline
                                  doktornotor Banned
                                  last edited by

                                  @kejianshi:

                                  Hmmmm.   Hopefully we can all go IPV6 soon, dump IPV4 before IPV9 comes out and then maybe Firefox would notice all the broken browsers.

                                  The guys are just "amazing". The bug's been there for ages, just regressing badly recently, making it much worse (previously you'd just get the usual self-signed cert nagscreen, but you could not add an exception for IPv6 literal. Now you get a blank page…) Instead of fixing the darned thing, the guys discuss that they "intend to discourage certificates that include IP addresses." Apparently realizing that the user is not in a position to do anything about whatever certificate that the admin decided to use is way above the guys' heads. Clearly, browsers are not there to browse websites any more, they are there to nag users with stupid warnings (self-signed certs are baaad, mkay... CNNIC one's rock though, that's what Mozilla trusts.) And this idiocy is not limited to Mozilla, e.g. Chrome won't let you browse local XML files, since XSL stylesheets are extremely "dangerous". They are much safer when downloaded from web, mkay, riiight!

                                  1 Reply Last reply Reply Quote 0
                                  • K Offline
                                    kejianshi
                                    last edited by

                                    I doubt its a bug.  More likely its something designed to generate revenue by making people run out and grab "Good signed certs" that make pretty green banner colors when you browse to a site.  Exploiting stupidity is a time honoured tradition.  We all know that certs are so much more trustworthy when they were generated and signed by some yahoo you don't even know.

                                    1 Reply Last reply Reply Quote 0
                                    • L Offline
                                      Luzemario
                                      last edited by

                                      I agree with you both. Here government sites .gov.br are signed by a centralized government entity called "ICP Brasil". This entity is trusted, but browsers refuse to add it to your root cert list by unknown reasons. There are plenty of bug requests asking to add the ICP's root cert, but it seems it will never be done…

                                      Cheapest hosting - Bom e barato! - www.luzehost.com.br :D

                                      1 Reply Last reply Reply Quote 0
                                      • K Offline
                                        kejianshi
                                        last edited by

                                        Well - The Military here and government (Serious sites for serious people, not for public use) don't submit their certs to anybody.
                                        Shows up red just like any self signed cert I'd make unless the people who use them install the certs in their trusted cert store.
                                        Thats also how I handle certs. Handed out by hand for friends I'd trust to certain things.

                                        But really - Certs have become a huge racket.  I'd say issuing certs is like printing money except paper does cost SOMETHING.

                                        1 Reply Last reply Reply Quote 0
                                        • K Offline
                                          Klaws
                                          last edited by

                                          @kejianshi:

                                          But really - Certs have become a huge racket.  I'd say issuing certs is like printing money except paper does cost SOMETHING.

                                          You mean - you could operate a company which issues digital certificates from your parent's garage, and become a multi-millionaire? Amazing.

                                          http://en.wikipedia.org/wiki/Mark_Shuttleworth

                                          Of course, this is impossible to repeat nowadays. Shuttlework (Thawte) and Verisign were lucky enough to have their root certificates public key installed in the first Netscape browser. The rest is history.

                                          1 Reply Last reply Reply Quote 0
                                          • D Offline
                                            doktornotor Banned
                                            last edited by

                                            @Klaws:

                                            You mean - you could operate a company which issues digital certificates from your parent's garage, and become a multi-millionaire? Amazing.

                                            Been tried and failed… Clearly, these days you need to pay $$$$$$$ to the right browser guys first, like CNNIC. ::)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.