SSL over IPv6 broken in Firefox for Windows...

Andrew Yourtchenko ayourtch at cisco.com
Wed Dec 2 23:18:10 CET 2009


On Tue, 1 Dec 2009, Martin Hotze wrote:

> https://timatio.com/ produces an error: "SSL received a record
> that exceeded the maximum permissible length.
> (Error code: ssl_error_rx_record_too_long)"

This example looks like a glitch with the behaviour of the v6-to-v4 
proxy that enables the ipv6 connectivity for the site.

So the server side interprets the browser's Client Hello as a "request",
and barfs in cleartext, which the browser tries to interpret as a TLS 
record, and the first check that fails on that happens to be the length 
check, and the user sees the cryptic error message.


wireshark, try to connect, get the error, "follow tcp stream":

client->server:
...........K....#....b.__(.2.........,.R8$...F.
.......9.8.......5.........E.D.3.2...........A...../.........
.....
...*.........timatio.com.
.................#..


server->client:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>... to / not supported.<br />
</p>
<hr>
<address>Apache/2.2.9 Server at 188.40.65.74 Port 80</address>
</body></html>

client->server: (TLS Alert, unexpected message)
......

Then the connection gets reset.


Since the error code reveals the IPv4 address and port, I assume that 
there's the proxy/load balancer, that ends up doing just L4 forwarding 
between the port 443 on the IPv6 side and the port 80 on the IPv4 side, 
and for some reason does not do the TLS offloading.

I've sent the folks a message via the "feedback" form on their site.

cheers,
andrew

>
> Regards, Martin
>
>> -----Original Message-----
>> From: ipv6-ops-bounces+martin=hotze.com at lists.cluenet.de
>> [mailto:ipv6-ops-bounces+martin=hotze.com at lists.cluenet.de] On Behalf Of
>> Alexander Mayrhofer
>> Sent: Tuesday, December 01, 2009 3:43 PM
>> To: ipv6-ops at lists.cluenet.de
>> Subject: SSL over IPv6 broken in Firefox for Windows...
>>
>> Hello,
>>
>> A colleague of mine has recently found out that the popular Firefox web
>> browser fails on https-URLs over IPv6, but only on Windows (Linux works
>> fine). The only way to get https sites working is to disable IPv6 in the
>> browser - not very useful for fostering IPv6 deployment. The full bug
>> report is here:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=513659
>>
>> I think this is a major issue - however, I do understand that the focus
>> of the Mozilla developers is not necessarily on IPv6 yet. However, feel
>> free to vote for the bug if you think that it deserves more attention ;)
>>
>> Thanks,
>>
>> Alex
>
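
Added example, not part of the original message: a small Python check that reads the first five bytes of a server reply as a TLS record header, showing why a cleartext Apache error page sent on port 443 surfaces as ssl_error_rx_record_too_long. The function names, the prefix list and the order of the checks are assumptions made for illustration (the order follows the description in the message above, not the browser's source); the non-Apache sample inputs are constructed.

```python
import struct

# Upper bound on the length field of a TLS 1.0-1.2 record (RFC 5246, 6.2.3).
MAX_CIPHERTEXT_LEN = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Hypothetical list of prefixes that indicate an HTTP reply sent in cleartext.
CLEARTEXT_PREFIXES = (b"HTTP/", b"<!DOCTYPE", b"<html", b"<HTML")


def parse_record_header(data):
    """Split the 5-byte TLS record header: type(1), version(2), length(2)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of the reply")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def diagnose(data):
    """Classify the first bytes a server sent in answer to a ClientHello."""
    ctype, version, length = parse_record_header(data)
    # Assumption: length is checked first, as the message above describes.
    if length > MAX_CIPHERTEXT_LEN:
        verdict = "record_too_long"
    elif ctype not in CONTENT_TYPES or version[0] != 3:
        verdict = "not_tls"
    else:
        verdict = "tls_" + CONTENT_TYPES[ctype]
    return {"verdict": verdict,
            "length_field": length,
            "cleartext_reply": data.startswith(CLEARTEXT_PREFIXES)}


# First line of the Apache 501 page from the capture quoted above.
APACHE_501 = b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
# Constructed samples: a raw HTTP status line and the start of a ServerHello.
HTTP_STATUS = b"HTTP/1.1 400 Bad Request\r\n"
SERVER_HELLO = b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46"

if __name__ == "__main__":
    for name, sample in [("apache 501", APACHE_501),
                         ("http status", HTTP_STATUS),
                         ("server hello", SERVER_HELLO)]:
        print(name, diagnose(sample))
```

The bytes "<!DOC" read as a record header give a length field of 0x4f43, which is above the 18432-byte limit, so the length check trips before anything else looks wrong. A "record_too_long" verdict together with cleartext_reply set is the signature of a port 443 listener that forwards to a plain HTTP backend without terminating TLS.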

