#2575 No IPv6 support in JSS SSLSocket and SSLServerSocket
Closed: invalid 6 years ago Opened 7 years ago by cheimes.

LdapJssSSLSocketFactory uses JSS's SSLSocket from org.mozilla.jss. As of now SSLSocket is limited to AF_INET (IPv4) connections [1]. The experimental JSS branch contains IPv6 support [2]. Other places like HttpConnFactory are probably affected, too.

TomcatJSS seems to be affected, too. SSLServerSocket.socketBind() is hard-coded to AF_INET as well. [3]

Also see https://github.com/freeipa/freeipa/pull/395 and https://fedorahosted.org/freeipa/ticket/6575

[1] https://hg.mozilla.org/projects/jss/file/1a96a08e6f3d/org/mozilla/jss/ssl/SSLSocket.c#l443
[2] https://hg.mozilla.org/projects/jss/file/c76470016016/org/mozilla/jss/ssl/SSLSocket.c#l593
[3] https://hg.mozilla.org/projects/jss/file/1a96a08e6f3d/org/mozilla/jss/ssl/common.c#l374
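
The limitation described above, as an added C example that is not part of the original ticket and is not JSS code: an address setup hard-coded to AF_INET cannot represent `::1`, while deriving the family from the address handles both. The helper names and port 8009 are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper mirroring a code path hard-coded to AF_INET:
 * it can only represent IPv4 literals. Returns the family or -1. */
int fill_addr_ipv4_only(const char *host, unsigned short port,
                        struct sockaddr_storage *ss, socklen_t *len)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)ss;
    memset(ss, 0, sizeof(*ss));
    if (inet_pton(AF_INET, host, &sin->sin_addr) != 1)
        return -1;                      /* "::1" ends up here */
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    *len = sizeof(*sin);
    return AF_INET;
}

/* Hypothetical family-agnostic variant: the family is derived from the
 * address, so the caller can pass it on to socket() and bind()/connect(). */
int fill_addr_any(const char *host, unsigned short port,
                  struct sockaddr_storage *ss, socklen_t *len)
{
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;
    int family = fill_addr_ipv4_only(host, port, ss, len);
    if (family != -1)
        return family;
    memset(ss, 0, sizeof(*ss));
    if (inet_pton(AF_INET6, host, &sin6->sin6_addr) != 1)
        return -1;                      /* not a numeric address at all */
    sin6->sin6_family = AF_INET6;
    sin6->sin6_port = htons(port);
    *len = sizeof(*sin6);
    return AF_INET6;
}

int main(void)
{
    const char *hosts[] = { "127.0.0.1", "::1" };   /* constructed inputs */
    struct sockaddr_storage ss;
    socklen_t len;
    for (int i = 0; i < 2; i++)
        printf("%-10s ipv4-only=%d any=%d\n", hosts[i],
               fill_addr_ipv4_only(hosts[i], 8009, &ss, &len),
               fill_addr_any(hosts[i], 8009, &ss, &len));
    return 0;
}
```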


See also ticket #2570. The IPA issue with IPv6 could be addressed by changing the AJP hostname to "localhost" instead of "127.0.0.1" or "::1".

It took me a bit to realize that Fedora and RHEL packages of JSS come with additional patches. One of the patches provides IPv6 support, https://src.fedoraproject.org/cgit/rpms/jss.git/tree/jss-ipv6.patch?h=f25

As this will be addressed by upstream integration of JSS which is due in the 10.4 timeframe, I will move this ticket to 10.4 - critical

Metadata Update from @cheimes:
- Issue set to the milestone: 10.4

7 years ago

Upstream from Mozilla and downstream packages in Fedora have diverged. Fedora's downstream package source like http://pki.fedoraproject.org/pki/sources/jss/4.4.1/jss-4.4.1.tar.gz contains a patched version with proper AF_INET6 support. I'm closing this ticket.

Metadata Update from @cheimes:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None

6 years ago

Metadata Update from @cheimes:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.2 (was: 10.4)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2695

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
