LdapJssSSLSocketFactory uses JSS's SSLSocket from org.mozilla.jss. As of now, SSLSocket is limited to AF_INET (IPv4) connections [1]. The experimental JSS branch contains IPv6 support [2]. Other places like HttpConnFactory are probably affected, too.
TomcatJSS seems to be affected, too. SSLServerSocket.socketBind() is hard-coded to AF_INET as well. [3]
Also see https://github.com/freeipa/freeipa/pull/395 and https://fedorahosted.org/freeipa/ticket/6575
[1] https://hg.mozilla.org/projects/jss/file/1a96a08e6f3d/org/mozilla/jss/ssl/SSLSocket.c#l443
[2] https://hg.mozilla.org/projects/jss/file/c76470016016/org/mozilla/jss/ssl/SSLSocket.c#l593
[3] https://hg.mozilla.org/projects/jss/file/1a96a08e6f3d/org/mozilla/jss/ssl/common.c#l374
See also ticket #2570. The IPA issue with IPv6 could be addressed by changing the AJP hostname to "localhost" instead of "127.0.0.1" or "::1".
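The "localhost" suggestion above works because the name resolves to both loopback addresses, so a socket layer that can only open AF_INET sockets still finds 127.0.0.1, whereas a literal "::1" leaves it nothing to try. The following diagnostic is an added example, not code from the ticket, Dogtag PKI or JSS: it resolves each candidate connector host and reports whether an AF_INET-only socket layer (the constraint described in this ticket) has any address to connect to. The `constructed_resolver` answer table is made up to mirror a typical dual-stack /etc/hosts so the check runs offline; `system_resolver` wraps `socket.getaddrinfo()` for use against a real host.

```python
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# A resolver maps (host, port) to (address family, address) pairs. The
# system resolver wraps getaddrinfo(); the constructed one answers from a
# fixed table so the check can run offline.
Resolver = Callable[[str, int], Iterable[Tuple[int, str]]]

AJP_PORT = 8009  # default AJP port; only used as the service port for resolution


def system_resolver(host: str, port: int) -> List[Tuple[int, str]]:
    """Resolve host with the OS resolver, keeping only family and address."""
    return [(family, sockaddr[0])
            for family, _socktype, _proto, _canonname, sockaddr
            in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)]


# Constructed answer table (not real resolver output): models a dual-stack
# host where "localhost" maps to both loopback addresses.
_CONSTRUCTED_TABLE: Dict[str, List[Tuple[int, str]]] = {
    "127.0.0.1": [(socket.AF_INET, "127.0.0.1")],
    "::1": [(socket.AF_INET6, "::1")],
    "localhost": [(socket.AF_INET6, "::1"), (socket.AF_INET, "127.0.0.1")],
}


def constructed_resolver(host: str, port: int) -> List[Tuple[int, str]]:
    """Offline stand-in for system_resolver backed by the constructed table."""
    return list(_CONSTRUCTED_TABLE.get(host, []))


def candidate_addresses(host: str, supported_families: Iterable[int],
                        port: int = AJP_PORT,
                        resolver: Resolver = system_resolver) -> List[str]:
    """Addresses that a socket layer limited to supported_families could try."""
    allowed = set(supported_families)
    return [addr for family, addr in resolver(host, port) if family in allowed]


def af_inet_only_can_connect(host: str, port: int = AJP_PORT,
                             resolver: Resolver = system_resolver) -> bool:
    """Does an AF_INET-only socket layer (the JSS limitation) have any address for host?"""
    return bool(candidate_addresses(host, [socket.AF_INET], port, resolver))


def dual_stack_can_connect(host: str, port: int = AJP_PORT,
                           resolver: Resolver = system_resolver) -> bool:
    """Same check for a socket layer that supports both AF_INET and AF_INET6."""
    families = [socket.AF_INET, socket.AF_INET6]
    return bool(candidate_addresses(host, families, port, resolver))


def connector_host_report(hosts: Iterable[str], port: int = AJP_PORT,
                          resolver: Resolver = system_resolver) -> Dict[str, dict]:
    """Per host: resolved IPv4/IPv6 addresses and which socket layers can reach it."""
    report = {}
    for host in hosts:
        v4 = candidate_addresses(host, [socket.AF_INET], port, resolver)
        v6 = candidate_addresses(host, [socket.AF_INET6], port, resolver)
        report[host] = {
            "ipv4": v4,
            "ipv6": v6,
            "af_inet_only_ok": bool(v4),
            "dual_stack_ok": bool(v4 or v6),
        }
    return report


if __name__ == "__main__":
    # Run against the constructed table; pass resolver=system_resolver to
    # inspect the hosts a real connector configuration names.
    report = connector_host_report(_CONSTRUCTED_TABLE, resolver=constructed_resolver)
    for host, info in report.items():
        status = "ok" if info["af_inet_only_ok"] else "unreachable for an AF_INET-only socket layer"
        print(f"{host:10} ipv4={info['ipv4']} ipv6={info['ipv6']} -> {status}")
```

With the constructed table, "127.0.0.1" and "localhost" are reachable for an AF_INET-only layer and "::1" is not, which is exactly the case the workaround sidesteps; once a JSS build with AF_INET6 support is in place, `dual_stack_can_connect` is the relevant check.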
It took me a bit to realize that Fedora and RHEL packages of JSS come with additional patches. One of the patches provides IPv6 support, https://src.fedoraproject.org/cgit/rpms/jss.git/tree/jss-ipv6.patch?h=f25
As this will be addressed by upstream integration of JSS which is due in the 10.4 timeframe, I will move this ticket to 10.4 - critical
Metadata Update from @cheimes: - Issue set to the milestone: 10.4
Upstream from Mozilla and downstream packages in Fedora have diverged. Fedora's downstream package source, like http://pki.fedoraproject.org/pki/sources/jss/4.4.1/jss-4.4.1.tar.gz, contains a patched version with proper AF_INET6 support. I'm closing this ticket.
Metadata Update from @cheimes: - Custom field feature adjusted to '' - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field version adjusted to '' - Issue close_status updated to: None
Metadata Update from @cheimes: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.2 (was: 10.4)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2695
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.