Web Filter + IPv6 flow label + SSL = failed connection

Author: snobs
Posted: 2019/01/29 03:57:11


Hello,
 
Problem:
Clients with the IPv6 flow label enabled, i.e. non-zero values in the flow label header field, have problems connecting to (some) websites.

Steps for reproduction:
1. Latest Windows 10 with "netsh int ipv6 set global flowlabel=enabled"
2. wget.exe (Version 1.20) from https://eternallybored.org/misc/wget/
3. On CLI do "wget -6 -d https://files.pythonhosted.org"
Output:
DEBUG output created by Wget 1.20 on mingw32.

Reading HSTS entries from c:\Users\nutzer\Downloads/.wget-hsts
URI encoding = 'CP1252'
converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2019-01-29 12:45:23--  https://files.pythonhosted.org/
Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
Caching files.pythonhosted.org => 2a04:4e42:1b::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x00000000029e8630 (new refcount 1).
Initiating SSL handshake.
seconds 900,00, Winsock error: 10054
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.
 
4. On CLI do "netsh int ipv6 set global flowlabel=disabled"
5. On CLI do "wget -6 -d https://files.pythonhosted.org"
Output:
DEBUG output created by Wget 1.20 on mingw32.

Reading HSTS entries from c:\Users\user1\Downloads/.wget-hsts
URI encoding = 'CP1252'
converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2019-01-29 12:52:01--  https://files.pythonhosted.org/
Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
Caching files.pythonhosted.org => 2a04:4e42:1b::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x0000000000b78570 (new refcount 1).
Initiating SSL handshake.
seconds 900,00, Winsock error: 0
Handshake successful; connected socket 3 to SSL handle 0x0000000000b7cb60
certificate:
  subject: CN=r.ssl.fastly.net,O=Fastly\\, Inc,L=San Francisco,ST=California,C=US
  issuer:  CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
X509 certificate successfully verified and matches host files.pythonhosted.org

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.20 (mingw32)
Accept: */*
Accept-Encoding: identity
Host: files.pythonhosted.org
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... seconds 900,00, Winsock error: 0
seconds 900,00, Winsock error: 0

---response begin---
HTTP/1.1 200 OK
Content-Type: text/html
Server: nginx/1.13.9
Content-Length: 1822
Accept-Ranges: bytes
Date: Tue, 29 Jan 2019 11:52:01 GMT
Age: 0
Connection: keep-alive
X-Served-By: cache-iad2150-IAD, cache-hhn1551-HHN
X-Cache: HIT, MISS
X-Cache-Hits: 1, 0
X-Timer: S1548762722.675927,VS0,VE88
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Robots-Header: noindex

---response end---
200 OK
Registered socket 3 for persistent reuse.
Parsed Strict-Transport-Security max-age = 31536000, includeSubDomains = true
Updated HSTS host: files.pythonhosted.org:443 (max-age: 31536000, includeSubdomains: true)
Length: 1822 (1,8K) [text/html]
Saving to: 'index.html.7'

index.html.7                                                  0%[                                                                                                                                         ]       0  --.-KB/s               seconds 900,00, Winsock error: 0
index.html.7                                                100%[========================================================================================================================================>]   1,78K  --.-KB/s    in 0,002s

2019-01-29 12:52:02 (850 KB/s) - 'index.html.7' saved [1822/1822]

  • Web Filter + certificate-inspection is enabled for that policy
  • Lookup-Rating for domain https://files.pythonhosted.org: Category: General Interest - Business / Sub-Category: Information Technology, which is not blocked
Why does Web Filter influence the connection?
 
#1
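As an added example (not code from the thread, from Fortinet, or from wget), here is a Python check a network admin could run over captured client packets to confirm that the client really emits non-zero flow labels on its TCP/443 connections, which is the condition the post above ties to the failing handshake. All addresses and packet contents are constructed samples; IPv6 extension headers are not handled.

```python
import ipaddress
import struct
from typing import List, NamedTuple, Optional, Tuple

class IPv6Header(NamedTuple):
    flow_label: int      # 20-bit field; the thread's failure appears only when it is non-zero
    next_header: int
    src: str
    dst: str

def build_ipv6_tcp_packet(flow_label: int, src: str, dst: str, dst_port: int) -> bytes:
    """Construct a minimal IPv6 + TCP SYN packet (sample data, not a real capture)."""
    if not 0 <= flow_label < (1 << 20):
        raise ValueError("flow label is a 20-bit field")
    tcp = struct.pack("!HHIIBBHHH", 51515, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    first_word = (6 << 28) | (0 << 20) | flow_label          # version 6, traffic class 0
    hdr = struct.pack("!IHBB16s16s", first_word, len(tcp), 6, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + tcp

def parse_ipv6_header(pkt: bytes) -> IPv6Header:
    """Decode the 40-byte fixed IPv6 header; rejects truncated or non-IPv6 input."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, _plen, nh, _hl, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return IPv6Header(first_word & 0xFFFFF, nh,
                      str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst)))

def tcp_dst_port(pkt: bytes) -> Optional[int]:
    # Only when TCP follows the fixed header directly; extension headers are not walked.
    if parse_ipv6_header(pkt).next_header != 6 or len(pkt) < 44:
        return None
    return struct.unpack("!H", pkt[42:44])[0]

def labelled_tls_flows(packets: List[bytes]) -> List[Tuple[str, int]]:
    """(dst, flow_label) for every TCP/443 packet whose flow label is non-zero."""
    hits = []
    for pkt in packets:
        h = parse_ipv6_header(pkt)
        if h.flow_label != 0 and tcp_dst_port(pkt) == 443:
            hits.append((h.dst, h.flow_label))
    return hits
# Constructed samples: SYN to the thread's server with a label set, the same with label 0, a non-TLS flow.
SAMPLE = [
    build_ipv6_tcp_packet(0x4B1D7, "2001:db8::10", "2a04:4e42:1b::319", 443),
    build_ipv6_tcp_packet(0, "2001:db8::10", "2a04:4e42:1b::319", 443),
    build_ipv6_tcp_packet(0x4B1D7, "2001:db8::10", "2001:db8::53", 80),
]
```

Feed `labelled_tls_flows` the raw IPv6 frames from a capture taken before and after the `netsh ... flowlabel` change; an empty result after disabling confirms the client side of the experiment.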

    snobs
    Re: Web Filter + IPv6 flow label + SSL = failed connection, 2019/02/13 23:28:13
    Update: The problem seems to exist only for sites using IPv6 anycast addresses, e.g. the mentioned *python*.org server.
    #2

    emnoc
    Re: Web Filter + IPv6 flow label + SSL = failed connection, 2019/02/14 04:02:31
    Do you really need flow-label? This header is still not widely supported. I'm wondering if you have a means in the policy6 settings for each policy.id to clear that value back to "0". Can you look

    e.g.

    show config firewall policy6
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #3