Web Filter + IPv6 flow label + SSL = failed connection

Author
snobs
Silver Member
  • Total Posts : 71
  • Scores: 4
  • Reward points: 0
  • Joined: 2011/02/19 22:41:39
  • Status: offline
2019/01/29 03:57:11 (permalink)
0


Hello,
 
Problem:
Clients with the IPv6 flow label enabled, i.e. non-zero values in the flow label header field, have problems connecting to (some) websites.
 
Steps for reproduction:
 
1. Latest Windows 10 with "netsh int ipv6 set global flowlabel=enabled"
2. wget.exe (Version 1.20) from https://eternallybored.org/misc/wget/
3. On CLI do "wget -6 -d https://files.pythonhosted.org"
Output:
DEBUG output created by Wget 1.20 on mingw32.

Reading HSTS entries from c:\Users\nutzer\Downloads/.wget-hsts
URI encoding = 'CP1252'
converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2019-01-29 12:45:23--  https://files.pythonhosted.org/
Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
Caching files.pythonhosted.org => 2a04:4e42:1b::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x00000000029e8630 (new refcount 1).
Initiating SSL handshake.
seconds 900,00, Winsock error: 10054
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.
 
4. On CLI do "netsh int ipv6 set global flowlabel=disabled"
5. On CLI do "wget -6 -d https://files.pythonhosted.org"
Output:
DEBUG output created by Wget 1.20 on mingw32.

Reading HSTS entries from c:\Users\user1\Downloads/.wget-hsts
URI encoding = 'CP1252'
converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2019-01-29 12:52:01--  https://files.pythonhosted.org/
Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
Caching files.pythonhosted.org => 2a04:4e42:1b::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x0000000000b78570 (new refcount 1).
Initiating SSL handshake.
seconds 900,00, Winsock error: 0
Handshake successful; connected socket 3 to SSL handle 0x0000000000b7cb60
certificate:
  subject: CN=r.ssl.fastly.net,O=Fastly\\, Inc,L=San Francisco,ST=California,C=US
  issuer:  CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
X509 certificate successfully verified and matches host files.pythonhosted.org

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.20 (mingw32)
Accept: */*
Accept-Encoding: identity
Host: files.pythonhosted.org
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... seconds 900,00, Winsock error: 0
seconds 900,00, Winsock error: 0

---response begin---
HTTP/1.1 200 OK
Content-Type: text/html
Server: nginx/1.13.9
Content-Length: 1822
Accept-Ranges: bytes
Date: Tue, 29 Jan 2019 11:52:01 GMT
Age: 0
Connection: keep-alive
X-Served-By: cache-iad2150-IAD, cache-hhn1551-HHN
X-Cache: HIT, MISS
X-Cache-Hits: 1, 0
X-Timer: S1548762722.675927,VS0,VE88
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Robots-Header: noindex

---response end---
200 OK
Registered socket 3 for persistent reuse.
Parsed Strict-Transport-Security max-age = 31536000, includeSubDomains = true
Updated HSTS host: files.pythonhosted.org:443 (max-age: 31536000, includeSubdomains: true)
Length: 1822 (1,8K) [text/html]
Saving to: 'index.html.7'

index.html.7                                                  0%[                                                                                                                                         ]       0  --.-KB/s               seconds 900,00, Winsock error: 0
index.html.7                                                100%[========================================================================================================================================>]   1,78K  --.-KB/s    in 0,002s

2019-01-29 12:52:02 (850 KB/s) - 'index.html.7' saved [1822/1822]

  • Web Filter + certificate inspection is enabled for that policy
  • Lookup rating for domain https://files.pythonhosted.org: Category: General Interest - Business / Sub-Category: Information Technology, which is not blocked
Why does the Web Filter influence the connection?
 
#1


    snobs
    Silver Member
    • Total Posts : 71
    • Scores: 4
    • Reward points: 0
    • Joined: 2011/02/19 22:41:39
    • Status: offline
    Re: Web Filter + IPv6 flow label + SSL =failed connection 2019/02/13 23:28:13 (permalink)
    0
    Update: The problem seems to exist only for sites using IPv6 anycast addresses, e.g. the mentioned *python*.org server.
    #2
    emnoc
    Expert Member
    • Total Posts : 5209
    • Scores: 339
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Web Filter + IPv6 flow label + SSL =failed connection 2019/02/14 04:02:31 (permalink)
    0
    Do you really need the flow label? This header is still not widely supported. I'm wondering if you have a means in the policy6 settings for each policy.id to clear that value back to "0". Can you look, e.g.:
     
    show config firewall policy6
     
    Ken Felix

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #3
    snobs
    Silver Member
    • Total Posts : 71
    • Scores: 4
    • Reward points: 0
    • Joined: 2011/02/19 22:41:39
    • Status: offline
    Re: Web Filter + IPv6 flow label + SSL =failed connection 2019/02/21 01:35:22 (permalink)
    0
    Update: The FortiGate doesn't change the flow label at all. But an RST packet is just sent to the client as if the web filter profile had been triggered. This happens only if the IPv6 flow label is enabled on the client.
     
    Talking about the IPv6 flow label in general: it is used, unfortunately, even though some vendors have problems with it, e.g.:
    https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/
    https://www.youtube.com/watch?v=b0CRjOpnT7w
    Disabling the IPv6 flow label on the client seems to be the only way to cope with it.
     
    #4
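To make the flow label behaviour discussed in this thread concrete (the client-side setting toggled in the reproduction steps of the first post, and the observation in the last update that the label itself is the only difference between a working and a reset connection), here is an added Python example; it is not code from this thread or from Fortinet. It parses the 40-byte IPv6 fixed header, reports whether the 20-bit flow label (bits 12-31 of the first header word, RFC 8200) is non-zero, and shows that clearing the label, the kind of normalisation Ken asks about for the policy6 settings, touches only the first four bytes of the packet while addresses and the TCP segment stay intact. The packet bytes are constructed for the example: the source 2001:db8::10 is a documentation address, the destination 2a04:4e42:1b::319 and port 443 are taken from the wget output above, and the TCP checksum is left at zero.

```python
"""Inspect and normalise the IPv6 flow label (RFC 8200, header bits 12-31).

Added example; not code from the forum thread or from Fortinet.
The packet bytes are constructed to mirror the thread's scenario: a client
with a non-zero flow label opening a TCP connection to 2a04:4e42:1b::319:443.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NEXT_HEADER_TCP = 6
FLOW_LABEL_MASK = 0xFFFFF  # low 20 bits of the first 32-bit header word


def build_ipv6_tcp_syn(src, dst, flow_label, sport=50000, dport=443):
    """Build a minimal IPv6 header plus a 20-byte TCP SYN (no options).

    Constructed test input only: the TCP checksum is left at zero.
    """
    if not 0 <= flow_label <= FLOW_LABEL_MASK:
        raise ValueError("flow label is a 20-bit field")
    # seq=1000, ack=0, data offset 5 words, flags=SYN, window 65535, csum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    first_word = (6 << 28) | flow_label  # version 6, traffic class 0, flow label
    hdr = struct.pack("!IHBB", first_word, len(tcp), NEXT_HEADER_TCP, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + tcp


def parse_ipv6(packet):
    """Return the fixed-header fields of an IPv6 packet as a dict."""
    if len(packet) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & FLOW_LABEL_MASK,
        "payload_len": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
    }


def clear_flow_label(packet):
    """Return a copy of the packet with the flow label set to zero.

    Only the first 4 bytes change; addresses and the transport segment are
    untouched, so the TCP connection itself is unaffected by the rewrite.
    """
    parse_ipv6(packet)  # validates length and version before rewriting
    first_word = struct.unpack("!I", packet[:4])[0] & ~FLOW_LABEL_MASK
    return struct.pack("!I", first_word) + packet[4:]


def flow_label_report(packet):
    """One-line classification, the way a troubleshooting capture filter would show it."""
    f = parse_ipv6(packet)
    label = f["flow_label"]
    status = "non-zero flow label" if label else "flow label 0"
    return f"{f['src']} -> {f['dst']}: {status} (0x{label:05x})"


# Constructed sample packets: the same SYN with and without a flow label.
SRC = "2001:db8::10"          # documentation address (constructed)
DST = "2a04:4e42:1b::319"     # address from the thread's wget output
LABELED = build_ipv6_tcp_syn(SRC, DST, flow_label=0x7A3C1)
UNLABELED = build_ipv6_tcp_syn(SRC, DST, flow_label=0)

if __name__ == "__main__":
    for pkt in (LABELED, UNLABELED):
        print(flow_label_report(pkt))
    # Zeroing the label on the labelled packet yields the unlabelled one byte for byte.
    print("cleared == unlabelled:", clear_flow_label(LABELED) == UNLABELED)
```

Running it prints one line per packet. On a real capture you would feed parse_ipv6 the bytes following the link-layer header; a non-zero label on the connections that get reset and a zero label on those that succeed is exactly the pattern the two wget runs in the first post describe.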