Closed Bug 1309201 Opened 8 years ago Closed 1 years ago

automated hsts update infrastructure can't connect to ipv6-only hosts

Categories

(Release Engineering :: General, defect)

Product:
Release Engineering
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jan, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Build ID: 20161010030204 Steps to reproduce: Found terrax.net on https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSTSPreloadList.errors https://dev.ssllabs.com/ssltest/analyze.html?d=terrax.net&hideResults=on Actual results: It is not preloaded in Firefox, but in Chrome. Expected results: Domain should have been preloaded. terrax.net is "IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1" only. (Yes, Port 80/HTTP is closed. That's what we all want with preloading.)
OS: Unspecified → All
Hardware: Unspecified → All
Summary: Preload list error [IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1] only → HSTS Preload list problems [IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1] only
From what I can tell, the infrastructure the update script runs on can't connect to ipv6-only hosts. I'll move this to a more appropriate component, but my understanding is we basically can't fix this until ec2 instances support ipv6-only hosts.
Component: Security: PSM → General Automation
Product: Core → Release Engineering
QA Contact: catlee
Summary: HSTS Preload list problems [IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1] only → automated hsts update infrastructure can't connect to ipv6-only hosts
Yeah, right now none of our infra is ipv6 aware. We'd have to make use of some kind of ipv6 gateway.
Blocks: IPv6
"Today I am happy to share the news that IPv6 support for EC2 instances in VPCs is now available in a total of fifteen regions, along with Application Load Balancer support for IPv6 in nine of those regions." https://aws.amazon.com/de/blogs/aws/aws-ipv6-update-global-support-spanning-15-regions-multiple-aws-services/
See Also: → 1401796
Component: General Automation → General

I believe this is long fixed, and I see terrax.net in the preload list (https://searchfox.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc) now.

Status: UNCONFIRMED → RESOLVED
Closed: 1 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.