Open Bug 1309201 Opened 5 years ago Updated 3 years ago
automated hsts update infrastructure can't connect to ipv6-only hosts
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20161010030204

Steps to reproduce:
Found terrax.net on https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSTSPreloadList.errors
https://dev.ssllabs.com/ssltest/analyze.html?d=terrax.net&hideResults=on

Actual results:
It is not preloaded in Firefox, but in Chrome.

Expected results:
Domain should have been preloaded.

terrax.net is "IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1" only. (Yes, Port 80/HTTP is closed. That's what we all want with preloading.)
Summary: Preload list error [IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1] only → HSTS Preload list problems [IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1] only
From what I can tell, the infrastructure the update script runs on can't connect to ipv6-only hosts. I'll move this to a more appropriate component, but my understanding is we basically can't fix this until ec2 instances support ipv6-only hosts.
Component: Security: PSM → General Automation
Product: Core → Release Engineering
QA Contact: catlee
Summary: HSTS Preload list problems [IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1] only → automated hsts update infrastructure can't connect to ipv6-only hosts
Yeah, right now none of our infra is ipv6 aware. We'd have to make use of some kind of ipv6 gateway.
EC2 now supports ipv6 in some regions: https://aws.amazon.com/blogs/aws/new-ipv6-support-for-ec2-instances-in-virtual-private-clouds/
"Today I am happy to share the news that IPv6 support for EC2 instances in VPCs is now available in a total of fifteen regions, along with Application Load Balancer support for IPv6 in nine of those regions." https://aws.amazon.com/de/blogs/aws/aws-ipv6-update-global-support-spanning-15-regions-multiple-aws-services/
See Also: 1401796 →
Component: General Automation → General