automated hsts update infrastructure can't connect to ipv6-only hosts

Status: UNCONFIRMED
Assignee: Unassigned
Product: Release Engineering
Component: General Automation
Opened: a year ago
Last updated: 3 months ago
Reporter: darkspirit
Blocks: 1 bug
Firefox Tracking Flags: Not tracked

Description

a year ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20161010030204

Steps to reproduce:

Found terrax.net on https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSTSPreloadList.errors

https://dev.ssllabs.com/ssltest/analyze.html?d=terrax.net&hideResults=on


Actual results:

It is not preloaded in Firefox, but in Chrome.


Expected results:

Domain should have been preloaded.
terrax.net is "IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1" only. (Yes, Port 80/HTTP is closed. That's what we all want with preloading.)
(Reporter)

Updated

a year ago
OS: Unspecified → All
Hardware: Unspecified → All
(Reporter)

Updated

a year ago
Summary: Preload list error [IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1] only → HSTS Preload list problems [IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1] only
From what I can tell, the infrastructure the update script runs on can't connect to ipv6-only hosts. I'll move this to a more appropriate component, but my understanding is we basically can't fix this until ec2 instances support ipv6-only hosts.
Component: Security: PSM → General Automation
Product: Core → Release Engineering
QA Contact: catlee
Summary: HSTS Preload list problems [IPv6 + Port 443 + ECDHE-RSA-AES256-GCM-SHA384 + secp521r1] only → automated hsts update infrastructure can't connect to ipv6-only hosts
Yeah, right now none of our infra is ipv6 aware. We'd have to make use of some kind of ipv6 gateway.
EC2 now supports ipv6 in some regions:
https://aws.amazon.com/blogs/aws/new-ipv6-support-for-ec2-instances-in-virtual-private-clouds/
(Reporter)

Updated

8 months ago
Blocks: 136898
(Reporter)

Comment 5

8 months ago
"Today I am happy to share the news that IPv6 support for EC2 instances in VPCs is now available in a total of fifteen regions, along with Application Load Balancer support for IPv6 in nine of those regions."
https://aws.amazon.com/de/blogs/aws/aws-ipv6-update-global-support-spanning-15-regions-multiple-aws-services/
(Reporter)

Updated

3 months ago
See Also: → bug 1401796