AnsweredAssumed Answered

IPv6: Unable to connect

Question asked by Mikael Hakali on Sep 28, 2018
Latest reply on Sep 28, 2018 by Mikael Hakali

Hi.

 

I've recently added AAAA records for some of my sites. 

 

Checking the SSL Labs however I am just getting "Unable to connect to the server" over IPv6 and IPv4 returns an A grade.

 

Doing a tcpdump while testing on the firewall I see;

 

13:17:47.961623 IP6 2600:c02:1020:4202::ac10:8269.46518 > 2a01:298:fe:f::80.443: Flags [S], seq 4175564453, win 14400, options [mss 1380,sackOK,TS val 2004379876 ecr 0,nop,wscale 7], length 0
13:17:47.961903 IP6 2a01:298:fe:f::80.443 > 2600:c02:1020:4202::ac10:8269.46518: Flags [S.], seq 1945363800, ack 4175564454, win 28560, options [mss 1440,sackOK,TS val 495847974 ecr 2004379876,nop,wscale 7], length 0
13:17:47.964057 IP6 2003:d7:bbc4:b700:1bf:f3d5:2840:d52e.61384 > 2a01:298:fe:f::80.443: Flags [.], seq 0:1, ack 1, win 1308, length 1
13:17:47.964291 IP6 2a01:298:fe:f::80.443 > 2003:d7:bbc4:b700:1bf:f3d5:2840:d52e.61384: Flags [.], ack 1, win 275, options [nop,nop,sack 1 {0:1}], length 0
13:17:48.133007 IP6 2600:c02:1020:4202::ac10:8269.46518 > 2a01:298:fe:f::80.443: Flags [.], ack 1, win 113, options

[...]

 

Checking who owns this IP:

 

ASN: AS27385
Country: US
Registration Date: 2003-02-25
Registrar: arin
Owner: QUALYS - QUALYS, Inc., US

 

As such it would seem like Qualys can connect and getting a SYN, SYN-ACK- ACK. As such I am a bit curious as to why the report reads "Unable to connect to the server". Is there any way to get more information from the scanner? Or if someone here from Qualys could kindly check under the hood? :-)

 

Could anyone of you with native IPv6 connection attempt a connection test?

 

The site is https://dsibrew.org

 

Report link:

 

SSL Server Test: dsibrew.org (Powered by Qualys SSL Labs) 

 

The IPv6 and IPv4 listners are configured in the same VHost using SNI. Now I could probably do separate IPs for IPv6 vhosts. But SNI should work fine over IPv6?

 

Any input would be appreciated. :-)

 

Thanks.

 

/Mikael

Outcomes