Commit 1d2b56e

security/acme-client: fix IPv6 support HTTP-01 and TLS-ALPN-01 challenges

Underlying issue:

IPv6 features multiple scopes restricting where the IP address
is valid [1]. ::1 belongs to link-local scope which is not
allowed to be routed. As a result FreeBSD will reject the
connection after rewriting, as it will come from global
scope (the internet) and going to ::1 [2]. This isn't allowed.

The fix / workaround:

Instead of redirecting to ::1, the following is tried:

* If there is a WAN interface with an IPv6 address defined,
  redirect to this address.
  I expect most setups with IPv6 to have a WAN interface with
  a suitable (=allowed scope) IPv6 address.
* Else, only redirect the port and leave the address unchanged.
  This will only work if we are issuing a certificate for
  ourselves (rather than a host behind the firewall).

A better solution would be to pick an arbitrary IPv6 address
of the host with a suitable scope. However, I believe this
would be considerably more complex to implement and test.
I propose we use this simplified approach, at least for now,
which should already work for the vast majority of users.

[1]: https://en.wikipedia.org/wiki/IPv6_address#Address_scopes
[2]: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568

1 parent e46a70e
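The address-selection rule the commit message describes, written out as an added Python example. This is not the acme-client plugin's own code (the plugin is PHP) and it does not touch any firewall; it only decides which IPv6 address, if any, a challenge redirect should point at. The interface table, the function names `has_routable_scope`, `pick_redirect_target` and `plan_redirect`, and the `allow_any_interface` option (the broader "pick any address with a suitable scope" strategy the message mentions but does not implement) are all assumptions made for this example; the sample addresses are constructed.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of per-interface addresses, in the shape a firewall
# might report them. Values are illustrative, not taken from the commit.
SAMPLE_INTERFACES: Dict[str, List[str]] = {
    "lo0": ["::1", "127.0.0.1"],
    "lan": ["fe80::1%lan", "fd00:1234::1"],
    "wan": ["fe80::2%wan", "2001:db8::10"],
}


def has_routable_scope(addr: str) -> bool:
    """True when an IPv6 address may be the destination of a connection
    that was redirected after arriving from the global scope.

    Loopback (::1) and link-local (fe80::/10) are rejected, which is the
    FreeBSD behaviour the commit message describes. A zone id such as
    '%wan' is stripped before parsing. IPv4 addresses return False
    because this helper only decides the IPv6 case.
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if ip.version != 6:
        return False
    return not (
        ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_unspecified
    )


def pick_redirect_target(
    interfaces: Dict[str, List[str]],
    wan_names: Iterable[str] = ("wan",),
    allow_any_interface: bool = False,
) -> Optional[str]:
    """Choose the IPv6 address a challenge redirect should point at.

    Preference order follows the commit message: a suitable address on
    the WAN interface first. None means 'redirect only the port and
    leave the destination address unchanged'. allow_any_interface=True
    is the broader strategy the message calls a better solution (any
    interface with a suitable scope); it is an assumption of this
    example, not plugin behaviour.
    """
    wan = list(wan_names)
    if allow_any_interface:
        order = wan + [name for name in interfaces if name not in wan]
    else:
        order = wan
    for name in order:
        for addr in interfaces.get(name, []):
            if has_routable_scope(addr):
                return addr
    return None


def plan_redirect(
    interfaces: Dict[str, List[str]],
    challenge_port: int,
) -> Tuple[str, Optional[str], int]:
    """Describe the redirect to install for an IPv6 challenge.

    Returns (mode, address, port): mode 'rewrite-address' when a WAN
    address with usable scope exists, otherwise 'port-only', which, as
    the commit message notes, only works when the certificate is for
    the firewall itself rather than a host behind it.
    """
    target = pick_redirect_target(interfaces)
    if target is None:
        return ("port-only", None, challenge_port)
    return ("rewrite-address", target, challenge_port)


if __name__ == "__main__":
    for name, addrs in SAMPLE_INTERFACES.items():
        for a in addrs:
            print(f"{name:4} {a:18} usable={has_routable_scope(a)}")
    print(plan_redirect(SAMPLE_INTERFACES, 80))
```

Running the block against the constructed table selects `2001:db8::10` on `wan` and skips both `::1` and the `fe80::` addresses; removing the global WAN address makes `plan_redirect` fall back to the port-only mode, which is exactly the case where a certificate for a host behind the firewall would stop validating.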
3 files changed
Lines changed: 59 additions & 10 deletions
File tree
- security/acme-client/src/opnsense
- mvc/app/library/OPNsense/AcmeClient/LeValidation
- service/templates/OPNsense/AcmeClient
Lines changed: 29 additions & 1 deletion

(Diff body not captured in this page. Recoverable structure: one hunk covering original lines 91-110 / new lines 91-138; new lines 94-121 added after original line 93; original line 107 replaced by new line 135.)
security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php

Lines changed: 29 additions & 1 deletion

(Diff body not captured in this page. Recoverable structure: one hunk covering original lines 92-111 / new lines 92-139; new lines 95-122 added after original line 94; original line 108 replaced by new line 136.)
Lines changed: 1 addition & 8 deletions

(Diff body not captured in this page. Recoverable structure: two hunks; original line 10 replaced by new line 10; original lines 63 and 65-70 deleted, so original lines 71-73 become new lines 64-66.)