Commit e4f5d75
security/acme-client: fix IPv6 support for HTTP-01 and TLS-ALPN-01 challenges
Underlying issue:
IPv6 features multiple scopes restricting where the IP address
is valid [1]. ::1 belongs to link-local scope which is not
allowed to be routed. As a result, FreeBSD will reject the
connection after rewriting, as it will come from global
scope (the internet) and go to ::1 [2]. This isn't allowed.
The fix / workaround:
Instead of redirecting to ::1, the following is tried:
* If there is a WAN interface with an IPv6 address defined,
redirect to this address.
I expect most setups with IPv6 to have a WAN interface with
a suitable (=allowed scope) IPv6 address.
* Else, only redirect the port and leave the address unchanged.
This will only work if we are issuing a certificate for
ourselves (rather than a host behind the firewall).
A better solution would be to pick an arbitrary IPv6 address
of the host with a suitable scope. However, I believe this
would be considerably more complex to implement and test.
I propose we use this simplified approach, at least for now,
which should already work for the vast majority of users.
[1]: https://en.wikipedia.org/wiki/IPv6_address#Address_scopes
[2]: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568
1 parent 926169c
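As an added illustration of the address selection the commit message describes (this is not code from the OPNsense acme-client plugin), the following Python classifies IPv6 addresses by scope and applies the same order of preference: the first WAN address of a suitable scope wins, otherwise the redirect keeps the destination address and changes only the port. It goes one step beyond the commit by also trying the "better solution" the message mentions, scanning any other host addresses of suitable scope, as an optional middle step. Treating unique-local (fc00::/7) addresses as acceptable targets is an assumption of this example, and the sample addresses and the challenge port 43580 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# fc00::/7: unique-local unicast (RFC 4193).  Accepting ULA as a redirect
# target is an assumption of this example, not something the commit states.
ULA = ipaddress.ip_network("fc00::/7")
REDIRECTABLE_SCOPES = {"global", "unique-local"}


def _parse(text: str) -> ipaddress.IPv6Address:
    # Drop a zone identifier such as "%em0": it only appears on link-local
    # addresses, which are rejected anyway, and older Pythons refuse to parse it.
    return ipaddress.IPv6Address(text.split("%", 1)[0])


def ipv6_scope(text: str) -> str:
    """Name the scope of an IPv6 address as far as a redirect target cares."""
    addr = _parse(text)
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:               # ::1 has link-local scope (RFC 4291)
        return "loopback"
    if addr.is_link_local:             # fe80::/10, valid on one link only
        return "link-local"
    if addr.is_multicast:              # ff00::/8
        return "multicast"
    if addr.is_site_local:             # fec0::/10, deprecated by RFC 3879
        return "site-local"
    if addr.ipv4_mapped is not None:   # ::ffff:a.b.c.d is really IPv4
        return "ipv4-mapped"
    if addr in ULA:
        return "unique-local"
    return "global"


@dataclass(frozen=True)
class Redirect:
    """address=None means: rewrite only the port, keep the destination address."""
    address: Optional[str]
    port: int


def choose_redirect(wan_addresses: Sequence[str], challenge_port: int,
                    other_host_addresses: Sequence[str] = ()) -> Redirect:
    """Pick where inbound challenge traffic goes, in the commit's order of preference."""
    # 1. A WAN address of suitable scope (what the commit implements).
    for text in wan_addresses:
        if ipv6_scope(text) in REDIRECTABLE_SCOPES:
            return Redirect(str(_parse(text)), challenge_port)
    # 2. Any other host address of suitable scope (the "better solution"
    #    the commit message mentions but does not implement).
    for text in other_host_addresses:
        if ipv6_scope(text) in REDIRECTABLE_SCOPES:
            return Redirect(str(_parse(text)), challenge_port)
    # 3. Port-only redirect.  Only works when the certificate is for this
    #    host itself, because the destination address is left untouched.
    return Redirect(None, challenge_port)


if __name__ == "__main__":
    # Constructed sample interface addresses; 43580 is a made-up challenge port.
    wan = ["fe80::1%em0", "2001:470:1f0b::1"]
    print(choose_redirect(wan, 43580))               # the global WAN address is chosen
    print(choose_redirect(["fe80::1%em0"], 43580))   # no suitable WAN address: port-only
    print(ipv6_scope("::1"))                         # loopback, which is why ::1 failed
```

The scope check deliberately rejects loopback and link-local before anything else, which is exactly the class of target the FreeBSD bug referenced above refuses for traffic arriving from the internet; the port-only fallback carries the same caveat as the commit message, so a caller issuing a certificate for a host behind the firewall should treat `address is None` as a configuration error rather than proceed.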
3 files changed
Lines changed: 60 additions & 9 deletions
File tree
- security/acme-client/src/opnsense
- mvc/app/library/OPNsense/AcmeClient/LeValidation
- service/templates/OPNsense/AcmeClient
Lines changed: 28 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
86 | 86 | | |
87 | 87 | | |
88 | 88 | | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
89 | 116 | | |
90 | 117 | | |
91 | 118 | | |
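Review bot: the 27-line block inserted at new lines 89-115 carries the WAN-address lookup and its fallback, and the commit message states the fallback (port-only, destination unchanged) only works when the certificate is for the firewall itself; make sure that branch logs a warning naming the certificate, so a user requesting a certificate for a host behind the firewall without a usable WAN IPv6 address can see from the log why the challenge failed, and put a docblock above the block stating both outcomes.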
| |||
99 | 126 | | |
100 | 127 | | |
101 | 128 | | |
102 | | - | |
| 129 | + | |
103 | 130 | | |
104 | 131 | | |
105 | 132 | | |
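Review bot: the one-line replacement of old line 102 by new line 129 is where the hard-coded ::1 target should give way to the value computed in the block above; since that value can now be absent (port-only redirect), confirm the setting handed to the template under service/templates/OPNsense/AcmeClient is explicitly empty rather than undefined, and that the template checks for it, so no rule with a blank destination is rendered.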
| |||
security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
Lines changed: 28 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
87 | 87 | | |
88 | 88 | | |
89 | 89 | | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
90 | 117 | | |
91 | 118 | | |
92 | 119 | | |
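Review bot: the block added at new lines 90-116 has the same length and position as the one added to the HTTP-01 validator (new lines 89-115, likewise 28 additions and 1 deletion), which indicates the WAN-address selection is copied between the two LeValidation classes; move it into one shared helper (the validators' common base or a small utility) so the scope rule and the fallback live in a single place, otherwise a later fix to one copy will drift from the other.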
| |||
100 | 127 | | |
101 | 128 | | |
102 | 129 | | |
103 | | - | |
| 130 | + | |
104 | 131 | | |
105 | 132 | | |
106 | 133 | | |
| |||
Lines changed: 4 additions & 7 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
10 | | - | |
| 10 | + | |
11 | 11 | | |
12 | 12 | | |
13 | 13 | | |
| |||
60 | 60 | | |
61 | 61 | | |
62 | 62 | | |
63 | | - | |
64 | 63 | | |
65 | | - | |
66 | | - | |
67 | | - | |
68 | | - | |
69 | | - | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
70 | 67 | | |
71 | 68 | | |
72 | 69 | | |
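Review bot: the replacement of old lines 63-69 by new lines 64-66 is where the rendered redirect must now take two forms, address plus port when a WAN IPv6 address of suitable scope exists and port-only otherwise; keep the two branches explicit in the template rather than relying on an empty address string being harmless in the rule syntax, and add a template comment stating that the port-only form only serves certificates for the firewall itself, as the commit message explains.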
| |||