For some weeks (months?) I have not been able to get the newsfeed from news.opensuse.org, but I did not give this much thought. Yesterday, during a YaST Online Update, I was curious about a Bugzilla entry. I clicked on the link, but could not connect. I could not even connect via the URL https://bugzilla.opensuse.org:
Firefox 35.0 reports: The connection was reset
Konqueror 4.14.4 reports: SSL negotiation failed
Chromium 39.0.2171.65 reports: Error code: ERR_CONNECTION_RESET
A bit of research in the console:
Get the IPv4 address:
> dig bugzilla.opensuse.org a | egrep -v '^(;|$)'
bugzilla.opensuse.org. 260 IN CNAME www.opensuse.org.
www.opensuse.org. 260 IN A 130.57.66.6
Connect via IPv4 (succeeds):
> openssl s_client -connect 130.57.66.6:443 -state -servername bugzilla.opensuse.org -quiet <<<$'.
.'
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, L = Provo, ST = Utah, O = "Novell, Inc.", CN = *.opensuse.org
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
read:errno=0
SSL3 alert write:warning:close notify
Get the IPv6 address:
> dig bugzilla.opensuse.org aaaa | egrep -v '^(;|$)'
bugzilla.opensuse.org. 259 IN CNAME www.opensuse.org.
www.opensuse.org. 600 IN AAAA 2620:113:8044:66:130:57:66:6
Connect via IPv6 (fails):
> openssl s_client -connect '[2620:113:8044:66:130:57:66:6]:443' -state -servername bugzilla.opensuse.org
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 291 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I have this problem with other sites too, like news.opensuse.org, www.opensuse.org and forums.opensuse.org. I could only log in to forums.opensuse.org by setting network.dns.disableIPv6 to true in Firefox. Using network.dns.ipv4OnlyDomains also works, but these are work-arounds, not solutions.
Firefox seems smart enough to fall back to IPv4 (www.opensuse.org), but not always (e.g. bugzilla).
So in short:
- the server is reachable via IPv4 and IPv6
- the webserver is reachable on port 443 via IPv4 but not via IPv6
Could somebody please confirm?
Kind regards,
Leen
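
The per-address-family check done by hand in the post above (dig for A and AAAA, then openssl s_client against each literal address with the hostname as SNI), as an added Python example that is not part of the original post. The function names probe, diagnose and asymmetric are chosen for this example; it separates a TCP-level failure from a TLS handshake failure for every address the name resolves to.

```python
import socket
import ssl
import sys

def probe(addr, port, sni, family, timeout=5.0):
    """TCP connect plus TLS handshake to one literal address.
    Returns (stage, detail); stage is 'ok', 'tcp' or 'tls'."""
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError as exc:          # address family not available locally
        return ("tcp", repr(exc))
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
    except OSError as exc:          # refused, unreachable, timed out
        sock.close()
        return ("tcp", repr(exc))
    try:
        # SNI carries the hostname, like -servername in openssl s_client
        with ssl.create_default_context().wrap_socket(sock, server_hostname=sni) as tls:
            return ("ok", tls.version())
    except OSError as exc:          # ssl.SSLError, reset and timeout are all OSError
        return ("tls", repr(exc))
    finally:
        sock.close()

def diagnose(host, port=443):
    """Probe every A and AAAA address of host, one report row per address."""
    report = {}
    for name, fam in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            infos = socket.getaddrinfo(host, port, fam, socket.SOCK_STREAM)
        except socket.gaierror:
            infos = []
        addrs = sorted({info[4][0] for info in infos})
        report[name] = [(a,) + probe(a, port, host, fam) for a in addrs]
    return report

def asymmetric(report):
    """True if one family completes TLS while another has addresses but never does."""
    ok = {fam: any(row[1] == "ok" for row in rows) for fam, rows in report.items()}
    return any(ok.values()) and any(rows and not ok[fam] for fam, rows in report.items())

if __name__ == "__main__":
    result = diagnose(sys.argv[1] if len(sys.argv) > 1 else "bugzilla.opensuse.org")
    for fam, rows in result.items():
        for row in rows:
            print(fam, *row)
    print("asymmetric:", asymmetric(result))
```

A 'tls' stage on IPv6 next to 'ok' on IPv4 matches what the post shows: the TCP connection to port 443 is accepted on both families, but the handshake is reset before the ServerHello on IPv6 only.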