Bug 98916
| Summary: | Listen statement in ssl.conf allows IPv4-mapped IPv6 addresses | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Joe Orton <jorton> |
| Component: | httpd | Assignee: | Joe Orton <jorton> |
| Status: | CLOSED NOTABUG | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9 | CC: | dr, mitr, mjc |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2003-08-25 18:00:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This affects non-SSL connections, the default httpd.conf has the same problem: Listen 80 The theory was sound but the testing wasn't, there is code in 2.0 to deal with this correctly; an "allow" or "deny" restriction based on an IPv4 address or subnet is tested against IPv4-mapped IPv6 addresses in the expected manner. |
Description: The default ssl.conf has a bad default of: Listen 443 which means that, on a server with a public IPv6 interface configured, the server will accept connections using IPv6 sockets from IPv4-mapped addresses on the SSL port by default. This means that allow/deny address matching will not work on IPv4 addresses; in a configuration like: <Location /secrets> Order allow,deny Allow from all Deny from 10.20.30.* </Location> the Deny directive will not match the IPv6-mapped addresses, so will allow clients to connect from 10.20.30.* via SSL. Affects: mod_ssl package in 8.0, 9 Mitigating factors: IPv6 not in widespread use. It is more common to use address matching in deny,allow order, with address ranges specified in "Allow" statements; a false negative match on an Allow statement is not a security issue.