Red Hat Bugzilla – Bug 98916
Listen statement in ssl.conf allows IPv4-mapped IPv6 addresses
Last modified: 2007-04-18 12:55:35 EDT
The default ssl.conf has a bad default of:
which means that, on a server with a public IPv6 interface configured,
the server will accept connections using IPv6 sockets from IPv4-mapped addresses
on the SSL port by default. This means that allow/deny address matching will
not work on IPv4 addresses; in a configuration like:
Allow from all
Deny from 10.20.30.*
the Deny directive will not match the IPv6-mapped addresses, so will allow
clients to connect from 10.20.30.* via SSL.
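The false negative described above can be checked with a small script. This is an added example, not code from the bug report or from Apache httpd: it models a textual wildcard match (which never sees "10.20.30." at the start of "::ffff:10.20.30.40") next to a match that first folds an IPv4-mapped IPv6 address back to its IPv4 form. The client addresses and the CIDR form of the "Deny from 10.20.30.*" rule are constructed sample values.

```python
import ipaddress
from typing import Union

# Constructed sample clients: the same host seen over a plain IPv4 socket
# and over an IPv6 socket as an IPv4-mapped address, plus two unrelated peers.
SAMPLE_CLIENTS = ["10.20.30.40", "::ffff:10.20.30.40", "192.0.2.7", "2001:db8::1"]

# "Deny from 10.20.30.*" written as a CIDR block (assumed equivalent for this demo).
DENY_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


def naive_denied(client: str, pattern: str = "10.20.30.*") -> bool:
    """Model of a textual wildcard match against the address string.

    The IPv4-mapped form "::ffff:10.20.30.40" does not start with "10.20.30.",
    so the Deny rule silently fails to match it (the bug's false negative).
    """
    return client.startswith(pattern.rstrip("*"))


def canonical_address(client: str) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address]:
    """Fold an IPv4-mapped IPv6 address (::ffff:a.b.c.d) back to a.b.c.d."""
    ip = ipaddress.ip_address(client)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def denied(client: str) -> bool:
    """Address-based match after canonicalisation: mapped clients are caught."""
    addr = canonical_address(client)
    return any(addr.version == net.version and addr in net for net in DENY_NETWORKS)


def allowed(client: str, naive: bool = False) -> bool:
    """'Allow from all' then 'Deny from 10.20.30.*' in allow,deny order:
    a matching Deny wins, so access is granted only when no Deny rule matches."""
    return not (naive_denied(client) if naive else denied(client))


def main() -> None:
    for client in SAMPLE_CLIENTS:
        print(f"{client:22} textual-match allowed={allowed(client, naive=True)!s:5} "
              f"canonical-match allowed={allowed(client)}")


if __name__ == "__main__":
    main()
```

Running it shows the mapped client "::ffff:10.20.30.40" getting through under the textual match and being refused once the address is canonicalised, while the unrelated IPv4 and IPv6 peers are treated the same way by both. Any access-control layer that sees IPv4 clients through an IPv6 listening socket needs that canonicalisation step (or a separate IPv4 listener) for IPv4 deny rules to hold.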
mod_ssl package in 8.0, 9
IPv6 not in widespread use.
It is more common to use address matching in deny,allow order, with address
ranges specified in "Allow" statements; a false negative match on an Allow
statement is not a security issue.
This affects non-SSL connections; the default httpd.conf has the same problem:
The theory was sound but the testing wasn't; there is code in 2.0 to deal with
this correctly: an "allow" or "deny" restriction based on an IPv4 address or
subnet is tested against IPv4-mapped IPv6 addresses in the expected manner.