Bug 98916 - Listen statement in ssl.conf allows IPv4-mapped IPv6 addresses
Summary: Listen statement in ssl.conf allows IPv4-mapped IPv6 addresses
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: httpd
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-07-10 11:52 UTC by Joe Orton
Modified: 2007-04-18 16:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-08-25 18:00:39 UTC
Embargoed:



Description Joe Orton 2003-07-10 11:52:36 UTC
Description:
The default ssl.conf has a bad default of:

  Listen 443

which means that, on a server with a public IPv6 interface configured,
the server will accept connections using IPv6 sockets from IPv4-mapped addresses
on the SSL port by default.  This means that allow/deny address matching will
not work on IPv4 addresses; in a configuration like:

  <Location /secrets>
    Order allow,deny
    Allow from all
    Deny from 10.20.30.*
  </Location>

the Deny directive will not match the IPv6-mapped addresses, so will allow
clients to connect from 10.20.30.* via SSL.

Affects: 
mod_ssl package in 8.0, 9

Mitigating factors:
IPv6 not in widespread use.

It is more common to use address matching in deny,allow order, with address
ranges specified in "Allow" statements; a false negative match on an Allow
statement is not a security issue.

Comment 1 Joe Orton 2003-07-10 12:03:47 UTC
This affects non-SSL connections; the default httpd.conf has the same problem:
  Listen 80


Comment 2 Joe Orton 2003-08-25 18:00:39 UTC
The theory was sound but the testing wasn't; there is code in 2.0 to deal with
this correctly: an "allow" or "deny" restriction based on an IPv4 address or
subnet is tested against IPv4-mapped IPv6 addresses in the expected manner.

