No IPv6 support in JSS SSLSocket and SSLServerSocket

[pki-bot]

This issue was migrated from Pagure Issue #2575. Originally filed by cheimes (@tiran) on 2017-01-13 17:15:50:

• Closed at 2017-04-10 02:23:13 as invalid
• Assigned to nobody

---

LdapJssSSLSocketFactory uses JSS's SSLSocket from org.mozilla.jss. As of now SSLSocket is limited to AF_INET (IPv4) connections [1]. The experimental JSS branch contains IPv6 support [2]. Other places like HttpConnFactory are probably affected, too.

TomcatJSS seems to be affected, too. SSLServerSocket.socketBind() is hard-coded to AF_INET as well. [3]

Also see freeipa/freeipa#395 and https://fedorahosted.org/freeipa/ticket/6575

[1] https://hg.mozilla.org/projects/jss/file/1a96a08e6f3d/org/mozilla/jss/ssl/SSLSocket.c#l443
[2] https://hg.mozilla.org/projects/jss/file/c76470016016/org/mozilla/jss/ssl/SSLSocket.c#l593
[3] https://hg.mozilla.org/projects/jss/file/1a96a08e6f3d/org/mozilla/jss/ssl/common.c#l374

[pki-bot]

Comment from edewata (@edewata) at 2017-01-13 21:18:09

See also ticket 2570. The IPA issue with IPv6 could be addressed by changing the AJP hostname to "localhost" instead of "127.0.0.1" or "::1".

[pki-bot]

Comment from cheimes (@tiran) at 2017-01-19 12:43:37

It took me a bit to realize that Fedora and RHEL packages of JSS come with additional patches. One of the patches provides IPv6 support, https://src.fedoraproject.org/cgit/rpms/jss.git/tree/jss-ipv6.patch?h=f25

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-01-26 19:47:02

As this will be addressed by upstream integration of JSS which is due in the 10.4 timeframe, I will move this ticket to 10.4 - critical

[pki-bot]

Comment from cheimes (@tiran) at 2017-02-27 14:11:56

Metadata Update from @tiran:

• Issue set to the milestone: 10.4

[pki-bot]

Comment from cheimes (@tiran) at 2017-04-10 02:22:52

Upstream from Mozilla and downstream packages in Fedora have diverged. Fedora's downstream package source like http://pki.fedoraproject.org/pki/sources/jss/4.4.1/jss-4.4.1.tar.gz contain a patched version with proper AF_INET6 support. I'm closing this ticket.

[pki-bot]

Comment from cheimes (@tiran) at 2017-04-10 02:22:55

Metadata Update from @tiran:

• Custom field feature adjusted to ''
• Custom field proposedmilestone adjusted to ''
• Custom field proposedpriority adjusted to ''
• Custom field reviewer adjusted to ''
• Custom field version adjusted to ''
• Issue close_status updated to: None

[pki-bot]

Comment from cheimes (@tiran) at 2017-04-10 02:23:16

Metadata Update from @tiran:

• Issue close_status updated to: invalid
• Issue status updated to: Closed (was: Open)

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-04-13 12:37:39

Metadata Update from @mharmsen:

• Issue set to the milestone: 10.4.2 (was: 10.4)