Check TLS certificates with IPv6 addresses #52
Comments
It already supports IPv6:

But you need to have a working IPv6 stack on the host performing the check, and to activate IPv6 on the Docker daemon:

Currently the web frontend is not "IPv6 ready" because of confusion about

As stated in the Docker documentation:
So I migrated Docker from the Mac platform to ArchLinux and I followed your advice for

```json
{
  "ipv6": true,
  "fixed-cidr-v6": "xxxx:xxxx:xxxx:xxxx::/56"
}
```

And it worked in the CLI. Regarding the web frontend, I would presume the confusion can be fixed with the fact that RFC 3986, section 3.2.2 clarifies that:
The Cloudflare DNS service is accessible in IPv6 on:
If we use in the CLI the

I assume

But I will try to disable HSTS on a naked IP address to be compliant with the RFC.
I presume the Docker build is using

I want to check the TLS certificate of Cloudflare at URI

```
docker run --rm aeris22/cryptcheck tls 2606:4700:4700::1111 443
```

I am getting:

```
2606:4700:4700::1111:443
Supported methods
Method TLSv1_2
Method TLSv1_1
Method TLSv1
Supported ciphers
Cipher TLSv1_2 ECDHE-ECDSA-AES128-GCM-SHA256 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-ECDSA-AES256-GCM-SHA384 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305-D [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-ECDSA-AES128-SHA256 []
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-ECDSA-AES256-SHA384 []
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-ECDSA-AES128-SHA [sha1]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-ECDSA-AES256-SHA [sha1]
PFS : ECC 256 bits
Cipher TLSv1_1 ECDHE-ECDSA-AES128-SHA [sha1]
PFS : ECC 256 bits
Cipher TLSv1_1 ECDHE-ECDSA-AES256-SHA [sha1]
PFS : ECC 256 bits
Cipher TLSv1 ECDHE-ECDSA-AES128-SHA [sha1]
PFS : ECC 256 bits
Cipher TLSv1 ECDHE-ECDSA-AES256-SHA [sha1]
PFS : ECC 256 bits
Cipher suite preferences
TLSv1_2 : ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-ECDSA-CHACHA20-POLY1305-D, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384
TLSv1_1 : ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA
TLSv1 : ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA
Supported elliptic curves
ECC curve secp256k1
ECC curve prime256v1
Curves preference : prime256v1, secp256k1
Fallback SCSV : not supported
Certificates
Certificate /C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./CN=cloudflare-dns.com [2393062632280249844899714234728687389] issued by /C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
Key : ECC prime256v1 256 bits
Identity : invalid
Trust : trusted
Grade : V
{
  :critical => {
    :mdc2_sign => false,
    :md2_sign => false,
    :md4_sign => false,
    :md5_sign => false,
    :sha_sign => false,
    :sha1_sign => false,
    :ecc => false,
    :sslv2 => false,
    :sslv3 => false,
    :dss => false,
    :anonymous => false,
    :null => false,
    :export => false,
    :des => false,
    :md5 => false,
    :rc4 => false,
    :sweet32 => false
  },
  :error => {
    :ecc => false,
    :tlsv1_0 => true,
    :tlsv1_1 => true,
    :pfs => false
  },
  :warning => {
    :ecc => false,
    :sha1 => true,
    :dhe => false
  },
  :good => {
    :fallback_scsv => false,
    :aead => true
  },
  :great => {},
  :best => {}
}
```

I wonder why the Identity is invalid.
Does that mean that, with the current Docker build, it is returning false, so the CLI shows the Identity as invalid? When I am using `openssl s_client -showcerts -connect [2606:4700:4700::1111]:443 </dev/null 2>/dev/null | openssl x509 -outform PEM >cert.pem` I am getting, in irb:

```ruby
require 'openssl'
raw = File.read "cert.pem"
cert = OpenSSL::X509::Certificate.new raw
::OpenSSL::SSL.verify_certificate_identity cert, '2606:4700:4700::1111'
# => true, and not false
```

For this latter test, the
There is a bug in the Ruby OpenSSL v2.1.2 binding. The comparison is done on strings, without any normalization before comparing.
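As an added example (not cryptcheck's code, nor the ruby/openssl library's own), the following builds a constructed self-signed certificate with an iPAddress subjectAltName, the way minica issues one for an IP, and contrasts a string-based matcher with a binary one. `naive_ip_match?` is an illustration of the kind of normalization flaw described in this comment, not the library's exact code; `normalized_ip_match?` compares the SAN bytes with `IPAddr#hton` so that `::` compression, leading zeros and letter case no longer matter.

```ruby
require 'openssl'
require 'ipaddr'

# Constructed for this example: a self-signed certificate whose subjectAltName
# carries a single iPAddress entry (4 bytes for IPv4, 16 bytes for IPv6).
def build_ip_cert(ip)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=ip-cert-example")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", "IP:#{ip}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Raw iPAddress GeneralName values (tag 7) from the subjectAltName extension,
# decoded the same way Ruby's ssl.rb walks the GeneralNames sequence.
def san_ip_bytes(cert)
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return [] unless ext
  octet_string = OpenSSL::ASN1.decode(ext.to_der).value.last
  OpenSSL::ASN1.decode(octet_string.value).value.select { |gn| gn.tag == 7 }.map(&:value)
end

# Illustration of the flaw: render the SAN bytes as text in one fixed spelling
# and compare strings. "2606:4700:4700::1111" never equals the uncompressed
# rendering "2606:4700:4700:0:0:0:0:1111", so a valid certificate is rejected.
def naive_ip_match?(cert, hostname)
  san_ip_bytes(cert).any? do |raw|
    rendered = if raw.bytesize == 4
                 raw.unpack('C*').join('.')
               else
                 raw.unpack('n*').map { |group| group.to_s(16) }.join(':')
               end
    rendered == hostname
  end
end

# Correct approach: parse the hostname as an address and compare binary forms,
# so every textual spelling of the same address matches the SAN.
def normalized_ip_match?(cert, hostname)
  wanted = IPAddr.new(hostname).hton
  san_ip_bytes(cert).any? { |raw| raw == wanted }
rescue IPAddr::InvalidAddressError
  false # hostname is not an IP literal at all, so no iPAddress SAN can match
end
```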
I quote you:

Yusuke Endoh from the

Happily, your huge rework (unless it is

It's not related to the full rewrite of the openssl dep 😂
As `acme-ip` is not yet implemented into `boulder`, I generate TLS certificates for IP addresses with `minica`, which facilitates issuance of self-signed certificates. So I do:

And I get:

Do you plan to support checking TLS certificates with IPv6 addresses in the future?

I see it works for IPv4 addresses like `1.1.1.1`: https://cryptcheck.fr/https/1.1.1.1

Thanks,
HLFH