[IPV6] Qualys SSL Labs says: "Unable to connect to the server"
I would like to enable IPV6 on my linode.
I have followed a guide on how to enable IPV6 and it should be ok.
My internet provider does not give me the possibility to surf the web using ipv6 so I don't know how to test it.
I'm using this two site:
and this:
the first one says:
Congratulations, this website is IPv6 ready
the second one says:
Unable to connect to the server
who should I trust?
how can I test if my site is IPV6 ready?
Why qualys ssllabs says that it can't connect to my server using ipv6?
thanks
10 Replies
ssllabs is probably giving you that error because it can't connect via SSL, which is what ssllabs is all about, testing the quality/security of your SSL/TLS certificate. So not related directly to IPv6, but it does test both IPv4 and IPv6 addresses in case the certificates are different.
If ssllab is able to scan your IPv4 apache address but not your IPv6 address, then make sure apache is properly configured to listen to all interfaces/addresses on the server, by default that covers IPv6 as well.
IPv6 is fully enabled and working in CentOS, all daemons use IPv6 by default (at least the ones that I know of) and there is no need to do anything extra to get it working.
@IfThenElse:
If ssllab is able to scan your IPv4 apache address but not your IPv6 address, then make sure apache is properly configured to listen to all interfaces/addresses on the server, by default that covers IPv6 as well.
I really appreciate your answer, thanks.
In my /etc/httpd/conf/httpd.conf
I have
Listen 80
should I do something else to say apache to listen on IPV6?
Binding to Addresses and Ports
> … If only a port number is specified in the Listen directive, the server listens to the given port on all interfaces. If an IP address is given as well as a port, the server will listen on the given port and interface….
@IfThenElse:
from
: Binding to Addresses and Ports
> … If only a port number is specified in the Listen directive, the server listens to the given port on all interfaces. If an IP address is given as well as a port, the server will listen on the given port and interface….
thanks for the reply.
I tried this
Listen [1234:5678::0234:5678:0234:5678]:80
Listen 12.345.678.90:80
but it doesn't work
# ss -t -l |grep http
LISTEN 0 511 :::http :::*
LISTEN 0 511 :::https :::*
The above command ss -t -l | grep http shows apache listening on port 80 and 443 for all interfaces IPv4 and IPv6). So we know apache listens at the correct ports and all interfaces, the next step is to check that the firewall allows incoming connections, by using:
# firewall-cmd --info-zone=public | grep ' ports:'
ports: 25/tcp 80/tcp 443/tcp
Assuming our default incoming zone is public, we see that our firewall allows incoming connections to port 80 and 443, so all is good and proper. If you have made sure the above are ok and you still get errors from ssllabs, then check that apache is properly configured with SSL/TLS certificates, also check the apache logs for errors. There are too many unknown variables to be able to guess over a forum what is the problem, without knowing more about your system. Alternatively, open a support ticket and ask linode for help.
@IfThenElse:
First, make sure apache is listening by using
# ss -t -l |grep http LISTEN 0 511 :::http :::* LISTEN 0 511 :::https :::*
The above command ss -t -l | grep http shows apache listening on port 80 and 443 for all interfaces IPv4 and IPv6). So we know apache listens at the correct ports and all interfaces, the next step is to check that the firewall allows incoming connections, by using:
# firewall-cmd --info-zone=public | grep ' ports:' ports: 25/tcp 80/tcp 443/tcp
Assuming our default incoming zone is public, we see that our firewall allows incoming connections to port 80 and 443, so all is good and proper. If you have made sure the above are ok and you still get errors from ssllabs, then check that apache is properly configured with SSL/TLS certificates, also check the apache logs for errors. There are too many unknown variables to be able to guess over a forum what is the problem, without knowing more about your system. Alternatively, open a support ticket and ask linode for help.
you get it.
ss -t -l |grep http
LISTEN 0 128 myipv4:http *:*
LISTEN 0 50 myipv4:https *:*
LISTEN 0 128 myipv6:http :::*
LISTEN 0 128 :::pcsync-https :::*
it seems that there is no listener on IPV6 for https but why?
@IfThenElse:
Maybe you misspelled the port number? instead of 443 (https) you typed 8443 (pcsync-https) ?
Thanks to your suggestions I founded the problem… I use sslh multiplexer to use both SSH and SSL over 443 port.
This is very useful to access my server behind firewalls that restric port 22.
Thanks you very much my friend.
usually the restricted ports are up to port 1024.
@IfThenElse:
Why not move ssh to a high port? like 60998?
usually the restricted ports are up to port 1024.
most hotels here allows 80 and 443 only.
there are many other "service" who doesn't allow for ports different than http, https, imaps, imap, pop, pops