SixXS::Sunset 2017-06-06

problems with HTTPS-server, that use COMODO certificates
[at] Carmen Sandiego on Wednesday, 09 December 2015 13:41:40
This is a very strange situation; at this URL:

    http://crt.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crt

the issuing certificate can be loaded. At my setup I'm using the AICCU daemon on a CentOS VM; I'm using several Linux VMs which all use this one CentOS VM as IPv6 gate. When running the following

    wget http://crt.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crt --no-proxy

on any of these Linux VMs this hangs; when doing this on the CentOS IPv6 gate this works.

Running tracepath6 / traceroute6 on this CentOS IPv6 gate results in this:

     1?: [LOCALHOST] pmtu 1280
     1: gw-2005.mbx-01.si.sixxs.net 16.652ms
     1: gw-2005.mbx-01.si.sixxs.net 17.403ms
     2: simbx01.sixxs.net 15.077ms asymm 1
     3: mx-mb1-te-1-2-0-v4.amis.net 17.305ms asymm 2
     4: mx-mb1-te-1-3-1.amis.net 15.943ms asymm 3
     5: mx-lj1-te-1-2-1.amis.net 17.990ms asymm 4
     6: 2001:978:2:7e::1:1 24.888ms asymm 5
     7: te0-0-2-2.rcr11.lju01.atlas.cogentco.com 18.810ms asymm 6
     8: te0-7-0-1.ccr21.vie01.atlas.cogentco.com 24.772ms asymm 7
     9: be2200.ccr21.muc03.atlas.cogentco.com 33.026ms asymm 8
    10: be2228.ccr41.fra03.atlas.cogentco.com 37.799ms asymm 9
    11: be2261.ccr41.ams03.atlas.cogentco.com 43.948ms asymm 10
    12: be2182.ccr21.lpl01.atlas.cogentco.com 53.208ms asymm 11
    13: be2190.ccr21.man01.atlas.cogentco.com 54.444ms asymm 12
    14: 2001:978:2:24::5:2 55.098ms asymm 13
    15: ge-1-0-7-2013.h6edccrt.hex67.lon.edge.ccanet.co.uk 56.704ms
    16: no reply
    17: no reply
    18: no reply
    19: no reply
    20: no reply
    21: no reply
    22: no reply
    23: no reply
    24: no reply
    25: no reply
    26: no reply
    27: no reply
    28: no reply
    29: no reply
    30: no reply
    31: no reply
        Too many hops: pmtu 1280
        Resume: pmtu 1280

and

    traceroute to crt.comodoca.com (2a02:1788:2fd::b2ff:5302), 30 hops max, 80 byte packets
     1 gw-2005.mbx-01.si.sixxs.net (2001:15c0:65ff:7d4::1) 16.130 ms 16.030 ms 15.979 ms
     2 simbx01.sixxs.net (2001:15c0:ffff:7::2) 15.894 ms 16.958 ms 16.909 ms
     3 mx-mb1-te-1-2-0-v4.amis.net (2001:15c0:ffff:7::1) 16.847 ms 17.201 ms 17.228 ms
     4 mx-mb1-te-1-3-1.amis.net (2001:15c0:ffff:d::c) 17.265 ms 17.496 ms 17.409 ms
     5 mx-lj1-te-2-3-1-0.amis.net (2001:15c0:ffff:d::37) 19.066 ms 19.016 ms 19.483 ms
     6 2001:978:2:7e::1:1 (2001:978:2:7e::1:1) 20.246 ms 18.173 ms 18.183 ms
     7 te0-0-2-2.rcr11.lju01.atlas.cogentco.com (2001:550:0:1000::9a19:355) 20.024 ms te0-0-2-2.rcr12.lju01.atlas.cogentco.com (2001:550:0:1000::9a19:359) 20.207 ms te0-0-2-2.rcr11.lju01.atlas.cogentco.com (2001:550:0:1000::9a19:355) 19.557 ms
     8 * te0-1-0-0.ccr21.vie01.atlas.cogentco.com (2001:550:0:1000::8275:169) 25.436 ms *
     9 be2200.ccr21.muc03.atlas.cogentco.com (2001:550:0:1000::8275:3101) 31.757 ms be2223.ccr22.muc03.atlas.cogentco.com (2001:550:0:1000::8275:3189) 31.491 ms be2200.ccr21.muc03.atlas.cogentco.com (2001:550:0:1000::8275:3101) 31.304 ms
    10 be2228.ccr41.fra03.atlas.cogentco.com (2001:550:0:1000::9a36:2631) 36.567 ms 36.528 ms be2229.ccr42.fra03.atlas.cogentco.com (2001:550:0:1000::9a36:2639) 37.357 ms
    11 be2262.ccr42.ams03.atlas.cogentco.com (2001:550:0:1000::9a36:2521) 43.174 ms be2261.ccr41.ams03.atlas.cogentco.com (2001:550:0:1000::9a36:251d) 42.350 ms 44.430 ms
    12 be2182.ccr21.lpl01.atlas.cogentco.com (2001:550:0:1000::9a36:4df6) 54.897 ms 52.693 ms be2183.ccr22.lpl01.atlas.cogentco.com (2001:550:0:1000::9a36:3a45) 56.672 ms
    13 be2190.ccr21.man01.atlas.cogentco.com (2001:550:0:1000::8275:166) 58.589 ms 53.638 ms 54.704 ms
    14 2001:978:2:24::5:2 (2001:978:2:24::5:2) 54.278 ms 2001:978:2:24::6:2 (2001:978:2:24::6:2) 56.020 ms 2001:978:2:24::5:2 (2001:978:2:24::5:2) 54.587 ms
    15 ge-1-0-4.dwdcccrt2.dela.clif.dc.ccanet.co.uk (2a02:1788:ff:51e4::b2ff:51e4) 126.240 ms 126.117 ms ge-1-0-4.dwdcccrt1.dela.clif.dc.ccanet.co.uk (2a02:1788:ff:51e6::b2ff:51e6) 122.764 ms
    16 ge-1-0-6.t8edccrt.telx.8th.edge.ccanet.co.uk (2a02:1788:ff:51dc::b2ff:51dc) 129.313 ms crl.comodoca.com (2a02:1788:2fd::b2ff:5302) 54.492 ms ge-1-0-6.t8edccrt.telx.8th.edge.ccanet.co.uk (2a02:1788:ff:51dc::b2ff:51dc) 124.274 ms

Running tracepath6 / traceroute6 on the other Linux VMs results in this:

     1?: [LOCALHOST] pmtu 1500
     1: lxgatevm.local 0.223ms
     1: lxgatevm.local 0.095ms
     2: lxgatevm.local 0.102ms pmtu 1280
     2: gw-2005.mbx-01.si.sixxs.net 15.562ms
     2: gw-2005.mbx-01.si.sixxs.net 16.553ms
     3: simbx01.sixxs.net 16.017ms asymm 2
     4: mx-mb1-te-1-2-0-v4.amis.net 16.766ms asymm 3
     5: mx-mb1-te-1-3-1.amis.net 15.967ms asymm 4
     6: mx-lj1-te-1-2-1.amis.net 17.809ms asymm 5
     7: 2001:978:2:7e::1:1 19.086ms asymm 6
     8: te0-0-2-2.rcr12.lju01.atlas.cogentco.com 20.180ms asymm 7
     9: te0-1-0-0.ccr21.vie01.atlas.cogentco.com 26.100ms asymm 8
    10: be2200.ccr21.muc03.atlas.cogentco.com 31.934ms asymm 9
    11: be2228.ccr41.fra03.atlas.cogentco.com 38.272ms asymm 10
    12: be2261.ccr41.ams03.atlas.cogentco.com 44.148ms asymm 11
    13: be2182.ccr21.lpl01.atlas.cogentco.com 54.565ms asymm 12
    14: be2190.ccr21.man01.atlas.cogentco.com 54.929ms asymm 13
    15: 2001:978:2:24::5:2 55.098ms asymm 14
    16: ge-1-0-7-2013.h6edccrt.hex67.lon.edge.ccanet.co.uk 55.966ms
    17: no reply
    18: no reply
    19: no reply
    20: no reply
    21: no reply
    22: no reply
    23: no reply
    24: no reply
    25: no reply
    26: no reply
    27: no reply
    28: no reply
    29: no reply
    30: no reply
    31: no reply
        Too many hops: pmtu 1280
        Resume: pmtu 1280

and

    traceroute to crt.comodoca.com (2a02:1788:2fd::b2ff:5302), 30 hops max, 80 byte packets
     1 lxgatevm.local (2001:15c0:65ff:87d4::1) 0.237 ms 0.198 ms 0.218 ms
     2 gw-2005.mbx-01.si.sixxs.net (2001:15c0:65ff:7d4::1) 21.555 ms 21.920 ms 21.886 ms
     3 simbx01.sixxs.net (2001:15c0:ffff:7::2) 16.008 ms 21.327 ms 21.470 ms
     4 mx-mb1-te-1-2-0-v4.amis.net (2001:15c0:ffff:7::1) 21.399 ms 21.348 ms 21.325 ms
     5 mx-mb1-te-1-3-1.amis.net (2001:15c0:ffff:d::c) 21.331 ms 21.342 ms 21.433 ms
     6 mx-lj1-te-2-3-1-0.amis.net (2001:15c0:ffff:d::37) 21.861 ms 21.696 ms 21.714 ms
     7 2001:978:2:7e::1:1 (2001:978:2:7e::1:1) 23.340 ms 25.341 ms 19.562 ms
     8 te0-0-2-2.rcr11.lju01.atlas.cogentco.com (2001:550:0:1000::9a19:355) 19.520 ms 18.810 ms 18.806 ms
     9 * * *
    10 be2223.ccr22.muc03.atlas.cogentco.com (2001:550:0:1000::8275:3189) 33.682 ms be2200.ccr21.muc03.atlas.cogentco.com (2001:550:0:1000::8275:3101) 31.531 ms *
    11 be2229.ccr42.fra03.atlas.cogentco.com (2001:550:0:1000::9a36:2639) 40.435 ms 40.233 ms *
    12 be2261.ccr41.ams03.atlas.cogentco.com (2001:550:0:1000::9a36:251d) 47.012 ms be2262.ccr42.ams03.atlas.cogentco.com (2001:550:0:1000::9a36:2521) 45.753 ms be2261.ccr41.ams03.atlas.cogentco.com (2001:550:0:1000::9a36:251d) 43.156 ms
    13 be2182.ccr21.lpl01.atlas.cogentco.com (2001:550:0:1000::9a36:4df6) 52.490 ms be2183.ccr22.lpl01.atlas.cogentco.com (2001:550:0:1000::9a36:3a45) 52.471 ms 53.469 ms
    14 * * be2190.ccr21.man01.atlas.cogentco.com (2001:550:0:1000::8275:166) 57.120 ms
    15 2001:978:2:24::5:2 (2001:978:2:24::5:2) 54.114 ms 2001:978:2:24::6:2 (2001:978:2:24::6:2) 54.143 ms 53.523 ms
    16 ge-1-0-7-2012.h6edccrt.hex67.lon.edge.ccanet.co.uk (2a02:1788:ff:51ae::b2ff:51ae) 55.177 ms ge-1-0-4.dwdcccrt1.dela.clif.dc.ccanet.co.uk (2a02:1788:ff:51e6::b2ff:51e6) 125.411 ms 124.808 ms
    17 ge-1-0-6.t8edccrt.telx.8th.edge.ccanet.co.uk (2a02:1788:ff:51dc::b2ff:51dc) 123.434 ms 124.449 ms 123.454 ms
    18 crl.comodoca.com (2a02:1788:2fd::b2ff:5302) 56.710 ms 122.697 ms 55.084 ms

On the Linux VMs the wget command itself looks like this:

    [root@localhost ~]# wget http://crt.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crt --no-proxy
    --2015-12-09 14:38:02-- http://crt.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crt
    Resolving crt.comodoca.com... 2a02:1788:2fd::b2ff:5302, 178.255.83.2
    Connecting to crt.comodoca.com|2a02:1788:2fd::b2ff:5302|:80... connected.
    HTTP request sent, awaiting response...

A wget somewhere else works fine on any of my Linux VMs, e.g.

    [root@localhost ~]# wget http://ipv6.google.com/ --no-proxy
    --2015-12-09 14:39:21-- http://ipv6.google.com/
    Resolving ipv6.google.com... 2a00:1450:4013:c01::71
    Connecting to ipv6.google.com|2a00:1450:4013:c01::71|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: index.html
    [ <=> ] 19,002 --.-K/s in 0.06s
    2015-12-09 14:39:21 (317 KB/s) - index.html saved [19002]

Is this caused on my side or on the side of COMODO?

Thanks, Walter
problems with HTTPS-server, that use COMODO certificates
[ch] Jeroen Massar SixXS Staff on Wednesday, 09 December 2015 13:53:57
Remote side is dropping ICMPv6, and thus you get yourself in a Path MTU Black hole. Contact the remote site and try to explain to them that ICMPv6 is really a requirement for a properly functioning IPv6 stack. Note that this has nothing to do with Comodo, this has everything to do with large packets not being properly chunked up in smaller bits that fit the pipe towards you.
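
The mechanism behind the reply above, as an added example that is not part of the original thread: the function reads tracepath6 output and compares the TCP MSS a host would advertise (first-hop MTU minus 60 bytes of IPv6 and TCP headers) with the largest segment that fits the smallest path MTU on the route. The function name, the abridged sample traces and the assumption of no TCP options or IPv6 extension headers are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Reads tracepath6 output on stdin.
# Assumption: 40-byte IPv6 header + 20-byte TCP header, no options or
# extension headers, and the advertised MSS follows the first-hop MTU.
pmtu_check() {
    awk '
        {
            # tracepath6 reports MTU changes as "pmtu <bytes>" on hop lines
            for (i = 1; i < NF; i++) {
                if ($i == "pmtu" && $(i + 1) ~ /^[0-9]+$/) {
                    mtu = $(i + 1) + 0
                    if (first == 0) first = mtu           # local link MTU
                    if (min == 0 || mtu < min) min = mtu  # narrowest hop
                }
            }
        }
        END {
            if (first == 0) { print "no pmtu lines found"; exit 2 }
            adv = first - 60   # MSS this host offers in its SYN
            fit = min - 60     # largest segment that crosses the path
            # adv > fit: the peer may send segments that only get through
            # if ICMPv6 Packet Too Big reaches it and is honoured.
            verdict = (adv > fit) ? "AT-RISK" : "OK"
            printf "%s local_mtu=%d path_mtu=%d advertised_mss=%d fitting_mss=%d\n",
                verdict, first, min, adv, fit
        }'
}

# Constructed samples: abridged from the two tracepath6 runs in the post.
sample_gateway() {
    cat <<'EOF'
 1?: [LOCALHOST] pmtu 1280
 1: gw-2005.mbx-01.si.sixxs.net 16.652ms
 2: simbx01.sixxs.net 15.077ms asymm 1
    Resume: pmtu 1280
EOF
}
sample_vm() {
    cat <<'EOF'
 1?: [LOCALHOST] pmtu 1500
 1: lxgatevm.local 0.223ms
 2: lxgatevm.local 0.102ms pmtu 1280
 2: gw-2005.mbx-01.si.sixxs.net 15.562ms
    Resume: pmtu 1280
EOF
}

sample_gateway | pmtu_check
sample_vm | pmtu_check
```

The gateway trace yields OK and the VM trace yields AT-RISK, which matches the wget results in the post: only the hosts behind the gateway depend on Packet Too Big messages reaching the remote server.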
