IPv6 issue on searx.be using the docker image aeris22/cryptcheck
Closed this issue · 17 comments
The cryptcheck docker image seems unable to connect to searx.be using IPv6 (with the option --network host to avoid any docker issue).
- the results are:
  - sometimes "TLS seems not supported on this server"
  - sometimes "Timeout when connecting to 2a00:6d40:60:b060::1:443 (max 10 seconds)"
  - on another machine, I sometimes have a "[BUG] Illegal instruction" (see https://gist.github.com/dalf/46f06e9211570c79099bd42e7b73d9ef)
- curl works as intended (with an IPv6 address)
- https://cryptcheck.fr/ has no issue
related to dalf/cryptcheck-backend#1 (comment)
I can't figure out if this is related to the network connection / hardware or if it is a cryptcheck issue.
docker
$ docker pull aeris22/cryptcheck
Using default tag: latest
latest: Pulling from aeris22/cryptcheck
Digest: sha256:1be4ad0960fa67d3ab194cf3aa9502a2669c7b86fdbf6e1a1457ff0e4fa8e492
Status: Image is up to date for aeris22/cryptcheck:latest
docker.io/aeris22/cryptcheck:latest
$ docker run --rm --network host -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
Using default tag: latest
latest: Pulling from aeris22/cryptcheck
Digest: sha256:1be4ad0960fa67d3ab194cf3aa9502a2669c7b86fdbf6e1a1457ff0e4fa8e492
Status: Image is up to date for aeris22/cryptcheck:latest
docker.io/aeris22/cryptcheck:latest
root@al-f:~# docker run --rm --network host -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
2a00:6d40:60:b060::1:443 [searx.be]
Supported methods
TLS seems not supported on this server
94.177.213.96:443 [searx.be]
Supported methods
Method TLSv1_2
Supported ciphers
Cipher TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305 [aead]
...
curl
$ curl -6 -v https://searx.be/
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5605ed949e80)
* Connected to searx.be (2a00:6d40:60:b060::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: [NONE]
* start date: Apr 17 23:04:37 2020 GMT
* expire date: Oct 15 21:59:00 2020 GMT
* subjectAltName: host "searx.be" matched cert's "searx.be"
* issuer: C=NO; O=Buypass AS-983163327; CN=Buypass Class 2 CA 5
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5605ed949e80)
Is the curl command run inside docker?
You have to enable IPv6 on the docker daemon too: https://docs.docker.com/config/daemon/ipv6/
And perhaps assign an IPv6 address: docker/docs#9676
Even with --network host?
[EDIT]
- https://docs.docker.com/network/network-tutorial-host/
- curl is not run inside docker.
I don't know, but I guess yes.
docker run --rm -ti --network host alpine apk add curl; curl -v -6 https://searx.be
Same output as on the host (without IPv6 configuration):
...
* Connected to searx.be (2a00:6d40:60:b060::1) port 443 (#0)
...
< HTTP/2 200
Put the command in quotes; here you execute curl on your host :D
docker run --rm -ti --network host alpine sh -c "apk add curl; curl -v -6 https://searx.be"
And no problem on my side with IPv6
$ docker run --rm --network host -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
Unable to find image 'aeris22/cryptcheck:latest' locally
latest: Pulling from aeris22/cryptcheck
cbdbe7a5bc2a: Already exists
f401a2de47d4: Pull complete
65415a3831f1: Pull complete
be23029dc3f2: Pull complete
11f4cccc9e86: Pull complete
e8e64d3f9fd6: Pull complete
Digest: sha256:1be4ad0960fa67d3ab194cf3aa9502a2669c7b86fdbf6e1a1457ff0e4fa8e492
Status: Downloaded newer image for aeris22/cryptcheck:latest
2a00:6d40:60:b060::1:443 [searx.be]
Supported methods
Method TLSv1_2
Supported ciphers
Cipher TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305 [aead]
PFS : ECC 256 bits
So it can be either my setup or the OVH network.
Try with more debug:
docker run --rm --network host -e LOG=debug -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
Not very helpful:
2a00:6d40:60:b060::1:443 [searx.be]
Supported methods
Method TLSv1_2 : not supported
Method TLSv1_1 : not supported
Method TLSv1 : not supported
Method SSLv3 : not supported
Method SSLv2 : not supported
TLS seems not supported on this server
94.177.213.96:443 [searx.be]
Supported methods
Method TLSv1_2
Method TLSv1_1 : not supported
Method TLSv1 : not supported
Method SSLv3 : not supported
Method SSLv2 : not supported
Supported ciphers
Cipher TLSv1_2 ECDHE-ECDSA-AES128-GCM-SHA256 [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES256-GCM-SHA384 [aead] : not supported
Works on my end on Ubuntu 20.04 and IPv6-enabled Docker CE without userland proxy.
Could you capture the traffic with Wireshark and post the pcap here?
tcpdump -ni eno1 -s 0 host 2a00:6d40:60:b060::1 -w searxbe.ko.pcap
https://seafile.al-f.net/d/958ff611b5b046358981/
searx.ok.pcap: on a host where it works.
searx.ko.pcap: on a host where it doesn't work.
The ko version seems strange. I see a first try on 1.2 OK, then 1.1/1.0/3.0/2.0 KO (as expected), then enumeration of the 1.2 cipher suites. So at least you must not have "Method TLSv1_2 : not supported", because if that were the case there would be no 1.2 enumeration. I also see multiple HTTPS requests but with replies in plain text (113.432871 timecode).
It seems there are interleaved CryptCheck invocations in this pcap, so it is difficult to spot the trouble.
The previous pcap was made using cryptcheck-backend, sorry for the noise.
Maybe these two new pcaps are not better, I don't understand what is going on...
I think it is not related to cryptcheck but rather a network problem.
searx.ko.1.pcap
(same link https://seafile.al-f.net/d/958ff611b5b046358981/ )
tcpdump -ni eno1 -s 0 host 2a00:6d40:60:b060::1 -w searxbe.ko.1.pcap
docker run --rm --network host -e LOG=debug -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
2a00:6d40:60:b060::1:443 [searx.be]
Supported methods
Method TLSv1_2 : not supported
Method TLSv1_1 : not supported
Method TLSv1 : not supported
Method SSLv3 : not supported
Method SSLv2 : not supported
TLS seems not supported on this server
94.177.213.96:443 [searx.be]
Supported methods
Method TLSv1_2
Method TLSv1_1 : not supported
Method TLSv1 : not supported
Method SSLv3 : not supported
Method SSLv2 : not supported
Supported ciphers
Cipher TLSv1_2 ECDHE-ECDSA-AES128-GCM-SHA256 [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES256-GCM-SHA384 [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305 [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305-D [aead] : not supported
Fallback SCSV : not applicable
Certificates
Certificate [207483412387225913038490] issued by /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 CA 5
Key : RSA 2048 bits
Identity : valid
Trust : trusted
execution expired
No HSTS
Grade : E
{
:critical => {
:mdc2_sign => false,
:md2_sign => false,
:md4_sign => false,
:md5_sign => false,
:sha_sign => false,
:sha1_sign => false,
:rsa => false,
:sslv2 => false,
:sslv3 => false,
:dss => false,
:anonymous => false,
:null => false,
:export => false,
:des => false,
:md5 => false,
:rc4 => false,
:sweet32 => false
},
:error => {
:rsa => false,
:tlsv1_0 => false,
:tlsv1_1 => false,
:pfs => false
},
:warning => {
:hsts => true,
:sha1 => false,
:dhe => false
},
:good => {
:fallback_scsv => nil,
:hsts => false,
:aead => true
},
:great => {
:hsts => false
},
:best => {}
}
searx.ko.2.pcap
Same, but with the addition of "or 94.177.213.96" to the capture filter, and IPv6 works (I've tried a few times with and without, it is consistent).
tcpdump -ni eno1 -s 0 host 2a00:6d40:60:b060::1 or 94.177.213.96 -w searxbe.ko.2.pcap
docker run --rm --network host -e LOG=debug -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
2a00:6d40:60:b060::1:443 [searx.be]
Supported methods
Method TLSv1_2
Method TLSv1_1 : not supported
Method TLSv1 : not supported
Method SSLv3 : not supported
Method SSLv2 : not supported
Supported ciphers
Cipher TLSv1_2 ECDHE-ECDSA-AES128-GCM-SHA256 [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES256-GCM-SHA384 [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305 [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305-D [aead] : not supported
Cipher TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256 [aead] : not supported
Cipher TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305-D [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES128-SHA256 [] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES256-SHA384 [] : not supported
Cipher TLSv1_2 ECDHE-RSA-AES128-SHA256 [] : not supported
Cipher TLSv1_2 ECDHE-RSA-AES256-SHA384 [] : not supported
Cipher TLSv1_2 DHE-RSA-AES128-GCM-SHA256 [dhe aead] : not supported
Cipher TLSv1_2 DHE-RSA-AES128-SHA [sha1 dhe] : not supported
Cipher TLSv1_2 DHE-RSA-AES128-SHA256 [dhe] : not supported
Cipher TLSv1_2 DHE-RSA-AES256-GCM-SHA384 [dhe aead] : not supported
Cipher TLSv1_2 DHE-RSA-AES256-SHA [sha1 dhe] : not supported
Cipher TLSv1_2 DHE-RSA-AES256-SHA256 [dhe] : not supported
Cipher TLSv1_2 DHE-RSA-CAMELLIA128-SHA [sha1 dhe] : not supported
Cipher TLSv1_2 DHE-RSA-CAMELLIA256-SHA [sha1 dhe] : not supported
Cipher TLSv1_2 DHE-RSA-CHACHA20-POLY1305 [dhe aead] : not supported
Cipher TLSv1_2 DHE-RSA-CHACHA20-POLY1305-D [dhe aead] : not supported
Cipher TLSv1_2 DHE-RSA-SEED-SHA [sha1 dhe] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES128-SHA [sha1] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES256-SHA [sha1] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-DES-CBC3-SHA [sha1] : not supported
Cipher TLSv1_2 ECDHE-RSA-AES128-SHA [sha1] : not supported
...
Cipher TLSv1_2 EXP-DES-CBC-SHA [export des sweet32 pfs sha1] : not supported
Cipher TLSv1_2 EXP-EDH-DSS-DES-CBC-SHA [dss export des sweet32 sha1 dhe] : not supported
Cipher TLSv1_2 EXP-EDH-RSA-DES-CBC-SHA [export des sweet32 sha1 dhe] : not supported
Cipher TLSv1_2 EXP-RC2-CBC-MD5 [export md5 sweet32 pfs] : not supported
Cipher TLSv1_2 EXP-RC4-MD5 [export md5 rc4 pfs] : not supported
Cipher TLSv1_2 NULL-MD5 [null md5 sweet32 pfs] : not supported
Cipher TLSv1_2 NULL-SHA [null sweet32 pfs sha1] : not supported
Cipher TLSv1_2 NULL-SHA256 [null sweet32 pfs] : not supported
Cipher TLSv1_2 PSK-RC4-SHA [rc4 pfs sha1] : not supported
Cipher TLSv1_2 RC4-MD5 [md5 rc4 pfs] : not supported
Cipher TLSv1_2 RC4-SHA [rc4 pfs sha1] : not supported
Cipher TLSv1_2 SRP-DSS-3DES-EDE-CBC-SHA [dss pfs sha1] : not supported
Cipher TLSv1_2 SRP-DSS-AES-128-CBC-SHA [dss pfs sha1] : not supported
Cipher TLSv1_2 SRP-DSS-AES-256-CBC-SHA [dss pfs sha1] : not supported
Cipher suite preferences
Timeout when connecting to 2a00:6d40:60:b060::1:443 (max 10 seconds)
94.177.213.96:443 [searx.be]
Supported methods
Method TLSv1_2
Method TLSv1_1 : not supported
Method TLSv1 : not supported
Method SSLv3 : not supported
Method SSLv2 : not supported
Supported ciphers
Cipher TLSv1_2 ECDHE-ECDSA-AES128-GCM-SHA256 [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES256-GCM-SHA384 [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305 [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305-D [aead] : not supported
Cipher TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305 [aead]
PFS : ECC 256 bits
Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305-D [aead] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES128-SHA256 [] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES256-SHA384 [] : not supported
Cipher TLSv1_2 ECDHE-RSA-AES128-SHA256 [] : not supported
Cipher TLSv1_2 ECDHE-RSA-AES256-SHA384 [] : not supported
Cipher TLSv1_2 DHE-RSA-AES128-GCM-SHA256 [dhe aead] : not supported
Cipher TLSv1_2 DHE-RSA-AES128-SHA [sha1 dhe] : not supported
Cipher TLSv1_2 DHE-RSA-AES128-SHA256 [dhe] : not supported
Cipher TLSv1_2 DHE-RSA-AES256-GCM-SHA384 [dhe aead] : not supported
Cipher TLSv1_2 DHE-RSA-AES256-SHA [sha1 dhe] : not supported
Cipher TLSv1_2 DHE-RSA-AES256-SHA256 [dhe] : not supported
Cipher TLSv1_2 DHE-RSA-CAMELLIA128-SHA [sha1 dhe] : not supported
Cipher TLSv1_2 DHE-RSA-CAMELLIA256-SHA [sha1 dhe] : not supported
Cipher TLSv1_2 DHE-RSA-CHACHA20-POLY1305 [dhe aead] : not supported
Cipher TLSv1_2 DHE-RSA-CHACHA20-POLY1305-D [dhe aead] : not supported
Cipher TLSv1_2 DHE-RSA-SEED-SHA [sha1 dhe] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES128-SHA [sha1] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-AES256-SHA [sha1] : not supported
...
Cipher TLSv1_2 DHE-DSS-AES256-SHA256 [dss dhe] : not supported
Cipher TLSv1_2 DHE-DSS-CAMELLIA128-SHA [dss sha1 dhe] : not supported
Cipher TLSv1_2 DHE-DSS-CAMELLIA256-SHA [dss sha1 dhe] : not supported
Cipher TLSv1_2 DHE-DSS-SEED-SHA [dss sha1 dhe] : not supported
Cipher TLSv1_2 ECDH-ECDSA-NULL-SHA [null sweet32 pfs sha1] : not supported
Cipher TLSv1_2 ECDH-ECDSA-RC4-SHA [rc4 pfs sha1] : not supported
Cipher TLSv1_2 ECDH-RSA-NULL-SHA [null sweet32 pfs sha1] : not supported
Cipher TLSv1_2 ECDH-RSA-RC4-SHA [rc4 pfs sha1] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-NULL-SHA [null sweet32 sha1] : not supported
Cipher TLSv1_2 ECDHE-ECDSA-RC4-SHA [rc4 sha1] : not supported
Cipher TLSv1_2 ECDHE-RSA-NULL-SHA [null sweet32 sha1] : not supported
Cipher TLSv1_2 ECDHE-RSA-RC4-SHA [rc4 sha1] : not supported
Cipher TLSv1_2 EDH-DSS-DES-CBC-SHA [dss des sweet32 sha1 dhe] : not supported
Cipher TLSv1_2 EDH-DSS-DES-CBC3-SHA [dss sha1 dhe] : not supported
Cipher TLSv1_2 EDH-RSA-DES-CBC-SHA [des sweet32 sha1 dhe] : not supported
Cipher TLSv1_2 EXP-ADH-DES-CBC-SHA [anonymous export des sweet32 sha1 dhe] : not supported
Cipher TLSv1_2 EXP-ADH-RC4-MD5 [anonymous export md5 rc4 dhe] : not supported
Cipher TLSv1_2 EXP-DES-CBC-SHA [export des sweet32 pfs sha1] : not supported
Cipher TLSv1_2 EXP-EDH-DSS-DES-CBC-SHA [dss export des sweet32 sha1 dhe] : not supported
Cipher TLSv1_2 EXP-EDH-RSA-DES-CBC-SHA [export des sweet32 sha1 dhe] : not supported
Cipher TLSv1_2 EXP-RC2-CBC-MD5 [export md5 sweet32 pfs] : not supported
Cipher TLSv1_2 EXP-RC4-MD5 [export md5 rc4 pfs] : not supported
Cipher TLSv1_2 NULL-MD5 [null md5 sweet32 pfs] : not supported
Cipher TLSv1_2 NULL-SHA [null sweet32 pfs sha1] : not supported
Cipher TLSv1_2 NULL-SHA256 [null sweet32 pfs] : not supported
Cipher TLSv1_2 PSK-RC4-SHA [rc4 pfs sha1] : not supported
Cipher TLSv1_2 RC4-MD5 [md5 rc4 pfs] : not supported
Cipher TLSv1_2 RC4-SHA [rc4 pfs sha1] : not supported
Cipher TLSv1_2 SRP-DSS-3DES-EDE-CBC-SHA [dss pfs sha1] : not supported
Cipher TLSv1_2 SRP-DSS-AES-128-CBC-SHA [dss pfs sha1] : not supported
Cipher TLSv1_2 SRP-DSS-AES-256-CBC-SHA [dss pfs sha1] : not supported
Cipher suite preferences
TLSv1_2 : ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305
Supported elliptic curves
ECC curve secp256k1 : not supported
ECC curve sect283k1 : not supported
ECC curve sect283r1 : not supported
ECC curve secp384r1
ECC curve sect409k1 : not supported
ECC curve sect409r1 : not supported
ECC curve secp521r1
ECC curve sect571k1 : not supported
ECC curve sect571r1 : not supported
ECC curve prime192v1 : not supported
ECC curve prime256v1
ECC curve brainpoolP256r1 : not supported
ECC curve brainpoolP384r1 : not supported
ECC curve brainpoolP512r1 : not supported
ECC curve x25519 : not supported
Curves preference : prime256v1, secp521r1, secp384r1
Fallback SCSV : not applicable
Certificates
Certificate [207483412387225913038490] issued by /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 CA 5
Key : RSA 2048 bits
Identity : valid
Trust : trusted
execution expired
No HSTS
Grade : E
{
:critical => {
:mdc2_sign => false,
:md2_sign => false,
:md4_sign => false,
:md5_sign => false,
:sha_sign => false,
:sha1_sign => false,
:rsa => false,
:sslv2 => false,
:sslv3 => false,
:dss => false,
:anonymous => false,
:null => false,
:export => false,
:des => false,
:md5 => false,
:rc4 => false,
:sweet32 => false
},
:error => {
:rsa => false,
:tlsv1_0 => false,
:tlsv1_1 => false,
:pfs => false
},
:warning => {
:hsts => true,
:sha1 => false,
:dhe => false
},
:good => {
:fallback_scsv => nil,
:hsts => false,
:aead => true
},
:great => {
:hsts => false
},
:best => {}
}
I'm closing the issue since it is not related to cryptcheck.
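The lesson of the thread is that "TLS seems not supported on this server" on the IPv6 address was really a transport-level timeout, while the IPv4 address handshaked fine. The following is an added example, not code from the issue or from cryptcheck: a small Python probe that connects to each A/AAAA record separately, keeps the TCP connect and the TLS handshake as two distinct steps so that a timeout is never reported as a TLS failure, and turns the per-address outcomes into a verdict. The hostname default, the `diagnose` verdict labels and the loopback demo (a listener that accepts TCP but never speaks TLS) are all constructed for this example.

```python
"""Probe a hostname per address family and separate TCP failures from TLS failures.

Added example; not part of the issue thread or of cryptcheck.
"""
import socket
import ssl
import threading
from dataclasses import dataclass


@dataclass
class ProbeResult:
    """Outcome of one connection attempt to one literal address."""
    address: str
    family: str   # "IPv4" or "IPv6"
    stage: str    # "ok", "tcp" (connect failed or timed out) or "tls" (handshake failed)
    detail: str = ""


def resolve(host, port=443):
    """Return one (family, ip) pair per A/AAAA record so every address is probed on its own."""
    pairs = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        name = "IPv6" if fam == socket.AF_INET6 else "IPv4"
        if (name, sockaddr[0]) not in pairs:
            pairs.append((name, sockaddr[0]))
    return pairs


def probe(server_name, ip, family, port=443, timeout=10.0):
    """Connect to one literal address and report at which stage it failed."""
    af = socket.AF_INET6 if family == "IPv6" else socket.AF_INET
    sock = socket.socket(af, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))           # step 1: transport only
    except OSError as exc:                 # timeout, refused, unreachable ...
        sock.close()
        return ProbeResult(ip, family, "tcp", f"{type(exc).__name__}: {exc}")
    ctx = ssl.create_default_context()
    try:
        # step 2: TLS handshake on the already-connected socket (SNI = hostname)
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return ProbeResult(ip, family, "ok", f"{tls.version()} {tls.cipher()[0]}")
    except (ssl.SSLError, OSError) as exc:
        return ProbeResult(ip, family, "tls", f"{type(exc).__name__}: {exc}")


def diagnose(results):
    """Classify per-address outcomes (verdict labels are this example's own).

    "ipv6-path": every IPv6 address dies at TCP while every IPv4 address handshakes,
                 i.e. a routing/firewall problem on the v6 path, not a TLS problem
    "tls":       at least one address reached TCP but failed the handshake
    "ok":        every address handshakes
    "mixed":     anything else
    """
    v6 = [r for r in results if r.family == "IPv6"]
    v4 = [r for r in results if r.family == "IPv4"]
    if v6 and v4 and all(r.stage == "tcp" for r in v6) and all(r.stage == "ok" for r in v4):
        return "ipv6-path"
    if any(r.stage == "tls" for r in results):
        return "tls"
    if results and all(r.stage == "ok" for r in results):
        return "ok"
    return "mixed"


def _local_plain_listener():
    """Constructed loopback listener: accepts one TCP connection, never speaks TLS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_and_close():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=accept_and_close, daemon=True).start()
    return srv.getsockname()[1]


def demo_stage_split():
    """Offline demonstration of the two failure stages on loopback."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]     # a port nobody listens on
    tmp.close()
    refused = probe("localhost", "127.0.0.1", "IPv4", port=closed_port, timeout=3)
    broken = probe("localhost", "127.0.0.1", "IPv4", port=_local_plain_listener(), timeout=3)
    return refused.stage, broken.stage    # ("tcp", "tls")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "searx.be"
    results = [probe(host, ip, fam) for fam, ip in resolve(host)]
    for r in results:
        print(f"{r.family:4} {r.address:40} {r.stage:4} {r.detail}")
    print("verdict:", diagnose(results))
```

Run it with a hostname to get one line per address and a verdict; a "tcp" stage on every IPv6 record next to "ok" on IPv4 points at the network path (as in this thread), whereas a "tls" stage means the transport worked and the handshake itself was rejected, which is the only case where a server-side TLS configuration is worth investigating.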