Conversation

@OnyxMsi
Contributor

@OnyxMsi OnyxMsi commented Sep 2, 2025

I ran into this issue while trying to run an http-01 challenge on a FreeBSD 14 machine in an IPv6-only environment.

Context

My host is running FreeBSD 14.2 with acme.sh 3.1.1 installed.

I use the following command:

acme.sh --issue --standalone -d host.test.orage \
        --server https://web-acme.test.orage/acme/acme/directory \
        --ca-bundle /tmp/web_ca.crt \
        --fullchain-file foo.crt

tcpdump shows this:

onyx@Savary:~ $ doas tcpdump -i epair1b port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on epair1b, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:15:24.510644 IP6 fd11:d19b:85d0:1:bc27:17ff:fe4c:4d7a.50960 > fd11:d19b:85d0:1:9057:35ff:feda:72e9.http: Flags [S], seq 3803954916, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 4044250837 ecr 0], length 0
22:15:24.510660 IP6 fd11:d19b:85d0:1:9057:35ff:feda:72e9.http > fd11:d19b:85d0:1:bc27:17ff:fe4c:4d7a.50960: Flags [R.], seq 0, ack 3803954917, win 0, length 0

It appears socat is rejecting packets; I have no firewall running on the host.

I found this and this that are related to my problem.

I haven't tried the solution from the second link (rolling back to socat 1.7); instead I propose to support it.

The fix

Just use the --listen-v6 flag to overwrite the socat command with the right options.

@Neilpang Neilpang merged commit 1deb52f into acmesh-official:dev Sep 5, 2025
30 of 32 checks passed
@vmmello
Contributor

vmmello commented Sep 5, 2025

https://github.com/acmesh-official/acme.sh/pull/6499/files#diff-fa7257dd71a86f5ff7ef038e113cc6805e916286786dabe7213070945a46e737R2539

  if [ "$Le_Listen_V6" ]; then
    _NC="$_NC -6"
    SOCAT_OPTIONS=TCP6-LISTEN
  else
    _NC="$_NC -4"
    SOCAT_OPTIONS=TCP4-LISTEN
  fi

I'm just reviewing the code; I got the impression that with this change, in a dual stack it'll never use the IPv6 address unless -6 is explicitly passed on the command line. And if it's passed, it'll only use IPv6. This change apparently breaks the dual stack into either v4 or v6, not the usual v6-then-v4 fallback (one of them will return 'connection refused'). Correct? (I haven't tested; I just got this impression by reading the code.)

I don't mind much; I'm only pointing it out because I'm not sure whether this is desired or not (i.e. due to a bug in a possibly less common IPv6-only use case, you're breaking the backward behavior of a probably more common use case, that of a dual stack, which may not be what you want).

Maybe the best option, so as not to break the dual stack fallback, would be something like:

  if [ "$Le_Listen_V6" ]; then
    _NC="$_NC -6"
    SOCAT_OPTIONS=TCP6-LISTEN
  elif [ "$Le_Listen_V4" ]; then
    _NC="$_NC -4"
    SOCAT_OPTIONS=TCP4-LISTEN
  else
    SOCAT_OPTIONS=TCP-LISTEN
  fi

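The family-selection logic discussed in the review, written out as a self-contained POSIX sh example. This is an added illustration, not acme.sh's own code: it keeps the Le_Listen_V6 / Le_Listen_V4 variable names from the quoted snippet, maps them to TCP6-LISTEN, TCP4-LISTEN or the family-neutral TCP-LISTEN (which leaves the socket family to socat, so a dual-stack host keeps whatever the installed socat does by default), and goes one step beyond the snippet by refusing the contradictory case where both families are forced. The ",reuseaddr,fork" suffix is an assumed illustrative option set, not acme.sh's actual socat command line, and the helper names are made up for this example.

```sh
#!/bin/sh
# Added example, not acme.sh code. Builds the socat listen address (and the
# matching nc family flag) from two optional flags, defaulting to TCP-LISTEN so
# socat keeps its own family choice when neither flag is given. Variable names
# follow the snippet quoted in the review; ",reuseaddr,fork" is an assumed
# illustrative option suffix.

# Usage: socat_listen_addr <listen_v6> <listen_v4> <port>
# Prints the socat address argument; returns 1 if both families are forced.
socat_listen_addr() {
  Le_Listen_V6="$1"
  Le_Listen_V4="$2"
  _port="$3"

  # Forcing both families at once is contradictory: refuse instead of
  # silently letting one flag win over the other.
  if [ -n "$Le_Listen_V6" ] && [ -n "$Le_Listen_V4" ]; then
    echo "socat_listen_addr: Le_Listen_V6 and Le_Listen_V4 are mutually exclusive" >&2
    return 1
  fi

  if [ -n "$Le_Listen_V6" ]; then
    _listen=TCP6-LISTEN      # pin the listener to an IPv6 socket
  elif [ -n "$Le_Listen_V4" ]; then
    _listen=TCP4-LISTEN      # pin the listener to an IPv4 socket
  else
    _listen=TCP-LISTEN       # let socat choose the family (dual-stack default)
  fi
  printf '%s:%s,reuseaddr,fork\n' "$_listen" "$_port"
}

# Usage: nc_family_flag <listen_v6> <listen_v4>
# Prints "-6", "-4", or nothing, mirroring the _NC handling in the snippet.
nc_family_flag() {
  if [ -n "$1" ]; then
    printf '%s\n' "-6"
  elif [ -n "$2" ]; then
    printf '%s\n' "-4"
  else
    printf '%s\n' ""
  fi
}

# Demonstration: the three valid combinations for port 80.
# Each case is "v6flag:v4flag"; an empty side means the flag is unset.
for _case in "1:" ":1" ":"; do
  _v6="${_case%%:*}"
  _v4="${_case#*:}"
  printf 'v6=%-3s v4=%-3s socat: %-30s nc: %s\n' \
    "${_v6:-no}" "${_v4:-no}" \
    "$(socat_listen_addr "$_v6" "$_v4" 80)" \
    "$(nc_family_flag "$_v6" "$_v4")"
done
```

Running the script prints one line per combination; the TCP-LISTEN line is the one a dual-stack host would get with neither flag set, which is the fallback behaviour the review is asking to preserve.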
Neilpang pushed a commit that referenced this pull request Sep 7, 2025
@Neilpang
Member

Neilpang commented Sep 7, 2025

@vmmello fixed, thanks.
