ROD's new TCP/IP stack.
Pages: 1 2 3 4 5 6 7 8 9 10 11
Rick Murray (539) 13850 posts |
Hello, world! Your IP address is 2A01:CB08:8985:7E00:B58D:xxxx:xxxx:xxxx 2023-12-20 20:45:40 ;) What’s the server software? |
Dave Higton (1515) 3534 posts |
It’s a bit of BASIC wot I wrote. It is NOT a proper server, nor even a close approximation of one, but it shows that the stack is capable of server operation. How robust it will turn out to be is an entirely different matter. |
Dave Higton (1515) 3534 posts |
It does suggest that, if anyone has access to last-modified source code for WebJames, it would be worth updating it for IPv6 compatibility. |
Dave Higton (1515) 3534 posts |
I’ve written some noddy test code for an IPv6 plain HTTP client. I’ve tested it on a couple of IPv6-only sites (yes, there are some, and it seems certain to me that there will be more) with small payloads, because it isn’t good at doing anything with the returned data other than logging them. That’s a fault of my programming, not of the stack’s capability. I’m sure I’ve done IPv6 encrypted client test software before, but I’m damned if I can find it. So that’s the next exercise: extend the plain one to do encrypted. |
Dave Higton (1515) 3534 posts |
My noddy IPv6 “server” has been visited by a Googlebot today. |
James Pankhurst (8374) 126 posts |
You have been catalogued, you will now be deleted… |
Dave Higton (1515) 3534 posts |
Right, the secure (!) IPv6 version of my noddy code should now be reachable at https://raspi-davidhigton.dynv6.net Only when the machine is on (evenings, usually), and until something goes wrong. Curiously, Firefox refuses to work; I think it doesn’t trust something on the certificate chain. If anyone knows better, please reply here! But the Brave browser works. I’m also wondering why some handshakes merely time out, while others that are going on at the same time succeed. I also found it interesting that an HTTP-only browser can work with only one client socket open at a time (open, transact, close, next…), whereas an HTTPS one has to support at least two; browsers seem to connect once, then connect again while the first handshake is taking place, and won’t go back to completing the first one until the second one is done. I’m learning all the time. |
Dave Higton (1515) 3534 posts |
Someone has DoS’d it, so it’s offline. |
Steve Pampling (1551) 8172 posts |
Path #2 certificate chain: there’s an expired self-signed cert in there. https://www.ssllabs.com/ssltest/analyze.html?d=raspi-davidhigton.dynv6.net (Two paths reason) Oh, and I think I crashed your server with the scan. Edit: Or perhaps the denizens of the netherworlds did find you and break you. Either way, the certificate needs changing. |
Dave Higton (1515) 3534 posts |
I’ve seen an SSL Labs scan before that wants to keep huge numbers of connections open (towards 90, if my (very unsafe!) memory serves me). My app only allows 10. Curious about the certs; I only got them less than 3 weeks ago. I’ll see if I can force an update. Thanks for the info! |
Steve Pampling (1551) 8172 posts |
Have a look at the scan on SSL Labs and expand the certificate path info. The normal certs are fine and in date; it’s the self-signed at the base of path #2 that’s the problem. |
Steve Pampling (1551) 8172 posts |
BTW, you might want to read this on the NMAP site and check the IPv6 config of your router/firewall. |
Dave Higton (1515) 3534 posts |
There are only two pinholes in the IPv6 config. nmap correctly only found port 80, because my original plain HTTP “Hello World” app is up. It didn’t find port 443 because there’s nothing running at the moment to respond. |
Dave Higton (1515) 3534 posts |
The cause wasn’t obvious, but deleting the last certificate in the chain that I supply fixed it. The clue was that the first (the good) chain showed two certs sent by server, and one in trust store. My chain had three certs. The good chain ignored the last one, the bad chain took it into account.

I have also fixed the “DNS CA” issue by creating CAA records for my dynv6 domains. Firefox still objects, but one issue I still have to fix is the lack of SNI. The function that should do it is not implemented. More for me to study and get my head round. Dunno if that will fix it for Firefox, though. We’ll see.

Some more timeouts, and reducing the logging of normal “in progress” return values, has enabled me to get a complete SSL Labs scan without overflowing the log. Result is a B. I’m going to see if I can disable TLS1.0 and TLS1.1 in AcornSSL. |
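The chain problem worked through in the three posts above (a third certificate sent after the intermediate, which SSL Labs followed on path #2 to an expired self-signed root, and which disappeared once the server stopped sending it) can be checked offline before pointing a scanner at a server. The following is an added example, not code from this thread, from AcornSSL or from mbedTLS: a small Python linter that parses just enough X.509 DER to compare each certificate’s issuer with the next one’s subject, flag expired and self-signed certificates, and trim trailing roots from what the server sends. The sample chain is constructed inline by an unsigned stub builder; the names, dates and the stub framing are assumptions for illustration only.

```python
"""Chain linter: issuer/subject continuity, validity, and trailing root.
Added example, not code from the thread; the stub certificate builder below
produces unsigned X.509 framing that is only good for exercising the linter."""
from datetime import datetime, timezone

# ---- minimal DER: encoder for the stub builder, reader for the linter ----

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                           else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def _children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out

def _parse_time(tag: int, body: bytes) -> datetime:
    s = body.decode("ascii")
    if tag == 0x17:                      # UTCTime YYMMDDHHMMSSZ (RFC 5280 century rule)
        yy = int(s[:2])
        s = f"{yy + (1900 if yy >= 50 else 2000)}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(der: bytes) -> dict:
    """Pull issuer, subject (raw DER Names) and validity out of a certificate."""
    _, cert, _ = _read_tlv(der)
    fields = _children(_children(cert)[0][1])          # tbsCertificate
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    (t1, nb), (t2, na) = _children(validity)
    return {"issuer": issuer, "subject": subject,
            "not_before": _parse_time(t1, nb), "not_after": _parse_time(t2, na)}

# ---- the checks a path viewer like SSL Labs is effectively doing ----

def lint_chain(chain, now: datetime):
    """Return (index, problem) pairs for the certificates as sent by the server."""
    certs = [parse_cert(d) for d in chain]
    findings = []
    for i, c in enumerate(certs):
        if c["issuer"] == c["subject"]:
            findings.append((i, "self-signed certificate sent by server"))
        if not (c["not_before"] <= now <= c["not_after"]):
            findings.append((i, "certificate outside its validity period"))
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            findings.append((i, "issuer does not match subject of next certificate"))
    return findings

def trim_chain(chain):
    """Drop trailing self-signed certificates: the client's trust store, not the
    server, decides which root closes the path."""
    out = list(chain)
    while out and parse_cert(out[-1])["issuer"] == parse_cert(out[-1])["subject"]:
        out.pop()
    return out

# ---- constructed sample chain (stub certificates: no keys, no signatures) ----

def _name(cn: str) -> bytes:     # Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))

def _utc(dt: datetime) -> bytes:
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def make_stub_cert(subject, issuer, not_before, not_after) -> bytes:
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer) + _der(0x30, _utc(not_before) + _utc(not_after))
               + _name(subject) + _der(0x30, b""))    # empty SubjectPublicKeyInfo placeholder
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))  # empty BIT STRING in place of a signature

def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = _d(2024, 1, 15)
SAMPLE_CHAIN = [   # leaf, intermediate, and an expired self-signed root tacked on the end
    make_stub_cert("raspi.example", "Example Intermediate", _d(2023, 12, 1), _d(2024, 3, 1)),
    make_stub_cert("Example Intermediate", "Example Root", _d(2020, 1, 1), _d(2030, 1, 1)),
    make_stub_cert("Example Root", "Example Root", _d(2010, 1, 1), _d(2021, 9, 30)),
]

if __name__ == "__main__":
    for idx, problem in lint_chain(SAMPLE_CHAIN, NOW):
        print(f"cert #{idx}: {problem}")
    print("certificates to send:", len(trim_chain(SAMPLE_CHAIN)))
```

To run it against a real server, capture the chain with `openssl s_client -connect host:443 -servername host -showcerts`, convert each PEM block with `ssl.PEM_cert_to_DER_cert` from the standard library, and pass the resulting list to `lint_chain`; the stub builder is only there so the example runs without a network.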
Rick Murray (539) 13850 posts |
Rick says Hi! 🙋🏻 (no probs with Android Chrome and Android Firefox) |
Dave Higton (1515) 3534 posts |
Dave says Hi to Rick! (Here, that is…) I disabled TLS1.0 and TLS1.1 in the mbedTLS library, and now my site gets an A rating from SSL Labs. This does mean that the only protocol my version of AcornSSL supports is TLS1.2. Seems a bit minimalist… I’m aware that TLS1.3 support requires a newer version of mbedTLS, which has to be used a bit differently, i.e. it’s not just a 5 minute recompile. In other news, I have been assured that there will be a way to get Wiresalmon working with ROD’s new stack. It’s not the top priority, but I’ve been asked to keep the pressure on them. |
Dave Higton (1515) 3534 posts |
News update: as a result of some sterling work from the ROD team, they and I have been able to capture network traffic from a test version of the IPv6 stack, with a test version of Wiresalmon. The new stack has a new interface that is easier to deal with than DCI4. It will be a while before these things reach a releasable state, but I feel encouraged, and I hope you do too. |
Colin Ferris (399) 1818 posts |
Good news :-) Was there ever a RO prog that displayed the results? |
Dave Higton (1515) 3534 posts |
No. Use Wireshark on a Linux box. It’s enormous, unlike our little capture code, which makes it not worth porting for the few people here who’d use it. Unless you’d like to have a go? |
Dave Higton (1515) 3534 posts |
When I’m analysing network traffic, I run Moonfish on the RasPi, and mount the resulting NFS drive (my RAMdisc) on my Linux box. I capture into a file on RAMdisc, and it’s straight there ready to open in Wireshark. |