ROD's new TCP/IP stack.
Pages: 1 2 3 4 5 6 7 8 9 10 11
Rick Murray (539) 13742 posts |
Hello, world! Your IP address is 2A01:CB08:8985:7E00:B58D:xxxx:xxxx:xxxx 2023-12-20 20:45:40 ;) What’s the server software? |
Dave Higton (1515) 3477 posts |
It’s a bit of BASIC wot I wrote. It is NOT a proper server, nor even a close approximation of one, but it shows that the stack is capable of server operation. How robust it will turn out to be is an entirely different matter. |
Dave Higton (1515) 3477 posts |
It does suggest that, if anyone has access to last-modified source code for WebJames, it would be worth updating it for IPv6 compatibility. |
Dave Higton (1515) 3477 posts |
I’ve written some noddy test code for an IPv6 plain HTTP client. I’ve tested it on a couple of IPv6-only sites (yes, there are some, and it seems certain to me that there will be more) with small payloads, because it isn’t good at doing anything with the returned data other than logging them. That’s a fault of my programming, not of the stack’s capability. I’m sure I’ve done IPv6 encrypted client test software before, but I’m damned if I can find it. So that’s the next exercise: extend the plain one to do encrypted. |
Dave Higton (1515) 3477 posts |
My noddy IPv6 “server” has been visited by a Googlebot today. |
James Pankhurst (8374) 126 posts |
You have been catalogued, you will now be deleted… |
Dave Higton (1515) 3477 posts |
Right, the secure (!) IPv6 version of my noddy code should now be reachable at https://raspi-davidhigton.dynv6.net Only when the machine is on (evenings, usually), and until something goes wrong. Curiously, Firefox refuses to work; I think it doesn’t trust something on the certificate chain. If anyone knows better, please reply here! But the Brave browser works. I’m also wondering why some handshakes merely time out, while others that are going on at the same time succeed. I also found it interesting that an HTTP-only browser can work with only one client socket open at a time (open, transact, close, next…), whereas an HTTPS one has to support at least two; browsers seem to connect once, then connect again while the first handshake is taking place, and won’t go back to completing the first one until the second one is done. I’m learning all the time. |
Dave Higton (1515) 3477 posts |
Someone has DOS’d it, so it’s offline. |
Steve Pampling (1551) 8124 posts |
Path #2 certificate chain, there’s an expired self-signed cert in there https://www.ssllabs.com/ssltest/analyze.html?d=raspi-davidhigton.dynv6.net Two paths reason Oh, and I think I crashed your server with the scan. Edit Or perhaps the denizens of the netherworlds did find you and break you. Either way, the certificate needs changing |
Dave Higton (1515) 3477 posts |
I’ve seen an SSL Labs scan before that wants to keep huge numbers of connections open (towards 90, if my (very unsafe!) memory serves me). My app only allows 10. Curious about the certs; I only got them less than 3 weeks ago. I’ll see if I can force an update. Thanks for the info! |
Steve Pampling (1551) 8124 posts |
Have a look at the scan on SSL Labs and expand the certificate path info The normal certs are fine and in date, it’s the self-signed at the base of the path #2 that’s the problem. |
Steve Pampling (1551) 8124 posts |
BTW. You might want to read this on the NMAP site and check the IPv6 config of your router/firewall |
Dave Higton (1515) 3477 posts |
There are only two pinholes in the IPv6 config. nmap correctly only found port 80, because my original plain HTTP “Hello World” app is up. It didn’t find port 443 because there’s nothing running at the moment to respond. |
Dave Higton (1515) 3477 posts |
The cause wasn’t obvious, but deleting the last certificate in the chain that I supply fixed it. The clue was that the first (the good) chain showed two certs sent by server, and one in trust store. My chain had three certs. The good chain ignored the last one, the bad chain took it into account. I have also fixed the “DNS CA” issue by creating CAA records for my dynv6 domains. Firefox still objects, but one issue I still have to fix is the lack of SNI. The function that should do it is not implemented. More for me to study and get my head round. Dunno if that will fix it for Firefox, though. We’ll see. Some more timeouts, and reducing the logging of normal “in progress” return values, has enabled me to get a complete SSL Labs scan without overflowing the log. Result is a B. I’m going to see if I can disable TLS1.0 and TLS1.1 in AcornSSL. |
Rick Murray (539) 13742 posts |
Rick says Hi! 🙋🏻 (no probs with Android Chrome and Android Firefox) |
Dave Higton (1515) 3477 posts |
Dave says Hi to Rick! (Here, that is…) I disabled TLS1.0 and TLS1.1 in the mbedTLS library, and now my site gets an A rating from SSL Labs. This does mean that the only protocol my version of AcornSSL supports is TLS1.2. Seems a bit minimalist… I’m aware that TLS1.3 support requires a newer version of mbedTLS, which has to be used a bit differently, i.e. it’s not just a 5 minute recompile. In other news, I have been assured that there will be a way to get Wiresalmon working with ROD’s new stack. It’s not the top priority, but I’ve been asked to keep the pressure on them. |
Dave Higton (1515) 3477 posts |
News update: as a result of some sterling work from the ROD team, they and I have been able to capture network traffic from a test version of the IPv6 stack, with a test version of Wiresalmon. The new stack has a new interface that is easier to deal with than DCI4. It will be a while before these things reach a releasable state, but I feel encouraged, and I hope you do too. |
Colin Ferris (399) 1797 posts |
Good news :-) Was there ever a RO prog that displayed the results? |
Dave Higton (1515) 3477 posts |
No. Use Wireshark on a Linux box. It’s enormous, unlike our little capture code, which makes it not worth porting for the few people here who’d use it. Unless you’d like to have a go? |
Dave Higton (1515) 3477 posts |
When I’m analysing network traffic, I run Moonfish on the RasPi, and mount the resulting NFS drive (my RAMdisc) on my Linux box. I capture into a file on RAMdisc, and it’s straight there ready to open in Wireshark. |
Pages: 1 2 3 4 5 6 7 8 9 10 11