Web Filter + IPv6 flow label + SSL = failed connection
Hello,
Problem:
Clients with IPv6 flow label enabled, i.e. non-zero values in the flow label header, have problems connecting to (some) websites:
Steps for reproduction:
1. Latest Windows 10 with "netsh int ipv6 set global flowlabel=enabled"
2. wget.exe (Version 1.20) from https://eternallybored.org/misc/wget/
3. On CLI do "wget -6 -d https://files.pythonhosted.org"
Output:
    DEBUG output created by Wget 1.20 on mingw32.
    Reading HSTS entries from c:\Users\nutzer\Downloads/.wget-hsts
    URI encoding = 'CP1252'
    converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
    Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
    --2019-01-29 12:45:23-- https://files.pythonhosted.org/
    Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
    Caching files.pythonhosted.org => 2a04:4e42:1b::319
    Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
    Created socket 3.
    Releasing 0x00000000029e8630 (new refcount 1).
    Initiating SSL handshake.
    seconds 900,00, Winsock error: 10054
    SSL handshake failed.
    Closed fd 3
    Unable to establish SSL connection.
4. On CLI do "netsh int ipv6 set global flowlabel=disabled"
5. On CLI do "wget -6 -d https://files.pythonhosted.org"
Output:
    DEBUG output created by Wget 1.20 on mingw32.
    Reading HSTS entries from c:\Users\user1\Downloads/.wget-hsts
    URI encoding = 'CP1252'
    converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
    Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
    --2019-01-29 12:52:01-- https://files.pythonhosted.org/
    Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
    Caching files.pythonhosted.org => 2a04:4e42:1b::319
    Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
    Created socket 3.
    Releasing 0x0000000000b78570 (new refcount 1).
    Initiating SSL handshake.
    seconds 900,00, Winsock error: 0
    Handshake successful; connected socket 3 to SSL handle 0x0000000000b7cb60
    certificate:
      subject: CN=r.ssl.fastly.net,O=Fastly\\, Inc,L=San Francisco,ST=California,C=US
      issuer: CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
    X509 certificate successfully verified and matches host files.pythonhosted.org
    ---request begin---
    GET / HTTP/1.1
    User-Agent: Wget/1.20 (mingw32)
    Accept: */*
    Accept-Encoding: identity
    Host: files.pythonhosted.org
    Connection: Keep-Alive
    ---request end---
    HTTP request sent, awaiting response...
    seconds 900,00, Winsock error: 0
    seconds 900,00, Winsock error: 0
    ---response begin---
    HTTP/1.1 200 OK
    Content-Type: text/html
    Server: nginx/1.13.9
    Content-Length: 1822
    Accept-Ranges: bytes
    Date: Tue, 29 Jan 2019 11:52:01 GMT
    Age: 0
    Connection: keep-alive
    X-Served-By: cache-iad2150-IAD, cache-hhn1551-HHN
    X-Cache: HIT, MISS
    X-Cache-Hits: 1, 0
    X-Timer: S1548762722.675927,VS0,VE88
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Permitted-Cross-Domain-Policies: none
    X-Robots-Header: noindex
    ---response end---
    200 OK
    Registered socket 3 for persistent reuse.
    Parsed Strict-Transport-Security max-age = 31536000, includeSubDomains = true
    Updated HSTS host: files.pythonhosted.org:443 (max-age: 31536000, includeSubdomains: true)
    Length: 1822 (1,8K) [text/html]
    Saving to: 'index.html.7'
    index.html.7 0%[ ] 0 --.-KB/s
    seconds 900,00, Winsock error: 0
    index.html.7 100%[========================================================================================================================================>] 1,78K --.-KB/s in 0,002s
    2019-01-29 12:52:02 (850 KB/s) - 'index.html.7' saved [1822/1822]
Why does Web Filter influence the connection?
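As an added example (not part of the original post): a small Python parser for the IPv6 fixed header that extracts the 20-bit flow label, so packets captured on either side of the filter can be checked for a non-zero label on the TCP/443 connection. The sample packets are constructed; the client address 2001:db8::10 and the function names are assumptions, and the destination is the address from the wget output.

```python
import ipaddress
import struct

def parse_ipv6_tcp(packet: bytes) -> dict:
    """Parse the 40-byte IPv6 fixed header and, when TCP follows directly, its ports and flags."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {
        "traffic_class": (first_word >> 20) & 0xFF,  # 8 bits after the version nibble
        "flow_label": first_word & 0xFFFFF,          # low 20 bits of the first 32-bit word
        "payload_len": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
    }
    # Extension headers are not walked; TCP is decoded only when next_header == 6.
    if next_header == 6 and len(packet) >= 60:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[40:44])
        info["tcp_flags"] = packet[53]  # byte 13 of the TCP header
    return info

def labelled_tls_packets(packets):
    """Return parsed packets to TCP/443 whose flow label is non-zero."""
    parsed = (parse_ipv6_tcp(p) for p in packets)
    return [p for p in parsed if p.get("dport") == 443 and p["flow_label"] != 0]

def build_sample(flow_label: int) -> bytes:
    """Constructed IPv6 + TCP SYN to port 443 (sample data, not a real capture)."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    src = ipaddress.IPv6Address("2001:db8::10").packed       # documentation prefix, assumed client
    dst = ipaddress.IPv6Address("2a04:4e42:1b::319").packed  # address from the wget output
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, 5 << 4, 0x02, 64240, 0, 0)
    return struct.pack("!IHBB", first_word, len(tcp), 6, 64) + src + dst + tcp

if __name__ == "__main__":
    for pkt in (build_sample(0x3A5F1), build_sample(0)):
        p = parse_ipv6_tcp(pkt)
        print(f"{p['src']} -> {p['dst']}:{p['dport']} flow_label=0x{p['flow_label']:05x}")
```
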
