Bug 362550

Summary: Community, Forum, Userbase, and Techbase timeout on IPv6
Product: [Websites] www.kde.org Reporter: Sean O'Connell <sean>
Component: generalAssignee: kde-www mailing-list <kde-www>
Status: RESOLVED NOT A BUG    
Severity: normal CC: denis.revin
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Linux   
URL: https://community.kde.org/Main_Page
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Sean O'Connell 2016-05-01 14:48:02 UTC
When accessing any of the following sites from a computer with dual stack IPv4/IPv6, the connection times out before the page is loaded:

https://community.kde.org/
https://forum.kde.org/
https://userbase.kde.org/
https://techbase.kde.org/

If IPv6 is disabled, or if the following entries are added to the local hosts file (forcing connectivity via IPv4) the sites load normally:

192.230.74.89   forum.kde.org
192.230.74.89   community.kde.org
192.230.74.89   cdn.kde.org
192.230.74.99   userbase.kde.org
192.230.74.99   techbase.kde.org


Reproducible: Always

Steps to Reproduce:
1. Configure computer with dual stack IPv4/IPv6 connectivity, set to prefer IPv6.
2. Access one of the URLs above.


Actual Results:  
Page timeouts before loading.

Expected Results:  
Page loads normally.
Comment 1 Ben Cooksley 2016-05-02 07:52:14 UTC
This occurs with certain providers of IPv6 unfortunately - your provider (or their upstream) has defects in their setup of IPv6 which make Incapsula hosted sites inaccessible over IPv6. Numerous tests we've performed indicate that PMTUD is functioning correctly with Incapsula.

Please take this up with your internet service provider.
Comment 2 Denis Revin 2016-08-27 15:59:03 UTC
Hello, dear admins. I have same issue as Sean, and I don't think that its provider problem. Let me explain.

When you trying access to community.kde.org DNS returns 2a02:e980:e::da and that's wrong:
----------------------
[dut@void ~]$ openssl s_client -connect 2a02:e980:e::da:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
-----------------------------


After some debugging with dns and ssl tools i've found that community.kde.org must return 2a02:e980:15::da ('e' must be changed to '15'). After that all works fine.

Same issue with forum.kde.org and so on:
[dut@void ~]$ wget https://forum.kde.org/
--2016-08-27 19:53:35--  https://forum.kde.org/
Resolving forum.kde.org (forum.kde.org)... 2a02:e980:e::22, 192.230.77.34
Connecting to forum.kde.org (forum.kde.org)|2a02:e980:e::22|:443... connected.
Unable to establish SSL connection.

[dut@void ~]$ wget --header="Host: forum.kde.org" https://[2a02:e980:e::22]/
--2016-08-27 19:55:38--  https://[2a02:e980:e::22]/
Connecting to [2a02:e980:e::22]:443... connected.
Unable to establish SSL connection.


[dut@void ~]$ wget --no-check-certificate --header="Host: forum.kde.org" https://[2a02:e980:15::22]/
--2016-08-27 19:56:08--  https://[2a02:e980:15::22]/
Connecting to [2a02:e980:15::22]:443... connected.
    WARNING: certificate common name ‘incapsula.com’ doesn't match requested host name ‘2a02:e980:15::22’.
HTTP request sent, awaiting response... 200 OK
Cookie coming from 2a02:e980:15::22 attempted to set domain to forum.kde.org
Cookie coming from 2a02:e980:15::22 attempted to set domain to forum.kde.org
Cookie coming from 2a02:e980:15::22 attempted to set domain to forum.kde.org
Cookie coming from 2a02:e980:15::22 attempted to set domain to kde.org
Cookie coming from 2a02:e980:15::22 attempted to set domain to kde.org
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html              [   <=>              ]  58.04K   122KB/s    in 0.5s    

2016-08-27 19:56:11 (122 KB/s) - ‘index.html’ saved [59438]

Can you, please, try to check it? Thanks.

Sean, for temporary workaround you can just add forum.kde.org community.kde.org and so on to /etc/hosts with appropriate ipv6 addresses.