[EXT] SubjectConfirmationData Address & IPv6

Aaron Howell aaron.howell at deakin.edu.au
Wed Jul 31 01:43:21 EDT 2019

For anyone looking in future:

This was tracked down to a Jetty bug - https://github.com/eclipse/jetty.project/issues/1503

We have a patched version - but the setting is disabled by default in the 9.x branch (will be true by default on 10.x)

Took me an inordinate amount of time trying to work out how to actually set the system property “org.eclipse.jetty.util.HostPort.STRIP_IPV6” to true. We are using modules to configure Jetty - so I have done it in a .mod file by adding the following lines:

On 29 Jul 2019, at 9:20 am, Aaron Howell <aaron.howell at deakin.edu.au> wrote:

Cheers - I have logged a bug for this issue: IDP-1477 <https://issues.shibboleth.net/jira/browse/IDP-1477>

I would say there isn’t much to know about IPv6 at a programming level - it is mostly just that the formatting rules for addresses are different. Realistically an application shouldn’t need to do too much to support the protocol - it's just a different courier company.

I presume that most SPs are following the recommendation of section 5.1 in https://tools.ietf.org/html/rfc4038, which pretty much boils down to: be liberal in the format that is accepted.

As for the other input - firstly I don’t think this is the default format - my guess on this is that Jetty can return different formats of IPv6 addresses depending on circumstances, and the IdP is simply passing it through unaltered. So different configurations and different servlet engines may have different results. Secondly, it would be extremely surprising to find that something only accepted the square bracket format, because (per the first point) it would then only work with a subset of IdP implementations. Thirdly, even if the rest weren’t true, any that did only support square brackets would be against spec anyway - so they should really fix the issue.


On 27 Jul 2019, at 3:22 am, Yeargan, Yancey <Yancey.Yeargan at untsystem.edu> wrote:

If the default format for IPv6 addresses should change in new versions of the IdP, legacy installs would need to continue using the old format indefinitely. In that scenario, some way to choose (override) the format on a per relying party level within the IdP would be appropriate. New versions of the SP could accept an IPv6 address with or without the brackets. Perhaps the SP does that already.

Yancey Yeargan
IT Manager
IT Shared Services
Office: 940.369.7521

On Jul 26, 2019, at 11:01 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

I know roughly nothing about IPv6 but if the standard is reasonably explicit about what to do then I'm quite comfortable treating it as a bug.

It's odd that the Shibboleth SP doesn't notice this though, so I'd have to look into why. Perhaps the brackets are the norm when reading REMOTE_ADDR anyway. So the problem is that I suspect if we "fix" this it will just break our SP in the bargain without patches there.

-- Scott


For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
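As an added illustration of the "be liberal in what you accept" advice from the thread (this is example code, not Shibboleth SP or IdP code): an SP-side check that pulls Address out of a SubjectConfirmationData element and compares it with the client address by parsed value, so the bracketed form Jetty can produce ("[2001:db8::1]") matches the bare form. The sample element, the hypothetical function names, and the test addresses are all constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Optional, Union

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample resembling an assertion from an IdP behind Jetty with
# HostPort bracketing in effect: the Address carries square brackets.
SAMPLE_SUBJECT_CONFIRMATION = (
    '<saml:SubjectConfirmation xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Address="[2001:db8::1]" '
    'Recipient="https://sp.example.org/SAML2/POST" NotOnOrAfter="2019-07-31T06:00:00Z"/>'
    '</saml:SubjectConfirmation>'
)


def asserted_address(subject_confirmation_xml: str) -> Optional[str]:
    """Return the raw Address attribute of SubjectConfirmationData, or None if absent."""
    root = ET.fromstring(subject_confirmation_xml)
    scd = root.find(f".//{{{SAML_NS}}}SubjectConfirmationData")
    return None if scd is None else scd.get("Address")


def normalize_address(raw: Optional[str]) -> Optional[IPAddress]:
    """Parse an address as it may arrive in Address or REMOTE_ADDR: bracketed IPv6,
    bare IPv6/IPv4, or with a zone id suffix. Returns None when unparseable."""
    if raw is None:
        return None
    s = raw.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]  # strip the URI-style brackets Jetty's HostPort can emit
    s = s.split("%", 1)[0]  # drop a zone/scope id; it only has meaning on one host
    try:
        addr = ipaddress.ip_address(s)
    except ValueError:
        return None
    # Unwrap IPv4-mapped IPv6 (::ffff:192.0.2.1) so it compares equal to 192.0.2.1.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def address_matches(asserted: Optional[str], client: Optional[str]) -> bool:
    """Compare parsed values, not strings, so formatting differences between the IdP's
    servlet engine and the SP's REMOTE_ADDR do not cause spurious rejections."""
    a, c = normalize_address(asserted), normalize_address(client)
    return a is not None and c is not None and a == c
```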
