minvws / nl-kat-coordination

Repo nl-kat-coordination for minvws
European Union Public License 1.2
123 stars 55 forks

The `kat_ssl_certificates`-boefje is broken for IPv6 #3399

Open originalsouth opened 1 month ago

originalsouth commented 1 month ago

Describe the bug: The `kat_ssl_certificates` boefje is broken for IPv6, resulting in:

  1. Successfully failed task
  2. A wrong Finding

To Reproduce: Steps to reproduce the behavior:

  1. On a clean install with IPv6 support, enable these boefjes:

    • DNSRecords
    • Nmap TCP
    • SSLCertificates
    • WebpageAnalysis
  2. Create a URL OOI for a TLS-supporting, IPv6-enabled domain like openkat.nl

  3. Get coffee

  4. See a successfully passed SSLCertificates task with empty content

  5. See a wrong finding

Screenshots: In the case of metaplus.kennisnet.nl:

error Command '['s_client', '-host', '2001:610:2d8:401::33:18', '-port', '443', '-prexit', '-showcerts', '-servername', 'metaplus.kennisnet.nl']' in image 'alpine/openssl:latest' returned non-zero exit status 1: b'286B7F75C3760000:error:80000065:system library:BIO_connect:Network unreachable:crypto/bio/bio_sock2.c:178:calling connect()\n286B7F75C3760000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:180:\nconnect:errno=101\n'

Case study: In `docker exec --privileged -u 0 -it nl-kat-coordination-boefje-1 bash`, running `openssl s_client -host 2a00:d00:123:456:62:204:64:191 -port 443 -prexit -showcerts -servername "openkat.nl"` yields:

Connecting to 2a00:d00:123:456:62:204:64:191
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R10
verify return:1
depth=0 CN=openkat.nl
verify return:1
---
Certificate chain
 0 s:CN=openkat.nl
   i:C=US, O=Let's Encrypt, CN=R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 14 03:47:15 2024 GMT; NotAfter: Oct 12 03:47:14 2024 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C=US, O=Let's Encrypt, CN=R10
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN=openkat.nl
issuer=C=US, O=Let's Encrypt, CN=R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3126 bytes and written 398 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: AE86CB8F3AB2C6526FCF7780817975AC5CB4F1E4ABC13C7184710B5CB39DE30C
    Session-ID-ctx:
    Resumption PSK: 5A64DA15F4A33BE0C14A67E970A3F28BDEB678B168214F2E66078012D520E68D68A5BE2CBCB6C91CD3F313E8FB0C679C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - fd 40 02 12 64 4f 8e 4d-ea 4c b2 ae 67 16 ee 5e   .@..dO.M.L..g..^
    0010 - af 2e e6 16 0e 91 a5 3c-36 a6 f4 96 2b d4 15 6b   .......<6...+..k
    0020 - 28 70 14 ce c4 ff 88 cc-11 b2 06 2c f2 65 b0 4a   (p.........,.e.J
    0030 - b6 ed 08 eb 70 ac fe 9d-02 7b 9c 42 f5 1a f2 60   ....p....{.B...`
    0040 - 2b 7e 38 c4 ed 9f d7 5d-f2 20 bb 8d 23 7a 5a 65   +~8....]. ..#zZe
    0050 - a6 e0 70 7e 63 62 7a b9-c8 5a 28 e4 04 83 a2 b8   ..p~cbz..Z(.....
    0060 - 39 e0 1b 0a 33 5b 29 4b-bc 70 93 06 9e 63 38 e7   9...3[)K.p...c8.
    0070 - a6 57 4a 1c 96 6b 6d 11-b2 f7 6a 4c 27 9b a4 28   .WJ..km...jL'..(
    0080 - 61 fc b3 27 7d be fe 77-19 d1 35 9c ef 19 e1 20   a..'}..w..5....
    0090 - c4 f8 65 aa 42 66 58 13-9d 3d fd df cf 37 fb f6   ..e.BfX..=...7..
    00a0 - 82 bd cc 4e 2b 2b 73 08-55 1e 0a 3d 18 99 39 00   ...N++s.U..=..9.
    00b0 - 55 db bc d4 98 d5 9d 08-7c 6a 0a 38 5d 0f 37 32   U.......|j.8].72
    00c0 - 32 c5 78 cf 10 be d0 c1-69 ec 2b 3c af 95 cc a3   2.x.....i.+<....
    00d0 - 59 2c 41 b5 b8 1e a5 6c-fe 4b 3b e0 ea d9 0c f8   Y,A....l.K;.....
    00e0 - b4 4e 65 6e 00 c9 b6 0d-00 a9 ff 2d 43 70 6e 24   .Nen.......-Cpn$

    Start Time: 1724369303
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 061A9D9C730D9E7059A81F54B8AC071FC6EC23AC4E3C7754D9CC48737ABA82F6
    Session-ID-ctx:
    Resumption PSK: 6048DDFF4D25B71101D9DF6DCC60C8491EFAFA36FC04EE50FB390B364ADD81A8D46797C8DFA82588327ABEF1BE1F55D0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - fd 40 02 12 64 4f 8e 4d-ea 4c b2 ae 67 16 ee 5e   .@..dO.M.L..g..^
    0010 - 67 bf 29 38 0c 77 0b 64-f7 52 dd 27 28 b3 0f ab   g.)8.w.d.R.'(...
    0020 - d8 30 e6 dc 3a 21 e1 ed-6d 48 e4 68 c1 5c 4c b5   .0..:!..mH.h.\L.
    0030 - 96 2f ae 5d ba 7d a7 13-b7 c0 c2 7a a9 ad 4c 8c   ./.].}.....z..L.
    0040 - 61 ef 1a ad 0c 07 0f d6-ce af 4a dd f1 c3 f3 1b   a.........J.....
    0050 - c1 df df 0d ee 06 b3 3f-41 24 77 cd 64 1e 9f 81   .......?A$w.d...
    0060 - ce 47 13 b4 2c bd 1d 2f-bb d1 a9 f6 4a 4a 38 82   .G..,../....JJ8.
    0070 - fd 65 f3 a2 ae 30 ab b3-89 7c 6e 11 75 7a 78 0f   .e...0...|n.uzx.
    0080 - 8f 4a a7 99 36 31 50 de-fa 61 80 73 06 46 fd 9c   .J..61P..a.s.F..
    0090 - d5 fd 7d 4b 3f 2d b8 19-68 dc b0 bd 21 71 b4 e5   ..}K?-..h...!q..
    00a0 - b7 c2 53 86 ff 90 68 ea-7f 98 fb 09 c2 70 fc 25   ..S...h......p.%
    00b0 - cf c0 7b 31 2c 25 72 ff-d8 02 59 06 e8 76 04 a5   ..{1,%r...Y..v..
    00c0 - fa 3b c0 9b 80 a4 21 f3-30 79 e2 ba 53 da 37 6c   .;....!.0y..S.7l
    00d0 - c3 4e d5 a1 c2 2f 74 f0-bf a7 be 2c 87 ef 7c 79   .N.../t....,..|y
    00e0 - 8c c7 60 c8 54 17 f9 45-c5 f4 42 3c 71 f3 49 4a   ..`.T..E..B<q.IJ

    Start Time: 1724369303
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
---
Certificate chain
 0 s:CN=openkat.nl
   i:C=US, O=Let's Encrypt, CN=R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 14 03:47:15 2024 GMT; NotAfter: Oct 12 03:47:14 2024 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C=US, O=Let's Encrypt, CN=R10
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN=openkat.nl
issuer=C=US, O=Let's Encrypt, CN=R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3724 bytes and written 422 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Whereas `docker run alpine/openssl:latest s_client -host 2a00:d00:123:456:62:204:64:191 -port 443 -prexit -showcerts -servername "openkat.nl"` yields:

"openkat.nl"
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
282B967576770000:error:80000065:system library:BIO_connect:Network unreachable:crypto/bio/bio_sock2.c:178:calling connect()
282B967576770000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:180:
connect:errno=101

This is what the `kat_ssl_certificates` boefje uses (https://github.com/minvws/nl-kat-coordination/blob/929b44326887d5ded90f1f444b67e7f9e9570237/boefjes/boefjes/plugins/kat_ssl_certificates/main.py#L5) and thus might possibly be in need of replacement. The behavior is similar for other hosts in the same scenario.

Expected behavior: Retrieve the certificate for IPv6 successfully, and fail the task if the retrieval was unsuccessful.

OpenKAT version: main (b93157de143adfb01cdab9495b49cf7cb16594f8)


originalsouth commented 1 month ago

The problem is that the kat IPv6 is not aggregated to the boefjes' sub-containers. If `network="nl-kat-coordination_default"` is given as an argument to the `docker run` (inside a boefje), the problems are resolved. Thanks @noamblitz for digging through this.

originalsouth commented 1 month ago

Pending on #2833

originalsouth commented 1 month ago
--- a/boefjes/boefjes/plugins/kat_ssl_certificates/main.py
+++ b/boefjes/boefjes/plugins/kat_ssl_certificates/main.py
@@ -31,6 +31,7 @@ def run(boefje_meta: BoefjeMeta) -> list[tuple[set, bytes | str]]:
                 hostname,
             ],
             remove=True,
+            network="nl-kat-coordination_default",
         )
     except docker.errors.ContainerError as e:
         output = f"error {str(e)}"
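Review bot: the `network="nl-kat-coordination_default"` line hard-codes the network name that Docker Compose derives from the project directory, so any deployment with a different project name, or one not started through this compose file, passes a network that does not exist; the Docker API error raised in that case is not a `docker.errors.ContainerError`, so the `except docker.errors.ContainerError as e:` shown in the context would not catch it and the boefje would crash instead of reporting. Resolve the network at runtime (from the boefje container's own `NetworkSettings.Networks`, or from a setting) and keep the compose name only as a development default.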

Would be a temporary workaround

dekkers commented 1 month ago
--- a/boefjes/boefjes/plugins/kat_ssl_certificates/main.py
+++ b/boefjes/boefjes/plugins/kat_ssl_certificates/main.py
@@ -31,6 +31,7 @@ def run(boefje_meta: BoefjeMeta) -> list[tuple[set, bytes | str]]:
                 hostname,
             ],
             remove=True,
+            network="nl-kat-coordination_default",
         )
     except docker.errors.ContainerError as e:
         output = f"error {str(e)}"

Would be a temporary workaround

Only for the development setup and this would fail for production setups, because those won't have a network called "nl-kat-coordination_default"
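As an added example, not code from the nl-kat-coordination repository, the following Python sketch shows the two changes the thread converges on: run the `alpine/openssl` sidecar on the network the boefje container itself is attached to instead of a hard-coded `nl-kat-coordination_default`, and turn a connect failure (the `connect:errno=101` / `Network unreachable` case above) into a task failure rather than a "successfully failed" task whose output is an `error ...` string. It assumes the docker SDK for Python is available in the boefje runtime, that the boefje container's hostname is its container ID (Docker's default), and that `extract_chain()` is handed the raw text of `openssl s_client -prexit -showcerts`; the sample outputs at the bottom are constructed from the transcripts in this issue with placeholder PEM bodies.

```python
"""Added example, not nl-kat-coordination code: resolve the sidecar's Docker network from the
boefje's own container, and fail the task when s_client never reached the host."""
import re
import socket

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


class CertificateRetrievalError(RuntimeError):
    """Raised, not swallowed, so the task ends up failed instead of completed with an error string."""


def own_networks(container_attrs: dict) -> list[str]:
    """Names of the Docker networks a container is attached to (shape of docker's Container.attrs)."""
    return list(container_attrs.get("NetworkSettings", {}).get("Networks", {}))


def pick_network(container_attrs: dict) -> str:
    """First user-defined network of the boefje container; the stock `bridge` network is the one
    without IPv6 in a default Docker install, which is what the issue's errno=101 shows."""
    networks = own_networks(container_attrs)
    if not networks:
        raise CertificateRetrievalError("boefje container is not attached to any Docker network")
    user_defined = [n for n in networks if n != "bridge"]
    return (user_defined or networks)[0]


def s_client_command(address: str, port: int, servername: str) -> list[str]:
    """Argument vector for the openssl image; -host takes a bare IPv6 literal, no brackets, as in the issue."""
    return ["s_client", "-host", address, "-port", str(port), "-prexit", "-showcerts", "-servername", servername]


def extract_chain(output: str) -> list[str]:
    """PEM blocks in server order, or an exception if no TLS session ever happened."""
    if "Network unreachable" in output or "connect:errno=" in output:
        raise CertificateRetrievalError("TCP connect failed: " + output.strip().splitlines()[-1])
    if "no peer certificate available" in output:
        raise CertificateRetrievalError("handshake did not produce a server certificate")
    chain: list[str] = []
    for pem in PEM_RE.findall(output):
        if pem not in chain:  # -prexit prints the chain a second time at exit; keep one copy
            chain.append(pem)
    if not chain:
        raise CertificateRetrievalError("no certificate in s_client output")
    return chain


def fetch_chain(address: str, port: int, servername: str, image: str = "alpine/openssl:latest") -> list[str]:
    """Run the sidecar on the boefje's own network and return the chain. Needs a Docker daemon;
    the helpers above are pure and can be exercised without one."""
    import docker  # local import so the pure helpers import without the SDK

    client = docker.from_env()
    network = pick_network(client.containers.get(socket.gethostname()).attrs)
    try:
        raw = client.containers.run(
            image, s_client_command(address, port, servername),
            remove=True, network=network, stdout=True, stderr=True,
        )
    except docker.errors.ContainerError as exc:
        # non-zero exit (e.g. the errno=101 connect failure): fail the task, do not return "error ..."
        raise CertificateRetrievalError(str(exc)) from exc
    return extract_chain(raw.decode())


# Constructed samples modelled on the issue's transcripts; PEM bodies are placeholders.
SAMPLE_OK = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN=openkat.nl
-----BEGIN CERTIFICATE-----
LEAF
-----END CERTIFICATE-----
 1 s:C=US, O=Let's Encrypt, CN=R10
-----BEGIN CERTIFICATE-----
INTERMEDIATE
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
closed
---
Certificate chain
-----BEGIN CERTIFICATE-----
LEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE
-----END CERTIFICATE-----
"""
SAMPLE_UNREACHABLE = """no peer certificate available
---
SSL handshake has read 0 bytes and written 0 bytes
---
282B967576770000:error:80000065:system library:BIO_connect:Network unreachable:crypto/bio/bio_sock2.c:178:calling connect()
connect:errno=101
"""
```

Before trusting the chosen network, confirm it actually carries IPv6 with `docker network inspect -f '{{.EnableIPv6}}' <network>`; if that prints `false`, attaching the sidecar to it moves the failure rather than fixing it.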