socat rejects TCP-LISTEN on ipv6 only networks

[OnyxMsi]

I figured this issue by trying to run http-01 challenge on a FreeBSD 14 macfine on a IPv6 only environment.

Context

My host is running on Freebsd 14.2 with acme.sh 3.1.1 installed.

I use the following command :

acme.sh --issue --standalone -d host.test.orage
        --server https://web-acme.test.orage/acme/acme/directory
        --ca-bundle /tmp/web_ca.crt
        --fullchain-file foo.crt

tcpdump show this :

onyx@Savary:~ $ doas tcpdump -i epair1b port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on epair1b, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:15:24.510644 IP6 fd11:d19b:85d0:1:bc27:17ff:fe4c:4d7a.50960 > fd11:d19b:85d0:1:9057:35ff:feda:72e9.http: Flags [S], seq 3803954916, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 4044250837 ecr 0], length 0
22:15:24.510660 IP6 fd11:d19b:85d0:1:9057:35ff:feda:72e9.http > fd11:d19b:85d0:1:bc27:17ff:fe4c:4d7a.50960: Flags [R.], seq 0, ack 3803954917, win 0, length 0

It appears socat is rejecting packets, i have no firewall running on the host.

I found this and this that are related to my problem.

I haven't try the solution of the second link (to rollback to socat 1.7), but instead I propose to support it.

The fix

Just use the --listen-v6 flag to overwrite the socat command with the right options

[vmmello]

https://github.com/acmesh-official/acme.sh/pull/6499/files#diff-fa7257dd71a86f5ff7ef038e113cc6805e916286786dabe7213070945a46e737R2539

  if [ "$Le_Listen_V6" ]; then
    _NC="$_NC -6"
    SOCAT_OPTIONS=TCP6-LISTEN
  else
    _NC="$_NC -4"
    SOCAT_OPTIONS=TCP4-LISTEN
  fi

I'm just reviewing the code, I got the impression that with this change, in a dual stack it'll never use the IPv6 address unless -6 is explicitly passed on command line. And if it's passed it'll only use IPv6. This change apparently breaks the dual stack in either v4 or v6, not the usual v6 then v4 fallback (one of it will return 'connection refused'). Correct? (I haven't tested, I just got this impression by reading the code)

I don't mind much, though I'm only pointing because I'm not sure if this is desired or not (i.e due to a bug in a possibly less common IPv6-only use case, you're breaking the backwards behavior of a probably more common use case that is of a dual stack. What's may be not what you want).

Maybe the best, not to break the dual stack fallback would be something like:

  if [ "$Le_Listen_V6" ]; then
    _NC="$_NC -6"
    SOCAT_OPTIONS=TCP6-LISTEN
  elif [ "$Le_Listen_V4" ]; then
    _NC="$_NC -4"
    SOCAT_OPTIONS=TCP4-LISTEN
  else
    SOCAT_OPTIONS=TCP-LISTEN
  fi

[neilpang]

@vmmello fixed, thanks.