feat: Add IPv6 support to OCSP responder

The OCSP responder in OpenSSL (in Alpine) only supports IPv4 so I've used socat as a proxy to listen in IPv4 and IPv6 then forward to the OCSP responder on localhost using IPv4.
surevine · Nov 20, 2024 · c50f24c · c50f24c
1 parent fccc330
commit c50f24c
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 16 deletions.
diff --git a/federation/docker-compose-federated.yml b/federation/docker-compose-federated.yml
@@ -1,5 +1,3 @@
-version: '3.7'
-
 services:
 
   db1:

diff --git a/federation/docker-compose-network-dualstack.yml b/federation/docker-compose-network-dualstack.yml
@@ -22,7 +22,7 @@ services:
       - "conference.xmpp1.localhost.example=fd23:d79:d076::10"
       - "xmpp2.localhost.example=fd23:d79:d076::20"
       - "conference.xmpp2.localhost.example=fd23:d79:d076::20"
-      - "ocsp.localhost.example:172.50.0.88"
+      - "ocsp.localhost.example:[fd23:d79:d076::88]"
 
   xmpp2:
     networks:
@@ -34,7 +34,7 @@ services:
       - "conference.xmpp1.localhost.example=fd23:d79:d076::10"
       - "xmpp2.localhost.example=fd23:d79:d076::20"
       - "conference.xmpp2.localhost.example=fd23:d79:d076::20"
-      - "ocsp.localhost.example:172.50.0.88"
+      - "ocsp.localhost.example:[fd23:d79:d076::88]"
 
 networks:
   openfire-federated-net:

diff --git a/federation/docker-compose-ocsp-responder.yml b/federation/docker-compose-ocsp-responder.yml
@@ -28,15 +28,21 @@ services:
       - /bin/sh
       - -c
       - |
-        apk add --no-cache openssl &&
-        openssl ocsp -port 8888 -text \
-        -index /ca/intermediate-ca/index.txt \
-        -CA /ca/intermediate-ca/intermediate.crt \
-        -rkey /ca/ocsp-responder/ocsp.key \
-        -rsigner /ca/ocsp-responder/ocsp.crt \
-        -ndays 1
+        apk add --no-cache openssl socat
+
+        # Start OCSP responder on localhost using a different port
+        openssl ocsp -port 8887 -text \
+          -index /ca/intermediate-ca/index.txt \
+          -CA /ca/intermediate-ca/intermediate.crt \
+          -rkey /ca/ocsp-responder/ocsp.key \
+          -rsigner /ca/ocsp-responder/ocsp.crt \
+          -ndays 1 &
+
+        # Use socat to create IPv6 and IPv4 listeners that forward to the OCSP responder
+        socat TCP6-LISTEN:8888,fork,ipv6-v6only=1 TCP4:127.0.0.1:8887 &
+        socat TCP4-LISTEN:8888,fork TCP4:127.0.0.1:8887 &
+
+        # Keep container running and log any errors
+        wait
     ports:
-      - "8888:8888"
-    networks:
-      openfire-federated-net:
-        ipv4_address: 172.50.0.88
+      - "8888:8888"
diff --git a/federation/start.sh b/federation/start.sh
@@ -33,11 +33,12 @@ while getopts n:6oh o; do
         ;;
     6)
 				echo "Using IPv6"
+				USING_IPV6=true
 				NETWORK_COMPOSE_FILE="docker-compose-network-dualstack.yml"
         ;;
     o)
         echo "Enabling OCSP support"
-        export ENABLE_OCSP=true
+        ENABLE_OCSP=true
         ;;
     h)
         usage
@@ -70,6 +71,11 @@ if [ "$ENABLE_OCSP" = true ]; then
   "$SCRIPTPATH"/scripts/generate-certificates.sh
   "$SCRIPTPATH"/scripts/import-certificates.sh
   COMPOSE_FILE_COMMAND+=("-f" "docker-compose-ocsp-responder.yml")
+  if [ "$USING_IPV6" = true ]; then
+    COMPOSE_FILE_COMMAND+=("-f" "docker-compose-ocsp-responder-ipv6.yml")
+  else
+    COMPOSE_FILE_COMMAND+=("-f" "docker-compose-ocsp-responder-ipv4.yml")
+  fi
 fi
 
 "${COMPOSE_FILE_COMMAND[@]}" up -d || popd