feat: Add IPv6 support to OCSP responder

The OCSP responder in OpenSSL (in Alpine) only supports IPv4 so I've used socat as a proxy to listen in IPv4 and IPv6 then forward to the OCSP responder on localhost using IPv4.
2024-11-20 15:54:15 +00:00 · 2024-11-20 15:54:15 +00:00 · 836b0be3c2
parent bc7a1186bc
commit 836b0be3c2
6 changed files with 37 additions and 16 deletions
--- a/federation/docker-compose-federated.yml
+++ b/federation/docker-compose-federated.yml
@ -1,5 +1,3 @@
 version: '3.7'
 services:
  db1:
--- a/federation/docker-compose-network-dualstack.yml
+++ b/federation/docker-compose-network-dualstack.yml
@ -22,7 +22,7 @@ services:
      - "conference.xmpp1.localhost.example=fd23:d79:d076::10"
      - "xmpp2.localhost.example=fd23:d79:d076::20"
      - "conference.xmpp2.localhost.example=fd23:d79:d076::20"
-      - "ocsp.localhost.example:172.50.0.88"
+      - "ocsp.localhost.example:[fd23:d79:d076::88]"
  xmpp2:
    networks:
@ -34,7 +34,7 @@ services:
      - "conference.xmpp1.localhost.example=fd23:d79:d076::10"
      - "xmpp2.localhost.example=fd23:d79:d076::20"
      - "conference.xmpp2.localhost.example=fd23:d79:d076::20"
-      - "ocsp.localhost.example:172.50.0.88"
+      - "ocsp.localhost.example:[fd23:d79:d076::88]"
 networks:
  openfire-federated-net:
--- a/federation/docker-compose-ocsp-responder-ipv4.yml
+++ b/federation/docker-compose-ocsp-responder-ipv4.yml
@ -0,0 +1,5 @@
 services:
  ocsp-responder:
    networks:
      openfire-federated-net:
        ipv4_address: 172.50.0.88
--- a/federation/docker-compose-ocsp-responder-ipv6.yml
+++ b/federation/docker-compose-ocsp-responder-ipv6.yml
@ -0,0 +1,6 @@
 services:
  ocsp-responder:
    networks:
      openfire-federated-net:
        ipv4_address: 172.50.0.88
        ipv6_address: fd23:d79:d076::88
--- a/federation/docker-compose-ocsp-responder.yml
+++ b/federation/docker-compose-ocsp-responder.yml
@ -28,15 +28,21 @@ services:
      - /bin/sh
      - -c
      - |
-        apk add --no-cache openssl &&
+        apk add --no-cache openssl socat
-        openssl ocsp -port 8888 -text \
+
-        -index /ca/intermediate-ca/index.txt \
+        # Start OCSP responder on localhost using a different port
-        -CA /ca/intermediate-ca/intermediate.crt \
+        openssl ocsp -port 8887 -text \
-        -rkey /ca/ocsp-responder/ocsp.key \
+          -index /ca/intermediate-ca/index.txt \
-        -rsigner /ca/ocsp-responder/ocsp.crt \
+          -CA /ca/intermediate-ca/intermediate.crt \
-        -ndays 1
+          -rkey /ca/ocsp-responder/ocsp.key \
          -rsigner /ca/ocsp-responder/ocsp.crt \
          -ndays 1 &
        # Use socat to create IPv6 and IPv4 listeners that forward to the OCSP responder
        socat TCP6-LISTEN:8888,fork,ipv6-v6only=1 TCP4:127.0.0.1:8887 &
        socat TCP4-LISTEN:8888,fork TCP4:127.0.0.1:8887 &
        # Keep container running and log any errors
        wait
    ports:
-      - "8888:8888"
+      - "8888:8888"
    networks:
      openfire-federated-net:
        ipv4_address: 172.50.0.88
--- a/federation/start.sh
+++ b/federation/start.sh
@ -33,11 +33,12 @@ while getopts n:6oh o; do
        ;;
    6)
 				echo "Using IPv6"
 				USING_IPV6=true
 				NETWORK_COMPOSE_FILE="docker-compose-network-dualstack.yml"
        ;;
    o)
        echo "Enabling OCSP support"
-        export ENABLE_OCSP=true
+        ENABLE_OCSP=true
        ;;
    h)
        usage
@ -70,6 +71,11 @@ if [ "$ENABLE_OCSP" = true ]; then
  "$SCRIPTPATH"/scripts/generate-certificates.sh
  "$SCRIPTPATH"/scripts/import-certificates.sh
  COMPOSE_FILE_COMMAND+=("-f" "docker-compose-ocsp-responder.yml")
  if [ "$USING_IPV6" = true ]; then
    COMPOSE_FILE_COMMAND+=("-f" "docker-compose-ocsp-responder-ipv6.yml")
  else
    COMPOSE_FILE_COMMAND+=("-f" "docker-compose-ocsp-responder-ipv4.yml")
  fi
 fi
 "${COMPOSE_FILE_COMMAND[@]}" up -d || popd