[Bug 274964] java/openjdk21 Dual-stack IPv4/IPv6 applications no longer work with sysctl net.inet6.ip6.v6only=1

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 04 Dec 2023 14:18:40 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274964

--- Comment #4 from Daniel Neades <djn@araxis.com> ---
Hello Michael, thank you for your interest in this issue. I hope the following
information will prove helpful.

I initially reported the problem with our host running FreeBSD 13.2-RELEASE-p3.
I have just upgraded to FreeBSD 13.2-RELEASE-p6 (though the kernel is showing
p4) and can confirm that the problem still exists.

Our host has a number of jails. Jail id 3 contains the Tomcat application; jail
id 11 contains the Scala application. The following commands were run directly
on the host (i.e. not inside a jail):


```
# uname -a
FreeBSD <redacted> 13.2-RELEASE-p4 FreeBSD 13.2-RELEASE-p4 GENERIC amd64

# freebsd-version -kru -j 3 -j 11
13.2-RELEASE-p4
13.2-RELEASE-p4
13.2-RELEASE-p6
13.2-RELEASE-p6
13.2-RELEASE-p6

# sysctl net.inet6.ip6.v6only
net.inet6.ip6.v6only: 1
```

With OpenJDK 17, the Scala application listens on a dual-stack socket. The
following commands were run within jail id 11 with the Scala application
running on OpenJDK 17:


```
# pkg version -v | grep jdk
openjdk17-17.0.9+9.1               =   up-to-date with index

# service portal restart && sleep 5 && sockstat -l -6 -4 -p 8443
Stopping portal.
Waiting for PIDS: 43983.
Starting portal.
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
portal   java       44346 10 tcp46  *:8443                *:*

# ps -axww | grep openjdk | head -n 1 # show command used to run application
53030  -  IJ   0:05.07 /usr/local/openjdk17/bin/java
-Djava.net.preferIPv4Stack=false -Xms32m -Xmx64m
-Djdk.tls.ephemeralDHKeySize=2048
-Djdk.tls.server.enableStatusRequestExtension=true
-Dlogback.configurationFile=/usr/local/portal/etc/logback.xml -jar
/usr/local/portal/lib/Portal2023.0.34.jar --dbHost=10.12.12.11 --dbPort=6432
```

With OpenJDK 21, the Scala application listens only on an IPv6 socket. The
following commands were run within jail id 11, this time running the Scala
application on OpenJDK 21:

```
# pkg version -v | grep jdk
openjdk21-21.0.1+12.1              =   up-to-date with index

# service portal restart && sleep 5 && sockstat -l -6 -4 -p 8443
Stopping portal.
Waiting for PIDS: 48749.
Starting portal.
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
portal   java       49590 10 tcp6   <redacted>::7546:0:c:8443 *:*

# ps -axww | grep openjdk | head -n 1 # show command used to run application
49590  -  IJ   0:06.86 /usr/local/openjdk21/bin/java
-Djava.net.preferIPv4Stack=false -Xms32m -Xmx64m
-Djdk.tls.ephemeralDHKeySize=2048
-Djdk.tls.server.enableStatusRequestExtension=true
-Dlogback.configurationFile=/usr/local/portal/etc/logback.xml -jar
/usr/local/portal/lib/Portal2023.0.34.jar --dbHost=10.12.12.11 --dbPort=6432
```

Now, to repeat the same exercise but using the Tomcat application running in
jail 3 …

With OpenJDK 17, Tomcat listens on a dual-stack socket. The following commands
were run within jail id 3 with Tomcat running on OpenJDK 17 (OpenJDK 11 and 8
are installed as Tomcat/APR dependencies):

```
# pkg version -v | grep -E '(openjdk|tomcat)' 
openjdk11-11.0.21+9.1              =   up-to-date with index
openjdk17-17.0.9+9.1               =   up-to-date with index
openjdk8-8.392.08.1                =   up-to-date with index
tomcat-native-1.2.38               =   up-to-date with index
tomcat101-10.1.16                  =   up-to-date with index

# service tomcat101 restart && sleep 5 && sockstat -l -6 -4 -p 8443,8180
Stopping tomcat101.
Waiting for PIDS: 58204.
Starting tomcat101.
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      jsvc       59982 44 tcp46  *:8180                *:*
www      jsvc       59982 48 tcp46  *:8443                *:*

# ps -axww | grep jsvc | head -n1 # show command used to run application
59981  -  IsJ  0:00.00 /usr/local/bin/jsvc -java-home /usr/local/openjdk17
-server -user www -umask 0077 -pidfile /var/run/tomcat101.pid -wait 30 -outfile
/usr/local/apache-tomcat-10.1/logs/catalina.out -errfile &1 -classpath
/usr/local/apache-tomcat-10.1/bin/bootstrap.jar:/usr/local/share/java/classes/commons-daemon.jar:/usr/local/apache-tomcat-10.1/bin/tomcat-juli.jar
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=/usr/local/apache-tomcat-10.1/conf/logging.properties
-Xms128m -Xmx256m -Djava.net.preferIPv4Stack=false
-Dcatalina.home=/usr/local/apache-tomcat-10.1
-Dcatalina.base=/usr/local/apache-tomcat-10.1
-Djava.io.tmpdir=/usr/local/apache-tomcat-10.1/temp
org.apache.catalina.startup.Bootstrap
```

With OpenJDK 21, Tomcat listens only on an IPv6 socket. The following commands
were run within jail id 3 with Tomcat running on OpenJDK 21:


```
# pkg version -v | grep -E '(openjdk|tomcat)'
openjdk11-11.0.21+9.1              =   up-to-date with index
openjdk21-21.0.1+12.1              =   up-to-date with index
openjdk8-8.392.08.1                =   up-to-date with index
tomcat-native-1.2.38               =   up-to-date with index
tomcat101-10.1.16                  =   up-to-date with index

# service tomcat101 restart && sleep 5 && sockstat -l -6 -4 -p 8443,8180
Stopping tomcat101.
Waiting for PIDS: 62706.
Starting tomcat101.
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      jsvc       63327 45 tcp6   <redacted>::7546:0:3:8180 *:*
www      jsvc       63327 49 tcp6   <redacted>::7546:0:3:8443 *:*

# ps -axww | grep jsvc | head -n1 # show command used to run application
63326  -  IsJ  0:00.00 /usr/local/bin/jsvc -java-home /usr/local/openjdk21
-server -user www -umask 0077 -pidfile /var/run/tomcat101.pid -wait 30 -outfile
/usr/local/apache-tomcat-10.1/logs/catalina.out -errfile &1 -classpath
/usr/local/apache-tomcat-10.1/bin/bootstrap.jar:/usr/local/share/java/classes/commons-daemon.jar:/usr/local/apache-tomcat-10.1/bin/tomcat-juli.jar
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=/usr/local/apache-tomcat-10.1/conf/logging.properties
-Xms128m -Xmx256m -Djava.net.preferIPv4Stack=false
-Dcatalina.home=/usr/local/apache-tomcat-10.1
-Dcatalina.base=/usr/local/apache-tomcat-10.1
-Djava.io.tmpdir=/usr/local/apache-tomcat-10.1/temp
org.apache.catalina.startup.Bootstrap
```

Here is the connector for the 8443 HTTPS socket from the Tomcat `server.xml`
file showing the use of the APR-provided OpenSSL implementation:

```
    <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               scheme="https"
               port="8443"
               maxThreads="150"
               URIEncoding="UTF-8"
               secure="true"
               SSLEnabled="true">
        <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                       disableCompression="true"
                       disableSessionTickets="true"
                       honorCipherOrder="false"
                       ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384">
            <Certificate certificateFile="redacted.crt"
                         certificateChainFile="redacted.issuer.crt"
                         certificateKeyFile="redacted.key"/>
        </SSLHostConfig>
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                         overheadDataThreshold="0" />
    </Connector>
```

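A check for the symptom shown in this comment, as an added example that is not part of the bug report: the function reads `sockstat -l` output and reports each expected port that has no `tcp4` or `tcp46` listener, which is what distinguishes the OpenJDK 21 runs above from the OpenJDK 17 runs. The function name and the sample rows (documentation prefix 2001:db8::/32, made-up PIDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report expected TCP ports that have no IPv4-capable listener.
# Usage on a live system: sockstat -l -6 -4 | ports_without_ipv4 8443 8180
ports_without_ipv4() {
    awk -v want="$*" '
        BEGIN { n = split(want, ports, " ") }
        # sockstat -l rows: field 5 is PROTO, field 6 is LOCAL ADDRESS.
        $5 ~ /^tcp/ {
            k = split($6, part, ":")          # port follows the last colon
            seen[part[k]] = $5                # remember what is listening there
            if ($5 == "tcp4" || $5 == "tcp46") v4[part[k]] = 1
        }
        END {
            # One line per expected port that IPv4 clients cannot reach:
            # "<port> <proto found>" or "<port> none" if nothing listens.
            for (i = 1; i <= n; i++)
                if (!(ports[i] in v4))
                    printf "%s %s\n", ports[i], ((ports[i] in seen) ? seen[ports[i]] : "none")
        }
    '
}

# Constructed sample rows in the sockstat format shown in the report.
SAMPLE_DUAL='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      jsvc       1001  44 tcp46  *:8180                *:*
www      jsvc       1001  48 tcp46  *:8443                *:*'

SAMPLE_V6ONLY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      jsvc       1002  45 tcp6   2001:db8::7546:0:3:8180 *:*
www      jsvc       1002  49 tcp6   2001:db8::7546:0:3:8443 *:*'

# Demo on the constructed IPv6-only sample: lists both ports as tcp6-only.
printf '%s\n' "$SAMPLE_V6ONLY" | ports_without_ipv4 8443 8180
```

Empty output means every expected port has an IPv4-capable listener, so the function can gate a post-upgrade health check.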