Commit 3768e9a3e3 for openssl.org
commit 3768e9a3e3d9321c2bfcf857c19d2671bc0da85f
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date: Thu Mar 26 05:52:40 2026 +0100
Avoid creating TLSProxy on IPv6 loopback address if IPv6 is disabled
Add a parameter to TLSProxy::Proxy->new()
and TLSProxy::Proxy->new_dtls() that indicates IPv6 usage preference
and pass have_IPv6() to it, so IPv6 usage is avoided when it is disabled.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:45:33 2026
(Merged from https://github.com/openssl/openssl/pull/30580)
diff --git a/test/recipes/70-test_certtypeext.t b/test/recipes/70-test_certtypeext.t
index cdfc5ae7cc..a310524ee8 100644
--- a/test/recipes/70-test_certtypeext.t
+++ b/test/recipes/70-test_certtypeext.t
@@ -33,7 +33,8 @@ my $proxy = TLSProxy::Proxy->new(
\&certtype_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
use constant {
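Review bot: Nothing in this hunk shows where `have_IPv6` comes from, and because it is called with parentheses an unimported `have_IPv6()` still compiles under `use strict` and only dies when the constructor call runs; each recipe touched here therefore has to import it already (presumably from OpenSSL::Test::Utils, but the `use` lines are outside the hunks). The same applies to every other `test/recipes/70-test_*.t` hunk in this commit, which all make the identical change. The call is also evaluated in list context, so if the helper ever reports "no" with a bare `return;` the argument disappears and `init` falls back to its own probe, which is the behaviour this commit is trying to avoid; `scalar(have_IPv6())` would pin that down.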
diff --git a/test/recipes/70-test_comp.t b/test/recipes/70-test_comp.t
index 2e4b288e51..c8e37f4cc3 100644
--- a/test/recipes/70-test_comp.t
+++ b/test/recipes/70-test_comp.t
@@ -85,7 +85,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
diff --git a/test/recipes/70-test_expected_rpk.t b/test/recipes/70-test_expected_rpk.t
index 1fb3a67ca6..5165ed9263 100644
--- a/test/recipes/70-test_expected_rpk.t
+++ b/test/recipes/70-test_expected_rpk.t
@@ -32,7 +32,8 @@ my $proxy = TLSProxy::Proxy->new(
sub { return; },
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
SKIP: {
diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t
index 812023252a..afd769c9b0 100644
--- a/test/recipes/70-test_key_share.t
+++ b/test/recipes/70-test_key_share.t
@@ -73,7 +73,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
#We assume that test_ssl_new and friends will test the happy path for this,
diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
index e1d058dbb6..13ac6fc48d 100644
--- a/test/recipes/70-test_npn.t
+++ b/test/recipes/70-test_npn.t
@@ -36,7 +36,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t
index 4a8728e2f6..d0ab0fcbe1 100644
--- a/test/recipes/70-test_renegotiation.t
+++ b/test/recipes/70-test_renegotiation.t
@@ -36,7 +36,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
sub success_or_closenotify
diff --git a/test/recipes/70-test_sslcbcpadding.t b/test/recipes/70-test_sslcbcpadding.t
index 83fc8ab91c..29b35baf39 100644
--- a/test/recipes/70-test_sslcbcpadding.t
+++ b/test/recipes/70-test_sslcbcpadding.t
@@ -35,7 +35,8 @@ my $proxy = TLSProxy::Proxy->new(
\&add_maximal_padding_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
# TODO: We could test all 256 values, but then the log file gets too large for
diff --git a/test/recipes/70-test_sslcertstatus.t b/test/recipes/70-test_sslcertstatus.t
index c6aca567f7..4c384ff49e 100644
--- a/test/recipes/70-test_sslcertstatus.t
+++ b/test/recipes/70-test_sslcertstatus.t
@@ -37,7 +37,8 @@ my $proxy = TLSProxy::Proxy->new(
\&certstatus_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
#Test 1: Sending a status_request extension in both ClientHello and
diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t
index 31e494134a..3327df474e 100644
--- a/test/recipes/70-test_sslextension.t
+++ b/test/recipes/70-test_sslextension.t
@@ -48,7 +48,8 @@ my $proxy = TLSProxy::Proxy->new(
\&inject_duplicate_extension_clienthello,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t
index e34909fcf0..3b2756de8b 100644
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@@ -36,7 +36,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
@handmessages = (
diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t
index 5ab746f4b7..093cbf7065 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -59,14 +59,16 @@ sub run_tests
\&add_empty_recs_filter,
cmdstr(app([ "openssl" ]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
} else {
$proxy = TLSProxy::Proxy->new(
\&add_empty_recs_filter,
cmdstr(app([ "openssl" ]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
}
diff --git a/test/recipes/70-test_sslsessiontick.t b/test/recipes/70-test_sslsessiontick.t
index 59bd677d53..8ebbbf2cb9 100644
--- a/test/recipes/70-test_sslsessiontick.t
+++ b/test/recipes/70-test_sslsessiontick.t
@@ -43,7 +43,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
#Test 1: By default with no existing session we should get a session ticket
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index 3d0b55fc71..c4c22df06e 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -33,7 +33,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
use constant {
diff --git a/test/recipes/70-test_sslsignature.t b/test/recipes/70-test_sslsignature.t
index 0d1b3584e9..27a1ad5f7f 100644
--- a/test/recipes/70-test_sslsignature.t
+++ b/test/recipes/70-test_sslsignature.t
@@ -33,7 +33,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
use constant {
diff --git a/test/recipes/70-test_sslskewith0p.t b/test/recipes/70-test_sslskewith0p.t
index 49f26c1cab..8b6569a5f4 100644
--- a/test/recipes/70-test_sslskewith0p.t
+++ b/test/recipes/70-test_sslskewith0p.t
@@ -36,7 +36,8 @@ my $proxy = TLSProxy::Proxy->new(
\&ske_0_p_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
#We must use an anon DHE cipher for this test
diff --git a/test/recipes/70-test_sslversions.t b/test/recipes/70-test_sslversions.t
index e9c2d4ff2c..6ec62ab4af 100644
--- a/test/recipes/70-test_sslversions.t
+++ b/test/recipes/70-test_sslversions.t
@@ -49,7 +49,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
#We're just testing various negative and unusual scenarios here. ssltest with
diff --git a/test/recipes/70-test_sslvertol.t b/test/recipes/70-test_sslvertol.t
index 7ae56229db..8462818ac2 100644
--- a/test/recipes/70-test_sslvertol.t
+++ b/test/recipes/70-test_sslvertol.t
@@ -33,7 +33,8 @@ my $proxy = TLSProxy::Proxy->new(
\&vers_tolerance_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
my @available_tls_versions = ();
diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t
index 1858a8d4f2..a3849ccc36 100644
--- a/test/recipes/70-test_tls13alerts.t
+++ b/test/recipes/70-test_tls13alerts.t
@@ -33,7 +33,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
#Test 1: We test that a server can handle an unencrypted alert when normally the
diff --git a/test/recipes/70-test_tls13certcomp.t b/test/recipes/70-test_tls13certcomp.t
index cd40fca24f..f58c285281 100644
--- a/test/recipes/70-test_tls13certcomp.t
+++ b/test/recipes/70-test_tls13certcomp.t
@@ -214,7 +214,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t
index e1c65f2fa4..dfbe7edc33 100644
--- a/test/recipes/70-test_tls13cookie.t
+++ b/test/recipes/70-test_tls13cookie.t
@@ -38,7 +38,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
my $cookieseen = 0;
diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t
index 6802fbc8ec..7d750a292b 100644
--- a/test/recipes/70-test_tls13downgrade.t
+++ b/test/recipes/70-test_tls13downgrade.t
@@ -34,7 +34,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
use constant {
diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t
index 0ed006a167..ff2f6dbdd1 100644
--- a/test/recipes/70-test_tls13hrr.t
+++ b/test/recipes/70-test_tls13hrr.t
@@ -34,7 +34,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
use constant {
diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t
index 203f506326..685adcd5a9 100644
--- a/test/recipes/70-test_tls13kexmodes.t
+++ b/test/recipes/70-test_tls13kexmodes.t
@@ -193,7 +193,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
#Test 1: First get a session
diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t
index 059f1b466c..f3a3f4789f 100644
--- a/test/recipes/70-test_tls13messages.t
+++ b/test/recipes/70-test_tls13messages.t
@@ -208,7 +208,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
#Test 1: Check we get all the right messages for a default handshake
diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t
index 3de688ec74..83ce3b1ef1 100644
--- a/test/recipes/70-test_tls13psk.t
+++ b/test/recipes/70-test_tls13psk.t
@@ -34,7 +34,8 @@ my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
use constant {
diff --git a/test/recipes/70-test_tlsextms.t b/test/recipes/70-test_tlsextms.t
index feccd5a888..0e5f5d44b8 100644
--- a/test/recipes/70-test_tlsextms.t
+++ b/test/recipes/70-test_tlsextms.t
@@ -44,7 +44,8 @@ my $proxy = TLSProxy::Proxy->new(
\&extms_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
);
#Note that EXTMS is only relevant for <TLS1.3
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index 52b9117960..eccdc98cf6 100644
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -82,8 +82,9 @@ sub new {
my ($filter,
$execute,
$cert,
- $debug) = @_;
- return init($class, $filter, $execute, $cert, $debug, 0);
+ $debug,
+ $use_IPv6) = @_;
+ return init($class, $filter, $execute, $cert, $debug, 0, $use_IPv6);
}
sub new_dtls {
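Review bot: The new fifth positional parameter of `new` (and of `new_dtls` in the next hunk) is undocumented, and it now follows another positional boolean, `$debug`, which makes the two easy to transpose at a call site. I would add a comment above both constructors such as `# $use_IPv6: caller's IPv6 preference; undef falls back to the module's own $have_IPv6 probe`. Both sub bodies start outside their hunks, so any existing parameter documentation is not visible here.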
@@ -91,8 +92,9 @@ sub new_dtls {
my ($filter,
$execute,
$cert,
- $debug) = @_;
- return init($class, $filter, $execute, $cert, $debug, 1);
+ $debug,
+ $use_IPv6) = @_;
+ return init($class, $filter, $execute, $cert, $debug, 1, $use_IPv6);
}
sub init
@@ -119,7 +121,9 @@ sub init
$execute,
$cert,
$debug,
- $isdtls) = @_;
+ $isdtls,
+ $use_IPv6) = @_;
+ $use_IPv6 //= $have_IPv6;
my $test_client_port;
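Review bot: `$use_IPv6 //= $have_IPv6;` lets a caller's true value override a false `$have_IPv6`, so the proxy would pick `[::1]` even when the module itself concluded it cannot do IPv6. `$have_IPv6` is defined outside this hunk, but it looks like the module's own socket probe, in which case the caller's preference should only narrow the choice: `$use_IPv6 = ($use_IPv6 // $have_IPv6) && $have_IPv6;`. The fallback also means any recipe not updated by this commit keeps the old probe-only behaviour, which is worth stating in a comment next to this line.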
@@ -128,12 +132,12 @@ sub init
# this test to fail, so lets harden ourselves against that by doing
# a test bind to the randomly selected port, and only continue once we
# find a port that's available.
- my $test_client_addr = $have_IPv6 ? "[::1]" : "127.0.0.1";
+ my $test_client_addr = $use_IPv6 ? "[::1]" : "127.0.0.1";
my $found_port = 0;
for (my $i = 0; $i <= 10; $i++) {
$test_client_port = 49152 + int(rand(65535 - 49152));
my $test_sock;
- if ($useINET6 == 0) {
+ if ($use_IPv6 == 0 || $useINET6 == 0) {
if ($useSockInet == 0) {
$test_sock = IO::Socket::IP->new(LocalPort => $test_client_port,
LocalAddr => $test_client_addr);
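Review bot: The two tests of `$use_IPv6` in this hunk can disagree, because the address line uses truthiness (`$use_IPv6 ? "[::1]" : "127.0.0.1"`) while the branch uses a numeric comparison (`$use_IPv6 == 0`). A caller-supplied true value that is not a number would select `[::1]`, then compare equal to 0 and take the IPv4 socket branch, with an "isn't numeric" warning on the way. Writing the condition as `if (!$use_IPv6 || $useINET6 == 0) {` keeps both decisions on the same footing. The `for` loop and the rest of `init` continue outside the hunk, so any remaining reads of `$have_IPv6` there (not visible here) should be checked against `$use_IPv6` as well.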