From: Eugene Syromiatnikov Date: Thu, 26 Mar 2026 04:52:40 +0000 (+0100) Subject: Avoid creating TLSProxy on IPv6 loopback address is IPv6 is disabled X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=3768e9a3e3d9321c2bfcf857c19d2671bc0da85f;p=thirdparty%2Fopenssl.git Avoid creating TLSProxy on IPv6 loopback address is IPv6 is disabled Add a parameter to TLSProxy::Proxy->new() and TLSProxy::Proxy->new_dtls() that indicates IPv6 usage preference and pass have_IPv6() to it, so IPv6 usage is avoided when it is disabled. Signed-off-by: Eugene Syromiatnikov Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz Reviewed-by: Nikola Pajkovsky MergeDate: Wed Apr 15 12:45:33 2026 (Merged from https://github.com/openssl/openssl/pull/30580) --- diff --git a/test/recipes/70-test_certtypeext.t b/test/recipes/70-test_certtypeext.t index cdfc5ae7cc1..a310524ee89 100644 --- a/test/recipes/70-test_certtypeext.t +++ b/test/recipes/70-test_certtypeext.t @@ -33,7 +33,8 @@ my $proxy = TLSProxy::Proxy->new( \&certtype_filter, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); use constant { diff --git a/test/recipes/70-test_comp.t b/test/recipes/70-test_comp.t index 2e4b288e51e..c8e37f4cc32 100644 --- a/test/recipes/70-test_comp.t +++ b/test/recipes/70-test_comp.t @@ -85,7 +85,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; diff --git a/test/recipes/70-test_expected_rpk.t b/test/recipes/70-test_expected_rpk.t index 1fb3a67ca66..5165ed92634 100644 --- a/test/recipes/70-test_expected_rpk.t +++ b/test/recipes/70-test_expected_rpk.t 
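Review bot: Nothing in these hunks shows that each touched recipe has `have_IPv6` in scope, yet the call is added to every `TLSProxy::Proxy->new(...)` argument list from 70-test_certtypeext.t through 70-test_tlsextms.t. A recipe that does not import it would die while building the proxy instead of reaching its `plan skip_all` path, so the import lines of each file (outside the hunks) are worth confirming. The new argument is also a second bare positional boolean directly after the verbosity flag, so a trailing comment such as `have_IPv6()    # allow the IPv6 loopback only when IPv6 is enabled` would make the call site readable without opening the constructor.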
@@ -32,7 +32,8 @@ my $proxy = TLSProxy::Proxy->new( sub { return; }, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); SKIP: { diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t index 812023252a0..afd769c9b06 100644 --- a/test/recipes/70-test_key_share.t +++ b/test/recipes/70-test_key_share.t @@ -73,7 +73,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); #We assume that test_ssl_new and friends will test the happy path for this, diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t index e1d058dbb63..13ac6fc48d8 100644 --- a/test/recipes/70-test_npn.t +++ b/test/recipes/70-test_npn.t @@ -36,7 +36,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t index 4a8728e2f6d..d0ab0fcbe14 100644 --- a/test/recipes/70-test_renegotiation.t +++ b/test/recipes/70-test_renegotiation.t @@ -36,7 +36,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); sub success_or_closenotify diff --git a/test/recipes/70-test_sslcbcpadding.t b/test/recipes/70-test_sslcbcpadding.t index 83fc8ab91cd..29b35baf39e 100644 --- a/test/recipes/70-test_sslcbcpadding.t 
+++ b/test/recipes/70-test_sslcbcpadding.t @@ -35,7 +35,8 @@ my $proxy = TLSProxy::Proxy->new( \&add_maximal_padding_filter, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); # TODO: We could test all 256 values, but then the log file gets too large for diff --git a/test/recipes/70-test_sslcertstatus.t b/test/recipes/70-test_sslcertstatus.t index c6aca567f71..4c384ff49ef 100644 --- a/test/recipes/70-test_sslcertstatus.t +++ b/test/recipes/70-test_sslcertstatus.t @@ -37,7 +37,8 @@ my $proxy = TLSProxy::Proxy->new( \&certstatus_filter, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); #Test 1: Sending a status_request extension in both ClientHello and diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index 31e494134a8..3327df474e1 100644 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -48,7 +48,8 @@ my $proxy = TLSProxy::Proxy->new( \&inject_duplicate_extension_clienthello, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t index e34909fcf0a..3b2756de8b0 100644 --- a/test/recipes/70-test_sslmessages.t +++ b/test/recipes/70-test_sslmessages.t @@ -36,7 +36,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); @handmessages = ( 
diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t index 5ab746f4b75..093cbf70656 100644 --- a/test/recipes/70-test_sslrecords.t +++ b/test/recipes/70-test_sslrecords.t @@ -59,14 +59,16 @@ sub run_tests \&add_empty_recs_filter, cmdstr(app([ "openssl" ]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); } else { $proxy = TLSProxy::Proxy->new( \&add_empty_recs_filter, cmdstr(app([ "openssl" ]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); } diff --git a/test/recipes/70-test_sslsessiontick.t b/test/recipes/70-test_sslsessiontick.t index 59bd677d535..8ebbbf2cb92 100644 --- a/test/recipes/70-test_sslsessiontick.t +++ b/test/recipes/70-test_sslsessiontick.t @@ -43,7 +43,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); #Test 1: By default with no existing session we should get a session ticket diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t index 3d0b55fc714..c4c22df06eb 100644 --- a/test/recipes/70-test_sslsigalgs.t +++ b/test/recipes/70-test_sslsigalgs.t @@ -33,7 +33,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); use constant { diff --git a/test/recipes/70-test_sslsignature.t b/test/recipes/70-test_sslsignature.t index 0d1b3584e96..27a1ad5f7f5 100644 --- a/test/recipes/70-test_sslsignature.t +++ b/test/recipes/70-test_sslsignature.t 
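Review bot: In 70-test_sslrecords.t the two branches of `run_tests` now repeat the same five-element argument list, so the IPv6 flag has to be kept in sync in two places. Building the list once, e.g. `my @proxy_args = (\&add_empty_recs_filter, cmdstr(app([ "openssl" ]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), have_IPv6());`, and passing `@proxy_args` to the constructor in each branch would remove the duplication. The first branch's constructor line and the start of `run_tests` are outside the hunk, so this assumes both constructors take the same positional parameters, as the commit description suggests.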
@@ -33,7 +33,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); use constant { diff --git a/test/recipes/70-test_sslskewith0p.t b/test/recipes/70-test_sslskewith0p.t index 49f26c1cab9..8b6569a5f4e 100644 --- a/test/recipes/70-test_sslskewith0p.t +++ b/test/recipes/70-test_sslskewith0p.t @@ -36,7 +36,8 @@ my $proxy = TLSProxy::Proxy->new( \&ske_0_p_filter, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); #We must use an anon DHE cipher for this test diff --git a/test/recipes/70-test_sslversions.t b/test/recipes/70-test_sslversions.t index e9c2d4ff2cf..6ec62ab4af4 100644 --- a/test/recipes/70-test_sslversions.t +++ b/test/recipes/70-test_sslversions.t @@ -49,7 +49,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); #We're just testing various negative and unusual scenarios here. ssltest with diff --git a/test/recipes/70-test_sslvertol.t b/test/recipes/70-test_sslvertol.t index 7ae56229db3..8462818ac22 100644 --- a/test/recipes/70-test_sslvertol.t +++ b/test/recipes/70-test_sslvertol.t @@ -33,7 +33,8 @@ my $proxy = TLSProxy::Proxy->new( \&vers_tolerance_filter, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); my @available_tls_versions = (); diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t index 1858a8d4f2c..a3849ccc367 100644 --- a/test/recipes/70-test_tls13alerts.t 
+++ b/test/recipes/70-test_tls13alerts.t @@ -33,7 +33,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); #Test 1: We test that a server can handle an unencrypted alert when normally the diff --git a/test/recipes/70-test_tls13certcomp.t b/test/recipes/70-test_tls13certcomp.t index cd40fca24fe..f58c285281f 100644 --- a/test/recipes/70-test_tls13certcomp.t +++ b/test/recipes/70-test_tls13certcomp.t @@ -214,7 +214,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t index e1c65f2fa4d..dfbe7edc33d 100644 --- a/test/recipes/70-test_tls13cookie.t +++ b/test/recipes/70-test_tls13cookie.t @@ -38,7 +38,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); my $cookieseen = 0; diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t index 6802fbc8ecf..7d750a292bc 100644 --- a/test/recipes/70-test_tls13downgrade.t +++ b/test/recipes/70-test_tls13downgrade.t @@ -34,7 +34,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); use constant { diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t index 0ed006a167f..ff2f6dbdd18 100644 --- a/test/recipes/70-test_tls13hrr.t 
+++ b/test/recipes/70-test_tls13hrr.t @@ -34,7 +34,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); use constant { diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t index 203f5063266..685adcd5a96 100644 --- a/test/recipes/70-test_tls13kexmodes.t +++ b/test/recipes/70-test_tls13kexmodes.t @@ -193,7 +193,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); #Test 1: First get a session diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t index 059f1b466ce..f3a3f4789f9 100644 --- a/test/recipes/70-test_tls13messages.t +++ b/test/recipes/70-test_tls13messages.t @@ -208,7 +208,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); #Test 1: Check we get all the right messages for a default handshake diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t index 3de688ec74f..83ce3b1ef13 100644 --- a/test/recipes/70-test_tls13psk.t +++ b/test/recipes/70-test_tls13psk.t @@ -34,7 +34,8 @@ my $proxy = TLSProxy::Proxy->new( undef, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); use constant { diff --git a/test/recipes/70-test_tlsextms.t b/test/recipes/70-test_tlsextms.t index feccd5a8888..0e5f5d44b86 100644 --- a/test/recipes/70-test_tlsextms.t +++ b/test/recipes/70-test_tlsextms.t 
@@ -44,7 +44,8 @@ my $proxy = TLSProxy::Proxy->new( \&extms_filter, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}), + have_IPv6() ); #Note that EXTMS is only relevant for new(LocalPort => $test_client_port, LocalAddr => $test_client_addr);