
Suggestion: CA instead of self-signed for https://ipv4.tunnelbroker.net/

Started by candlerb, May 13, 2011, 04:07:50 AM



I use a Cisco 877W as my tunnel endpoint. Because I have a dynamic IPv4 address I also have it set up to do an HTTPS update whenever my IP address changes (see config below).

The problem is that ipv4.tunnelbroker.net insists on TLS, but it has a self-signed certificate, and the Cisco won't talk if it doesn't recognise the certificate. I can import this as a CA certificate, but when it changes (as it has done) then it breaks, and I have to manually recover by importing the new self-signed certificate.

It would be very helpful if ipv4.tunnelbroker.net were signed by a CA - even an internal Hurricane Electric one - since I could import this CA certificate once and know that it would work going forwards.

Most people using dynamic updates are presumably setting their client to ignore self-signed certificates, which leaves them open to MITM attacks. If HE had a certificate from a "well-known" CA then these users would only need to add or remove a flag and then they would be protected. It would cost a few tens of dollars.

How about it, HE?



! Trust anchor for the update URL: the server's self-signed certificate is
! imported by hand and has to be re-imported every time it changes.
crypto pki trustpoint tunnelbroker
 enrollment terminal pem
 revocation-check none
!
crypto pki certificate chain tunnelbroker
 ! ... get the PEM using "openssl s_client -connect ipv4.tunnelbroker.net:443"
 ! ... paste in the PEM without BEGIN/END lines, end with a blank line
!
ip domain name localdomain
ip name-server
ip name-server
!
! DDNS method: fetch the HE update URL over HTTPS whenever the address changes.
! The "add" URL lives in the HTTP sub-mode of the update method.
ip ddns update method he-ipv6
 HTTP
  ! Note: enter ctrl-V before the question-mark
  add https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=<a>&pass=XXXX2&user_id=XXXX&tunnel_id=XXXX
 interval maximum 1 0 0 0
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:XXXX:XXXX:XXXX::2/64
 ipv6 enable
 tunnel source Dialer1
 tunnel destination
 tunnel mode ipv6ip
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 hold-queue 224 in
!
! The dialer interface carries the dynamic address, so the DDNS method hangs off it.
interface Dialer1
 ip ddns update he-ipv6
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXX@XXXX
 ppp chap password 0 XXXX
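The two failure modes described above (a pinned self-signed certificate breaking when it is rotated, and "ignore the certificate" silently accepting anything), replayed as an added example that is not part of the original post or of Hurricane Electric's software. A local TLS server stands in for ipv4.tunnelbroker.net; the certificates and the hostname in them are constructed test material, and the script assumes the openssl command-line tool is on PATH (it returns None if it is not).

```python
"""Added example (not from the original thread): why 'ignore the certificate'
is the wrong fix for a self-signed endpoint, replayed against a local TLS server.

Assumptions: the `openssl` CLI is on PATH (run_demo() returns None otherwise);
HOST and the generated certificates are constructed test material standing in
for ipv4.tunnelbroker.net, not Hurricane Electric's real certificate.
"""
import hashlib
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "ipv4.tunnelbroker.net"  # only used as the name inside the test certs and as SNI


def make_self_signed(dirpath, name):
    """Create a throwaway self-signed cert + key for HOST with the openssl CLI."""
    key = os.path.join(dirpath, f"{name}.key")
    crt = os.path.join(dirpath, f"{name}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={HOST}", "-addext", f"subjectAltName=DNS:{HOST}",
         "-keyout", key, "-out", crt],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return crt, key


def fingerprint(pem_path):
    """SHA-256 fingerprint of a PEM certificate: the value to record when pinning."""
    with open(pem_path) as f:
        der = ssl.PEM_cert_to_DER_cert(f.read())
    return hashlib.sha256(der).hexdigest()


def client_context(cafile):
    """cafile=None reproduces 'ignore self-signed certs'; otherwise trust ONLY that cert."""
    if cafile is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate: MITM exposure
        return ctx
    return ssl.create_default_context(cafile=cafile)  # chain + hostname verification


def _serve_one(lsock, crt, key):
    """Accept one connection and present the given certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    try:
        conn, _ = lsock.accept()
        conn.settimeout(5)
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)  # returns once the client hangs up
    except (OSError, ssl.SSLError):
        pass  # client rejected our certificate (expected when pinning mismatches)


def handshake(crt, key, cafile):
    """Serve crt/key once on localhost, connect with the given client policy, report success."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    lsock.settimeout(5)
    port = lsock.getsockname()[1]
    srv = threading.Thread(target=_serve_one, args=(lsock, crt, key), daemon=True)
    srv.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_context(cafile).wrap_socket(raw, server_hostname=HOST):
                ok = True  # handshake completed, certificate accepted under this policy
    except ssl.SSLError:
        ok = False  # verification failed (e.g. unknown CA after rotation)
    srv.join(5)
    lsock.close()
    return ok


def run_demo():
    """Replay the thread's scenario; returns outcome dict, or None without the openssl CLI."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        try:
            old_crt, old_key = make_self_signed(tmp, "old")
            new_crt, new_key = make_self_signed(tmp, "new")  # the server rotates its cert
        except subprocess.CalledProcessError:
            return None
        return {
            # Pinned cert matches what the server presents: verified connection.
            "pinned_ok": handshake(old_crt, old_key, cafile=old_crt),
            # Server rotated to a new self-signed cert: the pin breaks (candlerb's failure).
            "pinned_after_rotation": handshake(new_crt, new_key, cafile=old_crt),
            # Verification disabled: 'works' against anything, including an attacker's cert.
            "unverified_after_rotation": handshake(new_crt, new_key, cafile=None),
            # What actually changed, and what a pin has to be updated to.
            "fingerprints_differ": fingerprint(old_crt) != fingerprint(new_crt),
        }


if __name__ == "__main__":
    print(run_demo())
```

Expected result: the pinned client succeeds against the original certificate, fails after rotation, and the unverified client succeeds against both. That third outcome is the point of the thread: a client that skips verification keeps "working" through a certificate change precisely because it would also keep working through an interception, whereas a CA-issued certificate lets the pinned client keep strict verification across rotations.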



I was wondering why my Cisco router doesn't update the IP anymore, and now I found out.
I'm going to change the certificate, but I agree it would be useful to have a permanent and signed one.


Seems the cert will expire on April 19, 2021 13:42:20, but if a CA (even a private one) exists, it would be cool indeed.