Security test results say IPv4 differs from IPv6 (internet.nl test), randomly

Hendrik · April 23, 2020, 8:34pm

I’ve strange results while testing. I use https://internet.nl test. Everything is OK except that I receive an error. IPv4 and IPv6 Nextcloud do not match.
But if I test again an hour later or so, I get 100% Ok. And the next day again 96% with a mismatch.

I tested 2 NC instances under the same account on our server. They both act similar.

After disabling Redis the test result stays 100%with no errors.
Test results with a Wordpress site on this account are always 100%.

So there must be something going wrong in the Redis communication with Nextcloud.
Does anyone know what could be wrong?
For each application an other Redis database is used, so that can not be conflicting. The problem is also on other accounts that have different Redis ports configured.

The only thing that I could discover was a part ‘nonce’ in the output code. That part is about 33% of the pagecode for the logon screen, it seems. That code is different for IPv4 and IPv6.
The error is thrown when there is more then 10% difference between IPv4 and IPv6.

KarlF12 · April 24, 2020, 6:13am

Are you actually having a problem resulting from this, or is the test just producing an irrational result?

Here are other security tests you can run. I get good results with these.

https://scan.nextcloud.com/

https://www.ssllabs.com/ssltest/

Hendrik · April 24, 2020, 2:32pm

Other tests are OK, A+. I use those that you mention also.
The test on internet.nl shows an error, only content for IPv4 not the same as IPv6 (score 96%). And this testresult is not always given.
We tested it with serveral machines on different locations and with different browsers. All with the same results. Sometimes 100% OK and later 96% and again later 100%.
And someone has actually looked at the code. He confirmed that the IPv6 and IPv4 code differ more then 33%.

Hendrik · July 14, 2020, 12:05am

I have had a response for this problem from internet.nl. It has nothing to do with my settings. They have investigated the problem and found that tis substest fails due to the nonces that Nextcloud uses. They have reported this on github.

Hendrik · July 28, 2020, 12:04am

Is there any reaction from Nextcloud team? What is done to solve this problem?