Why Does IPv6 QUIC Fail with TLS Error 0x6e? #5716
Description:
Setup Overview:
IPv4 Status: ✅ Works end-to-end
Issue Details:
IPv4 uses same certificate loading logic and succeeds.
What We've Tried:
Questions:
To Reproduce:
Replies: 1 comment
Self answered:
Root Cause: IPv6 Routing Configuration (/128 vs /64 prefix)
The TLS handshake failure was actually a network routing issue, not a certificate problem. Our netplan configuration used a /128 prefix:
A /128 prefix creates a single-host route with no subnet capability. When clients sent Initial packets, the kernel couldn't route responses back because destinations were considered outside the directly-connected network.
Solution: Changed to /64 prefix:
After this fix, IPv6 handshake completed successfully. The error code 0x6e (TLS_HANDSHAKE_FAILURE) was misleading—it occurred because the connection failed at the network layer before TLS could properly negotiate.