[sslh] startup problem -- IPv6 and legacy listening sockets
Simon Iremonger
sslh at iremonger.me.uk
Wed Apr 8 17:24:38 CEST 2015
> /usr/sbin/sslh -p 0.0.0.0:443 [...] works fine,
NB: This means 'listen on all legacy IP addresses on port 443'.
> same with /usr/sbin/sslh -p [::]:443 [...]
NB: The behaviour of this depends on the configuration of the
IPv6-stack and any 'options' on the socket-opening used by sslh.
If "cat /proc/sys/net/ipv6/bindv6only" is showing '0' then
(unless overridden by application requesting the socket using
IPV6_V6ONLY socket option by the looks of things) -- the
[::]:443 socket actually causes IPv6 AND legacy connections
(on all IPv4 interfaces) to be 'listened for' in one go.
In this 'mode' legacy connections appear to 'come from' IPv6
address ::ffff:IP.v4.ad.dr -- IPv4 address embedded in
IPv6-space, and these addresses typically appear in logs as shown.
If "cat /proc/sys/net/ipv6/bindv6only" is '1' or the application
uses the IPV6_V6ONLY flag, then the socket will only listen for
IPv6 connections.
In THIS case, you'd need a separate 0.0.0.0:443 socket to listen
for legacy connections as well.
> starting sslh with /usr/sbin/sslh -p [::]:443 -p 0.0.0.0:443 [...]
> produce error: 0.0.0.0:https:bind: Address already in use
See above for reason why this doesn't work (looks like bindv6only=0).
> Thanks for support Christian
Hope that helps,
--Simon
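Added example, not part of the message above and not code from the sslh project: a small Python script that reproduces the three behaviours Simon describes on a Linux host, using kernel-chosen ports so it needs no privileges and never touches 443. It binds [::] with IPV6_V6ONLY forced to 0 and then to 1 and tries 0.0.0.0 on the same port each time (EADDRINUSE in the first case, success in the second), and it connects over IPv4 loopback to a dual-stack listener to show the ::ffff:127.0.0.1 peer form that lands in logs. All names (BindProbe, probe_dual_stack_bind, peer_seen_by_dual_stack_listener) are this example's own; the functions return None when the host has no usable IPv6 stack.

```python
"""Added example (not sslh code): reproduce the dual-stack [::] behaviour
described in the message.

  1. IPV6_V6ONLY=0: a socket bound to [::]:PORT also claims 0.0.0.0:PORT,
     so a second bind to 0.0.0.0:PORT fails with EADDRINUSE.
  2. IPV6_V6ONLY=1: the [::] socket is IPv6-only and 0.0.0.0:PORT binds fine.
  3. An IPv4 client of a dual-stack listener is seen as ::ffff:a.b.c.d.

Ports are assigned by the kernel (bind to port 0), so 443 is never needed.
"""
import errno
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class BindProbe:
    v6only: bool           # IPV6_V6ONLY value that was set on the [::] socket
    port: int              # kernel-assigned port of the [::] socket
    v4_bind_error: str     # "" if 0.0.0.0:port bound, else the errno name


def system_bindv6only() -> Optional[int]:
    """Linux default for IPV6_V6ONLY (the sysctl the message refers to); None elsewhere."""
    try:
        with open("/proc/sys/net/ipv6/bindv6only") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def _dual_stack_listener(v6only: bool) -> Optional[socket.socket]:
    """Listening [::]:0 socket with IPV6_V6ONLY set explicitly; None if IPv6 is unusable."""
    if not socket.has_ipv6 or not hasattr(socket, "IPV6_V6ONLY"):
        return None
    try:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    try:
        # Setting the option per-socket overrides /proc/sys/net/ipv6/bindv6only.
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        s6.bind(("::", 0))
        s6.listen(1)
    except OSError:
        s6.close()
        return None
    return s6


def probe_dual_stack_bind(v6only: bool) -> Optional[BindProbe]:
    """Bind [::]:0 with the given IPV6_V6ONLY, then try 0.0.0.0 on that same port."""
    s6 = _dual_stack_listener(v6only)
    if s6 is None:
        return None
    with s6, socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s4:
        port = s6.getsockname()[1]
        try:
            s4.bind(("0.0.0.0", port))     # the second '-p' in the failing sslh command
            err = ""
        except OSError as e:
            err = errno.errorcode.get(e.errno, str(e.errno))
    return BindProbe(v6only, port, err)


def peer_seen_by_dual_stack_listener() -> Optional[str]:
    """Connect over IPv4 loopback to a [::] dual-stack listener and return the
    peer address the listener sees (the ::ffff: form that appears in logs)."""
    srv = _dual_stack_listener(v6only=False)
    if srv is None:
        return None
    srv.settimeout(5)
    with srv, socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        port = srv.getsockname()[1]
        try:
            cli.connect(("127.0.0.1", port))
            conn, peer = srv.accept()
        except OSError:
            return None                    # loopback not usable in this environment
        conn.close()
    return peer[0]


if __name__ == "__main__":
    print("sysctl bindv6only:", system_bindv6only())
    for flag in (False, True):
        r = probe_dual_stack_bind(flag)
        outcome = "no IPv6" if r is None else (r.v4_bind_error or "ok")
        print(f"IPV6_V6ONLY={int(flag)}: bind 0.0.0.0 on same port ->", outcome)
    print("IPv4 peer as seen by [::] listener:", peer_seen_by_dual_stack_listener())
```

Run it as an ordinary user on Linux: the IPV6_V6ONLY=0 case prints EADDRINUSE, which is exactly the "0.0.0.0:https:bind: Address already in use" sslh reported, and the IPV6_V6ONLY=1 case shows the two-socket setup that works. Either set the sysctl to 1, or just drop the 0.0.0.0 listener when bindv6only is 0 and accept that IPv4 clients will be logged as ::ffff:a.b.c.d.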