[sslh] startup problem -- IPv6 and legacy listening sockets

Simon Iremonger sslh at iremonger.me.uk
Tue Apr 21 07:52:42 CEST 2015


>> If "cat /proc/sys/net/ipv6/bindv6only" is showing '0' then
>> (unless overridden by application requesting the socket using
>> IPV6_V6ONLY socket option by the looks of things) -- the
>> [::]:443 socket actually causes IPv6 AND legacy connections
>> (on all IPv4 interfaces) to be 'listened for' in one go.

> setting inside /etc/sysctl.conf - "net.ipv6.bindv6only=1"
> followed by sysctl -p command fixes the problem.

Thinking about it, be aware this will then affect other
services etc...!  Is there actually some problem with just
using a single [::]:443 socket (with IPv4-compatibility)
to do the same job rather than 2 'listens' at once??

> I'm wondering why sslh is not setting IPV6_V6ONLY when opening
> the socket.
Maybe this was never carefully-considered before?

> I never ran into this problem before with other services.
Did you set up explicit separate sockets with other services etc.?
Some services like openssh definitely open both types of
sockets and some like courier-imap-ssl don't and use the
IPv4-compatibility; I don't see why that difference matters,
sslh can just be in the latter variety etc...

If you start changing bindv6only you may start 'breaking'
things which expect (implicitly or by-design) IPv4-compatibility
to be enabled on the socket...

> thanks Christian
--Simon
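As an added example (my own code, not sslh's and not from this thread), this is how a service can open the single [::] listener Simon describes and pin IPV6_V6ONLY itself with setsockopt, so that the global net.ipv6.bindv6only sysctl only supplies a default the service overrides; ipv4_can_connect then shows whether a legacy IPv4 client reaches it. The function names are mine and port 0 is used so it can run anywhere.

```c
/* Added example, not sslh's own code: open one [::] listener and set
 * IPV6_V6ONLY explicitly instead of inheriting net.ipv6.bindv6only. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind [::]:port (0 = ephemeral) with IPV6_V6ONLY forced to v6only.
 * Returns the listening fd or -1; the sysctl default no longer matters. */
int open_v6_listener(uint16_t port, int v6only) {
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in6 sa = { .sin6_family = AF_INET6,
                               .sin6_port = htons(port),
                               .sin6_addr = in6addr_any };
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* What the kernel will actually do for fd: 1 = IPv6 only, 0 = dual stack. */
int effective_v6only(int fd) {
    int v = -1;
    socklen_t len = sizeof v;
    return getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &len) < 0 ? -1 : v;
}

/* Port the listener ended up on (needed after binding port 0). */
int bound_port(int fd) {
    struct sockaddr_in6 sa;
    socklen_t len = sizeof sa;
    return getsockname(fd, (struct sockaddr *)&sa, &len) < 0 ? -1 : ntohs(sa.sin6_port);
}

/* Can a legacy IPv4 client reach the listener via 127.0.0.1? 1 = yes, 0 = no. */
int ipv4_can_connect(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((uint16_t)port) };
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    int ok = connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
    close(fd);
    return ok;
}
```

With v6only = 0 the one socket serves both families regardless of bindv6only; with v6only = 1 the IPv4 connect is refused and a second AF_INET listener would be needed.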

