[sslh] SSLH 1.16 issue: Cannot bind for IPv4 and IPv6 simultaneously

Maddes maddes+sslh at maddes.net
Sat May 14 09:41:45 UTC 2016


On 13.05.2016 23:32, Simon Iremonger wrote:
>>>> If I check with netstat then there's nothing on port 444 bound.
>>>> And when I start 2 instances, one for IPv4 and the other for IPv6, then
>>>> second fails too.
>>> According to another Matt, it works:
>>> http://rutschle.net/pipermail/sslh/2015-February/000569.html
> 
> This basically depends on the setting of   /proc/sys/net/ipv6/bindv6only
> -- normally set to '0' ...  Such that a [::]:444  socket will
> listen for IPv6 *and* IPv4 sockets in a single socket, so
> may be perfectly sufficient.
> 
> 
>>> I don't usually bind to 0.0.0.0 but are you sure that
>>> doesn't also bind the IPv6 addresses? That would explain
> No, the other way around... binding to :: tends to 'include'
> listening to 0.0.0.0 essentially...
> 
> 
> In some cases the application will be unhappy with the formatting
> of IPv4 addresses on IPv6 sockets, look like ::ffff:[ipv4 address]
> and other complications...
> 
> Some daemons (e.g. openssh), seem to open their ipv6 socket
> with the V6ONLY socket option set (overriding any global
> bindv6only=0) and hence open a [::]:22 and 0.0.0.0:22 sockets
> simultaneously anyway.
> 
> Others, e.g. mysqld only allow a single socket and expect you
> to have bindv6only=0 and use the socket v4 compatibility in
> order to listen for both IPv6 and IPv4 connections...
> 
> 
> Hope that clarifies,
> 
> --Simon

Did not expect a solution directly the next morning. Simon, many thanks
for the clarification.

I was only checking with netstat and there you only see "tcp6 [::]:444
sslh", but indeed SSLH is also listening on "tcp 0.0.0.0:444". My
unmodified Debian had "bindv6only" set to 0 as mentioned.

Yves, can you add this valuable info to the man pages in the --listen
section?

Thanks all
Maddes
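
The behaviour discussed in this thread, as an added C example (not part of the original message and not sslh code): a `[::]` listener is probed from 127.0.0.1 with `IPV6_V6ONLY` set explicitly, so the result does not depend on `/proc/sys/net/ipv6/bindv6only`. The function name `v4_reaches_v6_listener` is hypothetical, and the probe assumes a Linux host with loopback available.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added illustration, not sslh code. Listen on [::] (ephemeral port) with
 * IPV6_V6ONLY = v6only, then connect from 127.0.0.1. Returns 1 if the IPv4
 * client got in (peer[] = address the server sees), 0 if it was refused,
 * -1 if the probe could not run (for example, no IPv6 on this host). */
int v4_reaches_v6_listener(int v6only, char *peer, socklen_t peerlen)
{
    /* Zero-initialised apart from the family: address [::], port 0. */
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6 }, from;
    struct sockaddr_in a4 = { .sin_family = AF_INET };
    socklen_t len = sizeof a6, flen = sizeof from;
    int rc = -1, cs = -1, as = -1, ls = socket(AF_INET6, SOCK_STREAM, 0);

    if (ls < 0) return -1;
    if (setsockopt(ls, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0 ||
        bind(ls, (struct sockaddr *)&a6, sizeof a6) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&a6, &len) < 0)
        goto out;
    a4.sin_port = a6.sin6_port;                 /* same port, IPv4 loopback */
    a4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if ((cs = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cs, (struct sockaddr *)&a4, sizeof a4) < 0) {
        if (errno == ECONNREFUSED) rc = 0;      /* listener is IPv6-only */
        goto out;
    }
    if ((as = accept(ls, (struct sockaddr *)&from, &flen)) < 0) goto out;
    /* On a dual-stack socket the IPv4 peer shows up as ::ffff:a.b.c.d. */
    if (inet_ntop(AF_INET6, &from.sin6_addr, peer, peerlen)) rc = 1;
out:
    if (as >= 0) close(as);
    if (cs >= 0) close(cs);
    close(ls);
    return rc;
}

int main(void)
{
    char p[INET6_ADDRSTRLEN] = "";
    printf("V6ONLY=1: %d\n", v4_reaches_v6_listener(1, p, sizeof p));
    printf("V6ONLY=0: %d peer=%s\n", v4_reaches_v6_listener(0, p, sizeof p), p);
    return 0;
}
```

A listener that netstat shows only as `tcp6 [::]:port` can therefore still be reachable over IPv4, and address-based checks or log matching need to account for the `::ffff:` form of the peer address.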
