[sslh] sslh in transparent mode - weird observation

Sven Dreyer sven at dreyer-net.de
Thu May 9 15:33:32 UTC 2019


Hi list,

I have been using sslh for some years now in non-transparent mode. It worked 
great. I now decided to switch to transparent mode because I wanted the 
real source IP addresses to show up in application logs.

My setup:
- Debian Stretch (9.9) amd64
- sslh 1.18-1 (vanilla Debian package)
- sslh listening on port 5000

Of course I did the "ip rule" / "ip route" / "iptables" stuff as 
mentioned in the readme. And I don't use 127.0.0.1 or ::1 as the --ssl/--ssh 
argument, but a hostname that has IPv4 and IPv6 entries in the hosts file.

I use sslh to connect to SSH as well as HTTPS.

The weird thing now is:
- I can ssh to port 5000 using IPv4 and IPv6. I see the correct source 
IPs in syslog
- I can do HTTPS to port 5000 over IPv4 to my apache and get my webpage 
loaded
- I _cannot_ do HTTPS to port 5000 over IPv6, wget/Firefox/curl run into 
a timeout. Syslog says "forward to ssl failed:connect: Connection timed 
out" and "connect: Connection timed out".

Both SSH and HTTPS run on the local machine, so I think this shouldn't 
be a routing issue because only the destination ports differ.

The only difference I see is that SSH listens on tcp4 AND tcp6 while 
apache only listens on tcp6, but since apache supports IPv4-mapped IPv6 
addresses (see https://httpd.apache.org/docs/2.4/en/bind.html#ipv6), it 
answers to tcp4 too, although it has only opened a tcp6 socket:

# netstat -ltnp | grep :22
tcp        0      0 0.0.0.0:22    0.0.0.0:*     LISTEN      21295/sshd
tcp6       0      0 :::22         :::*          LISTEN      21295/sshd

# netstat -ltnp | grep :443
tcp6       0      0 :::443        :::*          LISTEN      3981/apache2

To change apache's behaviour, it must be recompiled, so that's not an 
option.

tcpdumping the external interface (with ip6 address 2001:db8:1::1) while 
a client (2001:db8:9999::2) is trying to connect shows that the local 
system tries to send an ACK to the client, which then gets repeated:

1 0.000000000 2001:db8:9999::2 → 2001:db8:1::1 TCP 80 57544 → 5000 [SYN] 
Seq=0 Win=28640 Len=0 MSS=1432 SACK_PERM=1 TSval=250389022 TSecr=0 WS=128
2 0.000070352 2001:db8:1::1 → 2001:db8:9999::2 TCP 80 5000 → 57544 [SYN, 
ACK] Seq=0 Ack=1 Win=28000 Len=0 MSS=1412 SACK_PERM=1 TSval=220558414 
TSecr=250389022 WS=128
3 0.061653966 2001:db8:9999::2 → 2001:db8:1::1 TCP 72 57544 → 5000 [ACK] 
Seq=1 Ack=1 Win=28672 Len=0 TSval=250389037 TSecr=220558414
4 0.062273343 2001:db8:9999::2 → 2001:db8:1::1 TLSv1 297 Client Hello
5 0.062306960 2001:db8:1::1 → 2001:db8:9999::2 TCP 72 5000 → 57544 [ACK] 
Seq=1 Ack=226 Win=29184 Len=0 TSval=220558429 TSecr=250389037
6 0.063067043 2001:db8:1::1 → 2001:db8:9999::2 TCP 72 [TCP Dup ACK 5#1] 
5000 → 57544 [ACK] Seq=1 Ack=226 Win=29184 Len=0 TSval=220558430 
TSecr=250389037
7 1.094584387 2001:db8:1::1 → 2001:db8:9999::2 TCP 72 [TCP Dup ACK 5#2] 
5000 → 57544 [ACK] Seq=1 Ack=226 Win=29184 Len=0 TSval=220558688 
TSecr=250389037
8 3.110579143 2001:db8:1::1 → 2001:db8:9999::2 TCP 72 [TCP Dup ACK 5#3] 
5000 → 57544 [ACK] Seq=1 Ack=226 Win=29184 Len=0 TSval=220559192 
TSecr=250389037
9 7.366592942 2001:db8:1::1 → 2001:db8:9999::2 TCP 72 [TCP Dup ACK 5#4] 
5000 → 57544 [ACK] Seq=1 Ack=226 Win=29184 Len=0 TSval=220560256 
TSecr=250389037

I also tried a self-compiled sslh v1.20, but with the same results.

Does anybody have an idea how this problem could be solved or what the 
root cause is?

Thanks and best regards,
Sven
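As an added example (not from Sven's post and not part of sslh), a small Python classifier for captures like the one above: it parses tshark-style summary lines and, from the client-facing capture alone, tells a frontend that never answered the SYN apart from one that completed the handshake and ACKed the Client Hello but never relayed a reply, which is the pattern the trace above shows. The CAPTURE string is the post's own trace reflowed to one frame per line; the summary-line format, the two-dup-ACK threshold and the verdict wording are assumptions of this example.

```python
import re
# Assumed tshark summary format: "no time src → dst proto len info", one frame per line.
FRAME_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+) → (\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
# Real TCP flag group such as "[SYN, ACK]"; the analysis tag "[TCP Dup ACK 5#1]" does not match.
FLAGS_RE = re.compile(r"\[((?:SYN|ACK|FIN|RST|PSH)(?:, (?:SYN|ACK|FIN|RST|PSH))*)\]")

def parse_frames(text):
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:  # skip anything that is not a frame line
            continue
        _, t, src, dst, proto, _, info = m.groups()
        flags = FLAGS_RE.search(info)
        frames.append({"t": float(t), "src": src, "dst": dst, "proto": proto,
                       "flags": set(flags.group(1).split(", ")) if flags else set(),
                       "dup_ack": "TCP Dup ACK" in info})
    return frames

def diagnose(text, server_ip):
    frames = parse_frames(text)
    from_srv = [f for f in frames if f["src"] == server_ip]
    from_cli = [f for f in frames if f["dst"] == server_ip]
    synack = any({"SYN", "ACK"} <= f["flags"] for f in from_srv)
    cli_data = [f for f in from_cli if f["proto"] != "TCP"]  # non-TCP label (TLSv1) = app data
    srv_data = [f for f in from_srv if f["proto"] != "TCP"]
    dup_acks = [f for f in from_srv if f["dup_ack"]]
    # Seconds between the client's first data record and the last thing the server sent.
    stall = round(from_srv[-1]["t"] - cli_data[0]["t"], 1) if cli_data and from_srv else 0.0
    if not synack:
        verdict = "SYN unanswered: nothing listening on the frontend port, or filtered inbound"
    elif cli_data and not srv_data and len(dup_acks) >= 2:  # threshold is an assumption
        verdict = "client leg fine (handshake done, data ACKed) but nothing relayed back: proxy-to-backend leg stalled"
    elif srv_data:
        verdict = "backend reply relayed: conversation healthy"
    else:
        verdict = "inconclusive: too few frames"
    return {"handshake": synack, "client_data_frames": len(cli_data), "server_data_frames": len(srv_data),
            "dup_acks": len(dup_acks), "stall_seconds": stall, "verdict": verdict}

# The capture from the post above, reflowed to one frame per line.
CAPTURE = """
1 0.000000000 2001:db8:9999::2 → 2001:db8:1::1 TCP 80 57544 → 5000 [SYN] Seq=0 Win=28640 Len=0 MSS=1432 SACK_PERM=1 TSval=250389022 TSecr=0 WS=128
2 0.000070352 2001:db8:1::1 → 2001:db8:9999::2 TCP 80 5000 → 57544 [SYN, ACK] Seq=0 Ack=1 Win=28000 Len=0 MSS=1412 SACK_PERM=1 TSval=220558414 TSecr=250389022 WS=128
3 0.061653966 2001:db8:9999::2 → 2001:db8:1::1 TCP 72 57544 → 5000 [ACK] Seq=1 Ack=1 Win=28672 Len=0 TSval=250389037 TSecr=220558414
4 0.062273343 2001:db8:9999::2 → 2001:db8:1::1 TLSv1 297 Client Hello
5 0.062306960 2001:db8:1::1 → 2001:db8:9999::2 TCP 72 5000 → 57544 [ACK] Seq=1 Ack=226 Win=29184 Len=0 TSval=220558429 TSecr=250389037
6 0.063067043 2001:db8:1::1 → 2001:db8:9999::2 TCP 72 [TCP Dup ACK 5#1] 5000 → 57544 [ACK] Seq=1 Ack=226 Win=29184 Len=0 TSval=220558430 TSecr=250389037
7 1.094584387 2001:db8:1::1 → 2001:db8:9999::2 TCP 72 [TCP Dup ACK 5#2] 5000 → 57544 [ACK] Seq=1 Ack=226 Win=29184 Len=0 TSval=220558688 TSecr=250389037
8 3.110579143 2001:db8:1::1 → 2001:db8:9999::2 TCP 72 [TCP Dup ACK 5#3] 5000 → 57544 [ACK] Seq=1 Ack=226 Win=29184 Len=0 TSval=220559192 TSecr=250389037
9 7.366592942 2001:db8:1::1 → 2001:db8:9999::2 TCP 72 [TCP Dup ACK 5#4] 5000 → 57544 [ACK] Seq=1 Ack=226 Win=29184 Len=0 TSval=220560256 TSecr=250389037
"""
```

Run `diagnose(CAPTURE, "2001:db8:1::1")` to get the classification; the same function applied to a capture taken on the loopback side (port 443) would show whether the backend leg ever got a SYN/ACK.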
