I would like to make a local unencrypted service that listens on 127.0.0.1:8000 available via SSL on both IPv4 and IPv6 on port 8001.

Unfortunately, stunnel configuration

[Server]
accept = 8001
connect = 8000

binds only on IPv4, as I have checked via netstat and ncat:

~$ sudo netstat -an|grep 800 | grep LISTEN
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN

~$ ncat --ssl -v ::1 8001
Ncat: Version 6.46 ( http://nmap.org/ncat )
Ncat: Connection refused.

However, the port seems to be blocked also on IPv6. When I add

[Server IPv6]
accept = :::8001
connect = 8000

stunnel will not start, since the port is blocked:

[ ] Service [pyload Web] (FD=7) bound to 0.0.0.0:8001
[!] Error binding service [pyload Web IPv6] to :::8001
[!] bind: Address already in use (98)

I have tried both orders for the respective sections in my stunnel config file. I am using version 5.02 from the Ubuntu Utopic repository. Any ideas?

mcandril

2 Answers

Looks like I found an answer myself. "Why doesn't this IPv6 listen directive also accept IPv4?" quotes the nginx doc, which states that

In Linux by default any IPv6 TCP socket also accepts IPv4 traffic 
... the runtime parameter: net.ipv6.bindv6only which has the value 0 by default. 

So I used ONLY the [Server IPv6]. This gives only a tcp6 entry in netstat, but I am also able to connect via IPv4.

This also explains the behaviour, since stunnel implicitly tries to bind to the IPv4 port in the v6 section. I am unsure if my solution is good practice and if one can rely on the net.ipv6 default. I think there should be an ipv6only option in stunnel, like there is for nginx and socat.

mcandril

In order to get both ipv4 and ipv6 to work at the same time on my ubuntu 16.04 machine (a Linode) I had to configure stunnel to bind to all ipv6 addresses, like this:

accept = :::443

Specifying a particular ipv6 address would bind successfully to that one address, but would not allow ipv4 requests to go through.

accept = ipv6.sqlite.org:443  ;# Does not accept IPv4
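Both answers rest on the same kernel behaviour: an IPv6 TCP socket bound to the unspecified address `::` also accepts IPv4 connections unless the per-socket option IPV6_V6ONLY is set, and `net.ipv6.bindv6only` only sets the default value of that option. The following Python script is an added example, not code from the question, the answers, or the stunnel project. It creates an IPv6 listener on an ephemeral loopback port, sets IPV6_V6ONLY explicitly to 0 or 1 (so the result does not depend on the sysctl default), and then checks whether an IPv4 client and an IPv6 client can complete a TCP handshake. It assumes a Linux host with IPv6 loopback (`::1`); where IPv6 sockets cannot be created or bound it reports `None` instead of a result. It does not inspect what stunnel itself does with the option; it only shows what the kernel does with the socket either way.

```python
import socket


def make_listener(host, v6only):
    """Bind an IPv6 TCP listener on an ephemeral port.

    Returns the listening socket, or None if this host cannot create or bind
    IPv6 sockets at all (e.g. IPv6 disabled in the container).
    """
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    # IPV6_V6ONLY is the per-socket switch that net.ipv6.bindv6only merely
    # provides the default for; setting it here overrides the sysctl.
    srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
    srv.settimeout(2.0)
    try:
        srv.bind((host, 0))  # port 0: let the kernel choose a free port
    except OSError:
        srv.close()
        return None
    srv.listen(5)
    return srv


def can_connect(srv, family, addr):
    """True if a client socket of `family` completes a TCP handshake with srv."""
    with socket.socket(family, socket.SOCK_STREAM) as client:
        client.settimeout(2.0)
        try:
            client.connect(addr)
        except OSError:  # ECONNREFUSED, EADDRNOTAVAIL, timeout, ...
            return False
        conn, peer = srv.accept()
        # An IPv4 client on a dual-stack socket shows up as ::ffff:127.0.0.1,
        # which is why netstat lists only a tcp6 entry for such a listener.
        conn.close()
        return True


def probe(host, v6only):
    """Bind `host` with the given IPV6_V6ONLY value and report which address
    families can reach it. Returns None if IPv6 listeners are unavailable."""
    srv = make_listener(host, v6only)
    if srv is None:
        return None
    try:
        port = srv.getsockname()[1]
        return {
            "ipv4": can_connect(srv, socket.AF_INET, ("127.0.0.1", port)),
            "ipv6": can_connect(srv, socket.AF_INET6, ("::1", port)),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    # "::" with V6ONLY=0 is the dual-stack case from the first answer; "::1"
    # is the "specific IPv6 address" case from the second answer.
    for host, v6only in (("::", False), ("::", True), ("::1", False)):
        print(f"bind {host!r:6} IPV6_V6ONLY={int(v6only)} -> {probe(host, v6only)}")
```

Running it on a dual-stack Linux host gives `{'ipv4': True, 'ipv6': True}` for `::` with the option off, `{'ipv4': False, 'ipv6': True}` with it on, and `{'ipv4': False, 'ipv6': True}` for `::1`. The middle case is what a listener depends on when it leaves IPV6_V6ONLY at its default and an administrator has set `net.ipv6.bindv6only = 1`, which is the fragility the first answer worries about; a service that wants a guaranteed dual-stack listener should either set the option itself or bind IPv4 and IPv6 sockets separately.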