I would like to make a local unencrypted service that listens on 127.0.0.1:8000 available via SSL on both IPv4 and IPv6 on port 8001.
Unfortunately, stunnel configuration
    [Server]
    accept = 8001
    connect = 8000
binds only on IPv4, as I have checked via netstat and ncat:
    ~$ sudo netstat -an|grep 800 | grep LISTEN
    tcp        0      0 0.0.0.0:8000    0.0.0.0:*    LISTEN
    tcp        0      0 0.0.0.0:8001    0.0.0.0:*    LISTEN
    ~$ ncat --ssl -v ::1 8001
    Ncat: Version 6.46 ( http://nmap.org/ncat )
    Ncat: Connection refused.
However, the port seems to be blocked also on IPv6. When I add
    [Server IPv6]
    accept = :::8001
    connect = 8000
stunnel will not start, since the port is blocked:
    [ ] Service [pyload Web] (FD=7) bound to 0.0.0.0:8001
    [!] Error binding service [pyload Web IPv6] to :::8001
    [!] bind: Address already in use (98)
I have tried both orders for the respective sections in my stunnel config file. I am using version 5.02 from the Ubuntu Utopic repository. Any ideas?
Best Answer
Looks like I found an answer myself. "Why doesn't this IPv6 listen directive also accept IPv4?" states from the nginx doc that
So I used ONLY the [Server IPv6]. This gives only a tcp6 entry in netstat, but I am also able to connect via IPv4.
This also explains the behaviour, since stunnel implicitly tries to bind to the IPv4 port in the v6 section. I am unsure if my solution is good practice and if one can rely on the net.ipv6 default. I think there should be an ipv6only option in stunnel, like there is for nginx and socat.
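As an added illustration (not part of the answer above, and not stunnel code), the following Python script reproduces the socket behaviour the answer relies on: a listener bound to `::` with IPV6_V6ONLY=0 (the Linux default when net.ipv6.bindv6only=0) also accepts IPv4 clients, and then refuses a second 0.0.0.0 bind on the same port with EADDRINUSE (errno 98), which is exactly the conflict between the two stunnel sections. Ports are ephemeral and the client addresses are loopback; the helper names are this example's own.

```python
import errno
import socket

# Constructed probes: an IPv4 and an IPv6 client, both on loopback.
PROBES = (("ipv4", socket.AF_INET, "127.0.0.1"), ("ipv6", socket.AF_INET6, "::1"))

def listen_v6(v6only: bool) -> socket.socket:
    """Wildcard IPv6 listener on an ephemeral port. IPV6_V6ONLY=0 is the
    dual-stack mode that net.ipv6.bindv6only=0 gives by default on Linux."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
    srv.bind(("::", 0))
    srv.listen(5)
    srv.settimeout(2.0)
    return srv

def probe_dual_stack(v6only: bool) -> dict:
    """Which client families reach the :: listener? Returns the peer address the
    server saw (IPv4 arrives as the mapped ::ffff:127.0.0.1) or None if refused."""
    srv = listen_v6(v6only)
    port = srv.getsockname()[1]
    seen = {}
    for label, family, addr in PROBES:
        cli = socket.socket(family, socket.SOCK_STREAM)
        cli.settimeout(2.0)
        try:
            cli.connect((addr, port))
            conn, peer = srv.accept()
            seen[label] = peer[0]
            conn.close()
        except OSError:  # ECONNREFUSED, or no IPv6 loopback on this host
            seen[label] = None
        finally:
            cli.close()
    srv.close()
    return seen

def v4_wildcard_bind_conflicts(v6only: bool) -> bool:
    """Reproduce 'bind: Address already in use (98)': is a 0.0.0.0 listener on
    the same port refused once :: is already bound?"""
    srv6 = listen_v6(v6only)
    srv4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv4.bind(("0.0.0.0", srv6.getsockname()[1]))
        return False
    except OSError as e:
        return e.errno == errno.EADDRINUSE
    finally:
        srv4.close()
        srv6.close()

if __name__ == "__main__":
    for mode in (False, True):
        print(f"IPV6_V6ONLY={int(mode)}: reachable={probe_dual_stack(mode)}, "
              f"0.0.0.0 conflict={v4_wildcard_bind_conflicts(mode)}")
```

With the dual-stack default, the single `[Server IPv6]` section is the only one that can bind; with IPV6_V6ONLY=1 both sections would coexist, which is the option the answer wishes stunnel exposed.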