#1111488 stunnel4: address already in use error when using systemd generator

Package: stunnel4
Source: stunnel4
Description: Universal SSL tunnel for network daemons - compatibility package
Submitter: Jonathan Dowland
Date: 2026-03-17 04:03:02 UTC
Severity: normal

#1111488#5
Date: 2025-08-18 15:02:37 UTC

I have a single configured tunnel, very simply

  $ cat /etc/stunnel/jon-znc.conf
  [jon-znc]
  accept = 1234
  connect = 127.0.0.1:1235
  cert = <redacted>
  key  = <redacted>

If I try to start this using the systemd generator, it fails with
"address already in use"

  # systemctl start stunnel@jon-znc.service
  # systemctl status stunnel@jon-znc.service
  …
  Aug 18 14:29:46 luv stunnel[1424926]: LOG5[ui]: Binding service [jon-znc] to :::1234: Address already in use (98)

There is nothing bound to port 1234. Starting the service by hand works:

  $ sudo /usr/bin/stunnel4 /etc/stunnel/jon-znc.conf
  $ sudo lsof -ni:1234
  COMMAND      PID USER FD   TYPE   DEVICE SIZE/OFF NODE NAME
  stunnel4 1424947 root 9u  IPv4 20106843      0t0  TCP *:1234 (LISTEN)

The host is dual stack.

If I configure the accept to my public IPv4 address, I get past that
specific error, but inexplicably the server terminates shortly
afterwards. Note: I'd rather not encode my public IPv4 in this file, but
I can't see another way to say "bind on IPv4 only":

  Aug 18 15:00:06 luv systemd[1]: Started stunnel@jon-znc.service - TLS tunnel for network daemons - per-config-file service.
  Aug 18 15:00:06 luv stunnel[1425647]: LOG5[ui]: stunnel 5.74 on aarch64-unknown-linux-gnu platform
  Aug 18 15:00:06 luv stunnel[1425647]: LOG5[ui]: Compiled with OpenSSL 3.4.0 22 Oct 2024
  Aug 18 15:00:06 luv stunnel[1425647]: LOG5[ui]: Running  with OpenSSL 3.5.1 1 Jul 2025
  Aug 18 15:00:06 luv stunnel[1425647]: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
  Aug 18 15:00:06 luv stunnel[1425647]: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP
  Aug 18 15:00:06 luv stunnel[1425647]: LOG5[ui]: Reading configuration from file /etc/stunnel/jon-znc.conf
  Aug 18 15:00:06 luv stunnel[1425647]: LOG5[ui]: UTF-8 byte order mark not detected
  Aug 18 15:00:06 luv stunnel[1425647]: LOG5[ui]: FIPS mode disabled
  Aug 18 15:00:06 luv stunnel[1425647]: LOG5[ui]: Configuration successful
  Aug 18 15:00:06 luv stunnel[1425651]: LOG5[main]: Terminated
  Aug 18 15:00:06 luv systemd[1]: stunnel@jon-znc.service: Deactivated successfully.

#1111488#10
Date: 2025-08-19 08:03:04 UTC

Aha! The bind problem wasn't fatal.

I'd missed (in README.md) that "foreground = yes" was required on the
_stunnel_ configuration; I'd attributed that to the _systemd service_,
since it's in the "Per-config-file systemd services" section. I've
raised an MR that I think clarifies this, for your consideration:

https://salsa.debian.org/debian/stunnel/-/merge_requests/4

With that, stunnel is working for me via generator, even with the bind
issue. More on that:

According to /usr/share/doc/stunnel4/stunnel.html (and stunnel(8)),

So, specifying "accept = 1234" should only attempt to bind on IPv4. But
that's not what is happening. Here's an strace which clarifies what it
is doing.

And (with accept = 1234):

So the documentation does not match the behaviour.

In my case, I don't mind it listening on IPv6, and I can ignore the bind
warning.

I'll retitle this bug to reflect the remaining issue.
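
As an added example (not part of the report or of the stunnel package): a small Python check for the two things the message above identifies, a config started through `stunnel@.service` without the global `foreground = yes`, and a host-less `accept`, which in this report produced the non-fatal `:::1234` bind notice. The sample config is constructed from the one posted in the first message; the function names are hypothetical.

```python
import re

# Constructed sample: the config posted in the report, cert/key lines omitted.
SAMPLE = """\
[jon-znc]
accept = 1234
connect = 127.0.0.1:1235
"""
# Same config with the global option the README asks for.
FIXED = "foreground = yes\n" + SAMPLE


def parse(text):
    """Split stunnel config text into (global options, {service: options})."""
    glob, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            target = glob if current is None else current
            target[key.strip().lower()] = value.strip()
    return glob, services


def audit(text):
    """Return (scope, finding) pairs for the two issues in this report."""
    glob, services = parse(text)
    findings = []
    # Under stunnel@.service the daemon must not fork away from systemd;
    # "quiet" is the other foreground mode listed in stunnel(8).
    if glob.get("foreground", "no").lower() not in ("yes", "quiet"):
        findings.append(("global", "missing foreground = yes"))
    for name, opts in services.items():
        # No host part: the report saw an extra, failing bind on :::PORT.
        if "accept" in opts and ":" not in opts["accept"]:
            findings.append((name, "accept has no host part"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE), ("with fix", FIXED)):
        print(label, audit(cfg))
```
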

#1111488#15
Date: 2026-03-17 04:01:41 UTC

Although stunnel has been working fine, it looks like I developed the
same problem when upgrading my forky system this past weekend. I
started noticing that mail wasn't going out:

    Mar 16 20:04:16 olgas postfix/smtp[45485]: 9F44A6FA0032:
    to=<user@example.com>, relay=none, delay=23393,
    delays=23393/0.04/0/0, tls=may?, dsn=4.4.1, status=deferred (connect
    to 127.0.0.1[127.0.0.1]:12345: Connection refused)

Sure enough, nothing was listening on 12345 (not the real port) and
stunnel wasn't running. When I ran systemctl status on stunnel.target
and stunnel@stunnel.service, stunnel was listed as disabled. So I
enabled it and restarted it with systemctl. Still no joy. Here is what
status shows now:

    [wohler@olgas stunnel]$ sudo systemctl status stunnel.target
    ● stunnel.target - TLS tunnels for network services - per-config-file target
	 Loaded: loaded (/usr/lib/systemd/system/stunnel.target; enabled; preset: enabled)
	 Active: active since Mon 2026-03-16 20:08:23 PDT; 3min 44s ago
     Invocation: b1aa7e266eae4a76945c6f0073b45a8a

    Mar 16 20:08:23 olgas systemd[1]: Stopping stunnel.target - TLS tunnels for network services - per-config-file target...
    Mar 16 20:08:23 olgas systemd[1]: Reached target stunnel.target - TLS tunnels for network services - per-config-file target.

    [wohler@olgas stunnel4]$ sudo systemctl status stunnel@stunnel.service
    ○ stunnel@stunnel.service - TLS tunnel for network daemons - per-config-file service
	 Loaded: loaded (/usr/lib/systemd/system/stunnel@.service; enabled; preset: enabled)
	 Active: inactive (dead) since Mon 2026-03-16 20:14:33 PDT; 5min ago
       Duration: 78ms
     Invocation: 05777fb2ed6c4a2e87713026c1874819
	   Docs: man:stunnel4(8)
	Process: 46582 ExecStart=/usr/bin/stunnel4 /etc/stunnel/stunnel.conf (code=exited, status=0/SUCCESS)
       Main PID: 46582 (code=exited, status=0/SUCCESS)
       Mem peak: 3.4M
	    CPU: 29ms

    Mar 16 20:14:33 olgas stunnel[46582]: LOG5[ui]: Compiled/running with OpenSSL 3.5.5 27 Jan 2026
    Mar 16 20:14:33 olgas stunnel[46582]: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP
    Mar 16 20:14:33 olgas stunnel[46582]: LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
    Mar 16 20:14:33 olgas stunnel[46582]: LOG5[ui]: UTF-8 byte order mark not detected
    Mar 16 20:14:33 olgas stunnel[46582]: LOG5[ui]: FIPS provider disabled
    Mar 16 20:14:33 olgas stunnel[46582]: LOG4[ui]: Service [smtp-tls-wrapper] needs authentication to prevent MITM attacks
    Mar 16 20:14:33 olgas stunnel[46582]: LOG5[ui]: Configuration successful
    Mar 16 20:14:33 olgas stunnel[46582]: LOG5[ui]: Binding service [smtp-tls-wrapper] to :::12345: Address already in use (98)
    Mar 16 20:14:33 olgas stunnel[46601]: LOG5[main]: Terminated
    Mar 16 20:14:33 olgas systemd[1]: stunnel@stunnel.service: Deactivated successfully.

Note that I get the "Address already in use" message also. However,
looking back at the logs, I've been getting these since I installed
forky in December and stunnel has been working fine, so that's probably
a red herring.

I took Jonathan's suggestion and started the daemon manually. This time
the log didn't show the last two lines above starting with "Terminated"
and stunnel kept running and kept listening:

    [wohler@olgas stunnel]$ sudo /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
    [wohler@olgas stunnel]$ pgrep -a stunnel
    49058 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
    [wohler@olgas stunnel]$ sudo lsof -ni:12345
    COMMAND    PID USER FD   TYPE DEVICE SIZE/OFF NODE NAME
    stunnel4 49058 root 9u  IPv4  87661      0t0  TCP *:11125 (LISTEN)
    [wohler@olgas stunnel]$ sudo ss -tulpn | grep :12345
    tcp   LISTEN 0      4096         0.0.0.0:12345      0.0.0.0:*    users:(("stunnel4",pid=49058,fd=9))

p.s. Any quick recipes to address the MITM warning appreciated.
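
On the `LOG4` line "needs authentication to prevent MITM attacks" in the log above, an added configuration example (not from the report or the package): a client-mode service that verifies the remote server's certificate chain and host name. It assumes `[smtp-tls-wrapper]` is a client-mode service; the remote host name and ports are placeholders, and the CA bundle path is the one installed by Debian's ca-certificates package.

```ini
; Constructed example: service name from the log above, everything else assumed.
; Global option: stay in the foreground when started via stunnel@.service.
foreground = yes

[smtp-tls-wrapper]
client = yes
; Loopback only: the local mail daemon connects to 127.0.0.1, and a host part
; avoids a wildcard listener.
accept = 127.0.0.1:12345
; Placeholder for the real relay.
connect = smtp.example.com:465

; Without the three options below, stunnel encrypts but accepts any certificate,
; which is what the warning is about.
; Verify the server's chain against trusted roots ...
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
; ... and require the certificate to be issued for the host being contacted.
checkHost = smtp.example.com
```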