How to use a specific ip interface while testing TLS/SSL connectivity.

Rajinder Pal Singh
Hi, 

I want to use a specific ip interface (out of several available ethernet interfaces available on my server) to test TLS/SSL connectivity to a remote server. 


Wondering if it's possible? 


Regards,
Rajinder. 

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: How to use a specific ip interface while testing TLS/SSL connectivity.

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of Rajinder Pal Singh
> Sent: Friday, February 08, 2019 12:20

> I want to use a specific ip interface (out of several available ethernet interfaces available
> on my server) to test TLS/SSL connectivity to a remote server.

This isn't an OpenSSL question; it's a networking-API question.

For IPv4: Create your socket, bind it to the local interface you want to use (specifying a port of 0 if you want an ephemeral port assigned as in the usual case), then connect to the peer. You'll probably want to enable SO_REUSEADDR on the socket before calling bind. Once the connection is established, create the OpenSSL socket BIO and associate it with your socket.

For IPv6: You should be able to use a scope zone ID to force a particular local interface. The easiest way to do this is to specify the appropriate zone ID suffix (which might look like e.g. "%15" or "%eth1") on the text representation of the peer's address, then use getaddrinfo with the AI_NUMERICHOST hint to convert it to a sockaddr_in6 structure with the correct scope zone ID field value. Then connect using that, create BIO, etc.

Note that all of this will only work if the peer can actually be reached using that interface.

Another alternative is to configure your routing table with a host route to the peer using the desired interface.

--
Michael Wojcik
Distinguished Engineer, Micro Focus


Re: How to use a specific ip interface while testing TLS/SSL connectivity.

Viktor Dukhovni
> On Feb 8, 2019, at 12:55 PM, Michael Wojcik <[hidden email]> wrote:
>
> For IPv4: Create your socket, bind it to the local interface you want to use (specifying a port of 0 if you want an ephemeral port assigned as in the usual case), then connect to the peer. You'll probably want to enable SO_REUSEADDR on the socket before calling bind.

For the record, one should *not* use SO_REUSEADDR for client sockets used in
outbound connections.

--
        Viktor.

Re: How to use a specific ip interface while testing TLS/SSL connectivity.

FooCrypt
In reply to this post by Rajinder Pal Singh
Hi Rajinder

There shouldn’t be any issues depending on how your host OS is performing the routing to the network the SSL/TLS endpoint is on.

Try a traceroute to the IP to see where it goes, and a telnet IP 80 or 443 to make sure you can connect to the web server.


Regards,

Mark A. Lane





Re: How to use a specific ip interface while testing TLS/SSL connectivity.

Michael Wojcik
In reply to this post by Viktor Dukhovni
> From: openssl-users [mailto:[hidden email]] On Behalf Of
> Viktor Dukhovni
> Sent: Friday, February 08, 2019 13:00
>
> > On Feb 8, 2019, at 12:55 PM, Michael Wojcik <[hidden email]>
> wrote:
> >
> > For IPv4: Create your socket, bind it to the local interface you want to
> use (specifying a port of 0 if you want an ephemeral port assigned as in the
> usual case), then connect to the peer. You'll probably want to enable
> SO_REUSEADDR on the socket before calling bind.
>
> For the record, one should *not* use SO_REUSEADDR for client sockets used in
> outbound connections.

Not usually, but in the specific case of testing connections bound to specific local addresses - an artificial use case - it will either avoid having to wait for the 2MSL timer to expire (if you bind to a specific local port) or exhausting the ephemeral port space (if you use a stack-assigned ephemeral port) if you're making a lot of short-lived connections.

Obviously bypassing TIME_WAIT this way introduces precisely the problem that TIME_WAIT exists to prevent: picking up data from a previous connection. However, modern stacks with randomized ISNs make the failure mode for that situation more palatable (more likely to produce an error state rather than silently accepting the stale data), and applications that implement their own session and/or presentation layers on top of the TCP bytestream will typically do a good job of 1) ensuring there isn't any stale data, and 2) detecting it if there is. TLS provides such a layer.

I recognize that the use of SO_REUSEADDR on the active-open (client) side is controversial, but this particular use case shouldn't appear in a production environment anyway.

--
Michael Wojcik
Distinguished Engineer, Micro Focus



Re: How to use a specific ip interface while testing TLS/SSL connectivity.

Rajinder Pal Singh
In reply to this post by Rajinder Pal Singh
Thanks Mark for the prompt reply. Absolutely makes sense. Actually, I am on Nonstop HPE servers. There are no internal routing tables or, so to say, static routes. Environment is different from unix/linux. 

From Application perspective, we choose what ip interface to use. 

Wondering if we can force the openssl to use specific interface? 

Regards. 




Re: How to use a specific ip interface while testing TLS/SSL connectivity.

FooCrypt
Hi Rajinder

Perhaps a tunnel may help ?

Have a look at man -s ssh, check out binding to interfaces and setting up a tunnel from one Nic through to your endpoint.

Have a look at netcat, or nc as it's called these days, for listening on the endpoint of the tunnel as your basic HTTP 1.1 server, and redirect the output to a file to see what it is receiving.


You could write a quick shell script in KORN and open up a TCP socket connection to your web server and just feed it the raw SSL/TLS packets captured from the handshake from another session captured with tcpdump, snoop, etc.

Regards,

Mark A. Lane



Re: How to use a specific ip interface while testing TLS/SSL connectivity.

Kyle Hamilton
In reply to this post by Rajinder Pal Singh
It appears you could create() a socket, bind() it to the interface you
want to use, possibly connect() it, and then pass it to either
BIO_s_connect() or BIO_s_socket() depending on which meets your needs.

-Kyle H
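
The bind-then-connect sequence Michael and Kyle describe, as an added example that is not code from the thread: Python's ssl module (which wraps OpenSSL) stands in for the socket BIO calls, the IPv6 helper does the getaddrinfo/AI_NUMERICHOST step with a zone-ID suffix, and the addresses in it are placeholders.

```python
import socket
import ssl
from typing import Optional, Tuple


def connect_from(local_ip: str, peer: Tuple[str, int], timeout: float = 5.0) -> socket.socket:
    """socket() -> bind(local_ip, port 0) -> connect(peer).

    Port 0 lets the stack pick an ephemeral source port. SO_REUSEADDR is
    deliberately not set on this outbound socket (see the thread).
    """
    family = socket.AF_INET6 if ":" in local_ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.bind((local_ip, 0))  # pin the source address before the active open
    sock.connect(peer)
    return sock


def resolve_v6_with_scope(peer_text: str, port: int) -> tuple:
    """IPv6 variant from the thread: "fe80::1%eth1" or "fe80::1%15" becomes a
    sockaddr_in6-style tuple (host, port, flowinfo, scope_id) via getaddrinfo
    with AI_NUMERICHOST, so no DNS lookup is attempted."""
    info = socket.getaddrinfo(peer_text, port, socket.AF_INET6,
                              socket.SOCK_STREAM, 0, socket.AI_NUMERICHOST)
    return info[0][4]


def tls_probe(local_ip: str, host: str, port: int = 443,
              server_name: Optional[str] = None) -> dict:
    """Connect from local_ip, run the handshake, report what was negotiated.

    ssl.create_default_context() verifies the server certificate and host
    name, so a failed probe also reveals a bad certificate, not only an
    unreachable interface."""
    ctx = ssl.create_default_context()
    raw = connect_from(local_ip, (host, port))
    with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
        return {
            "source": tls.getsockname()[:2],
            "protocol": tls.version(),
            "cipher": tls.cipher()[0],
            "peer_subject": tls.getpeercert().get("subject"),
        }


if __name__ == "__main__":
    # Placeholders: one of your own interface addresses and the peer under test.
    print(tls_probe("192.0.2.10", "example.com"))
```

As Michael notes, the probe only succeeds if the peer is actually reachable from the chosen address; a bind to an address the stack does not own fails before the handshake starts.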


Re: How to use a specific ip interface while testing TLS/SSL connectivity.

Rajinder Pal Singh
In reply to this post by FooCrypt
Thanks Mark. Will definitely try this. Appreciate your help. Will keep you posted. 

Regards.


Re: How to use a specific ip interface while testing TLS/SSL connectivity.

Scott Neugroschl-2
In reply to this post by Rajinder Pal Singh

Hi Rajinder,

Have you tried the “socket_transport_name_set” call in your main program?

ScottN