Re: [openssl-users] Binding the socket to a source IP address before connect
Hi,

Thanks Michael. I'll check if your proposal fits my requirement.

Regards,
Sanjaya

On Wed, Jan 10, 2018 at 7:55 PM, Michael Richardson wrote:
> Sanjaya Joshi wrote:
> > Is there a BIO family of API that OpenSSL provides to bind to a
> > specific source IP address before creating a socket connection (using
> > for e.g. BIO_new_connect()) ?
>
> I think not... BIO_new_connect() allocates the BIO, and so there isn't any
> state to set up before you call that.
>
> I've had to add a place to store the sockaddr to the DGRAM method in order to
> make DTLS work the way I want it, and it could be extended to TCP sockets I
> think, but not using the flow that you are using.
>
> However, you can provide the FD to the SSL context using BIO_set_fd()
> and SSL_set_bio():
>
>     BIO_set_fd(inbio, connectedfd, BIO_NOCLOSE);
>     SSL_set_bio(ssl, inbio, outbio);
>
> Then you can set up the connectedfd any way you want, calling bind() before
> connect. That means that you might have to parse the host/IP + port
> yourself, but getaddrinfo() can do that for you, and
>
>     int BIO_lookup(const char *host, const char *service,
>                    enum BIO_lookup_type lookup_type,
>                    int family, int socktype, BIO_ADDRINFO **res);
>
> wraps it all nicely for you.
>
> > My application does not need to rely on the kernel-provided source IP
> > address and hence the need for this.
>
> Just remember to test with IPv6 Link-Local addresses, because they do
> matter, and they are hard to get right from userspace.
> (And if you aren't doing IPv6 testing, then you probably shouldn't be
> creating new code)

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Binding the socket to a source IP address before connect
Sanjaya Joshi wrote:
> Is there a BIO family of API that OpenSSL provides to bind to a
> specific source IP address before creating a socket connection (using
> for e.g. BIO_new_connect()) ?

I think not... BIO_new_connect() allocates the BIO, and so there isn't any
state to set up before you call that.

I've had to add a place to store the sockaddr to the DGRAM method in order to
make DTLS work the way I want it, and it could be extended to TCP sockets I
think, but not using the flow that you are using.

However, you can provide the FD to the SSL context using BIO_set_fd()
and SSL_set_bio():

    BIO_set_fd(inbio, connectedfd, BIO_NOCLOSE);
    SSL_set_bio(ssl, inbio, outbio);

Then you can set up the connectedfd any way you want, calling bind() before
connect. That means that you might have to parse the host/IP + port
yourself, but getaddrinfo() can do that for you, and

    int BIO_lookup(const char *host, const char *service,
                   enum BIO_lookup_type lookup_type,
                   int family, int socktype, BIO_ADDRINFO **res);

wraps it all nicely for you.

> My application does not need to rely on the kernel-provided source IP
> address and hence the need for this.

Just remember to test with IPv6 Link-Local addresses, because they do
matter, and they are hard to get right from userspace.
(And if you aren't doing IPv6 testing, then you probably shouldn't be
creating new code)

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
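The approach Michael describes, as an added example that is not part of the thread: the application resolves both ends with getaddrinfo(), creates the socket itself, bind()s it to the chosen source address, connect()s, and only then hands the connected socket to the TLS layer. It is written in Python on top of the stdlib ssl module (OpenSSL underneath), where SSLContext.wrap_socket() on an already connected socket plays the role of BIO_set_fd()/SSL_set_bio(). The source address is resolved first because it fixes the address family the destination must match, and the IPv6 link-local caveat is handled by copying the source's scope id onto a scopeless link-local destination. The loopback listener, the helper names and the 192.0.2.10/example.net addresses in the final comment are constructed for the example.

```python
"""Bind a TCP socket to a chosen source address before connect(), then hand it to TLS."""
import ipaddress
import socket
import ssl
import threading
from typing import List, Optional, Tuple

SockAddr = tuple  # ('192.0.2.10', port) or ('fe80::1%eth0', port, flowinfo, scope_id)


def resolve(host: str, port: int, family: int = socket.AF_UNSPEC,
            numeric: bool = False) -> List[Tuple[int, SockAddr]]:
    """getaddrinfo() for a TCP endpoint, returned as (family, sockaddr) pairs.

    numeric=True (AI_NUMERICHOST) is used for the source address: it has to be a
    local address literal anyway, so it must never trigger a DNS lookup.
    """
    flags = socket.AI_NUMERICHOST if numeric else 0
    infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM,
                               socket.IPPROTO_TCP, flags)
    return [(fam, addr) for fam, _type, _proto, _canon, addr in infos]


def with_scope_from_source(src_addr: SockAddr, dst_addr: SockAddr) -> SockAddr:
    """IPv6 link-local destinations need a scope (interface) id.

    If the destination came without one (scope_id == 0) but the source carries
    one, reuse the source's: both ends of a link-local connection are on the
    same link, and connect() fails without it. Non-link-local and IPv4
    addresses are returned unchanged.
    """
    if len(dst_addr) != 4 or dst_addr[3] != 0 or len(src_addr) != 4:
        return dst_addr
    plain = dst_addr[0].split("%", 1)[0]
    if ipaddress.IPv6Address(plain).is_link_local and src_addr[3] != 0:
        return (dst_addr[0], dst_addr[1], dst_addr[2], src_addr[3])
    return dst_addr


def connect_from(source_ip: str, host: str, port: int,
                 timeout: float = 5.0) -> socket.socket:
    """socket() -> bind(source) -> connect(destination); the kernel never picks the source.

    Only destination addresses of the source's family are tried.
    """
    fam, src_addr = resolve(source_ip, 0, numeric=True)[0]   # port 0: ephemeral
    last_err: Optional[OSError] = None
    for dst_fam, dst_addr in resolve(host, port, family=fam):
        s = socket.socket(dst_fam, socket.SOCK_STREAM, socket.IPPROTO_TCP)
        try:
            s.settimeout(timeout)
            s.bind(src_addr)                                  # before connect()
            s.connect(with_scope_from_source(src_addr, dst_addr))
            s.settimeout(None)
            return s
        except OSError as e:
            last_err = e
            s.close()
    raise OSError(f"cannot reach {host}:{port} from {source_ip}: {last_err}")


def tls_over(sock: socket.socket, server_hostname: str,
             ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Hand the caller-prepared, already connected socket to the TLS layer.

    Same shape as BIO_set_fd()/SSL_set_bio() in C: the transport is ours, the
    library only speaks TLS over it. The default context keeps certificate
    verification and hostname checking on; binding the source is no reason to
    relax either.
    """
    ctx = ctx or ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


def loopback_listener(bind_ip: str = "127.0.0.1"):
    """Constructed test peer: a plain TCP listener recording the peer address it saw."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind((bind_ip, 0))
    ls.listen(1)
    seen: List[SockAddr] = []

    def accept_one() -> None:
        conn, peer = ls.accept()
        seen.append(peer)
        conn.close()

    t = threading.Thread(target=accept_one, daemon=True)
    t.start()
    return ls, seen, t


if __name__ == "__main__":
    listener, seen, th = loopback_listener()
    s = connect_from("127.0.0.1", "127.0.0.1", listener.getsockname()[1])
    th.join(2)
    print("local end", s.getsockname(), "- peer saw", seen)
    s.close()
    listener.close()
    # Real use (hypothetical addresses):
    # tls = tls_over(connect_from("192.0.2.10", "example.net", 443), "example.net")
```

Run it as a script to see the bound source address confirmed from both sides over loopback. For a link-local test, pass the source as "fe80::...%ifname" so getaddrinfo() fills in the scope id; the destination can then be given with or without one.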
[openssl-users] Binding the socket to a source IP address before connect
Hello,

Is there a BIO family of API that OpenSSL provides to bind to a specific
source IP address before creating a socket connection (using for e.g.
BIO_new_connect()) ?

My application does not need to rely on the kernel-provided source IP
address and hence the need for this.

Regards,
Sanjaya