[openssl-users] Binding the socket to a source IP address before connect

Sanjaya Joshi joshi.sanjaya at gmail.com
Wed Jan 10 19:43:24 UTC 2018


Hi,
Thanks Michael. I'll check if your proposal fits my requirement.

Regards,
Sanjaya

On Wed, Jan 10, 2018 at 7:55 PM, Michael Richardson <mcr at sandelman.ca>
wrote:

>
> Sanjaya Joshi <joshi.sanjaya at gmail.com> wrote:
>     > Is there a BIO family of API that OpenSSL provides to bind to a
>     > specific source IP address before creating a socket connection (using
>     > for e.g. BIO_new_connect()) ?
>
> I think not... BIO_new_connect() allocates the BIO, and so there isn't any
> state to set up before you call that.
>
> I've had to add a place to store the sockaddr to the DGRAM method in order
> to
> make DTLS work the way I want it, and it could be extended to TCP sockets I
> think, but not using the flow that you are using.
>
> However, you can provide the FD to the SSL context using BIO_set_fd()
> and SSL_set_bio():
>
>     BIO_set_fd(inbio, connectedfd, BIO_NOCLOSE);
>     SSL_set_bio(ssl, inbio, outbio);
>
> Then you can set up the connectedfd any way you want, calling bind() before
> connect.  That means that you might have to parse the host/IP + port
> yourself, but getaddrinfo() can do that for you, and
>           int BIO_lookup(const char *host, const char *service,
>                          enum BIO_lookup_type lookup_type,
>                          int family, int socktype, BIO_ADDRINFO **res);
>
> wraps it all nicely for you.
>
>     > My application does not need to rely on the kernel-provided source IP
>     > address and hence the need for this.
>
> Just remember to test with IPv6 Link-Local addresses, because they do
> matter, and they are hard to get right from userspace.
> (And if you aren't doing IPv6 testing, then you probably shouldn't be
> creating new code)
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh
> networks [
> ]   Michael Richardson, Sandelman Software Works        | network
> architect  [
> ]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on
> rails    [
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180111/33dd3eca/attachment.html>


More information about the openssl-users mailing list