Can a linux service work as both TLS client and server?

Sam Roberts vieuxtech at gmail.com
Sat Nov 16 01:02:33 UTC 2019


I'm curious, it's pretty unusual to not know which side of a TCP connection
is the client or server, not just TLS, HTTP, SMTP, .... etc. It's almost
always the side that makes the accept() call that's the server, but that
doesn't have to be.

Why is it that you do not in this context?

Without it, you are fairly far off the beaten path. A normal TLS client
would not be able to connect to your "accept()" side if it tried to be a
client, and a normal TLS server would never initiate a connection to your
"accept()" in the hopes that the acceptor would turn around and be a client.

The 1/0 isn't so terrible (well, maybe the protocol is terrible :-). Doing
a custom negotiation, then "stepping up" to TLS, is done by other protocols. You
could also sniff the TCP after accept, and wait a while to see if a client
hello arrives to know if the other side is a client (or wait for any data;
I don't think a server starts sending data until it gets something, but it's
been a while since I looked).

Hope that's helpful, and even if not, it'd be interesting to know what Apple
is doing that is pushing you down this path.

Sam
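The "sniff the TCP after accept" idea from the message above, worked through as an added example. This is not code from the original post, from the poster, or from OpenSSL; the function names (looks_like_client_hello, classify_peer, demo), the role labels, the timeout values and the sample bytes are all my own choices. It peeks at the first bytes on an accepted socket with MSG_PEEK, so nothing is consumed and a TLS library can later be handed the same socket and read the ClientHello itself; if no data arrives before a deadline it assumes the peer is a TLS server waiting for us and reports that we should act as the client. The traffic in demo() is constructed over local socket pairs.

```python
import socket
import struct
import time

# Constructed sample: the first 11 bytes of a TLS ClientHello as seen on the wire.
# Record header: content type 0x16 (handshake), record version 0x0301, length 0x00F1.
# Handshake header: type 0x01 (ClientHello), length 0x0000ED, then client version
# 0x0303. Only the first six bytes are needed for the role decision below.
SAMPLE_CLIENT_HELLO_PREFIX = bytes.fromhex("16 03 01 00 f1 01 00 00 ed 03 03")

PEEK_LEN = 6  # 5-byte record header + 1-byte handshake message type


def looks_like_client_hello(data: bytes) -> bool:
    """True if data begins with a TLS handshake record whose first message is a
    ClientHello. This is a plaintext sniff used only to pick a TLS role; it does
    not validate anything about the handshake."""
    if len(data) < PEEK_LEN:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16:            # 0x16 = handshake record
        return False
    if major != 0x03 or minor > 0x03:   # record version SSL 3.0 .. TLS 1.2
        return False                    # (a TLS 1.3 ClientHello uses 0x0301/0x0303)
    if rec_len == 0:
        return False
    return data[5] == 0x01              # handshake type 1 = ClientHello


def classify_peer(conn: socket.socket, wait: float) -> str:
    """Peek at an accepted socket and decide which TLS role we should take.

    "tls-server"  the peer sent a ClientHello; hand the socket to a TLS server
    "tls-client"  nothing arrived within `wait` seconds; the peer is presumably a
                  TLS server waiting for our ClientHello, so we become the client
    "not-tls"     bytes arrived that are not a TLS ClientHello
    "closed"      the peer closed the connection before sending anything
    MSG_PEEK leaves the bytes in the kernel buffer for whoever reads next.
    """
    deadline = time.monotonic() + wait
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return "tls-client"
            conn.settimeout(remaining)
            try:
                data = conn.recv(PEEK_LEN, socket.MSG_PEEK)
            except socket.timeout:
                return "tls-client"
            if not data:
                return "closed"
            if len(data) >= PEEK_LEN:
                return "tls-server" if looks_like_client_hello(data) else "not-tls"
            if data[0] != 0x16:
                return "not-tls"        # first byte already rules out a TLS record
            time.sleep(0.01)            # header may still be in flight; peek again
    finally:
        conn.settimeout(None)           # hand back a blocking socket


def demo() -> dict:
    """Exercise every outcome with constructed traffic over local socket pairs."""
    results = {}

    # Peer speaks first with a ClientHello: we should be the TLS server.
    ours, peer = socket.socketpair()
    peer.sendall(SAMPLE_CLIENT_HELLO_PREFIX)
    results["hello_first"] = classify_peer(ours, wait=1.0)
    # Nothing was consumed, so the TLS library would still see the whole record.
    results["hello_intact"] = ours.recv(len(SAMPLE_CLIENT_HELLO_PREFIX)) == SAMPLE_CLIENT_HELLO_PREFIX
    ours.close(); peer.close()

    # Peer stays silent: it is a TLS server waiting for us, so we become the client.
    ours, peer = socket.socketpair()
    results["silent"] = classify_peer(ours, wait=0.2)
    ours.close(); peer.close()

    # Peer sends plaintext that is not TLS at all.
    ours, peer = socket.socketpair()
    peer.sendall(b"GET / HTTP/1.1\r\n\r\n")
    results["not_tls"] = classify_peer(ours, wait=1.0)
    ours.close(); peer.close()

    # Peer hangs up without sending anything.
    ours, peer = socket.socketpair()
    peer.close()
    results["closed"] = classify_peer(ours, wait=1.0)
    ours.close()

    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want: the role decision is driven by unauthenticated plaintext bytes and a timer, so whoever is on the other end of the TCP connection chooses which role you take; any authorization (which peers may talk to this service, and in which role) has to be enforced after the handshake on the verified peer certificate, not inferred from the sniff. And the timeout is a real trade-off: a legitimate TLS client that is slow to send its ClientHello gets classified as a server, both sides then send a ClientHello, and the handshake fails.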