[openssl-users] Binding the socket to a source IP address before connect

Michael Richardson mcr at sandelman.ca
Wed Jan 10 14:25:03 UTC 2018


Sanjaya Joshi <joshi.sanjaya at gmail.com> wrote:
    > Is there a BIO family of API that OpenSSL provides to bind to a
    > specific source IP address before creating a socket connection (using
    > for e.g. BIO_new_connect()) ?

I think not... BIO_new_connect() allocates the BIO, and so there isn't any
state to set up before you call that.

I've had to add a place to store the sockaddr to the DGRAM method in order to
make DTLS work the way I want it, and it could be extended to TCP sockets I
think, but not using the flow that you are using.

However, you can provide the FD to the SSL context using BIO_set_fd()
and SSL_set_bio():

    BIO_set_fd(inbio, connectedfd, BIO_NOCLOSE);
    SSL_set_bio(ssl, inbio, outbio);

Then you can set up the connectedfd any way you want, calling bind() before
connect.  That means that you might have to parse the host/IP + port
yourself, but getaddrinfo() can do that for you, and

    int BIO_lookup(const char *host, const char *service,
                   enum BIO_lookup_type lookup_type,
                   int family, int socktype, BIO_ADDRINFO **res);

wraps it all nicely for you.

    > My application does not need to rely on the kernel-provided source IP
    > address and hence the need for this.

Just remember to test with IPv6 Link-Local addresses, because they do
matter, and they are hard to get right from userspace.
(And if you aren't doing IPv6 testing, then you probably shouldn't be
creating new code.)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
