[openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Feb 8 17:55:58 UTC 2019

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Rajinder Pal Singh
> Sent: Friday, February 08, 2019 12:20

> I want to use a specific ip interface (out of several available ethernet interfaces available
> on my server) to test TLS/SSL connectivity to a remote server.

This isn't an OpenSSL question; it's a networking-API question.

For IPv4: Create your socket, bind it to the local interface you want to use (specifying a port of 0 if you want an ephemeral port assigned as in the usual case), then connect to the peer. You'll probably want to enable SO_REUSEADDR on the socket before calling bind. Once the connection is established, create the OpenSSL socket BIO and associate it with your socket.

For IPv6: You should be able to use a scope zone ID to force a particular local interface. The easiest way to do this is to specify the appropriate zone ID suffix (which might look like e.g. "%15" or "%eth1") on the text representation of the peer's address, then use getaddrinfo with the AI_NUMERICHOST hint to convert it to a sockaddr_in6 structure with the correct scope zone ID field value. Then connect using that, create BIO, etc.

Note that all of this will only work if the peer can actually be reached using that interface.

Another alternative is to configure your routing table with a host route to the peer using the desired interface.

Michael Wojcik
Distinguished Engineer, Micro Focus
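
The bind-then-connect steps described in the reply above, as an added example in C that is not part of the original message. The function name `connect_from` and the command-line usage are assumptions made for this illustration; the OpenSSL BIO step is only indicated in a comment so the code builds without OpenSSL.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* connect_from (a name chosen for this example): connect to peer:port with
 * the local end bound to local_ip, a numeric address on the wanted interface.
 * Returns a connected socket descriptor, or -1 on any failure. */
int connect_from(const char *local_ip, const char *peer, const char *port)
{
    struct addrinfo hints, *src = NULL, *dst = NULL;
    int fd = -1, on = 1;

    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;            /* local address: no DNS lookup */
    if (getaddrinfo(local_ip, "0", &hints, &src) != 0)  /* port 0 = ephemeral */
        return -1;

    hints.ai_family = src->ai_family;           /* peer must use the same family */
    hints.ai_flags = 0;
    if (getaddrinfo(peer, port, &hints, &dst) != 0)
        goto out;
    fd = socket(src->ai_family, SOCK_STREAM, 0);
    if (fd < 0)
        goto out;
    /* SO_REUSEADDR before bind, as the reply suggests; failure is not fatal. */
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    if (bind(fd, src->ai_addr, src->ai_addrlen) != 0 ||
        connect(fd, dst->ai_addr, dst->ai_addrlen) != 0) {
        close(fd);                              /* e.g. peer unreachable via this interface */
        fd = -1;
    }
out:
    freeaddrinfo(src);
    if (dst) freeaddrinfo(dst);
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s local-ip peer port\n", argv[0]);
        return 2;
    }
    int fd = connect_from(argv[1], argv[2], argv[3]);
    /* On success, hand fd to OpenSSL, e.g. BIO_new_socket(fd, BIO_NOCLOSE). */
    printf("%s\n", fd >= 0 ? "connected" : "bind/connect failed");
    return fd >= 0 ? 0 : 1;
}
```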
