Ytdyklly

I'm using Mac OS X, I have tried the builtin openssl as well as the latest openssl from homebrew, but I still couldn't find a way to bind openssl s_server to a specific ip address, e.g. 127.0.0.42.

This page says:

-accept val The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.

But it doesn't work:

$ openssl s_server -accept '127.0.0.42:4433' -cert my.crt -key my.key

getservbyname failure for 127.0.0.42:4433

usage: s_server [args ...]



 -accept arg   - port to accept on (default is 4433)

 -context arg  - set session ID context

 -verify arg   - turn on peer certificate verification

 -Verify arg   - turn on peer certificate verification, must have a cert.

 -cert arg     - certificate file to use

                 (default is server.pem)

 -crl_check    - check the peer certificate has not been revoked by its CA.

                 The CRL(s) are appended to the certificate file

 -crl_check_all - check the peer certificate has not been revoked by its CA

                 or any other CRL in the CA chain. CRL(s) are appended to the

                 the certificate file.

 -certform arg - certificate format (PEM or DER) PEM default

 -key arg      - Private Key file to use, in cert file if

                 not specified (default is server.pem)

 -keyform arg  - key format (PEM, DER or ENGINE) PEM default

 -pass arg     - private key file pass phrase source

 -dcert arg    - second certificate file to use (usually for DSA)

 -dcertform x  - second certificate format (PEM or DER) PEM default

 -dkey arg     - second private key file to use (usually for DSA)

 -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default

 -dpass arg    - second private key file pass phrase source

 -dhparam arg  - DH parameter file to use, in cert file if not specified

                 or a default set of parameters is used

 -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.

                 Use "openssl ecparam -list_curves" for all names

                 (default is nistp256).

 -nbio         - Run with non-blocking IO

 -nbio_test    - test with the non-blocking test bio

...

The error says -accept can only specify port, not ip address, it's ridiculous.

What's going on here? is there any workaround?

I'm pretty sure you should'nt specify an ip-address. Do you only want to allow connections from one ip or why are you trying to specify it?

The port number should be enough, and to connect to your server you use the servers ip-address or 127.0.0.1 if its local.


This is the syntax for -accept option:
-accept port - the TCP port to listen on for connections. If not specified 4433 is used.

Taken from https://www.openssl.org/docs/man1.0.2/man1/openssl-s_server.html

You don't need to write your own code for this - use stunnel. stunnel will do all the crypto for you and give you a cleartext pipe on the other end.

Set up a service out of launchd to run stunnel when someone connects on the desired port. launchd can be told to listen to the desired IP address if you're willing to slog through the launchd.plist man page to figure that out. Alternatively, start the service with a shell script when you're doing your testing.