openssl s_server can't specify ip address to bind?
I'm using Mac OS X. I have tried the built-in openssl as well as the latest openssl from homebrew, but I still couldn't find a way to bind openssl s_server to a specific IP address, e.g. 127.0.0.42.
This page says:
-accept val The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.
But it doesn't work:
$ openssl s_server -accept '127.0.0.42:4433' -cert my.crt -key my.key
getservbyname failure for 127.0.0.42:4433
usage: s_server [args ...]
-accept arg - port to accept on (default is 4433)
-context arg - set session ID context
-verify arg - turn on peer certificate verification
-Verify arg - turn on peer certificate verification, must have a cert.
-cert arg - certificate file to use
(default is server.pem)
-crl_check - check the peer certificate has not been revoked by its CA.
The CRL(s) are appended to the certificate file
-crl_check_all - check the peer certificate has not been revoked by its CA
or any other CRL in the CA chain. CRL(s) are appended to the
the certificate file.
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private Key file to use, in cert file if
not specified (default is server.pem)
-keyform arg - key format (PEM, DER or ENGINE) PEM default
-pass arg - private key file pass phrase source
-dcert arg - second certificate file to use (usually for DSA)
-dcertform x - second certificate format (PEM or DER) PEM default
-dkey arg - second private key file to use (usually for DSA)
-dkeyform arg - second key format (PEM, DER or ENGINE) PEM default
-dpass arg - second private key file pass phrase source
-dhparam arg - DH parameter file to use, in cert file if not specified
or a default set of parameters is used
-named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.
Use "openssl ecparam -list_curves" for all names
(default is nistp256).
-nbio - Run with non-blocking IO
-nbio_test - test with the non-blocking test bio
...
The error says -accept can only specify a port, not an IP address, which is ridiculous.
What's going on here? Is there any workaround?
networking openssl
asked Feb 9 at 16:18
user996219
Why do you need an IP? The command expects just a port.
– Oleg
Feb 9 at 20:50
2 Answers
I'm pretty sure you shouldn't specify an IP address. Do you only want to allow connections from one IP, or why are you trying to specify it?
The port number should be enough, and to connect to your server you use the server's IP address, or 127.0.0.1 if it's local.
This is the syntax for the -accept option:
-accept port - the TCP port to listen on for connections. If not specified 4433 is used.
Taken from https://www.openssl.org/docs/man1.0.2/man1/openssl-s_server.html
edited Feb 9 at 16:33
answered Feb 9 at 16:27
wenzzzel
I'm reverse-engineering the non-HTTP TLS communication from an app. This is meant to be a simple MITM server to decrypt the communication with the help of a fake DNS server. I don't want other packets to go through this channel. Your edit is literally what I've already quoted in my question; it doesn't work.
– user996219
Feb 9 at 16:36
The syntax in your question is not the same as the one I wrote. Your syntax allows both port and host while mine only allows port. I see now that I'm reading from the manual for release 1.0.2 and you have posted a reference to the master release. What version are you using? If you're using 1.0.2, the host shouldn't be allowed to be specified in the -accept option.
– wenzzzel
Feb 9 at 16:48
You don't need to write your own code for this - use stunnel. stunnel will do all the crypto for you and give you a cleartext pipe on the other end.
Set up a service out of launchd to run stunnel when someone connects on the desired port. launchd can be told to listen to the desired IP address if you're willing to slog through the launchd.plist man page to figure that out. Alternatively, start the service with a shell script when you're doing your testing.
edited Feb 9 at 20:46
answered Feb 9 at 20:40
Velo Traveler
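Added example (not from this answer or the stunnel project): a minimal stunnel configuration that does what the answer describes, binding the TLS listener to the 127.0.0.42:4433 address from the question and handing the decrypted stream to a cleartext listener on loopback. The service name, the loopback port 8443 and the reuse of the question's my.crt/my.key are assumptions.

```ini
; stunnel.conf (constructed example): terminate TLS on one specific address
; and forward the cleartext to a local listener, e.g. `nc -l 127.0.0.1 8443`.

; stay attached to the terminal while testing, as the answer suggests,
; instead of running it from launchd
foreground = yes

; service name is arbitrary (assumption)
[tls-inspect]
; stunnel's accept option takes [host:]port, so the bind address can be
; pinned here instead of listening on *:4433 as s_server 1.0.2 does
accept = 127.0.0.42:4433
; where the decrypted bytes go; keep this on loopback so the cleartext
; side is never reachable from the network
connect = 127.0.0.1:8443
; server certificate and key from the question
cert = my.crt
key = my.key
; client = no is the default, which makes stunnel the TLS server side
```

Start it with `stunnel stunnel.conf`, then confirm the listener is bound only where intended, e.g. `lsof -nP -iTCP:4433 -sTCP:LISTEN` on macOS should show 127.0.0.42:4433 rather than *:4433.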