openssl s_server can't specify ip address to bind?












0















I'm using Mac OS X, I have tried the builtin openssl as well as the latest openssl from homebrew, but I still couldn't find a way to bind openssl s_server to a specific ip address, e.g. 127.0.0.42.



This page says:




-accept val The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.




But it doesn't work:



$ openssl s_server -accept '127.0.0.42:4433' -cert my.crt -key my.key
getservbyname failure for 127.0.0.42:4433
usage: s_server [args ...]

-accept arg - port to accept on (default is 4433)
-context arg - set session ID context
-verify arg - turn on peer certificate verification
-Verify arg - turn on peer certificate verification, must have a cert.
-cert arg - certificate file to use
(default is server.pem)
-crl_check - check the peer certificate has not been revoked by its CA.
The CRL(s) are appended to the certificate file
-crl_check_all - check the peer certificate has not been revoked by its CA
or any other CRL in the CA chain. CRL(s) are appended to the
the certificate file.
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private Key file to use, in cert file if
not specified (default is server.pem)
-keyform arg - key format (PEM, DER or ENGINE) PEM default
-pass arg - private key file pass phrase source
-dcert arg - second certificate file to use (usually for DSA)
-dcertform x - second certificate format (PEM or DER) PEM default
-dkey arg - second private key file to use (usually for DSA)
-dkeyform arg - second key format (PEM, DER or ENGINE) PEM default
-dpass arg - second private key file pass phrase source
-dhparam arg - DH parameter file to use, in cert file if not specified
or a default set of parameters is used
-named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.
Use "openssl ecparam -list_curves" for all names
(default is nistp256).
-nbio - Run with non-blocking IO
-nbio_test - test with the non-blocking test bio
...


The error says -accept can only specify port, not ip address, it's ridiculous.



What's going on here? is there any workaround?










share|improve this question























  • why do you need IP? the command expects just a port

    – Oleg
    Feb 9 at 20:50
















0















I'm using Mac OS X, I have tried the builtin openssl as well as the latest openssl from homebrew, but I still couldn't find a way to bind openssl s_server to a specific ip address, e.g. 127.0.0.42.



This page says:




-accept val The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.




But it doesn't work:



$ openssl s_server -accept '127.0.0.42:4433' -cert my.crt -key my.key
getservbyname failure for 127.0.0.42:4433
usage: s_server [args ...]

-accept arg - port to accept on (default is 4433)
-context arg - set session ID context
-verify arg - turn on peer certificate verification
-Verify arg - turn on peer certificate verification, must have a cert.
-cert arg - certificate file to use
(default is server.pem)
-crl_check - check the peer certificate has not been revoked by its CA.
The CRL(s) are appended to the certificate file
-crl_check_all - check the peer certificate has not been revoked by its CA
or any other CRL in the CA chain. CRL(s) are appended to the
the certificate file.
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private Key file to use, in cert file if
not specified (default is server.pem)
-keyform arg - key format (PEM, DER or ENGINE) PEM default
-pass arg - private key file pass phrase source
-dcert arg - second certificate file to use (usually for DSA)
-dcertform x - second certificate format (PEM or DER) PEM default
-dkey arg - second private key file to use (usually for DSA)
-dkeyform arg - second key format (PEM, DER or ENGINE) PEM default
-dpass arg - second private key file pass phrase source
-dhparam arg - DH parameter file to use, in cert file if not specified
or a default set of parameters is used
-named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.
Use "openssl ecparam -list_curves" for all names
(default is nistp256).
-nbio - Run with non-blocking IO
-nbio_test - test with the non-blocking test bio
...


The error says -accept can only specify port, not ip address, it's ridiculous.



What's going on here? is there any workaround?










share|improve this question























  • why do you need IP? the command expects just a port

    – Oleg
    Feb 9 at 20:50














0












0








0








I'm using Mac OS X, I have tried the builtin openssl as well as the latest openssl from homebrew, but I still couldn't find a way to bind openssl s_server to a specific ip address, e.g. 127.0.0.42.



This page says:




-accept val The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.




But it doesn't work:



$ openssl s_server -accept '127.0.0.42:4433' -cert my.crt -key my.key
getservbyname failure for 127.0.0.42:4433
usage: s_server [args ...]

-accept arg - port to accept on (default is 4433)
-context arg - set session ID context
-verify arg - turn on peer certificate verification
-Verify arg - turn on peer certificate verification, must have a cert.
-cert arg - certificate file to use
(default is server.pem)
-crl_check - check the peer certificate has not been revoked by its CA.
The CRL(s) are appended to the certificate file
-crl_check_all - check the peer certificate has not been revoked by its CA
or any other CRL in the CA chain. CRL(s) are appended to the
the certificate file.
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private Key file to use, in cert file if
not specified (default is server.pem)
-keyform arg - key format (PEM, DER or ENGINE) PEM default
-pass arg - private key file pass phrase source
-dcert arg - second certificate file to use (usually for DSA)
-dcertform x - second certificate format (PEM or DER) PEM default
-dkey arg - second private key file to use (usually for DSA)
-dkeyform arg - second key format (PEM, DER or ENGINE) PEM default
-dpass arg - second private key file pass phrase source
-dhparam arg - DH parameter file to use, in cert file if not specified
or a default set of parameters is used
-named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.
Use "openssl ecparam -list_curves" for all names
(default is nistp256).
-nbio - Run with non-blocking IO
-nbio_test - test with the non-blocking test bio
...


The error says -accept can only specify port, not ip address, it's ridiculous.



What's going on here? is there any workaround?










share|improve this question














I'm using Mac OS X, I have tried the builtin openssl as well as the latest openssl from homebrew, but I still couldn't find a way to bind openssl s_server to a specific ip address, e.g. 127.0.0.42.



This page says:




-accept val The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.




But it doesn't work:



$ openssl s_server -accept '127.0.0.42:4433' -cert my.crt -key my.key
getservbyname failure for 127.0.0.42:4433
usage: s_server [args ...]

-accept arg - port to accept on (default is 4433)
-context arg - set session ID context
-verify arg - turn on peer certificate verification
-Verify arg - turn on peer certificate verification, must have a cert.
-cert arg - certificate file to use
(default is server.pem)
-crl_check - check the peer certificate has not been revoked by its CA.
The CRL(s) are appended to the certificate file
-crl_check_all - check the peer certificate has not been revoked by its CA
or any other CRL in the CA chain. CRL(s) are appended to the
the certificate file.
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private Key file to use, in cert file if
not specified (default is server.pem)
-keyform arg - key format (PEM, DER or ENGINE) PEM default
-pass arg - private key file pass phrase source
-dcert arg - second certificate file to use (usually for DSA)
-dcertform x - second certificate format (PEM or DER) PEM default
-dkey arg - second private key file to use (usually for DSA)
-dkeyform arg - second key format (PEM, DER or ENGINE) PEM default
-dpass arg - second private key file pass phrase source
-dhparam arg - DH parameter file to use, in cert file if not specified
or a default set of parameters is used
-named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.
Use "openssl ecparam -list_curves" for all names
(default is nistp256).
-nbio - Run with non-blocking IO
-nbio_test - test with the non-blocking test bio
...


The error says -accept can only specify port, not ip address, it's ridiculous.



What's going on here? is there any workaround?







networking openssl






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Feb 9 at 16:18









user996219user996219

1




1













  • why do you need IP? the command expects just a port

    – Oleg
    Feb 9 at 20:50



















  • why do you need IP? the command expects just a port

    – Oleg
    Feb 9 at 20:50

















why do you need IP? the command expects just a port

– Oleg
Feb 9 at 20:50





why do you need IP? the command expects just a port

– Oleg
Feb 9 at 20:50










2 Answers
2






active

oldest

votes


















0














I'm pretty sure you should'nt specify an ip-address. Do you only want to allow connections from one ip or why are you trying to specify it?

The port number should be enough, and to connect to your server you use the servers ip-address or 127.0.0.1 if its local.


This is the syntax for -accept option:
-accept port - the TCP port to listen on for connections. If not specified 4433 is used.

Taken from https://www.openssl.org/docs/man1.0.2/man1/openssl-s_server.html






share|improve this answer


























  • I'm reverse-engineering the non-http tsl communication from an app. This is meant to be a simple mitm server to decrypt the communication with the help of a fake dns server. I don't want other packet to go through this channel. Your edit is literally what I've already quoted in my question, it doesn't work.

    – user996219
    Feb 9 at 16:36











  • The syntax in your question is not the same as the one I wrote. Your syntax allows both port and host while mine only allows port. I saw now that I'm reading from the manual for release 1.0.2 and you have posted a referernce to the master release. What version are you using? If your using 1.0.2, the host should'nt be allowed to be specified in the -accept option.

    – wenzzzel
    Feb 9 at 16:48





















0














You don't need to write your own code for this - use stunnel. stunnel will do all the crypto for you and give you a cleartext pipe on the other end.



Set up a service out of launchd to run stunnel when someone connects on the desired port. launchd can be told to listen to the desired IP address if you're willing to slog through the launchd.plist man page to figure that out. Alternatively, start the service with a shell script when you're doing your testing.






share|improve this answer

























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1403907%2fopenssl-s-server-cant-specify-ip-address-to-bind%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    I'm pretty sure you should'nt specify an ip-address. Do you only want to allow connections from one ip or why are you trying to specify it?

    The port number should be enough, and to connect to your server you use the servers ip-address or 127.0.0.1 if its local.


    This is the syntax for -accept option:
    -accept port - the TCP port to listen on for connections. If not specified 4433 is used.

    Taken from https://www.openssl.org/docs/man1.0.2/man1/openssl-s_server.html






    share|improve this answer


























    • I'm reverse-engineering the non-http tsl communication from an app. This is meant to be a simple mitm server to decrypt the communication with the help of a fake dns server. I don't want other packet to go through this channel. Your edit is literally what I've already quoted in my question, it doesn't work.

      – user996219
      Feb 9 at 16:36











    • The syntax in your question is not the same as the one I wrote. Your syntax allows both port and host while mine only allows port. I saw now that I'm reading from the manual for release 1.0.2 and you have posted a referernce to the master release. What version are you using? If your using 1.0.2, the host should'nt be allowed to be specified in the -accept option.

      – wenzzzel
      Feb 9 at 16:48


















    0














    I'm pretty sure you should'nt specify an ip-address. Do you only want to allow connections from one ip or why are you trying to specify it?

    The port number should be enough, and to connect to your server you use the servers ip-address or 127.0.0.1 if its local.


    This is the syntax for -accept option:
    -accept port - the TCP port to listen on for connections. If not specified 4433 is used.

    Taken from https://www.openssl.org/docs/man1.0.2/man1/openssl-s_server.html






    share|improve this answer


























    • I'm reverse-engineering the non-http tsl communication from an app. This is meant to be a simple mitm server to decrypt the communication with the help of a fake dns server. I don't want other packet to go through this channel. Your edit is literally what I've already quoted in my question, it doesn't work.

      – user996219
      Feb 9 at 16:36











    • The syntax in your question is not the same as the one I wrote. Your syntax allows both port and host while mine only allows port. I saw now that I'm reading from the manual for release 1.0.2 and you have posted a referernce to the master release. What version are you using? If your using 1.0.2, the host should'nt be allowed to be specified in the -accept option.

      – wenzzzel
      Feb 9 at 16:48
















    0












    0








    0







    I'm pretty sure you should'nt specify an ip-address. Do you only want to allow connections from one ip or why are you trying to specify it?

    The port number should be enough, and to connect to your server you use the servers ip-address or 127.0.0.1 if its local.


    This is the syntax for -accept option:
    -accept port - the TCP port to listen on for connections. If not specified 4433 is used.

    Taken from https://www.openssl.org/docs/man1.0.2/man1/openssl-s_server.html






    share|improve this answer















    I'm pretty sure you should'nt specify an ip-address. Do you only want to allow connections from one ip or why are you trying to specify it?

    The port number should be enough, and to connect to your server you use the servers ip-address or 127.0.0.1 if its local.


    This is the syntax for -accept option:
    -accept port - the TCP port to listen on for connections. If not specified 4433 is used.

    Taken from https://www.openssl.org/docs/man1.0.2/man1/openssl-s_server.html







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Feb 9 at 16:33

























    answered Feb 9 at 16:27









    wenzzzelwenzzzel

    1263




    1263













    • I'm reverse-engineering the non-http tsl communication from an app. This is meant to be a simple mitm server to decrypt the communication with the help of a fake dns server. I don't want other packet to go through this channel. Your edit is literally what I've already quoted in my question, it doesn't work.

      – user996219
      Feb 9 at 16:36











    • The syntax in your question is not the same as the one I wrote. Your syntax allows both port and host while mine only allows port. I saw now that I'm reading from the manual for release 1.0.2 and you have posted a referernce to the master release. What version are you using? If your using 1.0.2, the host should'nt be allowed to be specified in the -accept option.

      – wenzzzel
      Feb 9 at 16:48





















    • I'm reverse-engineering the non-http tsl communication from an app. This is meant to be a simple mitm server to decrypt the communication with the help of a fake dns server. I don't want other packet to go through this channel. Your edit is literally what I've already quoted in my question, it doesn't work.

      – user996219
      Feb 9 at 16:36











    • The syntax in your question is not the same as the one I wrote. Your syntax allows both port and host while mine only allows port. I saw now that I'm reading from the manual for release 1.0.2 and you have posted a referernce to the master release. What version are you using? If your using 1.0.2, the host should'nt be allowed to be specified in the -accept option.

      – wenzzzel
      Feb 9 at 16:48



















    I'm reverse-engineering the non-http tsl communication from an app. This is meant to be a simple mitm server to decrypt the communication with the help of a fake dns server. I don't want other packet to go through this channel. Your edit is literally what I've already quoted in my question, it doesn't work.

    – user996219
    Feb 9 at 16:36





    I'm reverse-engineering the non-http tsl communication from an app. This is meant to be a simple mitm server to decrypt the communication with the help of a fake dns server. I don't want other packet to go through this channel. Your edit is literally what I've already quoted in my question, it doesn't work.

    – user996219
    Feb 9 at 16:36













    The syntax in your question is not the same as the one I wrote. Your syntax allows both port and host while mine only allows port. I saw now that I'm reading from the manual for release 1.0.2 and you have posted a referernce to the master release. What version are you using? If your using 1.0.2, the host should'nt be allowed to be specified in the -accept option.

    – wenzzzel
    Feb 9 at 16:48







    The syntax in your question is not the same as the one I wrote. Your syntax allows both port and host while mine only allows port. I saw now that I'm reading from the manual for release 1.0.2 and you have posted a referernce to the master release. What version are you using? If your using 1.0.2, the host should'nt be allowed to be specified in the -accept option.

    – wenzzzel
    Feb 9 at 16:48















    0














    You don't need to write your own code for this - use stunnel. stunnel will do all the crypto for you and give you a cleartext pipe on the other end.



    Set up a service out of launchd to run stunnel when someone connects on the desired port. launchd can be told to listen to the desired IP address if you're willing to slog through the launchd.plist man page to figure that out. Alternatively, start the service with a shell script when you're doing your testing.






    share|improve this answer






























      0














      You don't need to write your own code for this - use stunnel. stunnel will do all the crypto for you and give you a cleartext pipe on the other end.



      Set up a service out of launchd to run stunnel when someone connects on the desired port. launchd can be told to listen to the desired IP address if you're willing to slog through the launchd.plist man page to figure that out. Alternatively, start the service with a shell script when you're doing your testing.






      share|improve this answer




























        0












        0








        0







        You don't need to write your own code for this - use stunnel. stunnel will do all the crypto for you and give you a cleartext pipe on the other end.



        Set up a service out of launchd to run stunnel when someone connects on the desired port. launchd can be told to listen to the desired IP address if you're willing to slog through the launchd.plist man page to figure that out. Alternatively, start the service with a shell script when you're doing your testing.






        share|improve this answer















        You don't need to write your own code for this - use stunnel. stunnel will do all the crypto for you and give you a cleartext pipe on the other end.



        Set up a service out of launchd to run stunnel when someone connects on the desired port. launchd can be told to listen to the desired IP address if you're willing to slog through the launchd.plist man page to figure that out. Alternatively, start the service with a shell script when you're doing your testing.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Feb 9 at 20:46

























        answered Feb 9 at 20:40









        Velo TravelerVelo Traveler

        1294




        1294






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1403907%2fopenssl-s-server-cant-specify-ip-address-to-bind%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            Is this a new Fibonacci Identity?

            19世紀