Thanks Dave... In my test scenario, I am using a firewall between the client and server machines, and the firewall supports SSL certificate caching. The main thing here is to test the firewall for SSL certificate caching, so I wanted to establish multiple SSL connections from a single Linux PC to the same server.
That's the reason I was asking whether it's possible to send multiple SSL connections from a single host. Please do let me know if there are any ways to test this scenario.

Thanks,
Sharan

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Thursday, October 11, 2012 1:18 AM
To: openssl-users@openssl.org
Subject: RE: SSL Certificate Caching

> From: owner-openssl-us...@openssl.org On Behalf Of Sharanagoud B D
> Sent: Tuesday, 09 October, 2012 06:39

> Is there an option to specify a source interface along with openssl
> s_client option to establish multiple HTTP Connections from single
> linux device? This is required to test certificate caching scenario
> where need to have multiple clients trying to connect to a same
> server.
>
> For Ex: specify eth1:1, eth1:2..etc...
>

0. s_client doesn't do HTTP connections. It does SSL/TLS, only. If you feed it HTTP input (manually or from a file or program), you've got HTTPS. (s_server -www can do some minimal HTTPS.)

1. You can't specify an interface. You can't even specify a "bind" (local) address, which is how the usual socket interface (used by openssl) maps to a local interface.

2. You can have multiple connections from one client IP address to a given server IP address, because nearly all clients including s_client get a unique port. Does the server need to see different addresses? If so, that will cause problems when used with NATted clients, which many these days are, especially on the public net.

3. If your server listens/accepts at multiple addresses, on a different subnet for each interface -- and listen-all (0.0.0.0 or ::0) is usually the default -- your IP stack should automatically use the matching client address.

4. If you can run virtual machines for the clients, you may be able to assign only selected interfaces and addresses to those virtual machines. This will depend on the particulars of the virtual machine software and I can't help there.

5. Or just use multiple real machines. Simple and foolproof.

But do you really need this?

If you are concerned about server behavior, you don't need s_client to test it; you can write a trivial program using openssl (which can bind), or find other client software. I've heard rumors perl or gawk can do such things, and I believe are standard on Linux. Java can definitely do it with about 20 lines of code -- that's what I use -- and is pretty easy to install (if you can install software at all).

If you are concerned about s_client behavior, it doesn't do any caching by itself. It uses exactly and only what's in static files that you can look at.

Or it occurs to me, are you thinking about *session* caching (rather than certificates)? openssl library does support session caching within a process, or through some kind of shared storage, but s_client will only re-use a session if you explicitly specify -sess_out and -sess_in.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
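
A small client of the kind Dave describes, one that binds its local address before the TLS handshake, as an added example (not code from this thread or from the OpenSSL project). It uses Python's ssl module instead of s_client; the addresses are constructed lab values and assume the alias addresses already exist on the client.

```python
import hashlib
import socket
import ssl


def connect_from(src_ip, host, port, timeout=5.0):
    """TCP-connect to host:port with the local end bound to src_ip.

    Source port 0 lets the kernel pick a unique ephemeral port, so repeated
    calls give distinct connections even from a single source address.
    """
    return socket.create_connection((host, port), timeout=timeout,
                                    source_address=(src_ip, 0))


def probe(src_ip, host, port, ctx):
    """One full TLS handshake from src_ip; report the certificate presented."""
    with connect_from(src_ip, host, port) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {"local": tls.getsockname()[:2],
                    "version": tls.version(),
                    "cert_sha256": hashlib.sha256(der).hexdigest()}


def run(src_ips, host, port, per_ip=3):
    """Handshake per_ip times from each source address and collect results."""
    ctx = ssl.create_default_context()
    # Assumption: a lab server with a test certificate, so chain and hostname
    # verification are off; never do this against production endpoints.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    results = [probe(ip, host, port, ctx)
               for ip in src_ips for _ in range(per_ip)]
    # More than one fingerprint means the connections were not all presented
    # the same certificate along the path.
    return results, {r["cert_sha256"] for r in results}


if __name__ == "__main__":
    # Constructed values: two alias addresses on the client, one lab server.
    results, fingerprints = run(["192.0.2.11", "192.0.2.12"], "192.0.2.1", 443)
    for r in results:
        print(r["local"], r["version"], r["cert_sha256"][:16])
    print("distinct certificates seen:", len(fingerprints))
```

No session is passed to wrap_socket, so every connection is a full handshake in which the certificate is sent again.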