Use openssl s_server as a reverse proxy
Is it somehow possible to use openssl s_server as a kind of reverse proxy by forwarding all data after the handshake to a different port?
To be more concrete, I would like to create a simple tftp-over-dtls setting for testing purposes.
No, it is not.
Because openssl s_server only does TCP, as mentioned in the output of man s_server:
    DESCRIPTION
        The s_server command implements a generic SSL/TLS server which listens for connections on a given port using SSL/TLS.
    OPTIONS
        -accept port
            the TCP port to listen on for connections. If not specified 4433 is used.
TFTP uses UDP (see https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol, http://www.faqs.org/rfcs/rfc1350.html), so I can’t see how you would make this work.
nginx might be able to do what you are looking for, however.
According to /etc/services, an IANA assignment exists for TFTPS, but I can find no RFCs or other documentation about it.
Edit
As pointed out in comments – s_server does (in some openSSL releases, e.g. 1.1.0) support DTLS: https://www.openssl.org/docs/man1.1.0/apps/s_server.html.
This is not the case for all openSSL releases though – 1.0.2 (https://www.openssl.org/docs/man1.0.2/apps/s_server.html) and 1.0.1 (https://www.openssl.org/docs/man1.0.1/apps/s_server.html) do not support DTLS.
Yes, using sufficiently recent OpenSSL and Bash, you can redirect input and output of the “s_server” command to a socket. On the (proxy) server you could run:
exec 3<> /dev/udp/mytftpserver.com/69; openssl s_server -dtls -port 1069 -key x.key -cert x.cert -quiet <&3 >&3
On the client side start communicating to the proxy server, port 1069, with your DTLS capable TFTP client:
openssl s_client -dtls -connect myproxyserver.com:1069
However, for TFTP an actual file transfer would originate from a port other than 69; for that, the then established DTLS association would most likely not be usable.
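To make that last caveat concrete: the bash redirection above connect()s a UDP socket to port 69, but a TFTP server answers from a freshly chosen port (its transfer identifier, per RFC 1350 linked above), and a connected UDP socket silently discards datagrams from any other peer. The following Python demonstration is added here and is not code from either answer; it uses a constructed fake TFTP server on loopback (constructed RRQ and DATA packets) to show that a connected socket never sees the DATA reply while an unconnected one does.

```python
import socket
import threading

# Constructed sample request: TFTP RRQ for "hello.txt" in octet mode (opcode 1).
RRQ = b"\x00\x01" + b"hello.txt\x00" + b"octet\x00"

def fake_tftp_server(listen_sock):
    """Constructed stand-in for a TFTP daemon: takes the RRQ on its well-known
    socket, then answers DATA block 1 from a *different*, freshly bound port,
    as RFC 1350 prescribes for the server's transfer identifier (TID)."""
    _, client = listen_sock.recvfrom(516)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as reply_sock:
        reply_sock.bind(("127.0.0.1", 0))            # new TID, not the listen port
        reply_sock.sendto(b"\x00\x03\x00\x01" + b"hello\n", client)  # DATA, block 1

def probe(connected):
    """Send the RRQ to the fake server and report whether the DATA reply arrives.
    connected=True mirrors bash's /dev/udp/host/69 redirection, which connect()s
    the socket to port 69 so the kernel drops datagrams from any other peer."""
    listen_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen_sock.bind(("127.0.0.1", 0))               # stands in for port 69
    server_addr = listen_sock.getsockname()
    worker = threading.Thread(target=fake_tftp_server, args=(listen_sock,))
    worker.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(1.0)
    try:
        if connected:
            client.connect(server_addr)
            client.send(RRQ)
        else:
            client.sendto(RRQ, server_addr)
        data, peer = client.recvfrom(516)
        # The reply really does come from a port other than the one we sent to.
        return data.startswith(b"\x00\x03") and peer[1] != server_addr[1]
    except socket.timeout:
        return False
    finally:
        worker.join()
        client.close()
        listen_sock.close()

if __name__ == "__main__":
    print("unconnected socket gets DATA reply:", probe(False))  # True
    print("connected socket gets DATA reply:  ", probe(True))   # False
```

A relay placed between s_server and the TFTP daemon therefore has to learn the server's new port from its first reply, which the single connected descriptor in the one-liner cannot do.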