Use openssl s_server as a reverse proxy

Posted on

Use openssl s_server as a reverse proxy – A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack — an ordered selection of software that makes it possible to complete a particular task. Like in this post about Use openssl s_server as a reverse proxy was one problem in server stack that need for a solution. Below are some tips in manage your linux server when you find problem about linux, ssl, reverse-proxy, openssl, port-forwarding.

Is it somehow possible to use openssl s_server as a kind of reverse proxy by forwarding all data after the handshake to a different port.

To be more concrete, I would like to create a simple tftp-over-dtls setting for testing purposes.

No, it is not.

Because openssl s_server only does TCP, as mentioned in the output of man s_server:

       The s_server command implements a generic SSL/TLS server which listens for connections on a given port using SSL/TLS.

       -accept port
           the TCP port to listen on for connections. If not specified 4433 is used.

TFTP uses UDP (see,, so I can’t see how you would make this work.

nginx might be able to do what you are looking for, however.

According to /etc/services, an IANA assignment exists for TFTPS, but I can find no RFCs or other documentation about it.


As pointed out in comments – s_server does (in some openSSL releases, e.g. 1.1.0) support DTLS:

This is not the case for all openSSL releases though – 1.0.2 ( and 1.0.1 ( do not support DTLS.

Yes, using sufficiently recent OpenSSL and Bash, you can redirect input and output of the “s_server” command to a socket. On the (proxy) server you could run:

exec 3<> /dev/udp/; openssl s_server -dtls -port 1069 
  -key x.key -cert x.cert -quiet <&3 >&3

On the client side start communicating to the proxy server, port 1069, with your DTLS capable TFTP client:

openssl s_client -dtls -connect

However for TFTP an actual file transfer would originate from a port other than 69, for that the then established DTLS association would not be usable most likely.

Leave a Reply

Your email address will not be published. Required fields are marked *