Topic: [SOLVED] setup multiple TLS connection on the same IP and port

Hi,
   Our product has a requirement: it should establish two different TLS tunnels between client and server on the same IP address and port!
   Before this, I haven't had any experience with this situation. I searched for related information on Google and found that SNI (Server Name Indication) may be able to meet this requirement. Below is my assumption; please help me review it. Is it possible?

   In the wolfSSL library there is one macro named "HAVE_SNI". If I enable this macro and set a different server name for each of these two TLS connections, then the client/server will receive the correct data for the different tunnels (maybe the wolfSSL API has already implemented this).

   But to my understanding, for the same IP address/port we can only bind one socket. So, how can we create two TLS connections in a single-threaded environment? What I mean is: can we use the same TLS context (WOLFSSL_CTX* type) and create two SSL (WOLFSSL* type) connections based on this context?

   If my assumption is not possible, please give me some suggestion.
    Thank you very much!


Re: [SOLVED] setup multiple TLS connection on the same IP and port

Hi cxdinter,

Could you provide further details on the project and end goals so I can better answer your question? It's not entirely clear.


1. Are you on the server side hosting multiple domains?
    I ask because you mentioned SNI. The use-case for SNI is that you are on the server side hosting multiple domains, i.e.:
    https://www.cats.com  (IP 123.456.78.910)
    https://www.dogs.com (IP 123.456.78.910)
    https://www.cars.com  (IP 123.456.78.910)

    Therefore you need Server Name Indication to determine which domain the client is trying to reach at that IP.

2. Are you using a web server?
    Typically a client will connect on 443 using an ephemeral port (random port). Server identifies the client uniquely based on the tuple: source ip, source port, destination ip, destination port, and protocol. Otherwise the server would only ever be able to service one client at a time, not ideal. Most servers are already set up to handle this and you should not need to concern yourself if you are not on the server side.

Your use-case is not entirely clear. The mention of SNI may be clouding your intended question. Please clarify this a little more if possible.


Regards,

Kaleb

3 (edited by cxdinter 2016-11-28 17:46:43)

Re: [SOLVED] setup multiple TLS connection on the same IP and port

Hi Kaleb,
    Sorry, based on your explanation, I think I had a wrong understanding of our product requirement.
    But how can the server recognize which client the current connect request is from? Could you please explain the related mechanism? I am not familiar with this situation.

Requirement: In order to enable standard HTTP communications over TLS on port 443 (and other https ports) and additional WebSocket communications over TLS on port 443 (and other wss ports) the client has to establish 2 HTTP/TLS connections and upgrade the second one to WebSocket. The client uses equal TLS credentials for both TLS tunnels. This way the server knows both TLS tunnels established per client.
Note: The client device needs 2 HTTP/TLS connections per „app“ and server port number. In this sense, each „app“ running on the connected device represents an independent client and has to use an own certificate.


Re: [SOLVED] setup multiple TLS connection on the same IP and port

Hi cxdinter,

OK, you are on the client side.

I will try to clarify a bit more. When a client makes a connection to a server you don't ever assign a specific port to the client, it is assigned randomly when you create your socket (ephemeral port assignment). So you would have to create two unique sockets for the two tunnels.

The server identifies a client uniquely by a tuple. The tuple will contain the random port it was assigned. The server can differentiate between the two connections based on the tuple. So you would call connect twice as the requirement states, once per socket, and then upgrade one of the two connections to a websocket. The requirement does not mention that SNI is part of the differentiation so I think it is safe to assume it already knows how to handle this setup. The server should handle forwarding the websocket connection packets to the websocket service and the non-websocket packets to the non-websocket service.


Regards,

Kaleb
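To make the "two sockets, one context" point above concrete, here is an added example that is not from this thread and not wolfSSL code: it uses Go's standard crypto/tls instead, because that runs with no external library and the mechanism is the same. One shared client config (the counterpart of a single WOLFSSL_CTX) dials the same 127.0.0.1:port twice, each dial gets its own socket and therefore its own OS-assigned ephemeral port (the counterpart of one WOLFSSL object per connection), and the server records the client IP:port half of the tuple and the SNI it saw on each. The names http.example and ws.example, the loopback address and the self-signed certificate are all made up for this example; the SNI values are set only to show that SNI rides on top of the tuple and plays no part in telling the two connections apart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// tunnelInfo is what the server learned about one accepted TLS connection.
type tunnelInfo struct {
	Remote     string // client IP:ephemeral-port, the half of the tuple the client never chose
	ServerName string // SNI from the ClientHello; independent of the socket tuple
}

// selfSignedCert builds a throwaway server certificate for this example only
// (constructed on the fly, unrelated to any real deployment).
func selfSignedCert(names []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     names, // hypothetical names, one per tunnel
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// serveN accepts n TLS connections on one listening port, finishes each handshake,
// and reports the remote tuple half plus SNI the server saw for each of them.
func serveN(ln net.Listener, n int) <-chan tunnelInfo {
	out := make(chan tunnelInfo, n)
	go func() {
		defer close(out)
		for i := 0; i < n; i++ {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			tc := c.(*tls.Conn)
			if err := tc.Handshake(); err != nil {
				c.Close()
				continue
			}
			out <- tunnelInfo{Remote: tc.RemoteAddr().String(), ServerName: tc.ConnectionState().ServerName}
			tc.Write([]byte("ok\n")) // tells the client the server side is finished
			tc.Close()
		}
	}()
	return out
}

// openTunnels dials the same addr once per server name from one shared base config
// (like several WOLFSSL objects from one WOLFSSL_CTX) and returns the local
// IP:ephemeral-port the OS picked for each socket.
func openTunnels(addr string, base *tls.Config, serverNames []string) ([]string, error) {
	var locals []string
	for _, sn := range serverNames {
		cfg := base.Clone()
		cfg.ServerName = sn // per-connection SNI; the socket tuple is unaffected by it
		conn, err := tls.Dial("tcp", addr, cfg)
		if err != nil {
			return nil, err
		}
		locals = append(locals, conn.LocalAddr().String())
		io.ReadAll(conn) // wait for the server's "ok" and its close_notify
		conn.Close()
	}
	return locals, nil
}

// demo runs the whole exchange on loopback; infos[i] is the server's view of the
// i-th tunnel and locals[i] the client's view of the same socket.
func demo() ([]tunnelInfo, []string, error) {
	names := []string{"http.example", "ws.example"}
	cert, err := selfSignedCert(names)
	if err != nil {
		return nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, nil, err
	}
	defer ln.Close()
	seen := serveN(ln, len(names))

	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	base := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	locals, err := openTunnels(ln.Addr().String(), base, names)
	if err != nil {
		return nil, nil, err
	}
	var infos []tunnelInfo
	for ti := range seen {
		infos = append(infos, ti)
	}
	return infos, locals, nil
}

func main() {
	infos, locals, err := demo()
	if err != nil {
		panic(err)
	}
	for i, ti := range infos {
		fmt.Printf("tunnel %d: server saw %s (SNI %q); client socket %s\n", i+1, ti.Remote, ti.ServerName, locals[i])
	}
}
```

Both tunnels target one server IP and one server port, yet the two `Remote` values the server records differ in the client port, which is the only thing it needs to keep them apart; the SNI values are recorded alongside purely to show they are a separate, optional layer.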

Re: [SOLVED] setup multiple TLS connection on the same IP and port

Hi cxdinter,

I also wanted to point out in case it was unclear. A port and a socket are two different things. I was reviewing my response from yesterday and I never explicitly noted that. My response could be confusing if that is not clear. A socket is not a port. A port is used in the tuple to assist the server in differentiating between client connections. A socket is not used to uniquely identify a client.

Regards,

Kaleb

6 (edited by cxdinter 2016-11-30 17:46:30)

Re: [SOLVED] setup multiple TLS connection on the same IP and port

Hi Kaleb,

I understood now.
Thank you very much!

But there are two wolfSSL APIs which are used for TCP connect. Both of them have the parameter 'port'. Why? (One is in io.c, the other is in test.h.)
I researched these two functions, and according to your description the parameter 'port' seems not to be necessary.

static int tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port)
static INLINE void tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port,
                               int udp, int sctp, WOLFSSL* ssl)


Re: [SOLVED] setup multiple TLS connection on the same IP and port

Hi cxdinter,

tcp_connect is the client side API for connecting to a server. To connect to the server you need to know which port the server is listening on for the protocol you intend to connect with thus the argument "port" in the API call to tcp_connect.

So for example if you were to use wolfTLSv1_2_client_method and pass in port 22 to tls_connect then you would be attempting to connect to a port on the server that supports SSH and not TLS. I would expect this to fail. If however you were to change that port number to 443, the standard port for secure http (HTTPS), I would expect this to work as long as the client and server were able to agree on a common cipher suite and the server and client both supported TLS v1.2.

Does that clear things up a bit? Client will be using an ephemeral (randomly assigned) port to send messages out from your computer. The call to tls_connect requires a port argument to know the destination port those messages will be sent to on the server. Without specifying a destination port the packets would never arrive at their intended destination.

Warm Regards,

Kaleb

Re: [SOLVED] setup multiple TLS connection on the same IP and port

Hi Kaleb,

I fully understand now.
Thank you very much.
This topic can be closed.


Re: [SOLVED] setup multiple TLS connection on the same IP and port

Hi cxdinter,

No problem, thank you so much for using the wolfSSL forums! Please don't hesitate to reach out if you have any other questions!


Warmest Regards,

Kaleb