> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Chethan Kumar > Sent: Monday, May 20, 2019 04:22 > I wanted to log end point’s IP address during some errors in communication > using openssl. > Initially when I tried getpeername() on SSL context, its giving proxy > server’s IP and not destination IP. The proxy server address *is* the peer address. Proxies terminate TLS conversations. The client has a TLS conversation with the proxy, and the proxy may have a separate TLS conversation with the origin server. (Or with whatever the next application-level node in the chain is; there can be multiple proxies, gateways, etc.) If it didn't do TLS termination, it wouldn't be a proxy, but a router. If you have a node that's doing routing at level 4 (copying data between two TCP connections) but not doing TLS termination, there's no way to get the IP addresses of the endpoints of the other connection from the stack. That information has to be provided at the application level. (Techincal quibble: "Level 4 routing" is a somewhat dubious concept in TCP/IP, since TCP straddles OSI levels 4 and 5. But applications which forward data between TCP conversations are traditionally connsidered level-4 routers. Also, note some level-4 routing packages do TLS termination - stunnel in its base mode is an example. A level-4 router may or may not do TLS termination.) -- Michael Wojcik Distinguished Engineer, Micro Focus
