glenda.party
TLSSRV(8)                   System Manager's Manual                  TLSSRV(8)



NAME
       tlssrv,  tlsclient,  tlssrvtunnel,  tlsclienttunnel  -  TLS  server and
       client

SYNOPSIS
       tlssrv [ -c cert.pem ] [ -l logfile ] [ -r remotesys ] cmd [  args  ...
       ]

       tlsclient [ -D ] [ -c cert.pem ] [ -t trustedkeys ] [ -x excludedkeys ]
       address

       tlssrvtunnel plain-addr crypt-addr cert.pem

       tlsclienttunnel crypt-addr plain-addr trustedkeys

DESCRIPTION
       Tlssrv is a helper program, typically exec'd in a /bin/service file  to
       establish an SSL or TLS connection before launching cmd args; a typical
       command might start the IMAP or HTTP server.  Cert.pem  is  the  server
       certificate;  factotum(4)  should  hold  the corresponding private key.
       The specified logfile is by convention  the  same  as  for  the  target
       server.  Remotesys is mainly used for logging.

       Tlsclient  is  the reverse of tlssrv: it dials address, starts TLS, and
       then relays between the network connection and standard input and
       output.  The -D flag enables some debug output.  Specifying a
       certificate in pem(8) format with the -c flag causes the client to
       submit this certificate upon the server's request.  A corresponding
       key has to be
       present in factotum(4).  If the -t flag (and, optionally, the -x  flag)
       is  given,  the  remote  server  must  present a key whose SHA1 hash is
       listed in the file trustedkeys but not in the file  excludedkeys.   See
       thumbprint(6) for more information.
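       The trustedkeys/excludedkeys rule above, as an added example that is
       not part of this manual page or of the Plan 9 sources.  It assumes
       the thumbprint(6) line form "x509 sha1=<40 hex digits>" with '#'
       comments, and that the hash is SHA1 over the DER certificate bytes;
       the certificate and both files are constructed sample data.

```python
import hashlib
import re

# Constructed stand-in for a DER-encoded server certificate (not a real cert).
SERVER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-certificate-body"

# Assumed thumbprint(6) line form: "x509 sha1=<40 hex digits>".
_THUMB_LINE = re.compile(r"^x509\s+sha1=([0-9a-fA-F]{40})$")


def thumbprint(cert_der: bytes) -> str:
    """Hex SHA1 of the certificate bytes, as recorded in a thumbprint file."""
    return hashlib.sha1(cert_der).hexdigest()


def load_thumbprints(text: str) -> set:
    """Parse a thumbprint file: blank lines and '#' comments are skipped,
    anything that is not a well-formed x509 sha1 line is rejected outright
    rather than silently ignored (a typo must not widen the trust set)."""
    hashes = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _THUMB_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an x509 sha1 thumbprint: {raw!r}")
        hashes.add(m.group(1).lower())
    return hashes


def server_trusted(cert_der: bytes, trusted_text: str, excluded_text: str = "") -> bool:
    """tlsclient -t/-x rule: the server's hash must appear in trustedkeys
    and must not appear in excludedkeys (exclusion wins)."""
    h = thumbprint(cert_der)
    return h in load_thumbprints(trusted_text) and h not in load_thumbprints(excluded_text)


# Constructed sample files, in the role of /sys/lib/tls/mail and an exclusion list.
TRUSTED = f"""
# pinned mail servers (constructed sample)
x509 sha1={thumbprint(SERVER_CERT_DER)}
x509 sha1={'0' * 40}   # some other pinned server
"""
EXCLUDED = f"x509 sha1={thumbprint(SERVER_CERT_DER)}   # revoked after key compromise\n"

if __name__ == "__main__":
    print("trusted only:", server_trusted(SERVER_CERT_DER, TRUSTED))
    print("trusted but excluded:", server_trusted(SERVER_CERT_DER, TRUSTED, EXCLUDED))
```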

       Tlssrvtunnel and tlsclienttunnel use these tools and listen1 (see
       listen(8)) to provide TLS network tunnels, allowing legacy
       applications to take advantage of TLS encryption.

EXAMPLES
       Listen   for  TLS-encrypted  IMAP  by  creating  a  server  certificate
       /sys/lib/tls/imap.pem and a  listener  script  /bin/service.auth/tcp993
       containing:

              #!/bin/rc
              exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
                  /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \
                  >[2]/sys/log/imap4d

       Interact   with   the   server,   putting  the  appropriate  hash  into
       /sys/lib/tls/mail and running:

              tlsclient -t /sys/lib/tls/mail tcp!server!imaps

       Create a TLS-encrypted VNC connection from a client  on  kremvax  to  a
       server on moscvax:

              mosc% vncs -d :3
              mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \
                      /usr/you/lib/cert.pem
              krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \
                      /usr/you/lib/cert.thumb
              krem% vncv kremvax:5

       (The  port  numbers passed to the VNC tools are offset by 5900 from the
       actual TCP port numbers.)

FILES
       /sys/lib/tls

SOURCE
       /sys/src/cmd/tlssrv.c
       /sys/src/cmd/tlsclient.c
       /rc/bin/tlssrvtunnel
       /rc/bin/tlsclienttunnel

SEE ALSO
       factotum(4), listen(8), rsa(8)
       Unix's stunnel
