TLSSRV(8)                   System Manager's Manual                  TLSSRV(8)



NAME
       tlssrv,  tlsclient,  tlssrvtunnel,  tlsclienttunnel  -  TLS  server and
       client

SYNOPSIS
       tlssrv [ -c cert.pem ] [ -l logfile ] [ -r remotesys ] cmd [ args ... ]

       tlsclient [ -t trustedkeys ] [ -x excludedkeys ] address

       tlssrvtunnel plain-addr crypt-addr cert.pem

       tlsclienttunnel crypt-addr plain-addr trustedkeys

DESCRIPTION
       Tlssrv  is a helper program, typically exec'd in a /bin/service file to
       establish an SSL or TLS connection before launching cmd args; a typical
       command  might  start  the IMAP or HTTP server.  Cert.pem is the server
       certificate; factotum(4) should hold  the  corresponding  private  key.
       The  specified  logfile  is  by  convention  the same as for the target
       server.  Remotesys is mainly used for logging.

       Tlsclient is the reverse of tlssrv: it dials address, starts TLS, and
       then relays between the network connection and standard input and
       output.  If the -t flag (and, optionally, the -x flag) is given, the
       remote server must present a key whose SHA1 hash is listed in the file
       trustedkeys but not in the file excludedkeys.  See thumbprint(6) for
       more information.
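       The -t/-x acceptance rule above, as an added example in Python (not
       code from tlsclient.c): it hashes the certificate bytes the server
       presented with SHA1 and accepts only a thumbprint that is listed in
       trustedkeys and absent from excludedkeys.  The 'x509 sha1=<hex>' line
       format is assumed from thumbprint(6); the certificate bytes and both
       files are constructed inline, and '#include' lines are not handled.

```python
import hashlib

# Constructed stand-in for the DER-encoded X.509 certificate the server sends
# during the handshake (tlsclient hashes those raw certificate bytes).
SERVER_CERT_DER = b"\x30\x82\x01\x00 constructed stand-in, not a real certificate"


def cert_thumbprint(der: bytes) -> str:
    """SHA1 of the certificate bytes, lowercase hex, as listed in a thumbprint file."""
    return hashlib.sha1(der).hexdigest()


def parse_thumbprints(text: str) -> set:
    """Collect sha1 thumbprints from thumbprint(6)-style text.

    Assumed line format: 'x509 sha1=<hex>'; '#' starts a comment.  The real
    file also allows '#include file', which this simplified parser ignores.
    """
    thumbs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] != "x509":                   # only x509 entries matter here
            continue
        for field in fields[1:]:
            if field.startswith("sha1="):
                thumbs.add(field[len("sha1="):].lower())
    return thumbs


def server_trusted(der: bytes, trusted_text: str, excluded_text: str = "") -> bool:
    """tlsclient -t/-x rule: accept only if the hash is in trustedkeys
    and not in excludedkeys (an empty excludedkeys excludes nothing)."""
    h = cert_thumbprint(der)
    return h in parse_thumbprints(trusted_text) and h not in parse_thumbprints(excluded_text)


# Constructed thumbprint files for the demonstration.
TRUSTED = "# constructed trustedkeys\nx509 sha1=" + cert_thumbprint(SERVER_CERT_DER) + "\n"
EXCLUDED = "# constructed excludedkeys revoking the same key\nx509 sha1=" + cert_thumbprint(SERVER_CERT_DER) + "\n"

if __name__ == "__main__":
    print("trusted only:", server_trusted(SERVER_CERT_DER, TRUSTED))             # True
    print("trusted but excluded:", server_trusted(SERVER_CERT_DER, TRUSTED, EXCLUDED))  # False
```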

       Tlssrvtunnel and tlsclienttunnel use these tools and listen1 (see
       listen(8)) to provide TLS network tunnels, allowing legacy applications
       to take advantage of TLS encryption.

EXAMPLES
       Listen   for  TLS-encrypted  IMAP  by  creating  a  server  certificate
       /sys/lib/tls/imap.pem and a  listener  script  /bin/service.auth/tcp993
       containing:

              #!/bin/rc
              exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
                  /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \
                  >[2]/sys/log/imap4d

       Interact   with   the   server,   putting  the  appropriate  hash  into
       /sys/lib/tls/mail and running:

              tlsclient -t /sys/lib/tls/mail tcp!server!imaps

       Create a TLS-encrypted VNC connection from a client  on  kremvax  to  a
       server on moscvax:

              mosc% vncs -d :3
              mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \
                      /usr/you/lib/cert.pem
              krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \
                      /usr/you/lib/cert.thumb
              krem% vncv kremvax:5

       (The  port  numbers passed to the VNC tools are offset by 5900 from the
       actual TCP port numbers.)

FILES
       /sys/lib/tls

SOURCE
       /sys/src/cmd/tlssrv.c
       /sys/src/cmd/tlsclient.c
       /rc/bin/tlssrvtunnel
       /rc/bin/tlsclienttunnel

SEE ALSO
       factotum(4), listen(8), rsa(8)
       Unix's stunnel


