glenda.party
TLSSRV(8)                   System Manager's Manual                  TLSSRV(8)

NAME
       tlssrv,  tlsclient,  tlssrvtunnel,  tlsclienttunnel  -  TLS  server and
       client

SYNOPSIS
       tlssrv [ -c cert.pem ] [ -l logfile ] [ -r remotesys ] cmd [ args ... ]

       tlsclient [ -t trustedkeys ] [ -x excludedkeys ] address

       tlssrvtunnel plain-addr crypt-addr cert.pem

       tlsclienttunnel crypt-addr plain-addr trustedkeys

DESCRIPTION
       Tlssrv  is a helper program, typically exec'd in a /bin/service file to
       establish an SSL or TLS connection before launching cmd args; a typical
       command might start the IMAP or HTTP server.  Cert.pem  is  the  server
       certificate;  factotum(4)  should  hold  the corresponding private key.
       The specified logfile is by convention  the  same  as  for  the  target
       server.  Remotesys is mainly used for logging.

       Tlsclient is the reverse of tlssrv: it dials address, starts TLS, and
       then relays between the network connection and standard input and
       output.  If the -t flag (and, optionally, the -x flag) is given, the
       remote server must present a key whose SHA1 hash is listed in the file
       trustedkeys but not in the file excludedkeys.  See thumbprint(6) for
       more information.
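
       As an added illustration (not code from the Plan 9 distribution), the
       trust decision tlsclient makes under -t and -x, written in Python: the
       certificate the server presents is hashed with SHA1 and accepted only if
       that hash is listed in trustedkeys and absent from excludedkeys, so an
       exclusion always overrides a trust entry.  The thumbprint-file syntax
       assumed here (one "x509 sha1=hex" entry per line, "#" starting a
       comment) follows thumbprint(6) rather than this page, and the
       certificates are constructed byte strings, not real X.509 data.

```python
import hashlib

def parse_thumbprints(text):
    """Return the set of lower-case SHA1 hex digests listed in a thumbprint file.
    Assumed format (from thumbprint(6), not this page): 'x509 sha1=<hex>' per
    line, '#' starts a comment; any other entry kind is ignored, never trusted."""
    prints = set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        kind, _, attr = line.partition(' ')
        attr = attr.strip()
        if kind != 'x509' or not attr.startswith('sha1='):
            continue
        prints.add(attr[len('sha1='):].lower())  # normalise hex case
    return prints

def cert_sha1(cert_der):
    """SHA1 over the certificate bytes exactly as the peer presented them."""
    return hashlib.sha1(cert_der).hexdigest()

def accept_server(cert_der, trusted_text, excluded_text=''):
    """Mirror tlsclient -t/-x: accept iff the hash is in trustedkeys and not in
    excludedkeys.  With no -x file the excluded set is simply empty."""
    h = cert_sha1(cert_der)
    return h in parse_thumbprints(trusted_text) and h not in parse_thumbprints(excluded_text)

# Constructed sample data: placeholders standing in for DER certificates.
GOOD_CERT = b'constructed-cert-for-the-imap-server'
OLD_CERT = b'constructed-cert-that-has-been-retired'
TRUSTED = (f"x509 sha1={cert_sha1(GOOD_CERT).upper()}  # current imap.pem\n"
           f"x509 sha1={cert_sha1(OLD_CERT)}           # previous imap.pem\n")
EXCLUDED = f"x509 sha1={cert_sha1(OLD_CERT)}  # retired; refuse even though listed above\n"

if __name__ == '__main__':
    for name, cert in (('current', GOOD_CERT), ('retired', OLD_CERT), ('unknown', b'stranger')):
        print(name, 'accepted' if accept_server(cert, TRUSTED, EXCLUDED) else 'rejected')
```

       Retiring a certificate therefore only needs its hash appended to the
       excludedkeys file; the trustedkeys file can stay as it is.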

       Tlssrvtunnel and tlsclienttunnel use these tools and listen1 (see
       listen(8)) to provide TLS network tunnels, allowing legacy applications
       to take advantage of TLS encryption.

EXAMPLES
       Listen  for  TLS-encrypted  IMAP  by  creating  a  server   certificate
       /sys/lib/tls/imap.pem  and  a  listener script /bin/service.auth/tcp993
       containing:

              #!/bin/rc
              exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
                  /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \
                  >[2]/sys/log/imap4d

       Interact  with  the  server,  putting   the   appropriate   hash   into
       /sys/lib/tls/mail and running:

              tlsclient -t /sys/lib/tls/mail tcp!server!imaps

       Create  a  TLS-encrypted  VNC  connection from a client on kremvax to a
       server on moscvax:

              mosc% vncs -d :3
              mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \
                      /usr/you/lib/cert.pem
              krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \
                      /usr/you/lib/cert.thumb
              krem% vncv kremvax:5

       (The port numbers passed to the VNC tools are offset by 5900  from  the
       actual TCP port numbers.)

FILES
       /sys/lib/tls

SOURCE
       /sys/src/cmd/tlssrv.c
       /sys/src/cmd/tlsclient.c
       /rc/bin/tlssrvtunnel
       /rc/bin/tlsclienttunnel

SEE ALSO
       factotum(4), listen(8), rsa(8)
       Unix's stunnel

                                                                     TLSSRV(8)