TLSSRV(8)

NAME

tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel − TLS server and client

SYNOPSIS

tlssrv [ -c cert.pem ] [ -l logfile ] [ -r remotesys ] cmd [ args ... ]

tlsclient [ -t trustedkeys ] [ -x excludedkeys ] address

tlssrvtunnel plain-addr crypt-addr cert.pem

tlsclienttunnel crypt-addr plain-addr trustedkeys

DESCRIPTION

Tlssrv is a helper program, typically exec’d in a /bin/service file to establish an SSL or TLS connection before launching cmd args; a typical command might start the IMAP or HTTP server. Cert.pem is the server certificate; factotum(4) should hold the corresponding private key. The specified logfile is by convention the same as for the target server. Remotesys is mainly used for logging.

Tlsclient is the reverse of tlssrv: it dials address, starts TLS, and then relays between the network connection and standard input and output. If the -t flag (and, optionally, the -x flag) is given, the remote server must present a key whose SHA1 hash is listed in the file trustedkeys but not in the file excludedkeys. See thumbprint(6) for more information.

Tlssrvtunnel and tlsclienttunnel use these tools and listen1 (see listen(8)) to provide TLS network tunnels, allowing legacy applications to take advantage of TLS encryption.

EXAMPLES

Listen for TLS-encrypted IMAP by creating a server certificate /sys/lib/tls/imap.pem and a listener script /bin/service.auth/tcp993 containing:

#!/bin/rc
exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
    /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \
    >[2]/sys/log/imap4d

Interact with the server, putting the appropriate hash into /sys/lib/tls/mail and running:

tlsclient -t /sys/lib/tls/mail tcp!server!imaps
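
The -t/-x rule from the DESCRIPTION and the "appropriate hash" step above, as an added Python example (not code from Plan 9 or from this manual). It assumes the thumbprint(6) line form `x509 sha1=<hex> ...` and that the digest is taken over the DER-encoded certificate; the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib

def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    body, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----" and inside:
            return base64.b64decode("".join(body), validate=True)
        elif inside:
            body.append(line)
    raise ValueError("no complete CERTIFICATE block")

def thumbprint(der):
    """SHA1 over the DER bytes, as lowercase hex (assumed thumbprint input)."""
    return hashlib.sha1(der).hexdigest()

def parse_thumbs(text):
    """Collect digests from 'x509 sha1=<40 hex> ...' lines; skip everything else."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "x509":
            continue  # blank lines, comments, unknown entry types
        for field in fields[1:]:
            digest = field[5:].lower()
            if field.startswith("sha1=") and len(digest) == 40 \
                    and all(c in "0123456789abcdef" for c in digest):
                found.add(digest)
    return found

def server_accepted(der, trusted=None, excluded=None):
    """Mirror the -t/-x rule: listed in trustedkeys and absent from excludedkeys."""
    if trusted is None:
        return True  # no -t given: the page describes no thumbprint check here
    allowed = parse_thumbs(trusted) - parse_thumbs(excluded or "")
    return thumbprint(der) in allowed

def thumb_line(pem, cn):
    """Build the line to add to a trustedkeys file such as /sys/lib/tls/mail."""
    return "x509 sha1=%s cn=%s" % (thumbprint(pem_to_der(pem)), cn)

# Constructed stand-in for a certificate: arbitrary bytes, not a real X.509 cert.
SAMPLE_DER = b"constructed-der-bytes-for-illustration"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")
```

Without a trustedkeys file the check is skipped entirely, so a pinned deployment should always pass -t.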

Create a TLS-encrypted VNC connection from a client on kremvax to a server on moscvax:

mosc% vncs -d :3
mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \
        /usr/you/lib/cert.pem
krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \
        /usr/you/lib/cert.thumb
krem% vncv kremvax:5

(The port numbers passed to the VNC tools are offset by 5900 from the actual TCP port numbers.) 

FILES

/sys/lib/tls

SOURCE

/sys/src/cmd/tlssrv.c
/sys/src/cmd/tlsclient.c
/rc/bin/tlssrvtunnel
/rc/bin/tlsclienttunnel

SEE ALSO

factotum(4), listen(8), x509(8)
Unix’s stunnel

Plan 9  —  November 17, 2002
