NAME
tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel - TLS server and client
SYNOPSIS
tlssrv [ -c cert.pem ] [ -l logfile ] [ -r remotesys ] cmd [ args ... ]
tlsclient [ -t trustedkeys ] [ -x excludedkeys ] address
tlssrvtunnel plain-addr crypt-addr cert.pem
tlsclienttunnel crypt-addr plain-addr trustedkeys
DESCRIPTION
Tlssrv is a helper program, typically exec'd in a /bin/service file to establish an SSL or TLS connection before launching cmd args; a typical command might start the IMAP or HTTP server. Cert.pem is the server certificate; factotum(4) should hold the corresponding private key. The specified logfile is by convention the same as for the target server. Remotesys is mainly used for logging.

Tlsclient is the reverse of tlssrv: it dials address, starts TLS, and then relays between the network connection and standard input and output. If the -t flag (and, optionally, the -x flag) is given, the remote server must present a key whose SHA1 hash is listed in the file trustedkeys but not in the file excludedkeys. See thumbprint(6) for more information.

Tlssrvtunnel and tlsclienttunnel use these tools and listen1 (see listen(8)) to provide TLS network tunnels, allowing legacy applications to take advantage of TLS encryption.
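
The -t/-x acceptance rule described above, as an added example in Python that is not part of the original manual or the Plan 9 source. The thumbprint line format (x509 sha1=<hex>), the function names and the sample byte strings are assumptions made for illustration; the hash is taken over whatever bytes the caller passes in.

```python
import hashlib
import re

# Assumed line format (not given on this page): "x509 sha1=<40 hex digits> [attr=value ...]"
SHA1_ATTR = re.compile(r"(?:^|\s)sha1=([0-9a-fA-F]{40})(?=\s|$)")


def parse_thumbprints(text):
    """Return the set of lowercase SHA1 hex digests listed in a thumbprint file."""
    digests = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        match = SHA1_ATTR.search(line) if line.startswith("x509") else None
        if match:
            digests.add(match.group(1).lower())
    return digests


def key_accepted(presented, trusted, excluded=frozenset()):
    """Accept only when the SHA1 of the presented key is trusted and not excluded."""
    digest = hashlib.sha1(presented).hexdigest()
    return digest in trusted and digest not in excluded


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Constructed sample input: stand-in byte strings, not real keys or certificates.
KEY_A = b"constructed server key A"
KEY_B = b"constructed server key B"
KEY_C = b"constructed server key C"

TRUSTED_FILE = (
    "# constructed trustedkeys file\n"
    f"x509 sha1={sha1_hex(KEY_A)} cn=imap.example\n"
    f"x509 sha1={sha1_hex(KEY_B).upper()} cn=old.example\n"
    "x509 sha1=deadbeef cn=malformed.example\n"  # digest too short, ignored
)
EXCLUDED_FILE = f"x509 sha1={sha1_hex(KEY_B)}\n"

if __name__ == "__main__":
    trusted = parse_thumbprints(TRUSTED_FILE)
    excluded = parse_thumbprints(EXCLUDED_FILE)
    for name, key in (("A", KEY_A), ("B", KEY_B), ("C", KEY_C)):
        print(name, "accept" if key_accepted(key, trusted, excluded) else "reject")
```

Key B is listed in both files and is rejected, so the exclusion list overrides the trust list; an empty or unparsable trust list rejects every key.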
EXAMPLES
Listen for TLS-encrypted IMAP by creating a server certificate
/sys/lib/tls/imap.pem and a listener script /bin/service.auth/tcp993
containing:
FILES
/sys/lib/tls
SOURCE
/sys/src/cmd/tlssrv.c
/sys/src/cmd/tlsclient.c
/rc/bin/tlssrvtunnel
/rc/bin/tlsclienttunnel
SEE ALSO
factotum(4), listen(8), rsa(8)
Unix's stunnel