TLSSRV(8)

NAME
    tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel – TLS server and client

SYNOPSIS
    tlssrv [ -D ] [ -[aA] [ -k keyspec ] ] [ -c cert.pem ] [ -l logfile ]
           [ -r remotesys ] cmd [ args ... ]

    tlsclient [ -D ] [ -a [ -k keyspec ] ] [ -c clientcert.pem ] [ -d servercert ]
           [ -t trustedkeys ] [ -x excludedkeys ] [ -n servername ] [ -o ]
           address [ cmd [ args ... ] ]

    tlssrvtunnel plain-addr crypt-addr cert.pem

    tlsclienttunnel crypt-addr plain-addr trustedkeys
DESCRIPTION
    Tlssrv is a helper program, typically exec’d in a /bin/service file to
    establish an SSL or TLS connection before launching cmd args; a typical
    command might start the IMAP or HTTP server. Cert.pem is the server
    certificate; factotum(4) should hold the corresponding private key. The
    specified logfile is by convention the same as for the target server.
    Remotesys is mainly used for logging.

    If the -a or -A flag is specified, p9any authentication is run before the
    TLS handshake and the resulting plan9 session secret is used as a
    pre-shared key for TLS encryption. This enables the use of TLS without
    certificates and also runs the server command as the authorized user when
    the -a flag was specified.

    Tlsclient is the reverse of tlssrv: it connects to address, starts TLS,
    and then either relays between the network connection and standard input
    and output, or executes cmd args with standard input and output redirected
    to the connection.

    The -D flag enables some debug output.

    Specifying a certificate in pem(8) format with the -c flag causes the
    client to submit this certificate upon the server’s request. A
    corresponding key has to be present in factotum(4).

    The -d flag writes the server’s certificate to the file servercert in
    binary ASN.1 encoding. If the server doesn’t provide a certificate, an
    empty file is created.

    If the -t flag (and, optionally, the -x flag) is given, the remote server
    must present a public key whose SHA1 or SHA256 hash is listed in the file
    trustedkeys but not in the file excludedkeys. See thumbprint(6) for more
    information.

    The -n option passes the string servername in the TLS hello message
    (Server Name Indication), which is useful when talking to web servers.

    When the -o option is specified, address is interpreted as a filename to
    be opened read-write instead of a dial string.

    Tlssrvtunnel and tlsclienttunnel use these tools and listen1 (see
    listen(8)) to provide TLS network tunnels, allowing legacy applications to
    take advantage of TLS encryption.
EXAMPLES
    Listen for TLS-encrypted IMAP by creating a server certificate
    /sys/lib/tls/imap.pem and a listener script /bin/service.auth/tcp993
    containing:

        #!/bin/rc
        exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
            /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \
            >[2]/sys/log/imap4d

    Interact with the server, putting the appropriate hash into
    /sys/lib/tls/mail and running:

        tlsclient -t /sys/lib/tls/mail tcp!server!imaps

    Create a TLS-encrypted VNC connection from a client on kremvax to a
    server on moscvax:

        mosc% vncs -d :3
        mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \
            /usr/you/lib/cert.pem
        krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \
            /usr/you/lib/cert.thumb
        krem% vncv kremvax:5

    (The port numbers passed to the VNC tools are offset by 5900 from the
    actual TCP port numbers.)
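    The trust decision that tlsclient makes for -t and -x (a key is accepted
    only if one of its hashes is in trustedkeys and none is in excludedkeys),
    shown as an added Python illustration that is not part of this manual or
    of tlsclient’s source. The thumbprint line format (x509 sha1=<hex> or
    x509 sha256=<hex>, with # starting a comment) is assumed from
    thumbprint(6); the key bytes and both files are constructed samples.

```python
import hashlib

# Constructed stand-in for a server's DER-encoded public key (not a real key).
SERVER_KEY_DER = b"\x30\x0d\x06\x09" + b"constructed sample key bytes"

# Constructed thumbprint files.  Line format assumed from thumbprint(6):
#   x509 sha1=<hex>   or   x509 sha256=<hex>
# with '#' starting a comment.
TRUSTED = "# servers we trust\nx509 sha256=%s\n" % hashlib.sha256(SERVER_KEY_DER).hexdigest()
EXCLUDED = "x509 sha1=%s\n" % hashlib.sha1(SERVER_KEY_DER).hexdigest()


def parse_thumbprints(text):
    """Return the set of (algorithm, hexdigest) pairs listed in a thumbprint file."""
    prints = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] != "x509":                    # only x509 entries apply here
            continue
        for attr in fields[1:]:
            alg, _, digest = attr.partition("=")
            if alg in ("sha1", "sha256") and digest:
                prints.add((alg, digest.lower()))
    return prints


def key_thumbprints(der):
    """Both hashes that may be matched against the thumbprint files."""
    return {("sha1", hashlib.sha1(der).hexdigest()),
            ("sha256", hashlib.sha256(der).hexdigest())}


def key_is_acceptable(der, trusted_text, excluded_text=""):
    """Apply the -t/-x rule as the manual states it: some hash of the key must
    appear in trustedkeys, and none of its hashes may appear in excludedkeys."""
    prints = key_thumbprints(der)
    if prints & parse_thumbprints(excluded_text):   # exclusion wins over trust
        return False
    return bool(prints & parse_thumbprints(trusted_text))
```

    Note that a key trusted by its SHA256 hash is still rejected when its SHA1
    hash appears in excludedkeys, since exclusion is checked against either hash.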
FILES
    /sys/lib/tls

SOURCE
    /sys/src/cmd/tlssrv.c
    /sys/src/cmd/tlsclient.c
    /rc/bin/tlssrvtunnel
    /rc/bin/tlsclienttunnel

SEE ALSO
    factotum(4), listen(8), rsa(8)
    Unix’s stunnel