TLSSRV(8)                                               TLSSRV(8)

     NAME
          tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel - TLS
          server and client

     SYNOPSIS
          tlssrv [ -c cert.pem ] [ -l logfile ] [ -r remotesys ] cmd [
          args ... ]

          tlsclient [ -t trustedkeys ] [ -x excludedkeys ] address

          tlssrvtunnel plain-addr crypt-addr cert.pem

          tlsclienttunnel crypt-addr plain-addr trustedkeys

     DESCRIPTION
          Tlssrv is a helper program, typically exec'd in a
          /bin/service file to establish an SSL or TLS connection
          before launching cmd args; a typical command might start the
          IMAP or HTTP server.  Cert.pem is the server certificate;
          factotum(4) should hold the corresponding private key.  The
          specified logfile is by convention the same as for the tar-
          get server.  Remotesys is mainly used for logging.

          Tlsclient is the reverse of tlssrv: it dials address, starts
          TLS, and then relays between the network connection and
          standard input and output.  If the -t flag (and, optionally,
          the -x flag) is given, the remote server must present a key
          whose SHA1 hash is listed in the file trustedkeys but not in
          the file excludedkeys. See thumbprint(6) for more informa-
          tion.

          Tlssrvtunnel and tlsclienttunnel use these tools and listen1
          (see listen(8)) to provide TLS network tunnels, allowing
          legacy application to take advantage of TLS encryption.

     EXAMPLES
          Listen for TLS-encrypted IMAP by creating a server certifi-
          cate /sys/lib/tls/imap.pem and a listener script
          /bin/service.auth/tcp993 containing:

               #!/bin/rc
               exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
                   /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \
                   >[2]/sys/log/imap4d

          Interact with the server, putting the appropriate hash into
          /sys/lib/tls/mail and running:

               tlsclient -t /sys/lib/tls/mail tcp!server!imaps

     Page 1                       Plan 9             (printed 3/28/24)

     TLSSRV(8)                                               TLSSRV(8)

          Create a TLS-encrypted VNC connection from a client on
          kremvax to a server on moscvax:

               mosc% vncs -d :3
               mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \
                       /usr/you/lib/cert.pem
               krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \
                       /usr/you/lib/cert.thumb
               krem% vncv kremvax:5

          (The port numbers passed to the VNC tools are offset by 5900
          from the actual TCP port numbers.)

     FILES
          /sys/lib/tls

     SOURCE
          /sys/src/cmd/tlssrv.c
          /sys/src/cmd/tlsclient.c
          /rc/bin/tlssrvtunnel
          /rc/bin/tlsclienttunnel

     SEE ALSO
          factotum(4), listen(8), rsa(8)
          Unix's stunnel

     Page 2                       Plan 9             (printed 3/28/24)