TLSSRV(8) TLSSRV(8) NAME tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel - TLS server and client SYNOPSIS tlssrv [ -c cert.pem ] [ -l logfile ] [ -r remotesys ] cmd [ args ... ] tlsclient [ -t trustedkeys ] [ -x excludedkeys ] address tlssrvtunnel plain-addr crypt-addr cert.pem tlsclienttunnel crypt-addr plain-addr trustedkeys DESCRIPTION Tlssrv is a helper program, typically exec'd in a /bin/service file to establish an SSL or TLS connection before launching cmd args; a typical command might start the IMAP or HTTP server. Cert.pem is the server certificate; factotum(4) should hold the corresponding private key. The specified logfile is by convention the same as for the tar- get server. Remotesys is mainly used for logging. Tlsclient is the reverse of tlssrv: it dials address, starts TLS, and then relays between the network connection and standard input and output. If the -t flag (and, optionally, the -x flag) is given, the remote server must present a key whose SHA1 hash is listed in the file trustedkeys but not in the file excludedkeys. See thumbprint(6) for more informa- tion. Tlssrvtunnel and tlsclienttunnel use these tools and listen1 (see listen(8)) to provide TLS network tunnels, allowing legacy application to take advantage of TLS encryption. EXAMPLES Listen for TLS-encrypted IMAP by creating a server certifi- cate /sys/lib/tls/imap.pem and a listener script /bin/service.auth/tcp993 containing: #!/bin/rc exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \ /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \ >[2]/sys/log/imap4d Interact with the server, putting the appropriate hash into /sys/lib/tls/mail and running: tlsclient -t /sys/lib/tls/mail tcp!server!imaps Page 1 Plan 9 (printed 12/21/24) TLSSRV(8) TLSSRV(8) Create a TLS-encrypted VNC connection from a client on kremvax to a server on moscvax: mosc% vncs -d :3 mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \ /usr/you/lib/cert.pem krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \ /usr/you/lib/cert.thumb krem% vncv kremvax:5 (The port numbers passed to the VNC tools are offset by 5900 from the actual TCP port numbers.) FILES /sys/lib/tls SOURCE /sys/src/cmd/tlssrv.c /sys/src/cmd/tlsclient.c /rc/bin/tlssrvtunnel /rc/bin/tlsclienttunnel SEE ALSO factotum(4), listen(8), rsa(8) Unix's stunnel Page 2 Plan 9 (printed 12/21/24)