---------- Forwarded message ----------
Date: Mon, 17 Jun 2002 21:47:49 -0700
From: Russ Cox
Reply-To: 9fans@cse.psu.edu
To: 9fans@cse.psu.edu
Subject: [9fans] tls tunnelling
I was intrigued by the prospect of running a
TLS-tunneled VNC over the internet (since right
now I run plaintext VNCs over the internet),
so I looked up stunnel. The interface seemed
more reasonable than what I posted earlier today,
so I built an equivalent one for Plan 9.
Sources now has the following new (and documented) programs:
aux/listen1 - simple network listener like inferno's listen(1)
tlsclient - what i posted earlier, but no cmd
tlssrvtunnel - server side tunneler
tlssrvclient - client side tunneler
I figured out how to generate new certificates with
OpenSSL and documented that too.
Enjoy.
Russ
TLSSRV(8)
NAME
tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel - TLS server and client
SYNOPSIS
tlssrv [ -c cert.pem ] [ -l logfile ] [ -r remotesys ] cmd [ args ... ]
tlsclient [ -t trustedkeys ] [ -x excludedkeys ] address
tlssrvtunnel plain-addr crypt-addr cert.pem
tlsclienttunnel crypt-addr plain-addr trustedkeys
DESCRIPTION
Tlssrv is a helper program, typically exec'd in a
/bin/service file to establish an SSL or TLS connection
before launching cmd args; a typical command might start the
IMAP or HTTP server. Cert.pem is the server certificate;
factotum(4) should hold the corresponding private key. The
specified logfile is by convention the same as for the target
server. Remotesys is mainly used for logging.
Tlsclient is the reverse of tlssrv: it dials address, starts
TLS, and then relays between the network connection and
standard input and output. If the -t flag (and, optionally,
the -x flag) is given, the remote server must present a key
whose SHA1 hash is listed in the file trustedkeys but not in
the file excludedkeys. See thumbprint(6) for more information.
Tlssrvtunnel and tlsclienttunnel use these tools and listen1
(see listen(8)) to provide TLS network tunnels, allowing
legacy applications to take advantage of TLS encryption.
EXAMPLES
Listen for TLS-encrypted IMAP by creating a server certificate
/sys/lib/tls/imap.pem and a listener script
/bin/service.auth/tcp993 containing:
#!/bin/rc
exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
/bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \
>[2]/sys/log/imap4d
Interact with the server, putting the appropriate hash into
/sys/lib/tls/mail and running:
tlsclient -t /sys/lib/tls/mail tcp!server!imaps
Create a TLS-encrypted VNC connection from a client on
kremvax to a server on moscvax:
mosc% vncs -d :3
mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \
/usr/you/lib/cert.pem
krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \
/usr/you/lib/cert.thumb
krem% vncv kremvax:5
(The port numbers passed to the VNC tools are offset by 5900
from the actual TCP port numbers.)
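As an added example, not code from the original post or from Plan 9, here is a client-side tunnel in the spirit of tlsclienttunnel, written in Python 3 with only the standard library. It shows the -t/-x rule from the description above: the server is accepted only if the SHA1 thumbprint of its certificate appears in a trustedkeys file and not in an excludedkeys file, with no reliance on a CA chain. Two things are assumptions rather than facts from the page: the thumbprint file layout (`x509 sha1=<hex>` lines, `#` comments) is taken from thumbprint(6), which the man page cites but does not reproduce, and the hash is computed over the DER-encoded certificate, which is also what the thumbprint_line helper emits when you feed it the cert.pem produced by the openssl command in BUGS. Host/port pairs stand in for Plan 9 dial strings, and the sample PEM is constructed (base64 of "abc"), not a real certificate.

```python
# Added example: client-side TLS tunnel with thumbprint pinning (Python 3, stdlib only).
# Not part of the original post or of Plan 9; file layout assumed from thumbprint(6).
import base64
import hashlib
import socket
import ssl
import sys
import threading

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM string."""
    start = pem_text.index(PEM_HEADER) + len(PEM_HEADER)
    end = pem_text.index(PEM_FOOTER, start)
    return base64.b64decode("".join(pem_text[start:end].split()))


def thumbprint(der):
    """SHA1 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha1(der).hexdigest()


def thumbprint_line(pem_text):
    """One 'x509 sha1=...' line to paste into a trustedkeys file (assumed layout)."""
    return "x509 sha1=" + thumbprint(pem_to_der(pem_text))


def parse_thumbprints(text):
    """Collect sha1 values from 'x509 sha1=<hex>' lines; '#' lines are comments."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" ")
        if kind != "x509":
            continue
        for field in rest.split():
            key, _, value = field.partition("=")
            if key == "sha1" and len(value) == 40:
                found.add(value.lower())
    return found


def is_trusted(der, trusted, excluded=frozenset()):
    """The -t/-x rule: listed in trustedkeys and not listed in excludedkeys."""
    t = thumbprint(der)
    return t in trusted and t not in excluded


# Constructed sample for a stand-alone check: "YWJj" is base64 of b"abc",
# not a real certificate, so its thumbprint is simply SHA1("abc").
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_TRUSTED = "# constructed trustedkeys file\n" + thumbprint_line(SAMPLE_PEM) + "\n"


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_one(plain, crypt_host, crypt_port, trusted, excluded):
    """Handle one plaintext client: dial TLS, check the pin, then relay both ways."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # trust comes from the thumbprint, not the name...
    ctx.verify_mode = ssl.CERT_NONE  # ...and not from a CA chain (checked manually below)
    try:
        tls = ctx.wrap_socket(socket.create_connection((crypt_host, crypt_port)),
                              server_hostname=crypt_host)
        if not is_trusted(tls.getpeercert(binary_form=True), trusted, excluded):
            print("rejected server: certificate thumbprint not trusted", file=sys.stderr)
            tls.close()
            plain.close()
            return
    except OSError as e:
        print("dial failed:", e, file=sys.stderr)
        plain.close()
        return
    threading.Thread(target=pump, args=(plain, tls), daemon=True).start()
    pump(tls, plain)


def tunnel(plain_port, crypt_host, crypt_port, trusted_file, excluded_file=None):
    """Listen on plain_port and tunnel every connection to crypt_host:crypt_port over TLS."""
    trusted = parse_thumbprints(open(trusted_file).read())
    excluded = parse_thumbprints(open(excluded_file).read()) if excluded_file else frozenset()
    listener = socket.create_server(("", plain_port))
    while True:
        plain, _ = listener.accept()
        threading.Thread(target=serve_one,
                         args=(plain, crypt_host, crypt_port, trusted, excluded),
                         daemon=True).start()


if __name__ == "__main__":
    # Mirrors the man page's VNC example: python3 tunnel.py 5905 moscvax 12345 cert.thumb
    a = sys.argv[1:]
    tunnel(int(a[0]), a[1], int(a[2]), a[3], a[4] if len(a) > 4 else None)
```

The order of the two context settings matters: check_hostname must be turned off before verify_mode is set to CERT_NONE, or the ssl module raises. Turning both off is only safe because the thumbprint comparison runs before any application bytes are relayed; a server that fails the pin is dropped, which is the same failure mode as tlsclient with -t.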
FILES
/sys/lib/tls
SOURCE
/sys/src/cmd/tlssrv.c
/sys/src/cmd/tlsclient.c
/rc/bin/tlssrvtunnel
/rc/bin/tlsclienttunnel
SEE ALSO
factotum(4), listen(8)
Unix's stunnel
BUGS
There is not yet a Plan 9 tool to generate X.509 certificates
and public keys. Instead, use the Unix openssl toolkit:
openssl req -x509 -nodes -newkey rsa:1024 -keyout key.pem -out cert.pem