TLSSRV(8)                                               TLSSRV(8)

     NAME
          tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel - TLS
          server and client

     SYNOPSIS
          tlssrv [ -D ] [ -[aA] [ -k keyspec ] ] [ -c cert.pem ] [ -l
          logfile ] [ -r remotesys ] cmd [ args ... ]

          tlsclient [ -D ] [ -a [ -k keyspec ] ] [ -c clientcert.pem ]
          [ -d servercert ] [ -t trustedkeys ] [ -x excludedkeys ] [
          -n servername ] [ -o ] address [ cmd [ args ... ] ]

          tlssrvtunnel plain-addr crypt-addr cert.pem

          tlsclienttunnel crypt-addr plain-addr trustedkeys

     DESCRIPTION
          Tlssrv is a helper program, typically exec'd in a
          /bin/service file to establish an SSL or TLS connection
          before launching cmd args; a typical command might start the
          IMAP or HTTP server.  Cert.pem is the server certificate;
          factotum(4) should hold the corresponding private key.  The
          specified logfile is by convention the same as for the tar-
          get server.  Remotesys is mainly used for logging.  If the
          -a or -A flag is specified, p9any authentication is run
          before the TLS handshake and the resulting plan9 session
          secret is used as a pre-shared key for TLS encryption.  This
          enables the use of TLS without certificates and also runs
          the server command as the authorized user when the -a flag
          was specified.

          Tlsclient is the reverse of tlssrv: it connects to address,
          starts TLS, and then relays between the network connection
          and standard input and output or executes cmd args with
          standard input and output redirected to the connection.  The
          -D flag enables some debug output.  Specifying a certificate
          in pem(8) format with the -c flag, causes the client to sub-
          mit this certificate upon server's request. A corresponding
          key has to be present in factotum(4). The -d flag writes the
          server's certificate to the file servercert in binary ASN.1
          encoding.  If the server doesnt provide a certificate, an
          empty file is created.  If the -t flag (and, optionally, the
          -x flag) is given, the remote server must present a public
          key whose SHA1 or SHA256 hash is listed in the file
          trustedkeys but not in the file excludedkeys. See
          thumbprint(6) for more information. The -n option passes the
          string servername in the TLS hello message (Server Name
          Idenfitication) which is usefull when talking to webservers.
          When the -o option was specified, address is interpreted as
          a filename to be opend read-write instead of a dial string.

     Page 1                       Plan 9             (printed 12/3/24)

     TLSSRV(8)                                               TLSSRV(8)

          Tlssrvtunnel and tlsclienttunnel use these tools and listen1
          (see listen(8)) to provide TLS network tunnels, allowing
          legacy application to take advantage of TLS encryption.

     EXAMPLES
          Listen for TLS-encrypted IMAP by creating a server certifi-
          cate /sys/lib/tls/imap.pem and a listener script
          /bin/service.auth/tcp993 containing:

               #!/bin/rc
               exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
                   /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \
                   >[2]/sys/log/imap4d

          Interact with the server, putting the appropriate hash into
          /sys/lib/tls/mail and running:

               tlsclient -t /sys/lib/tls/mail tcp!server!imaps

          Create a TLS-encrypted VNC connection from a client on
          kremvax to a server on moscvax:

               mosc% vncs -d :3
               mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \
                       /usr/you/lib/cert.pem
               krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \
                       /usr/you/lib/cert.thumb
               krem% vncv kremvax:5

          (The port numbers passed to the VNC tools are offset by 5900
          from the actual TCP port numbers.)

     FILES
          /sys/lib/tls

     SOURCE
          /sys/src/cmd/tlssrv.c
          /sys/src/cmd/tlsclient.c
          /rc/bin/tlssrvtunnel
          /rc/bin/tlsclienttunnel

     SEE ALSO
          factotum(4), listen(8), rsa(8)
          Unix's stunnel

     Page 2                       Plan 9             (printed 12/3/24)