Message-ID: <75441112d2ceb0638d3bf74fd3df91d6@plan9.bell-labs.com>
From: "Russ Cox"
To: 9fans@cse.psu.edu
Subject: [9fans] tls tunnelling
Date: Mon, 17 Jun 2002 21:47:49 -0700

I was intrigued by the prospect of running a TLS-tunneled VNC over the
internet (since right now I run plaintext VNCs over the internet), so I
looked up stunnel.  The interface seemed more reasonable than what I
posted earlier today, so I built an equivalent one for Plan 9.

Sources now has the following new (and documented) programs:

	aux/listen1 - simple network listener like inferno's listen(1)
	tlsclient - what I posted earlier, but no cmd
	tlssrvtunnel - server side tunneler
	tlssrvclient - client side tunneler

I figured out how to generate new certificates with OpenSSL and
documented that too.

Enjoy.
Russ


TLSSRV(8)                                                   TLSSRV(8)

NAME
     tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel - TLS server
     and client

SYNOPSIS
     tlssrv [ -c cert.pem ] [ -l logfile ] [ -r remotesys ] cmd [ args ... ]

     tlsclient [ -t trustedkeys ] [ -x excludedkeys ] address

     tlssrvtunnel plain-addr crypt-addr cert.pem

     tlsclienttunnel crypt-addr plain-addr trustedkeys

DESCRIPTION
     Tlssrv is a helper program, typically exec'd in a /bin/service
     file to establish an SSL or TLS connection before launching cmd
     args; a typical command might start the IMAP or HTTP server.
     Cert.pem is the server certificate; factotum(4) should hold the
     corresponding private key.  The specified logfile is by
     convention the same as for the target server.  Remotesys is
     mainly used for logging.

     Tlsclient is the reverse of tlssrv: it dials address, starts
     TLS, and then relays between the network connection and
     standard input and output.  If the -t flag (and, optionally,
     the -x flag) is given, the remote server must present a key
     whose SHA1 hash is listed in the file trustedkeys but not in
     the file excludedkeys.  See thumbprint(6) for more information.

     Tlssrvtunnel and tlsclienttunnel use these tools and listen1
     (see listen(8)) to provide TLS network tunnels, allowing legacy
     applications to take advantage of TLS encryption.

EXAMPLES
     Listen for TLS-encrypted IMAP by creating a server certificate
     /sys/lib/tls/imap.pem and a listener script
     /bin/service.auth/tcp993 containing:

          #!/bin/rc
          exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
               /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \
               >[2]/sys/log/imap4d

     Interact with the server, putting the appropriate hash into
     /sys/lib/tls/mail and running:

          tlsclient -t /sys/lib/tls/mail tcp!server!imaps

     Create a TLS-encrypted VNC connection from a client on kremvax
     to a server on moscvax:

          mosc% vncs -d :3
          mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \
               /usr/you/lib/cert.pem
          krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \
               /usr/you/lib/cert.thumb
          krem% vncv kremvax:5

     (The port numbers passed to the VNC tools are offset by 5900
     from the actual TCP port numbers.)

FILES
     /sys/lib/tls

SOURCE
     /sys/src/cmd/tlssrv.c
     /sys/src/cmd/tlsclient.c
     /rc/bin/tlssrvtunnel
     /rc/bin/tlsclienttunnel

SEE ALSO
     factotum(4), listen(8)
     Unix's stunnel

BUGS
     There is not yet a Plan 9 tool to generate X.509 certificates
     and public keys.  Instead, use the Unix openssl toolkit:

          openssl req -x509 -nodes -newkey rsa:1024 -keyout key.pem -out cert.pem
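The man page leaves two steps on the Unix side implicit: running the openssl command from BUGS non-interactively, and producing the "appropriate hash" that goes into the trustedkeys file (cert.thumb / /sys/lib/tls/mail above) so tlsclient pins the server. The script below is an added example, not code from the post or from Plan 9; it assumes the trustedkeys entry is the SHA1 of the DER-encoded certificate written as `x509 sha1=<hex>` (the thumbprint(6) layout), and it uses rsa:2048 in place of the page's rsa:1024, which is too weak for current use.

```shell
#!/bin/sh
# Added example: create the server certificate with openssl and derive
# the pinning line a tlsclient trustedkeys file needs.
# Assumption: trustedkeys lines are "x509 sha1=<hex of DER cert>".
set -e

# make_cert DIR NAME: write DIR/key.pem and DIR/cert.pem for host NAME.
# -subj avoids the interactive prompts; keep key.pem for factotum only.
make_cert() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_thumb CERT: lowercase hex SHA1 of CERT's DER encoding, i.e. the
# value a client pins; hashing the PEM text instead would give a
# different, useless digest.
cert_thumb() {
    openssl x509 -in "$1" -outform DER | sha1sum | cut -d' ' -f1
}

# write_thumbfile CERT OUT: append a trustedkeys entry for CERT to OUT.
# Copy OUT to the client out of band; it is the trust anchor.
write_thumbfile() {
    printf 'x509 sha1=%s\n' "$(cert_thumb "$1")" >> "$2"
}

# openssl_fp CERT: openssl's own fingerprint report, normalised to
# lowercase hex, so cert_thumb can be cross-checked independently.
openssl_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}
```

The resulting cert.thumb is what the kremvax side passes to tlsclienttunnel; the cert.pem (and the key, via factotum) stays on moscvax.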