security/tlswrapper
UCSPI/inetd-style TLS encryption wrapper
Branch: CURRENT
Version: 20230101
Package name: tlswrapper-20230101
Maintainer: schmonz
tlswrapper is a TLS encryption wrapper between a remote client and a local
program prog. systemd.socket/inetd/tcpserver/... creates the server
connection; tlswrapper encrypts/decrypts the data stream and reads/writes
data from/to the program prog as follows:
Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> prog
By running a separate instance of tlswrapper for each TLS connection, a
vulnerability in the code (e.g. a bug in the TLS library) can't be used to
compromise the memory of another connection.
To protect against leaks of secret information to the network connection
(such as Heartbleed), tlswrapper runs two independent processes for every
TLS connection. One process holds the secret keys and runs the secret-key
operations; the second talks to the network. The processes communicate with
each other through UNIX pipes.
Version history:
- (2023-01-10) Updated to version: tlswrapper-20230101
- (2022-09-12) Updated to version: tlswrapper-20220901
- (2022-08-30) Updated to version: tlswrapper-20220814nb1
- (2022-08-25) Updated to version: tlswrapper-20220814
- (2022-01-15) Updated to version: tlswrapper-20220114
- (2022-01-05) Package added to pkgsrc.se, version tlswrapper-20220101 (created)
CVS history:
2023-01-10 18:03:59 by Amitai Schleier (files touched by this commit: 4)
Log message:
Update to 20230101. From the changelog:
20230101:
- removed duplicate crypto_scalarmult_curve25519.* implementation and
used X25519 from bearssl library
- randombytes: rollback to /dev/urandom variant only
- Makefile: removed bearssl target
20221229:
- fixed parallel build
20221227:
- LICENCE updated from public-domain to CC0
- updated examples and linked examples.md from README.md
- added more error log messages when proxy-protocol is used
2022-09-11 21:33:05 by Amitai Schleier (files touched by this commit: 9)
Log message:
Update to 20220901. From the changelog:
- fixed randombytes(), uses getentropy() and /dev/urandom where
getentropy() does not exist
2022-08-30 19:55:31 by Amitai Schleier (files touched by this commit: 9)
Log message:
Apply upstream commit 0cb7bb4 to fall back to /dev/urandom on systems
where getentropy() is not present. Bump PKGREVISION.
2022-08-25 20:05:37 by Amitai Schleier (files touched by this commit: 2)
Log message:
Update to 20220814. From the changelog:
- proxyprotocol cleanup
- v2 removed
- switched to buffer lib.
- man page fixed many typos
- tlswrapper-smtp update, added postgrey support
- randombytes based on getentropy() instead of /dev/urandom
- big cleanup in the code
2022-01-15 20:04:24 by Amitai Schleier (files touched by this commit: 8)
Log message:
Update to 20220114. From the changelog:
- added "experimental" support for delayed encryption (option -nN)
- add tlswrapper-smtp (STARTTLS support for old inetd-style SMTP servers)
2022-01-04 23:10:37 by Amitai Schleier (files touched by this commit: 8)
Log message:
Fix build on BSDs and Solarish.
2022-01-04 22:39:03 by Amitai Schleier (files touched by this commit: 4)
Log message:
Add tlswrapper, a UCSPI/inetd-style TLS encryption wrapper.
tlswrapper is a TLS encryption wrapper between remote client and local
program prog. Systemd.socket/inetd/tcpserver/... creates the server
connection, tlswrapper encrypts/decrypts data stream and reads/writes
data from/to the program prog as follows:
Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> prog
By running separate instance of tlswrapper for each TLS connection, a
vulnerability in the code (e.g. bug in the TLS library) can't be used to
compromise the memory of another connection.
To protect against secret-information leaks to the network connection
(such as Heartbleed) tlswrapper runs two independent processes for every
TLS connection. One process holds secret keys and runs secret-key
operations and the second talks to the network. Processes communicate with
each other through UNIX pipes.