./security/tlswrapper, UCSPI/inetd-style TLS encryption wrapper



Branch: CURRENT, Version: 20230101, Package name: tlswrapper-20230101, Maintainer: schmonz

tlswrapper is a TLS encryption wrapper between a remote client and a local
program prog. systemd.socket/inetd/tcpserver/... accepts the server
connection; tlswrapper encrypts/decrypts the data stream and reads/writes
the plaintext from/to the program prog as follows:

Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> prog

By running a separate instance of tlswrapper for each TLS connection, a
vulnerability in the code (e.g. a bug in the TLS library) can't be used to
compromise the memory of another connection.

To protect against leaks of secret information to the network connection
(such as Heartbleed), tlswrapper runs two independent processes for every
TLS connection. One process holds the secret keys and performs the
secret-key operations; the second talks to the network. The processes
communicate with each other only through UNIX pipes.
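The two-process design described above, reduced to a minimal sketch as an added example (this is not tlswrapper's code, and BearSSL is not involved): the key-holder process is forked off, loads the secret only in its own address space, and answers fixed-size requests over a pair of pipes; the network-facing process never holds the key and can only ask for the result of a key operation. The demo secret, the toy keyed hash that stands in for the real private-key operation, and the request format are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define SECRET_LEN 32
#define MSG_LEN    16   /* fixed-size request, so one pipe write is atomic (< PIPE_BUF) */

/* Constructed demo secret; stands in for the private key a real wrapper would load. */
static void demo_secret(uint8_t out[SECRET_LEN]) {
    for (int i = 0; i < SECRET_LEN; i++) out[i] = (uint8_t)(0xA5 ^ (i * 7));
}

/* Toy keyed hash (FNV-1a over key || msg). Stands in for the real secret-key
 * operation; it is NOT a MAC and must not be used as one. */
static uint64_t toy_keyed_hash(const uint8_t *key, size_t klen,
                               const uint8_t *msg, size_t mlen) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < klen; i++) { h ^= key[i]; h *= 1099511628211ULL; }
    for (size_t i = 0; i < mlen; i++) { h ^= msg[i]; h *= 1099511628211ULL; }
    return h;
}

/* read() until exactly len bytes have arrived; 0 on success, -1 on EOF/error. */
static int read_full(int fd, void *buf, size_t len) {
    uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n <= 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Key-holder process: the only process that ever sees the secret. It answers
 * fixed-size requests and exits when the network side closes its pipe end. */
static void key_process(int req_fd, int resp_fd) {
    uint8_t secret[SECRET_LEN], msg[MSG_LEN];
    demo_secret(secret);              /* loaded after fork, so the parent never holds it */
    for (;;) {
        if (read_full(req_fd, msg, MSG_LEN) != 0) break;
        uint64_t tag = toy_keyed_hash(secret, SECRET_LEN, msg, MSG_LEN);
        if (write(resp_fd, &tag, sizeof tag) != (ssize_t)sizeof tag) break;
    }
    memset(secret, 0, sizeof secret); /* best-effort wipe before exit */
    _exit(0);
}

/* Network-facing side: holds no secret, only the two pipe ends. Returns 0 and
 * fills *tag_out when the key process answered. */
static int network_request(int req_fd, int resp_fd,
                           const uint8_t msg[MSG_LEN], uint64_t *tag_out) {
    if (write(req_fd, msg, MSG_LEN) != MSG_LEN) return -1;
    return read_full(resp_fd, tag_out, sizeof *tag_out);
}

/* Full round trip: fork the key process, make one request from the network
 * side, tear down. Returns 0 on success. */
int privsep_demo(const uint8_t msg[MSG_LEN], uint64_t *tag_out) {
    int req[2], resp[2];
    if (pipe(req) != 0 || pipe(resp) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                   /* child: key holder */
        close(req[1]); close(resp[0]);
        key_process(req[0], resp[1]); /* never returns */
    }
    close(req[0]); close(resp[1]);    /* parent: network side */
    int rc = network_request(req[1], resp[0], msg, tag_out);
    close(req[1]); close(resp[0]);    /* EOF on the request pipe makes the child exit */
    waitpid(pid, NULL, 0);
    return rc;
}

/* Reference tag computed inside one process; used only to check the pipe plumbing. */
uint64_t privsep_reference_tag(const uint8_t msg[MSG_LEN]) {
    uint8_t secret[SECRET_LEN];
    demo_secret(secret);
    return toy_keyed_hash(secret, SECRET_LEN, msg, MSG_LEN);
}

/* 1 when the tag obtained through the key process equals the reference, else 0. */
int privsep_demo_matches(void) {
    uint8_t msg[MSG_LEN] = "client hello!!!";  /* constructed: 15 chars + NUL = 16 bytes */
    uint64_t tag = 0;
    if (privsep_demo(msg, &tag) != 0) return 0;
    return tag == privsep_reference_tag(msg);
}

int main(void) {
    printf("key-process round trip %s\n", privsep_demo_matches() ? "ok" : "FAILED");
    return 0;
}
```

The point of the split is the fork-then-load order: had `demo_secret()` run before `fork()`, both processes would inherit a copy of the key and a memory disclosure in the network-facing process would still expose it. A real wrapper additionally drops privileges and sandboxes the network side, which this sketch omits.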


CVS history:


   2023-01-10 18:03:59 by Amitai Schleier | Files touched by this commit (4) | Package updated
Log message:
Update to 20230101. From the changelog:

20230101:
- removed duplicate crypto_scalarmult_curve25519.* implementation and
  used X25519 from bearssl library
- randombytes: rollback to /dev/urandom variant only
- Makefile: removed bearssl target

20221229:
- fixed parallel build

20221227:
- LICENCE updated from public-domain to CC0
- updated examples and linked examples.md from README.md
- added more error log messages when proxy-protocol is used

   2022-09-11 21:33:05 by Amitai Schleier | Files touched by this commit (9) | Package removed
Log message:
Update to 20220901. From the changelog:

- fixed randombytes(), uses getentropy() and /dev/urandom where
  getentropy() does not exist

   2022-08-30 19:55:31 by Amitai Schleier | Files touched by this commit (9)
Log message:
Apply upstream commit 0cb7bb4 to fall back to /dev/urandom on systems
where getentropy() is not present. Bump PKGREVISION.

   2022-08-25 20:05:37 by Amitai Schleier | Files touched by this commit (2) | Package updated
Log message:
Update to 20220814. From the changelog:

- proxyprotocol cleanup
    - v2 removed
    - switched to buffer lib.
- man page fixed many typos
- tlswrapper-smtp update, added postgrey support
- randombytes based on getentropy() instead of /dev/urandom
- big cleanup in the code

   2022-01-15 20:04:24 by Amitai Schleier | Files touched by this commit (8) | Package removed
Log message:
Update to 20220114. From the changelog:

- added "experimental" support for delayed encryption (option -nN)
- add tlswrapper-smtp (STARTTLS support for old inetd-style SMTP servers)

   2022-01-04 23:10:37 by Amitai Schleier | Files touched by this commit (8)
Log message:
Fix build on BSDs and Solarish.

   2022-01-04 22:39:03 by Amitai Schleier | Files touched by this commit (4)
Log message:
Add tlswrapper, a UCSPI/inetd-style TLS encryption wrapper.

tlswrapper is a TLS encryption wrapper between remote client and local
program prog. Systemd.socket/inetd/tcpserver/... creates the server
connection, tlswrapper encrypts/decrypts the data stream and reads/writes
data from/to the program prog as follows:

Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> prog

By running a separate instance of tlswrapper for each TLS connection, a
vulnerability in the code (e.g. a bug in the TLS library) can't be used to
compromise the memory of another connection.

To protect against secret-information leaks to the network connection
(such as Heartbleed) tlswrapper runs two independent processes for every
TLS connection. One process holds secret keys and runs secret-key
operations and the second talks to the network. Processes communicate with
each other through UNIX pipes.