tlswrapper-tcp(1) General Commands Manual tlswrapper-tcp(1)

tlswrapper-tcp - TLS encryption wrapper - tcp client

tlswrapper-tcp [ options ] host port

The tlswrapper-tcp is TCP client which connects to host:port and transfers data from standard input to the host and from the host to the standard output. it's designed to work to together with tlswrapper and is from the tlswrapper executed. Allows you to protect non-TLS TCP service using TLS similarly to stunnel(8). Systemd.socket/inetd/tcpserver/... creates the server connection, tlswraper encrypts/decrypts data stream and tlswrapper-tcp creates the client connection and sends/receives unencrypted data to/from the host:port as follows:

Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> tlswrapper-tcp <-> host:port

Quiet mode. No error messages.
Enable verbose mode. Multiple -v options increase the verbosity. The maximum is 3.
Set the network timeout to seconds seconds. (default 3600).
Set the connect timeout to seconds seconds. (default 10).
Enable incoming proxy-protocol version version string.
Enable outgoing proxy-protocol version version string.
Chroot network-process into a specified jaildir (default: /var/lib/tlswraper/empty).
Run network-process and dnsresolver-process under a specified jailuser's uid and gid. If unset run network-process and dnsresolver-process under random uid and gid.
host or IP
TCP port

Separate process for network connection and separate process for DNS resolving

To protect against secret-information leaks to the network connection (such Heartbleed) tlswrapper-tcp runs two independent processes. One process resolves the hostname and second creates a connection to host:port.

JAIL - Privilege separation, filesystem isolation, limits

The tlswrapper-tcp similarly to tlswrapper processes runs under dedicated non-zero uid to prohibit kill, ptrace, etc. Is chrooted into an empty, unwritable directory to prohibit filesystem access. Sets ulimits to prohibit new files, sockets, etc. Sets ulimits to prohibit forks.

Run tlswrapper using tcpserver/busybox/inetd on port 443 and connect to non-TLS service ip 127.0.0.1 and port 80

tcpserver -HRDl0 0 443 tlswrapper [ options ] tlswrapper-tcp 127.0.0.1 80
busybox tcpsvd 0 443 tlswrapper [ options ] tlswrapper-tcp 127.0.0.1 80
inetd.conf line: https stream tcp nowait root /usr/bin/tlswrapper tlswrapper [ options ] /usr/bin/tlswrapper-tcp 127.0.0.1 80

tlswrapper(1)