Provided by: gnutls-bin_3.4.10-4ubuntu1_amd64 bug


       CryWrap - Simple TCP/IP service encryption using TLS/SSL


       crywrap --listen HOST/PORT --destination HOST/PORT [options]


       CryWrap  is  a  simple  wrapper that waits for TLS/SSL connections, and proxies them to an
       unencrypted location.


       CryWrap takes the following options:

   Required options
       --destionation (-d) HOST/PORT
              The destionation host and address, where CryWrap should connect to. Both  arguments
              are required.

   TLS options
       --anon (-a)
              Enables  Anon-DH  mode.  If enabled, no certificate will be sent to the client, and
              only anonymous sessions will be enabled.
              Default is off.

       --cert (-c) PATH

       --key (-k) PATH
              The public certificate to send to clients, and the private server key.
              Default is /etc/crywrap/server.pem, unless --anon is also specified, in which  case
              no certificate will be used.  --ca (-z) PATH
              A  Certificate  Authority  certificate  to  be  used  for  verification  of  client

       --verify (-v) [LEVEL]
              Set the level of client certificate verification. Level one simply logs the result,
              level two and above abort if the certificate could not be verified.
              Default is 0.

   Miscellaneous options
       --inetd (-i)
              Enable  inetd-mode.  Use this if you want to run CryWrap from inetd. If this option
              is not enabled, then --listen is a required option.
              Default is off.

       --listen (-l) HOST/PORT
              The host and port CryWrap should listen on. HOST can be an IPv4 or IPv6 address, or
              a  hostname, and is optional - if unspecified, CryWrap will listen on all available
              addresses. PORT is mandatory.
              This option is required, unless CryWrap was put into inetd mode.

       --pidfile (-P) PIDFILE
              Write the pid thy runs with to PIDFILE.
              Default is /var/run/

       --user (-u) UID
              UID is the numerical user id of the user thy should run as.
              Default is 65534.

       --version (-V)
              Print the version number and exit.

       --help (-?)
              Print a verbose help screen and exit.

              Print a short summary of options.


   Setting up pop3s
       crywrap --listen /995 --destination localhost/110

   Setting up imaps with a different certificate
       crywrap --listen /993 --destination localhost/143 \
            --pem /etc/ssl/certs/imap.pem


              This directory contains the default server key and certificate.


       Probably many.


       Gergely Nagy <>