Provided by: tlswrapper_0~20230101-1_amd64
NAME
tlswrapper-tcp - TLS encryption wrapper - tcp client
SYNOPSIS
tlswrapper-tcp [ options ] host port
DESCRIPTION
The tlswrapper-tcp is TCP client which connects to host:port and transfers data from standard input to the host and from the host to the standard output. it's designed to work to together with tlswrapper and is from the tlswrapper executed. Allows you to protect non-TLS TCP service using TLS similarly to stunnel(8). Systemd.socket/inetd/tcpserver/... creates the server connection, tlswraper encrypts/decrypts data stream and tlswrapper-tcp creates the client connection and sends/receives unencrypted data to/from the host:port as follows: Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> tlswrapper-tcp <-> host:port
OPTIONS
-q Quiet mode. No error messages. -v Enable verbose mode. Multiple -v options increase the verbosity. The maximum is 3. -t seconds Set the network timeout to seconds seconds. (default 3600). -T seconds Set the connect timeout to seconds seconds. (default 10). -p version Enable incoming proxy-protocol version version string. -P version Enable outgoing proxy-protocol version version string. -J jaildir Chroot network-process into a specified jaildir (default: /var/lib/tlswraper/empty). -j jailuser Run network-process and dnsresolver-process under a specified jailuser's uid and gid. If unset run network-process and dnsresolver-process under random uid and gid. host host or IP port TCP port
SECURITY
Separate process for network connection and separate process for DNS resolving To protect against secret-information leaks to the network connection (such Heartbleed) tlswrapper-tcp runs two independent processes. One process resolves the hostname and second creates a connection to host:port. JAIL - Privilege separation, filesystem isolation, limits The tlswrapper-tcp similarly to tlswrapper processes runs under dedicated non-zero uid to prohibit kill, ptrace, etc. Is chrooted into an empty, unwritable directory to prohibit filesystem access. Sets ulimits to prohibit new files, sockets, etc. Sets ulimits to prohibit forks.
EXAMPLES
Run tlswrapper using tcpserver/busybox/inetd on port 443 and connect to non-TLS service ip 127.0.0.1 and port 80 tcpserver -HRDl0 0 443 tlswrapper [ options ] tlswrapper-tcp 127.0.0.1 80 busybox tcpsvd 0 443 tlswrapper [ options ] tlswrapper-tcp 127.0.0.1 80 inetd.conf line: https stream tcp nowait root /usr/bin/tlswrapper tlswrapper [ options ] /usr/bin/tlswrapper-tcp 127.0.0.1 80
SEE ALSO
tlswrapper(1) tlswrapper-tcp(1)