Provided by: tlswrapper_0~20230101-1_amd64 bug

NAME

       tlswrapper-tcp - TLS encryption wrapper - tcp client

SYNOPSIS

       tlswrapper-tcp [ options ] host port

DESCRIPTION

       The  tlswrapper-tcp  is  TCP  client  which  connects to host:port and transfers data from
       standard input to the host and from the host to the standard  output.   it's  designed  to
       work  to  together  with  tlswrapper  and  is from the tlswrapper executed.  Allows you to
       protect    non-TLS    TCP    service    using     TLS     similarly     to     stunnel(8).
       Systemd.socket/inetd/tcpserver/...    creates    the    server    connection,    tlswraper
       encrypts/decrypts data  stream  and  tlswrapper-tcp  creates  the  client  connection  and
       sends/receives unencrypted data to/from the host:port as follows:

       Internet  <-->  systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> tlswrapper-tcp <->
       host:port

OPTIONS

       -q     Quiet mode. No error messages.

       -v     Enable verbose mode. Multiple -v options increase the verbosity. The maximum is 3.

       -t seconds
              Set the network timeout to seconds seconds. (default 3600).

       -T seconds
              Set the connect timeout to seconds seconds. (default 10).

       -p version
              Enable incoming proxy-protocol version version string.

       -P version
              Enable outgoing proxy-protocol version version string.

       -J jaildir
              Chroot     network-process     into     a     specified      jaildir      (default:
              /var/lib/tlswraper/empty).

       -j jailuser
              Run  network-process  and  dnsresolver-process under a specified jailuser's uid and
              gid. If unset run network-process and dnsresolver-process under random uid and gid.

       host   host or IP

       port   TCP port

SECURITY

       Separate process for network connection and separate process for DNS resolving

       To protect against secret-information leaks to the network  connection  (such  Heartbleed)
       tlswrapper-tcp  runs  two  independent  processes.   One process resolves the hostname and
       second creates a connection to host:port.

       JAIL - Privilege separation, filesystem isolation, limits

       The tlswrapper-tcp similarly to tlswrapper processes runs under dedicated non-zero uid  to
       prohibit  kill,  ptrace, etc.  Is chrooted into an empty, unwritable directory to prohibit
       filesystem access.  Sets ulimits to prohibit new files,  sockets,  etc.  Sets  ulimits  to
       prohibit forks.

EXAMPLES

       Run tlswrapper using tcpserver/busybox/inetd on port 443 and connect to non-TLS service ip
       127.0.0.1 and port 80
           tcpserver -HRDl0 0 443 tlswrapper [ options ] tlswrapper-tcp 127.0.0.1 80
           busybox tcpsvd 0 443 tlswrapper [ options ] tlswrapper-tcp 127.0.0.1 80
           inetd.conf line: https stream tcp nowait root /usr/bin/tlswrapper tlswrapper [ options ] /usr/bin/tlswrapper-tcp 127.0.0.1 80

SEE ALSO

       tlswrapper(1)

                                                                                tlswrapper-tcp(1)