TLSSRV(8)                                               TLSSRV(8)

     NAME
          tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel - TLS
          server and client

     SYNOPSIS
          tlssrv [ -c cert.pem ] [ -l logfile ] [ -r remotesys ] cmd [
          args ... ]

          tlsclient [ -t trustedkeys ] [ -x excludedkeys ] address

          tlssrvtunnel plain-addr crypt-addr cert.pem

          tlsclienttunnel crypt-addr plain-addr trustedkeys

     DESCRIPTION
          Tlssrv is a helper program, typically exec'd in a
          /bin/service file to establish an SSL or TLS connection
          before launching cmd args; a typical command might start the
          IMAP or HTTP server.  Cert.pem is the server certificate;
          factotum(4) should hold the corresponding private key.  The
          specified logfile is by convention the same as for the tar-
          get server.  Remotesys is mainly used for logging.

          Tlsclient is the reverse of tlssrv: it dials address, starts
          TLS, and then relays between the network connection and
          standard input and output.  If the -t flag (and, optionally,
          the -x flag) is given, the remote server must present a key
          whose SHA1 hash is listed in the file trustedkeys but not in
          the file excludedkeys. See thumbprint(6) for more informa-

          Tlssrvtunnel and tlsclienttunnel use these tools and listen1
          (see listen(8)) to provide TLS network tunnels, allowing
          legacy applications to take advantage of TLS encryption.

     EXAMPLES
          Listen for TLS-encrypted IMAP by creating a server certifi-
          cate /sys/lib/tls/imap.pem and a listener script
          /bin/service.auth/tcp993 containing:

               exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
                   /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \

          Interact with the server, putting the appropriate hash into
          /sys/lib/tls/mail and running:

               tlsclient -t /sys/lib/tls/mail tcp!server!imaps
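
          The -t and -x check described above, sketched in Python as
          an added example (not part of the original manual or of
          the Plan 9 source).  It assumes thumbprint lines of the
          form x509 sha1=<40 hex digits> with # comments, and that
          the hash is taken over the bytes the server presents; the
          function names and sample data are constructed.

```python
import hashlib

def parse_thumbprints(text):
    """Return the set of sha1= values found on x509 lines (assumed format)."""
    prints = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments, tokenize
        if not fields or fields[0] != "x509":
            continue
        for field in fields[1:]:
            key, _, value = field.partition("=")
            value = value.lower()
            # Accept only a full 160-bit digest written as 40 hex digits.
            if (key == "sha1" and len(value) == 40
                    and all(c in "0123456789abcdef" for c in value)):
                prints.add(value)
    return prints

def server_is_trusted(cert_bytes, trusted_text, excluded_text=""):
    """True only if the hash is listed as trusted and not listed as excluded."""
    digest = hashlib.sha1(cert_bytes).hexdigest()
    if digest in parse_thumbprints(excluded_text):
        return False                              # exclusion always wins
    return digest in parse_thumbprints(trusted_text)

def thumb(cert_bytes):
    """Hex SHA1 of the presented bytes, as written into a thumbprint line."""
    return hashlib.sha1(cert_bytes).hexdigest()

# Constructed sample data: stand-ins for certificate bytes, not real certificates.
CERT_MAIL = b"constructed certificate for the mail server"
CERT_WITHDRAWN = b"constructed certificate that was later withdrawn"
CERT_UNKNOWN = b"constructed certificate nobody has pinned"

TRUSTED = f"""# constructed trustedkeys file
x509 sha1={thumb(CERT_MAIL)} cn=mail
x509 sha1={thumb(CERT_WITHDRAWN).upper()} cn=oldmail
x509 sha1=deadbeef cn=truncated-entry
"""
EXCLUDED = f"x509 sha1={thumb(CERT_WITHDRAWN)} cn=oldmail\n"

if __name__ == "__main__":
    for name, cert in [("mail", CERT_MAIL), ("withdrawn", CERT_WITHDRAWN),
                       ("unknown", CERT_UNKNOWN)]:
        print(name, server_is_trusted(cert, TRUSTED, EXCLUDED))
```

          A hash listed in both files is rejected, and a truncated
          sha1= value never matches anything.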

          Create a TLS-encrypted VNC connection from a client on
          kremvax to a server on moscvax:

               mosc% vncs -d :3
               mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \
               krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \
               krem% vncv kremvax:5

          (The port numbers passed to the VNC tools are offset by 5900
          from the actual TCP port numbers.)



     SEE ALSO
          factotum(4), listen(8), rsa(8)
          Unix's stunnel