Hi,

Tlswrapper (similar to stunnel) adds TLS encryption functionality to programs without modifying their code.

The fundamental difference against stunnel is in the approach to security. Tlswrapper tries to defend against all possible bugs in the TLS library itself and tries to mitigate the impact of such a bug. It uses the capabilities that the Unix OS has:

# Separate process for every connection

The tlswrapper is executed from systemd.socket/inetd/tcpserver/... which runs a separate instance of tlswrapper for each TLS connection. It ensures that a vulnerability in the code (e.g. a bug in the TLS library) can't be used to compromise the memory of another connection.

# Separate process for network connection and separate process for secret-key operation

To protect against secret-information leaks to the network connection (such as Heartbleed) tlswrapper runs two independent processes for every TLS connection. One process holds the secret keys and runs secret-key operations, and the second talks to the network. The processes communicate with each other through UNIX pipes.

# JAIL - Privilege separation, filesystem isolation, limits

The tlswrapper processes:
- run under a dedicated non-zero uid to prohibit kill, ptrace, etc.
- are chrooted into an empty, unwritable directory to prohibit filesystem access.
- set ulimits to prohibit new files, sockets, etc.
- set ulimits to prohibit forks.

Example of how to use tlswrapper to protect mail protocols:

- run the dovecot IMAPS service on port 993, authorization using client certs, and run under the user extracted from the client certificate's commonName:

  tcpserver -HRDl0 0.0.0.0 993 \
    /usr/bin/tlswrapper -U commonName -f /etc/ssl/sslcert.pem -a /etc/ssl/ca.pem \
    /usr/lib/dovecot/imap

- run the old QMAIL qmail-smtpd SMTP service on port 25 with STARTTLS enabled (without patching QMAIL):

  tcpserver -HRDl0 0 25 \
    tlswrapper -v -n -f /etc/ssl/cert.pem \
    tlswrapper-smtp -v -u qmaild \
    qmail-smtpd

In the example tcpserver (from the deb. package ucspi-tcp) is used, but it can similarly be run from e.g. systemd/inetd/... etc.

Jan

> On 23. 12. 2022, at 10:02, Jérémy Lal <kapo...@melix.org> wrote:
>
> Package: wnpp
> Followup-For: Bug #1001503
>
> Can you explain a bit more how one will be able to use tlswrapper ?
>
> Maybe compare it to available solutions like stunnel ?
>
> Thanks,
>
> Jérémy
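Added example, not tlswrapper's own code nor part of the mail thread: a C sketch of the jail Jan describes, run in a forked child that reports back to an unjailed parent over a pipe (the same process-plus-pipe shape as the network/key split). The child chroots and drops to a dedicated uid/gid only when it runs as root, then clamps RLIMIT_NOFILE and RLIMIT_NPROC to zero and probes what is now forbidden; "/var/empty" and uid/gid 65534 are placeholders chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Result of probing what the jail forbids; errno 0 means the call succeeded. */
struct probe { int open_errno; int socket_errno; int fork_errno; int chrooted; };

/* Apply the jail: chroot into an empty directory and drop to a dedicated non-zero
 * uid/gid when running as root (skipped otherwise), then clamp rlimits so no new
 * descriptors (files, sockets) and no new processes can be created.
 * Returns 1 if chrooted, 0 if not, -1 on error. */
static int apply_jail(const char *empty_dir, uid_t uid, gid_t gid) {
    struct rlimit zero = { 0, 0 };
    int chrooted = 0;
    if (geteuid() == 0) {
        if (chroot(empty_dir) == 0 && chdir("/") == 0) chrooted = 1;
        if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    }
    if (setrlimit(RLIMIT_NPROC, &zero) != 0) return -1;   /* no fork()  */
    if (setrlimit(RLIMIT_NOFILE, &zero) != 0) return -1;  /* no new fds */
    return chrooted;
}

/* Run the jail in a forked child (the parent never enters it) and collect the
 * child's probe results over a pipe opened before the limits took effect;
 * writing to an already-open descriptor is unaffected by RLIMIT_NOFILE. */
static int probe_jail(struct probe *out) {
    int fds[2]; pid_t pid;
    if (pipe(fds) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {
        struct probe p = { 0, 0, 0, 0 }; pid_t grandchild;
        close(fds[0]);
        /* "/var/empty" and 65534 are placeholders for this example. */
        p.chrooted = apply_jail("/var/empty", 65534, 65534);
        errno = 0; if (open("/dev/null", O_RDONLY) < 0) p.open_errno = errno;
        errno = 0; if (socket(AF_INET, SOCK_STREAM, 0) < 0) p.socket_errno = errno;
        errno = 0; grandchild = fork();
        if (grandchild < 0) p.fork_errno = errno;     /* EAGAIN for non-root */
        else if (grandchild == 0) _exit(0);
        (void)write(fds[1], &p, sizeof p);
        _exit(0);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}
```

Both open() and socket() fail with EMFILE once the descriptor limit is zero; fork() fails with EAGAIN for an unprivileged uid, while a root process may keep CAP_SYS_RESOURCE and bypass RLIMIT_NPROC, which is why the uid drop comes first.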