TLSPROXYD(8)                                                      TLSPROXYD(8)

NAME
       tlsproxyd - proxying daemon for TLS

SYNOPSIS
       tlsproxyd -h | [ -d ] [ -f file ] [ -p ]

DESCRIPTION
       tlsproxyd accepts TCP connections from remote hosts, negotiates
       SSLv2/TLS secured communications with the peer, and proxies data from
       the encrypted connection to a conventional TCP connection with another
       service, allowing existing services to be `retrofitted' with TLS
       support.

       It differs from other approaches, such as stunnel(8), in that it is a
       long-running daemon rather than a service run from inetd(8). This
       makes it much more convenient where the cryptographic key and
       signature are protected by a passphrase, since it can read the
       passphrase from the terminal at startup.

       tlsproxyd reads its configuration, including the definitions of
       services to proxy, from a configuration file, by default
       /etc/tlsproxyd.conf.

OPTIONS
       -h     Print a summary of usage.

       -d     Do not fork to become a daemon, but stay attached to a
              controlling terminal and print log messages to standard error
              as well as to the syslog.

       -f file
              Read configuration from file instead of from
              /etc/tlsproxyd.conf.

       -p     Do not attempt to read pass phrases from the terminal, but
              instead fail if a pass phrase is required.

CONFIGURATION
       tlsproxyd reads its configuration from a file; the name of the file
       may be selected at run time using the -f option. The configuration
       file consists of definitions of run-time parameters, of proxying
       services, and optional comments introduced by `#'.

PARAMETERS
       Parameters are defined by statements of the form:

              parameter = value

       The following parameters are defined:

       log-facility
              The facility code under which tlsproxyd will log diagnostic
              messages. Possible values are: mail, authpriv, daemon, user,
              and local0 through local7 inclusive. If no value is specified,
              the value daemon will be used. See openlog(3).

       certificate
              The name of a PEM file containing the certificate to be used
              by tlsproxyd. Mandatory.
       private-key
              The name of a PEM file containing the private key to be used.
              Optional; if not specified, the private key is assumed to be in
              the same file as the certificate.

       pid-file
              The name of a file in which tlsproxyd should record its PID.
              Optional; if not specified, no PID file will be used.

       max-processes
              The maximum number of child processes; this is a limit on the
              maximum number of concurrent proxy connections. Mandatory.

       timeout
              The maximum interval in seconds between transmissions by the
              proxied service before the connection is automatically
              dropped. Optional; if not set, defaults to 60 seconds.

       user   The user name or UID under which tlsproxyd will run after it
              initialises. Mandatory; tlsproxyd will refuse to run as root.

       group  The group name or GID under which tlsproxyd will run after it
              initialises. Mandatory; tlsproxyd will refuse to run as group
              0.

PROXYING SERVICES
       The syntax for a proxy service definition is:

              host:port -> host:port

       The left hand host and port denote an address on which tlsproxyd will
       listen for incoming connections. When a connection arrives, tlsproxyd
       negotiates a secured connection with the peer; it then connects to
       the right hand host and port and relays data between the two. Since
       the right hand connection is a conventional, unencrypted TCP
       connection, in most cases you will want the right hand host to be
       either localhost or a nearby host on a secured network.

       Hosts and ports may be specified numerically or as symbolic names.

SIGNALS
       SIGTERM, SIGINT
              Cause the daemon to exit; active connections will continue
              until closed.

       SIGHUP Causes the daemon to restart and reread its configuration
              file.

FILES
       /etc/tlsproxyd.conf

SEE ALSO
       stunnel(8), inetd(8), http://www.ex-parrot.com/~chris/tlsproxyd/.
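The configuration file format described under CONFIGURATION, PARAMETERS and PROXYING SERVICES can be checked before the daemon is started, which avoids discovering a bad `user` or a missing `certificate` only after a SIGHUP restart. The validator below is an added example written for this page, not tlsproxyd's own parser; it assumes the syntax exactly as documented (one `parameter = value` or `host:port -> host:port` statement per line, `#` comments) and applies the documented constraints: mandatory parameters, the `log-facility` value list, the 60 second default `timeout`, and the refusal to run as root or group 0. The sample configurations, the file paths and hostnames in them, and the warning for a right hand host that is not localhost are constructed for this example.

```python
"""Validator for a tlsproxyd.conf-style file (added example, not the daemon's own code).

The syntax and the checks follow the tlsproxyd(8) manual; the sample files,
paths and hostnames below are constructed, and the warning about a non-local
right hand host is an added heuristic based on the manual's advice.
"""
import re
from dataclasses import dataclass, field

LOG_FACILITIES = {"mail", "authpriv", "daemon", "user", *(f"local{i}" for i in range(8))}
MANDATORY = ("certificate", "max-processes", "user", "group")
KNOWN = {*MANDATORY, "log-facility", "private-key", "pid-file", "timeout"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# host:port -> host:port ; hosts and ports may be numeric or symbolic
SERVICE_RE = re.compile(
    r"^(?P<lhost>[^:\s]+):(?P<lport>\S+)\s*->\s*(?P<rhost>[^:\s]+):(?P<rport>\S+)$")


@dataclass
class Config:
    params: dict = field(default_factory=dict)
    services: list = field(default_factory=list)   # (listen_host, listen_port, to_host, to_port)
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def _resolves_to_zero(value, kind):
    """True if `value` (a name or numeric id) is UID 0 (kind="user") or GID 0 (kind="group")."""
    if value.isdigit():
        return int(value) == 0
    try:
        import grp, pwd
        ident = pwd.getpwnam(value).pw_uid if kind == "user" else grp.getgrnam(value).gr_gid
        return ident == 0
    except (ImportError, KeyError):    # not resolvable on this host: fall back to the literal name
        return value == "root"


def _validate(cfg):
    p = cfg.params
    for key in MANDATORY:
        if key not in p:
            cfg.errors.append(f"missing mandatory parameter {key!r}")
    fac = p.setdefault("log-facility", "daemon")        # manual: defaults to daemon
    if fac not in LOG_FACILITIES:
        cfg.errors.append(f"log-facility {fac!r} is not a recognised facility")
    mp = p.get("max-processes", "1")                    # absence already reported above
    if not (mp.isdigit() and int(mp) > 0):
        cfg.errors.append(f"max-processes must be a positive integer, got {mp!r}")
    to = p.setdefault("timeout", "60")                  # manual: defaults to 60 seconds
    if not to.isdigit():
        cfg.errors.append(f"timeout must be an integer number of seconds, got {to!r}")
    if "user" in p and _resolves_to_zero(p["user"], "user"):
        cfg.errors.append("tlsproxyd will refuse to run as root; choose an unprivileged user")
    if "group" in p and _resolves_to_zero(p["group"], "group"):
        cfg.errors.append("tlsproxyd will refuse to run as group 0; choose an unprivileged group")
    if not cfg.services:
        cfg.warnings.append("no proxy services defined; the daemon would have nothing to do")
    for lhost, lport, rhost, rport in cfg.services:
        if rhost not in LOCAL_HOSTS:                    # the right hand leg is plain TCP
            cfg.warnings.append(f"{lhost}:{lport} relays unencrypted to {rhost}:{rport}; "
                                "the manual recommends localhost or a host on a secured network")


def parse_config(text):
    """Parse configuration text; returns a Config with params, services, errors and warnings."""
    cfg = Config()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()             # `#` introduces a comment
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            cfg.services.append((m["lhost"], m["lport"], m["rhost"], m["rport"]))
        elif "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key not in KNOWN:
                cfg.errors.append(f"line {lineno}: unknown parameter {key!r}")
            elif key in cfg.params:
                cfg.errors.append(f"line {lineno}: parameter {key!r} defined twice")
            else:
                cfg.params[key] = value
        else:
            cfg.errors.append(f"line {lineno}: cannot parse {line!r}")
    _validate(cfg)
    return cfg


# Constructed sample configurations (paths and hostnames are hypothetical).
SAMPLE_GOOD = """\
log-facility  = daemon
certificate   = /etc/tlsproxyd/cert.pem
private-key   = /etc/tlsproxyd/key.pem
pid-file      = /var/run/tlsproxyd.pid
max-processes = 32
user          = nobody
group         = nogroup
# TLS front ends for the plaintext IMAP and POP3 daemons on this host
0.0.0.0:imaps -> localhost:imap
0.0.0.0:pop3s -> localhost:pop3
"""

SAMPLE_BAD = """\
certificate = /etc/tlsproxyd/cert.pem
max-processes = lots
user = root
group = 0
log-facility = syslog
0.0.0.0:https -> mailhost.example.org:http
this line is junk
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        cfg = parse_config(text)
        print(f"{name}: {len(cfg.errors)} error(s), {len(cfg.warnings)} warning(s)")
        for msg in cfg.errors + cfg.warnings:
            print("  ", msg)
```

Running the module reports no errors for the first sample and five for the second (an unparseable line, a bad `log-facility`, a non-numeric `max-processes`, and the root user and group 0 that the daemon would refuse), plus a warning that the HTTPS service relays in the clear to a remote host. The user and group checks resolve names through the local password database where one is available, so a name that is not on the checking host falls back to a literal comparison with `root`.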
AUTHOR
       Chris Lightfoot <chris@ex-parrot.com>

VERSION
       $Id: tlsproxyd.8,v 1.5 2002/06/11 13:52:19 chris Exp $

COPYING
       This program is free software; you can redistribute it and/or modify
       it under the terms of the GNU General Public License as published by
       the Free Software Foundation; either version 2 of the License, or (at
       your option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License
       along with this program; if not, write to the Free Software
       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.