
Bug#1001503: ITP: tlswrapper -- TLS encryption wrapper
On Fri, 23 Dec 2022 at 13:53, Jan Mojzis <jan.mojzis@gmail.com> wrote:
Hi,

Tlswrapper (similar to stunnel) adds TLS encryption functionality to programs without modifying their code.

The fundamental difference against stunnel is in the approach to security.
Tlswrapper tries to defend against all possible bugs in the TLS library itself and
tries to mitigate the impact of such a bug.
../..
Example of how to use tlswrapper to protect mail protocols:

- run dovecot IMAPS service on port 993, authorization using client certs, and run under the user extracted from the client certificate's commonName:
tcpserver -HRDl0 0.0.0.0 993 \
/usr/bin/tlswrapper -U commonName -f /etc/ssl/sslcert.pem -a /etc/ssl/ca.pem \
/usr/lib/dovecot/imap

- run old QMAIL qmail-smtpd SMTP service on port 25 with STARTTLS enabled (without patching QMAIL)
tcpserver -HRDl0 0 25 \
tlswrapper -v -n -f /etc/ssl/cert.pem \
tlswrapper-smtp -v -u qmaild \
qmail-smtpd

In the examples tcpserver (from the deb. package ucspi-tcp) is used, but it can similarly be used from e.g. systemd/inetd/... etc.

The examples are interesting, maybe tlswrapper documentation should include them.
I can sponsor this, but I have a feeling that won't be accepted before freeze. Let's see.

For the salsa repo: let's keep using yours for now, and see in which team it should go later.

Jérémy
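The IMAPS example above hands the commonName of a CA-signed client certificate to tlswrapper's -U option, which then runs the service as that local user; the CA given with -a is therefore the authentication authority. The POSIX sh snippet below is an added illustration, not code from tlswrapper or from this thread, of the sanity check a deployer would want around that mapping: it parses an "openssl x509 -noout -subject" style line (constructed sample inputs are embedded), extracts the CN, and only accepts it if it is a plain, unprivileged Unix username. The cn_to_user function name and the policy of refusing root are assumptions for the example; whatever validation tlswrapper itself applies is not described here.

```shell
#!/bin/sh
# Added example (not part of the tlswrapper project): validate the commonName
# taken from a client certificate before it is used as a local username.
# Input : one subject line as printed by "openssl x509 -noout -subject", e.g.
#           subject=CN = alice, O = Example        (current OpenSSL spelling)
#           subject= /C=CZ/O=Example/CN=alice      (older slash-separated form)
# Output: the username on stdout and exit status 0, or exit status 1 when the
#         CN is missing or is not a safe, unprivileged account name.

cn_to_user() {
    subject=$1
    # Extract the CN attribute; stop at the next "," or "/" so that neither
    # the following attribute nor a path-like value is swallowed.
    cn=$(printf '%s\n' "$subject" \
        | sed -n 's|.*[=/, ]CN *= *\([^,/]*\).*|\1|p' \
        | sed 's/[[:space:]]*$//')

    case $cn in
        '')               return 1 ;;   # no CN attribute at all
        root)             return 1 ;;   # policy (assumed): never map to root
        [!a-z_]*)         return 1 ;;   # must start with a lowercase letter or "_"
        *[!a-z0-9_-]*)    return 1 ;;   # only [a-z0-9_-] allowed (no "/", ".", spaces)
    esac
    printf '%s\n' "$cn"
}

# Demonstration on constructed subject lines.
for s in 'subject=CN = alice, O = Example' \
         'subject= /C=CZ/O=Example/CN=mail_user1' \
         'subject=CN = root, O = Example' \
         'subject=CN = ../etc, O = Example'
do
    if user=$(cn_to_user "$s"); then
        printf 'accept: %s -> run as %s\n' "$s" "$user"
    else
        printf 'reject: %s\n' "$s"
    fi
done
```

On a real host the accepted name would additionally be checked against the password database (for example with getent passwd) before the service is started, and the CA listed with -a should only ever sign certificates whose CN is an account intended for that service.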
