Hi,
Tlswrapper (similar to stunnel) adds TLS encryption functionality to programs without modifying their code.
The fundamental difference against stunnel is in the approach to security.
Tlswrapper s tries to defend against all possible bugs in the TLS library itself and
tries to mitigate the impact of such a bug.
../..
Example of how to use tlswrapper to protect mail protocols:
- run dovecot IMAPS service on port 993, authorization using client certs, and run under user extracted from client certificate from commonName:
tcpserver -HRDl0 0.0.0.0 993 \
/usr/bin/tlswrapper -U commonName -f /etc/ssl/sslcert.pem -a /etc/ssl/ca.pem \
/usr/lib/dovecot/imap
- run old QMAIL qmail-smtpd SMTP service on port 25 with STARTTLS enabled (without patching QMAIL)
tcpserver -HRDl0 0 25 \
tlswrapper -v -n -f /etc/ssl/cert.pem \
tlswrapper-smtp -v -u qmaild \
qmail-smtpd
In the example is used tcpserver (from deb. package ucspi-tcp) but similary can be used from e.g. systemd/inetd/... etc. .
The examples are interesting, maybe tlswrapper documentation should include them.
I can sponsor this, but I have a feeling that won't be accepted before freeze. Let's see.
For the salsa repo: let's keep using yours for now, and see in which team it should go later.
Jérémy