s6-networking
Software
skarnet.org

The s6-tlsc program

s6-tlsc is a program that establishes a TLS or SSL client connection over an existing TCP connection, then execs into an application. It is meant to make network communications secure even for applications that do not natively support TLS/SSL.

Interface

     s6-tlsc [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v verbosity ] [ -K kimeout ] [ -k servername ] [ -6 rfd ] [ -7 wfd ] [ -- ] prog...

• s6-tlsc expects to have an open TCP connection it can talk to on its (by default) descriptors 6 (for reading) and 7 (for writing).
• It spawns a s6-tlsc-io child process that will initiate the TLS connection, perform the handshake (expecting a TLS server on the other side of the network) and maintain the TLS tunnel.
• When notified by s6-tlsc-io that the handshake has completed, s6-tlsc execs into prog....

Exit codes

• 100: wrong usage.
• 111: system call failed.

If everything goes smoothly, s6-tlsc does not exit, but execs into prog... instead.

Environment variables

Read

s6-tlsc does not expect to have any particular environment variables, but it spawns a s6-tlsc-io program that does. So it should pay attention to the following variables:

• CADIR or CAFILE
• (if the -y option has been given) CERTFILE and KEYFILE
• TLS_UID and TLS_GID

Written

By default, prog... is run with all these variables unset: CADIR, CAFILE, KEYFILE, CERTFILE, TLS_UID and TLS_GID. They're passed to the s6-tlsc-io child but not to prog.... The -Z option prevents that behaviour.

However, prog... is run with the following additional environment variables:

• SSL_PROTOCOL contains the protocol version: TLSv1, TLSv1.1, TLSv1.2...
• SSL_CIPHER contains the name of the cipher used.
• SSL_TLS_SNI_SERVERNAME contains the required SNI server name, if any, or is empty otherwise.
• More similar environment variables containing information about the connection may be added in the future.

Options

• -v verbosity : Be more or less verbose. Default for verbosity is 1. 0 is quiet, 2 is verbose, more than 2 is debug output. This option currently has no effect.
• -Z : do not clean the environment of the variables used by s6-tlsc-io before execing prog....
• -z : clean the environment of the variables used by s6-tlsc-io before execing prog.... This is the default.
• -S : send a close_notify alert and break the connection when prog sends EOF.
• -s : transmit EOF by half-closing the TCP connection without using close_notify. This is the default.
• -Y : Do not send a client certificate. This is the default.
• -y : Send a client certificate.
• -k servername : use Server Name Indication, and send servername. The default is not to use SNI, which may be a security risk.
• -K kimeout : if the peer fails to send data for kimeout milliseconds during the handshake, close the connection. The default is 0, which means infinite timeout (never kill the connection). This option is ignored by the libtls backend, which does not have a way to interrupt the handshake after a timeout.
• -6 fdr : expect an open file descriptor numbered fdr to read network (ciphertext) data from. Make sure prog also reads its data from its own fd fdr. Default is 6.
• -7 fdw : expect an open file descriptor numbered fdw to write network (ciphertext) data to. Make sure prog also writes its data to its own fd fdw. Default is 7.

Notes

• The goal of the s6-tlsc interface (and its server-side companion s6-tlsd) is to make it so that if you have a client, run by the command line client... that speaks a cleartext protocol to a server run by the command line server..., then if the server has the proper private key and certificate, and the client has the proper list of trust anchors, you can just change the client command line to s6-tlsc client... and the server command line to s6-tlsd server... without changing the client or the server themselves, and the communication between them will be secure.