path: root/doc/s6-tlsc.html

<html>
  <head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="Content-Language" content="en" />
    <title>s6-networking: the s6-tlsc program</title>
    <meta name="Description" content="s6-networking: the s6-tlsc program" />
    <meta name="Keywords" content="s6-networking s6-tlsc tlsc tls ssl ucspi tcp inet network tcp/ip client" />
    <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
  </head>
<body>

<p>
<a href="index.html">s6-networking</a><br />
<a href="//skarnet.org/software/">Software</a><br />
<a href="//skarnet.org/">skarnet.org</a>
</p>

<h1> The <tt>s6-tlsc</tt> program </h1>

<p>
<tt>s6-tlsc</tt> is a program that establishes a TLS or SSL
client connection over an existing TCP connection, then execs
into an application. It is meant to make network communications
secure even for applications that do not natively support
TLS/SSL.
</p>

<h2> Interface </h2>

<pre>
     s6-tlsc [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em>
</pre>

<ul>
 <li> s6-tlsc expects to have an open TCP connection it
can talk to on its (by default) descriptors 6 (for reading)
and 7 (for writing). </li>
 <li> It spawns an <a href="s6-tlsc-io.html">s6-tlsc-io</a>
child process that will initiate the TLS connection, perform the
handshake (expecting a TLS server on the other side of the
network) and maintain the TLS tunnel. </li>
 <li> When notified by <a href="s6-tlsc-io.html">s6-tlsc-io</a>
that the handshake has completed, s6-tlsc execs into
<em>prog...</em>. </li>
</ul>

<h2> Exit codes </h2>

<ul>
 <li> 100: wrong usage. </li>
 <li> 111: system call failed. </li>
</ul>

<p>
 If everything goes smoothly, s6-tlsc does not exit, but execs
into <em>prog...</em> instead.
</p>

<h2> Environment variables </h2>

<h3> Read </h3>

<p>
 s6-tlsc does not expect to have any particular
environment variables, but it spawns an
<a href="s6-tlsc-io.html">s6-tlsc-io</a> program that does.
So it should pay attention to the following variables:
</p>

<ul>
 <li> <tt>CADIR</tt> or <tt>CAFILE</tt> </li>
 <li> (if the -y option has been given) <tt>CERTFILE</tt> and <tt>KEYFILE</tt> </li>
 <li> <tt>TLS_UID</tt> and <tt>TLS_GID</tt>
</ul>

<h3> Written </h3>

<p>
 By default, <em>prog...</em> is run with all these
variables <em>unset</em>: CADIR, CAFILE,
KEYFILE, CERTFILE, TLS_UID and TLS_GID. They're passed to
the <a href="s6-tlsc-io.html">s6-tlsc-io</a> child but
not to <em>prog...</em>.
The <tt>-Z</tt> option prevents that behaviour.
</p>

<p>
 However, <em>prog...</em> is run with the following additional
environment variables:
</p>

<ul>
 <li> <tt>SSL_PROTOCOL</tt> contains the protocol version:
TLSv1, TLSv1.1, TLSv1.2... </li>
 <li> <tt>SSL_CIPHER</tt> contains the name of the cipher
used. </li>
 <li> <tt>SSL_TLS_SNI_SERVERNAME</tt> contains <em>servername</em>,
if the <tt>-k</tt> option has been given; otherwise it is removed
from the environment. </li>
 <li> More similar environment variables containing information
about the connection may be added in the future. </li>
</ul>

<h2> Options </h2>

<ul>
 <li> <tt>-v&nbsp;<em>verbosity</em></tt>&nbsp;: Be more or less
verbose. Default for <em>verbosity</em> is 1. 0 is quiet, 2 is
verbose, more than 2 is debug output. This option currently has
no effect. </li>
 <li> <tt>-Z</tt>&nbsp;: do not clean the environment of
the variables used by <a href="s6-tlsc-io.html">s6-tlsc-io</a>
before execing <em>prog...</em>. </li>
 <li> <tt>-z</tt>&nbsp;: clean the environment of
the variables used by <a href="s6-tlsc-io.html">s6-tlsc-io</a>
before execing <em>prog...</em>. This is the default. </li>
 <li> <tt>-S</tt>&nbsp;: send a <tt>close_notify</tt> alert
and break the connection when <em>prog</em> sends EOF. </li>
 <li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
connection without using <tt>close_notify</tt>. This is the default. </li>
 <li> <tt>-Y</tt>&nbsp;: Do not send a client certificate. This is the default. </li>
 <li> <tt>-y</tt>&nbsp;: Send a client certificate. </li>
 <li> <tt>-k&nbsp;<em>servername</em></tt>&nbsp;: use Server Name
Indication, and send <em>servername</em>. The default is not to
use SNI, which may be a security risk. </li>
 <li> <tt>-K&nbsp;<em>kimeout</em></tt>&nbsp;: if the peer fails
to send data for <em>kimeout</em> milliseconds during the handshake,
close the connection. The default is 0, which means infinite timeout
(never kill the connection). This option is ignored by the
<tt>libtls</tt> backend, which does not have a way to interrupt
the handshake after a timeout. </li>
 <li> <tt>-6&nbsp;<em>fdr</em></tt>&nbsp;: expect an open file
descriptor numbered <em>fdr</em> to read network (ciphertext)
data from. Make sure <em>prog</em> also reads its data
from its own fd <em>fdr</em>. Default is 6. </li>
 <li> <tt>-7&nbsp;<em>fdw</em></tt>&nbsp;: expect an open file
descriptor numbered <em>fdw</em> to write network (ciphertext)
data to. Make sure <em>prog</em> also writes its data to
its own fd <em>fdw</em>. Default is 7. </li>
</ul>

<h2> Notes </h2>

<ul>
 <li> The goal of the s6-tlsc interface (and its
server-side companion <a href="s6-tlsd.html">s6-tlsd</a>) is to
make it so that if you have a client, run by the command line
<tt>client...</tt> that speaks a cleartext protocol to a server
run by the command line <tt>server...</tt>, then if the server
has the proper private key and certificate, and the client has
the proper list of trust anchors, you can just change the
client command line to <tt>s6-tlsc client...</tt> and the
server command line to <tt>s6-tlsd server...</tt>
without changing the client or the server themselves, and the
communication between them will be secure. </li>
</ul>

</body>
</html>