git.thebackupbox.net
tlswrap
git clone git://git.thebackupbox.net/tlswrap
branches: master
two different attempts at trying to keep tlswrap from getting stuck on SSL_accept. at once. why not?
# tlswrap

inspired by:

http://www.rickk.com/sslwrap/

## what this program does

tlswrap will:

- load a cert and key from its arguments.
- attach the part of openssl that speaks TLS to stdin and stdout (using: SSL_set_rfd(0); SSL_set_wfd(1); )
- accept a single connection.
- set a bunch of handy environment variables for the subprocess.
- fork a subprocess off.

then it waits to read data from either the SSL or the subprocess.
when it reads data from the TLS on stdin, it writes it to the subprocess.
when it reads data from the subprocess, it writes it to TLS on stdout.

that's pretty much it.

I use it so I can have inetd handle the port binding
and my inetd-compatible httpd can handle the http.

it kind of makes for a long line. I guess if you don't want long lines in your inetd config you could put it into a script and pretend the script is a config file.

so instead of:

```
443	stream	tcp	nowait	root	/usr/local/bin/tlswrap	tlswrap --verify-mode 0 /etc/ssl/https.crt /etc/ssl/keys/https.key /usr/libexec/httpd
```

you can use:

```
443	stream	tcp	nowait	root	/etc/tlswrap/thebackupbox.net
```

where /etc/tlswrap/thebackupbox.net contains just:

```
#!/usr/bin/env bash
exec tlswrap --verify-mode 0 /etc/ssl/https.crt /etc/ssl/keys/https.key /usr/libexec/httpd
```

## dependencies

on debian (the OpenSSL development package):

```
apt-get install libssl-dev
```

other distros:
??? probably something close. whatever gets you -lssl and the proper headers.
you can probably use wolfssl. I haven't tested. let me know if you do.

## to build:

make

## to install:

make install

## to configure certs per SNI

create a directory whose name matches the servername the client sends, e.g.

/etc/tlswrap/thebackupbox.net

or, if you have a wildcard cert:

/etc/tlswrap/*.thebackupbox.net

inside of this dir create two files named "cert" and "key".
if the SNI lookup fails to find a matching subdir, it falls back to the cert and key specified on the command line.
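The lookup described above, as an added example that is not tlswrap's own code: a shell function that picks the cert/key directory for a given servername (exact dir first, then a literally named `*.parent` dir, then the command-line fallback). The one-label wildcard rule, the literal `*` directory name and the hostname validation are assumptions of this example; the validation matters because the servername comes from the unauthenticated client and is used as a path component.

```shell
#!/bin/sh
# Added example, not part of tlswrap. Resolves the cert/key directory for an
# SNI servername the way the README describes:
#   1. BASE/<servername>/{cert,key}        exact match
#   2. BASE/*.<parent-domain>/{cert,key}   wildcard dir, first label replaced by "*"
#   3. otherwise print FALLBACK (the cert/key given on the command line)
# Assumption: the name is checked against hostname characters and must not
# start with "." or contain "..", since it is used to build a filesystem path.

# tlswrap_certdir BASE SERVERNAME FALLBACK -> prints the chosen directory or FALLBACK
tlswrap_certdir() {
    base=$1; name=$2; fallback=$3
    # Reject empty names, leading dots, "..", and anything outside [A-Za-z0-9.-].
    case "$name" in
        ''|.*|*..*|*[!A-Za-z0-9.-]*) printf '%s\n' "$fallback"; return 0 ;;
    esac
    if [ -f "$base/$name/cert" ] && [ -f "$base/$name/key" ]; then
        printf '%s\n' "$base/$name"; return 0
    fi
    # Wildcard: a directory literally named "*.<parent>" (the "*" is quoted, not globbed).
    case "$name" in
        *.*)
            parent=${name#*.}
            if [ -f "$base/*.$parent/cert" ] && [ -f "$base/*.$parent/key" ]; then
                printf '%s\n' "$base/*.$parent"; return 0
            fi ;;
    esac
    printf '%s\n' "$fallback"
}

# Constructed sample layout in a temp dir standing in for /etc/tlswrap.
DEMO_BASE=$(mktemp -d)
mkdir -p "$DEMO_BASE/thebackupbox.net" "$DEMO_BASE/*.thebackupbox.net"
touch "$DEMO_BASE/thebackupbox.net/cert" "$DEMO_BASE/thebackupbox.net/key"
touch "$DEMO_BASE/*.thebackupbox.net/cert" "$DEMO_BASE/*.thebackupbox.net/key"

tlswrap_certdir "$DEMO_BASE" thebackupbox.net     cmdline   # exact dir
tlswrap_certdir "$DEMO_BASE" git.thebackupbox.net cmdline   # wildcard dir
tlswrap_certdir "$DEMO_BASE" other.example        cmdline   # no dir: cmdline
tlswrap_certdir "$DEMO_BASE" '../../etc/passwd'   cmdline   # rejected: cmdline
```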