tlsclient [ -t trustedkeys ] [ -x excludedkeys ] address

tlssrvtunnel plain-addr crypt-addr cert.pem

tlsclienttunnel crypt-addr plain-addr trustedkeys

Tlsclient is the reverse of tlssrv: it dials address, starts TLS, and then relays between the network connection and standard input and output. If the -t flag (and, optionally, the -x flag) is given, the remote server must present a key whose SHA1 hash is listed in the file trustedkeys but not in the file excludedkeys. See thumbprint(6) for more information.

Tlssrvtunnel and tlsclienttunnel use these tools and listen1 (see listen(8)) to provide TLS network tunnels, allowing legacy application to take advantage of TLS encryption.

#!/bin/rc exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \ /bin/ip/imap4d -p -dyourdomain -r`{cat $3/remote} \ >[2]/sys/log/imap4d

Interact with the server, putting the appropriate hash into /sys/lib/tls/mail and running:

tlsclient -t /sys/lib/tls/mail tcp!server!imaps

Create a TLS-encrypted VNC connection from a client on kremvax to a server on moscvax:

mosc% vncs -d :3 mosc% tlssrvtunnel tcp!moscvax!5903 tcp!*!12345 \ /usr/you/lib/cert.pem krem% tlsclienttunnel tcp!moscvax!12345 tcp!*!5905 \ /usr/you/lib/cert.thumb krem% vncv kremvax:5

(The port numbers passed to the VNC tools are offset by 5900 from the actual TCP port numbers.)

/sys/lib/tls