Skip to content

zliuva/ktlswrapper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits

.github/workflows

.github/workflows

 
 

mbedtls @ 04a049b

mbedtls @ 04a049b

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

.travis.yml

.travis.yml

 
 

CMakeLists.txt

CMakeLists.txt

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

ktlswrapper.c

ktlswrapper.c

 
 

ktlswrapper.version

ktlswrapper.version

 
 

Repository files navigation

KTLS Wrapper Build Status

A wrapper that enables TLS support (TLS 1.2 with AES 128 GCM) for existing applications without code change.

Requirements

Kernel 4.17 or above, module tls loaded.

Usage

LD_PRELOAD=</full/path/to/libktlswrapper.so> \
KTLS_WRAPPER_CERT=</full/path/to/tls/cert (PEM format)> \
KTLS_WRAPPER_KEY=</full/path/to/tls/private-key (PEM format)> \
KTLS_WRAPPER_PORT=<port existing application listens on> \
<existing application>

or any other ways to specify environment variables such as systemd unit files; be aware of LD_PRELOAD limitations on setuid executables.

How does it work?

The wrapper hooks into accept/accept4. Before returning the client socket, the wrapper initiates an SSL handshake using mbedtls and enables Kernel TLS on the socket for both sending and receiving, using the established secrets from mbedtls. Any subsequent reads/writes to the socket would have decryption and encryption working transparently.

Why?

Why not?

Is this safe to use on production?

Definitely not. Maybe. Worse things have happened.

About

A wrapper that enables TLS support (TLS 1.2 with AES 128 GCM) for existing applications without code change.

Topics

c tls kernel sockets ld-preload

Resources

Readme

License

BSD-2-Clause license
Activity

Stars

23 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases 1

v0.1 Latest
Jan 6, 2020

Packages

No packages published

Languages