Some of the tools that are handy to use with TLSd are mentioned here. See their documentation for more information.
To generate the X.509 certificates that mutual authentication needs, one can use GnuTLS:
certtool --generate-privkey --outfile key.pem
certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem
Or OpenSSL:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
Add -nodes (spelled -noenc since OpenSSL 3.0, where -nodes is still accepted but deprecated) to the above command in order to generate an unencrypted key, for use with
To connect to a TLS server with a client certificate, one can also use GnuTLS:
gnutls-cli --insecure --x509keyfile=key.pem --x509certfile=cert.pem --port=5556 localhost
Or OpenSSL:
openssl s_client -key key.pem -cert cert.pem -connect localhost:5556
Or Nmap's ncat (often installed as nc):
nc --ssl --ssl-key key.pem --ssl-cert cert.pem localhost 5556
Note that --insecure tells gnutls-cli to skip server certificate verification, and openssl s_client and ncat keep the connection by default even when verification fails, so as written all three will happily talk to a man in the middle. Once you have the server's self-signed certificate (here called server-cert.pem; compare its fingerprint out of band), pass it as the trust anchor instead: gnutls-cli --x509cafile=server-cert.pem, openssl s_client -CAfile server-cert.pem -verify_return_error, or nc --ssl-verify --ssl-trustfile server-cert.pem.
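The certificate generation and the client connection above are two halves of one procedure, and what sits between them is checking that the key and certificate belong together and getting a fingerprint the other side can pin. The following script is an added example, not part of the TLSd manual: it runs the manual's OpenSSL command non-interactively, verifies the pair, and prints the SHA-256 fingerprint. The NAME-key.pem/NAME-cert.pem file layout, the CN and the "demo" argument are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the TLSd manual: generate an unencrypted
# key and self-signed certificate with OpenSSL, check that the pair
# belongs together, and print the certificate's SHA-256 fingerprint so
# the peer can pin it instead of connecting with --insecure.
# The NAME-key.pem/NAME-cert.pem layout and the CN are assumptions.
set -eu

# gen_selfsigned NAME: write NAME-key.pem and NAME-cert.pem.
# -nodes (-noenc since OpenSSL 3.0) leaves the key unencrypted so a
# daemon can start unattended; -subj avoids the interactive prompts.
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1-key.pem" -out "$1-cert.pem" -days 365 2>/dev/null
}

# fingerprint CERT: colon-separated SHA-256 fingerprint of the DER
# certificate. Compare it out of band before trusting a self-signed
# certificate; the peer sees the same value from the certificate it
# receives during the handshake.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# key_matches_cert KEY CERT: succeed only when the public key inside
# CERT is the one derived from KEY, so a mismatched pair is caught
# before a daemon is started with it.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey |
        openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Demo: run as "sh thisfile.sh demo" to create a server and a client
# pair in a scratch directory and show what each side should pin.
if [ "${1:-}" = "demo" ]; then
    cd "$(mktemp -d)"
    for n in server client; do
        gen_selfsigned "$n"
        key_matches_cert "$n-key.pem" "$n-cert.pem"
        printf '%s certificate SHA-256: %s\n' "$n" "$(fingerprint "$n-cert.pem")"
    done
    pwd
fi
```

The server pins the client certificate and the client pins the server certificate; with two self-signed certificates there is no CA to lean on, so the fingerprint comparison is the whole trust decision.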
It may be handy to set aliases to those commands in your shell.
rlwrap (readline wrapper) improves text input, and makes the
above clients usable for chat-like applications.
Tor hidden services are useful not just for privacy, but also to bypass NATs, and to have the same address anywhere you go. To set up a hidden service, add something like the following to /etc/tor/torrc:
HiddenServiceDir /var/lib/tor/my-service/
HiddenServicePort 5556 127.0.0.1:5556
Reload Tor, and /var/lib/tor/my-service/hostname should contain your new hostname. That directory also holds the service's private key, which is what the onion address is derived from; protect it like the TLS key.
The clients should be able to connect simply by prefixing their commands with torify, and using that hostname. torify may refuse to let a program under it bind to 0.0.0.0, but inbound connections can be allowed in /etc/tor/torsocks.conf (the AllowInbound option). Or just bind to 127.0.0.1, if you don't want direct incoming connections anyway; that also keeps the service reachable only through Tor.
If you wish to remain anonymous, extra care should be taken. This manual doesn’t cover the topic of anonymity.
SSH port forwarding is handy for NAT traversal as well, if you have a remote server: just
ssh -R 5600:0.0.0.0:5600 example.com
forwards connections arriving at the server's port 5600 to your machine. By default sshd binds remote forwards to the loopback interface only, so for that port to be reachable from outside, sshd_config on example.com needs GatewayPorts yes. Anyone who can reach the port then reaches TLSd directly, so the client certificate check is still what authenticates them.