Next: , Previous: , Up: Top  


6 Common tools

Some of the tools that are handy to use with TLSd are mentioned here. See their documentation for more information.

6.1 Certificate generation

To generate X.509 certificates that are needed for mutual authentication, one can use GnuTLS:

certtool --generate-privkey --outfile key.pem
certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem

Or OpenSSL:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

Add -nodes to the above command in order to generate an unencrypted key, for use with tlsd.

6.2 Client connection

To connect to a TLS server, one can also use GnuTLS:

gnutls-cli --insecure --x509keyfile=key.pem --x509certfile=cert.pem \
--port=5556 localhost

Or OpenSSL:

openssl s_client -key key.pem -cert cert.pem -connect localhost:5556

Or ncat:

nc --ssl --ssl-key key.pem --ssl-cert cert.pem localhost 5556

It may be handy to set aliases to those commands in your shell.

6.2.1 rlwrap

rlwrap (readline wrapper) improves text input, and makes the above clients usable for chat-like applications.

6.3 Tor

Tor hidden services are useful not just for privacy, but also to bypass NATs, and to have the same address anywhere you go. To setup a hidden service, simply add into /etc/tor/torrc something like the following:

HiddenServiceDir /var/lib/tor/my-service/
HiddenServicePort 5556 127.0.0.1:5556

Reload Tor, and /var/lib/tor/my-service/hostname should contain your new hostname.

The clients should be able to connect simply by prefixing their commands with torify, and using that hostname.

When running torify tlsd, torify may not like binding it to 0.0.0.0, but it can be allowed in /etc/tor/torsocks.conf. Or just bind to 127.0.0.1, if you don’t want direct incoming connections anyway.

If you wish to remain anonymous, extra care should be taken. This manual doesn’t cover the topic of anonymity.

6.4 SSH

SSH port forwarding is handy for NAT traversal as well, if you have a remote server: just ssh -R 5600:0.0.0.0:5600 example.com to forward incoming connections to your machine.


Next: , Previous: , Up: Top