Skip to content

cesanta/ssl_wrapper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
Makefile
Makefile
 
 
README.md
README.md
 
 
net_skeleton.c
net_skeleton.c
 
 
net_skeleton.h
net_skeleton.h
 
 
ssl_wrapper.c
ssl_wrapper.c
 
 
ssl_wrapper.h
ssl_wrapper.h
 
 

Repository files navigation

ssl_wrapper

SSL Wrapper is an application that encrypts any unsecured network communication inside secure SSL tunnel and provides industry-grade authentication mechanism.

SSL wrapper opens a listening port and forwards traffic to the specified target host, in two modes:

  1. Listening port is SSL, target host is plain TCP
  2. Listening port is plain TCP, target host is SSL

SSL wrapper can be used just on one side of communication, or on both sides:

  • on one side (client), SSL wrapper encrypts outgoing client traffic
  • on one side (server), SSL wrapper decrypts incoming server traffic, implementing SSL termination proxy
  • on both sides, two paired SSL wrappers enclose plain TCP traffic into the secure SSL tunnel

Graphics below illustrate how SSL Wrapper works:

Configuration options

Usage: ssl_wrapper <listening_address> <target_address>

Address format is as follows:

[PROTO://][IP:]PORT[:SSL_CERT.PEM][:CA_CERT.PEM]

PROTO is either tcp or ssl. If omitted, tcp is used. For SSL, SSL_CERT.PEM specifies server certificate for listening_address or client certificate for target_address. All certificates must be in PEM format. Server certificate SSL_CERT.PEM file must have both server certificate and private key, in PEM format, concatenated together.

If CA_CERT.PEM is specified, it enables peer certificate authentication. For listening_address it enables client side certificate auth, also known as two-way SSL.

Examples

Enable SSL on a web server (listen on port 443, terminate SSL and forward all traffic to port 80, which is a web port):

   ssl_wrapper ssl://443:server_cert.pem 127.0.0.1:80

Setup SSL man-in-the-middle (MITM) proxy for the external site foo.com, which requires client authentication. By setting up such a proxy, we can connect to foo.com without client-side certificate. Only proxy needs to have client-side certificate:

ssl_wrapper ssl://443:foo_server.pem ssl://foo.com:443:foo_client.pem

Building SSL wrapper

git clone https://github.com/cesanta/net_skeleton.git
git clone https://github.com/cesanta/ssl_wrapper.git
cd ssl_wrapper
make

Note: SSL Wrapper is built on top of Net Skeleton, and therefore it is portable and works on may operating systems including Windows, MacOS, UNIX/LINUX, QNX, eCos, Android, iOS, and more.

License

SSL Wrapper is released under GNU GPL v.2. Businesses have an option to get non-restrictive commercial license and professional support from Cesanta Software.

About

Wrap plain TCP traffic into SSL

Resources

Readme
Activity
Custom properties

Stars

87 stars

Watchers

20 watching

Forks

33 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages