Skip to content

A wrapper that enables TLS support (TLS 1.2 with AES 128 GCM) for existing applications without code change.

License

Notifications You must be signed in to change notification settings

zliuva/ktlswrapper

Repository files navigation

KTLS Wrapper Build Status

A wrapper that enables TLS support (TLS 1.2 with AES 128 GCM) for existing applications without code change.

Requirements

Kernel 4.17 or above, module tls loaded.

Usage

LD_PRELOAD=</full/path/to/libktlswrapper.so> \
KTLS_WRAPPER_CERT=</full/path/to/tls/cert (PEM format)> \
KTLS_WRAPPER_KEY=</full/path/to/tls/private-key (PEM format)> \
KTLS_WRAPPER_PORT=<port existing application listens on> \
<existing application>

or any other ways to specify environment variables such as systemd unit files; be aware of LD_PRELOAD limitations on setuid executables.

How does it work?

The wrapper hooks into accept/accept4. Before returning the client socket, the wrapper initiates an SSL handshake using mbedtls and enables Kernel TLS on the socket for both sending and receiving, using the established secrets from mbedtls. Any subsequent reads/writes to the socket would have decryption and encryption working transparently.

Why?

Why not?

Is this safe to use on production?

Definitely not. Maybe. Worse things have happened.

About

A wrapper that enables TLS support (TLS 1.2 with AES 128 GCM) for existing applications without code change.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published