Skip to content
/ ktlswrapper Public

A wrapper that enables TLS support (TLS 1.2 with AES 128 GCM) for existing applications without code change.

License

BSD-2-Clause license
23 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

zliuva/ktlswrapper

BranchesTags

Repository files navigation

KTLS Wrapper Build Status

A wrapper that enables TLS support (TLS 1.2 with AES 128 GCM) for existing applications without code change.

Requirements

Kernel 4.17 or above, module tls loaded.

Usage

LD_PRELOAD=</full/path/to/libktlswrapper.so> \
KTLS_WRAPPER_CERT=</full/path/to/tls/cert (PEM format)> \
KTLS_WRAPPER_KEY=</full/path/to/tls/private-key (PEM format)> \
KTLS_WRAPPER_PORT=<port existing application listens on> \
<existing application>

or any other ways to specify environment variables such as systemd unit files; be aware of LD_PRELOAD limitations on setuid executables.

How does it work?

The wrapper hooks into accept/accept4. Before returning the client socket, the wrapper initiates an SSL handshake using mbedtls and enables Kernel TLS on the socket for both sending and receiving, using the established secrets from mbedtls. Any subsequent reads/writes to the socket would have decryption and encryption working transparently.

Why?

Why not?

Is this safe to use on production?

Definitely not. Maybe. Worse things have happened.

About

A wrapper that enables TLS support (TLS 1.2 with AES 128 GCM) for existing applications without code change.

Topics

c tls kernel sockets ld-preload

Resources

Readme

License

BSD-2-Clause license
Activity

Stars

23 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases 1

v0.1 Latest
Jan 6, 2020

Packages

No packages published

Languages