
Can I use TLS/SSL over Unix pipe with Unix command line?

I want the equivalent of

$ mkfifo /tmp/spipe
$ echo a|openssl s_server -acceptFifo /tmp/spipe &
[1] 25563
$ openssl s_client -connectFifo /tmp/spipe
a
[1]   Done                    echo a|openssl s_server -acceptFifo /tmp/spipe

(Yes, it's not hard to write a short program to do that, but I was hoping it was possible with existing tools.)

Let me clarify, I do not want a tcp connection any time in the process. I want to use the TLS/SSL protocol over a UNIX pipe. The client will open a unix pipe, and will connect to the server "listening" on another pipe. I do NOT want to move data from TLS tcp connection to a pipe.

Elazar Leibovich

1 Answer


You can use socat.

#client
socat PIPE:/tmp/spipe OPENSSL:server:4443,cafile=server.crt,cert=client.pem

#server
socat -u OPENSSL-LISTEN:4443,reuseaddr,pf=ip4,fork,cert=server.pem,cafile=client.crt PIPE:/tmp/spipe

socat has lots of features, so you could maybe avoid the pipes at all.

EDIT: added the -u (unidirectional) option to server's socat - without it, the pipe works as an echo service.

jofel
  • Your method opens a TCP connection, and does not use unix pipes to move the data. It will move the plaintext data from the tcp TLS connection to a pipe, but it will not use TLS when moving data through the pipe. It's equivalent to `openssl s_client -connect host` and `openssl s_server`. Please correct your answer. – Elazar Leibovich Mar 01 '12 at 14:31
  • Sorry, I misunderstood your question. I think what you want is not possible with socat - so I will delete my answer soon. But why do you want a local ssl pipe? For me, this makes no sense at all. – jofel Mar 01 '12 at 14:38
  • It's really handy for debugging purposes. For instance, you can test an HTTP proxy with `(echo -e 'CONNECT example.com 443 HTTP/1.1';tlsOnPipe)|nc proxyserver 8080`. It can also make sense if you want to use TLS authentication (say, client cert), and to expose your service through tcp and through unix pipes. – Elazar Leibovich Mar 01 '12 at 18:19
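The thread ends with "not possible with socat", but the asker's underlying point holds: TLS is a byte-stream protocol, so its records can be carried over any pipe, no TCP involved. The following is an added example (not from the question, the answer, or either tool) showing that with Python's ssl module, whose MemoryBIO/SSLObject API decouples the TLS engine from sockets: both ends handshake and exchange one message through two anonymous os.pipe() descriptors. It assumes the openssl CLI is installed to mint a throw-away self-signed certificate; `PipeTLS`, `pump` and `run_exchange` are names of this example, not of any library.

```python
import os, ssl, subprocess, tempfile, threading

def make_self_signed(tmpdir):
    # Throw-away key and certificate via the openssl CLI (assumed to be installed).
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-subj", "/CN=localhost", "-days", "1", "-keyout", key,
                    "-out", crt], check=True, capture_output=True)
    return key, crt

class PipeTLS:  # one TLS endpoint whose records travel over a read fd and a write fd
    def __init__(self, ctx, rfd, wfd, server_side, hostname=None):
        self.rfd, self.wfd, self.inp, self.out = rfd, wfd, ssl.MemoryBIO(), ssl.MemoryBIO()
        self.tls = ctx.wrap_bio(self.inp, self.out, server_side, hostname)

    def pump(self, op):
        # Retry op() until it completes, shuttling TLS records between the BIOs and the pipes.
        while True:
            try:
                result = op()
            except ssl.SSLWantReadError:
                result = ssl.SSLWantReadError        # engine needs more bytes from the peer
            if self.out.pending:
                os.write(self.wfd, self.out.read())  # records produced: push them to the peer
            if result is not ssl.SSLWantReadError:
                return result
            chunk = os.read(self.rfd, 65536)         # records from the peer: feed the engine
            if not chunk: raise EOFError("peer closed its pipe")
            self.inp.write(chunk)

def run_exchange(message=b"ping over a pipe"):
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); sctx.load_cert_chain(crt, key)
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT); cctx.load_verify_locations(crt)
        cctx.check_hostname = False   # CN-only test cert; the certificate chain is still verified
        c2s_r, c2s_w = os.pipe(); s2c_r, s2c_w = os.pipe()   # one pipe per direction, no socket
        server, client = PipeTLS(sctx, c2s_r, s2c_w, True), PipeTLS(cctx, s2c_r, c2s_w, False, "localhost")
        def serve():
            try:
                server.pump(server.tls.do_handshake)
                data = server.pump(lambda: server.tls.read(4096))
                server.pump(lambda: server.tls.write(b"echo:" + data))
            finally:
                os.close(s2c_w)       # EOF for the client instead of a hang if serving failed
        threading.Thread(target=serve, daemon=True).start()
        client.pump(client.tls.do_handshake)
        client.pump(lambda: client.tls.write(message))
        reply = client.pump(lambda: client.tls.read(4096))
        return reply, client.tls.version()
```

Everything the server sees arrives through `c2s_r` and everything the client sees through `s2c_r`, so swapping those descriptors for a `mkfifo` pair (one per direction) gives exactly the "server listening on a pipe" setup the question asks for.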