forked from AGWA/titus
-
Notifications
You must be signed in to change notification settings - Fork 0
Totally Isolated TLS Unwrapping Server (fork for support of modern versions of OpenSSL)
License
rubicae/titus
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
TITUS -- Totally Isolated TLS Unwrapping Server =============================================== titus is a highly secure network proxy that terminates TLS (SSL) connections and forwards the unencrypted traffic to some backend. It is similar in purpose to stud and stunnel. titus provides heightened security by running in extreme isolation. The private key is stored in a dedicated process that doesn't talk to the network, and all private key operations take place in this process. Furthermore, every connection is handled by a new process that runs as an unprivileged user in an unwritable and empty root directory. These security features ensure that if there is a vulnerability in the TLS processing code, it is very, very unlikely that an attacker could steal your private key, access the memory of your application, sniff data from other TLS connections, or otherwise attack your system. titus aims to be as transparent as possible to the backend application. Changes to the connection state between the client and titus are reflected in the connection between titus and the backend, and vice-versa. This allows the backend to dictate throttling behavior, maximum connection behavior, and so on. On Linux, titus can operate in transparent proxy mode so that the client IP address is preserved when contacting the backend. This requires special configuration with iptables and advanced routing (see TRANSPARENT PROXY MODE in the titus(8) man page). titus supports the Elliptic Curve Diffie-Hellman handshake, and also provides advanced control over TLS settings, such as the Diffie-Hellman modulus, and the curve used for Elliptic Curve Diffie-Hellman. This is handy if your backend's built-in TLS support is lacking. CURRENT STATUS The current version of titus is 0.3, released on 2015-11-28. titus aims to be bug-free and secure, though it is lacking in features and needs additional performance optimization. Additionally, we may make backwards-incompatible changes to the behavior before titus reaches version 1.0 NON-LINUX WARNING On non-Linux systems, due to the lack of the prctl() syscall, titus cannot prevent tracing/debugging of one titus process by another titus process. This substantially reduces the isolation between TLS connections, although private key operations remain isolated since they run as a separate user. On FreeBSD 10.2-RELEASE and higher, titus uses procctl with PROC_TRACE_CTL to disable tracing, which should provide isolation. However, this has not undergone security analysis yet and should be considered experimental. A future version of titus will provide full isolation even on non-Linux systems. INSTALLING TITUS If you use Debian or Ubuntu, see https://www.opsmate.com/titus/#getting for information about installing the titus .deb package. Using the .deb package is highly recommended since it comes with a handy init script. To build from source, see the BUILDING file. CONFIGURING TITUS Start with titus.conf.example and modify it to fit your needs. Also see the titus(8) man page. If you're using the Debian package, start with the example config in /usr/share/doc/titus/examples and place it in /etc/titus. See /etc/titus/README for details. RUNNING TITUS Run `titus --config /path/to/titus.conf`. If you're using the Debian package, use the init script to start/stop titus like any other service. PROJECT RESOURCES Home page: https://www.opsmate.com/titus Git repository: https://agwa.name/git/titus.git https://github.com/AGWA/titus.git (mirror) GitHub project: https://github.com/AGWA/titus Issue tracker: https://github.com/AGWA/titus/issues Announce list: https://lists.cloudmutt.com/mailman/listinfo/titus-announce Discuss list: https://lists.cloudmutt.com/mailman/listinfo/titus-discuss For help or questions, send mail to the discuss list <[email protected]>. To report a bug or make a feature request, please open an issue at GitHub or send mail to the discuss list. To contribute code, please send a properly-formatted patch to the discuss list, or open a pull request at GitHub. AUTHOR titus was written by Andrew Ayer <[email protected]>. FURTHER DOCUMENTATION * For copyright/license, see COPYING. * For build instructions, see BUILDING. * For general documentation, see the titus(8) man page.
About
Totally Isolated TLS Unwrapping Server (fork for support of modern versions of OpenSSL)
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published
Languages
- C++ 89.7%
- Roff 9.7%
- Makefile 0.6%