TLS over unix pipe

opensslpipessltls

Can I use TLS/SSL over Unix pipe with Unix command line?

I want the equivalent of

$ mkfifo /tmp/spipe
$ echo a|openssl s_server -acceptFifo /tmp/spipe &
[1] 25563
$ openssl s_client -connectFifo /tmp/spipe
a
[1]   Done                    echo a|openssl s_server -acceptFifo /tmp/spipe

(Yes, it's not hard to write a short program to do that, but I was hoping it is possible with existing tools)

Let me clarify, I do not want a tcp connection any time in the process. I want to use the TLS/SSL protocol over a UNIX pipe. The client will open a unix pipe, and will connect to the server "listening" on another pipe. I do NOT want to move data from TLS tcp connection to a pipe.

Best Answer

You can use socat.

#client
socat PIPE:/tmp/spipe OPENSSL:server:4443,cafile=server.crt,cert=client.pem

#server
socat -u OPENSSL-LISTEN:4443,reuseaddr,pf=ip4,fork,cert=server.pem,cafile=client.crt PIPE:/tmp/spipe

socat has lots of features, so you could maybe avoid the pipes at all.

EDIT: added the -u (unidirectional) option to server's socat - without it, the pipe works as an echo service.

Related Solutions

How to display server’s TLS certicicate details in terminal

openssl s_client -connect server:port display some informations. Maybe is it sufficient for you. It is not exactly the same format, but it can help.

Problem with pipes. Pipe terminates when reader done

As for the cause, use strace.

tail -f | strace bash >> foo

The second echo echo hello > pToB gives me then this:

rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
read(0, "e", 1)                         = 1
read(0, "c", 1)                         = 1
read(0, "h", 1)                         = 1
read(0, "o", 1)                         = 1
read(0, " ", 1)                         = 1
read(0, "h", 1)                         = 1
read(0, "e", 1)                         = 1
read(0, "l", 1)                         = 1
read(0, "l", 1)                         = 1
read(0, "o", 1)                         = 1
read(0, "\n", 1)                        = 1
write(1, "hello\n", 6)                  = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=3299, si_uid=1000} ---
+++ killed by SIGPIPE +++

So, the second time it tries to write hello\n, it gets a broken pipe error; that's why you can't read hello (it was never written), and bash quits so that's the end of it.

You'd have to use something that keeps the pipe open, I guess.

How about this?

(while read myline; do echo $myline; done) < pToP

For more background information, man 7 pipe may be relevant, it describes the various error cases around pipes.

Best Answer

Related Solutions

How to display server’s TLS certicicate details in terminal

Problem with pipes. Pipe terminates when reader done

Related Question