Skip to content
This repository has been archived by the owner on Mar 1, 2021. It is now read-only.


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
TITUS -- Totally Isolated TLS Unwrapping Server

titus is a highly secure network proxy that terminates TLS (SSL)
connections and forwards the unencrypted traffic to some backend.
It is similar in purpose to stud and stunnel.

titus provides heightened security by running in extreme isolation.
The private key is stored in a dedicated process that doesn't talk to
the network, and all private key operations take place in this process.
Furthermore, every connection is handled by a new process that runs
as an unprivileged user in an unwritable and empty root directory.
These security features ensure that if there is a vulnerability in the
TLS processing code, it is very, very unlikely that an attacker could
steal your private key, access the memory of your application, sniff
data from other TLS connections, or otherwise attack your system.

titus aims to be as transparent as possible to the backend application.
Changes to the connection state between the client and titus are reflected
in the connection between titus and the backend, and vice-versa.  This
allows the backend to dictate throttling behavior, maximum connection
behavior, and so on.

On Linux, titus can operate in transparent proxy mode so that the client
IP address is preserved when contacting the backend.  This requires
special configuration with iptables and advanced routing (see TRANSPARENT
PROXY MODE in the titus(8) man page).

titus supports the Elliptic Curve Diffie-Hellman handshake, and also
provides advanced control over TLS settings, such as the Diffie-Hellman
modulus, and the curve used for Elliptic Curve Diffie-Hellman.  This is
handy if your backend's built-in TLS support is lacking.

For technical details about titus' design, see


titus is no longer developed.  Since titus was first released, memory-safe
TLS stacks like Go's crypto/tls and Rust's rustls have matured enough that
the author no longer needs titus.

The last version of titus was 0.4, released on 2020-10-27.


On non-Linux systems, due to the lack of the prctl() syscall, titus cannot
prevent tracing/debugging of one titus process by another titus process.
This substantially reduces the isolation between TLS connections, although
private key operations remain isolated since they run as a separate user.

On FreeBSD 10.2-RELEASE and higher, titus uses procctl with PROC_TRACE_CTL
to disable tracing, which should provide isolation.  However, this has
not undergone security analysis yet and should be considered experimental.


To build from source, see the BUILDING file.


Start with titus.conf.example and modify it to fit your needs.  Also see
the titus(8) man page.

If you're using the Debian package, start with the example config
in /usr/share/doc/titus/examples and place it in /etc/titus.
See /etc/titus/README for details.


Run `titus --config /path/to/titus.conf`.


 * For copyright/license, see COPYING.
 * For build instructions, see BUILDING.
 * For general documentation, see the titus(8) man page.


Totally Isolated TLS Unwrapping Server







No packages published