SSL Wrapper is an application that encrypts any unsecured network communication inside a secure SSL tunnel and provides an industry-grade authentication mechanism.
SSL wrapper opens a listening port and forwards traffic to the specified target host, in one of two modes:
- Listening port is SSL, target host is plain TCP
- Listening port is plain TCP, target host is SSL
SSL wrapper can be used just on one side of communication, or on both sides:
- on one side (client), SSL wrapper encrypts outgoing client traffic
- on one side (server), SSL wrapper decrypts incoming traffic for the server, implementing an SSL termination proxy
- on both sides, two paired SSL wrappers enclose plain TCP traffic in a secure SSL tunnel
Graphics below illustrate how SSL Wrapper works:
Usage: ssl_wrapper <listening_address> <target_address>
Address format is as follows:
PROTO is either tcp or ssl. If omitted, tcp is used. For SSL, SSL_CERT.PEM specifies the server certificate for listening_address, or the client certificate for target_address. All certificates must be in PEM format. The SSL_CERT.PEM file must contain both the certificate and its private key, in PEM format, concatenated together. If CA_CERT.PEM is specified, it enables peer certificate authentication. For listening_address it enables client-side certificate authentication, also known as two-way SSL.
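The concatenated SSL_CERT.PEM layout described above is easy to get wrong: the key is left out, a block is pasted without its END line, or a passphrase-protected key is used where no one can type the passphrase. The check below is an added example, not ssl_wrapper's own code; the sample bundle is constructed with placeholder bodies, and pem_labels/check_bundle/check_bundle_file are names chosen here.

```python
import re
from typing import List

# Constructed sample of the layout ssl_wrapper expects: certificate and private
# key, both PEM, concatenated in one file. The base64 bodies are placeholders.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIB placeholder certificate body
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIE placeholder key body
-----END PRIVATE KEY-----
"""

# One well-formed PEM block: a BEGIN label, a body, and an END with the same label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
               "ENCRYPTED PRIVATE KEY"}


def pem_labels(text: str) -> List[str]:
    """Labels of every well-formed PEM block in the text, in file order."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(text)]


def check_bundle(text: str) -> List[str]:
    """Return the problems found in an SSL_CERT.PEM bundle; [] means it looks usable."""
    labels = pem_labels(text)
    problems: List[str] = []
    # Every BEGIN line should have produced a parsed block; a surplus BEGIN means
    # a block was truncated or mis-pasted.
    if text.count("-----BEGIN ") != len(labels):
        problems.append("a BEGIN line has no matching END line (truncated or mis-pasted block)")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    keys = [lbl for lbl in labels if lbl in _KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    elif keys[0] == "ENCRYPTED PRIVATE KEY":
        problems.append("private key is passphrase-protected; it cannot be loaded without the passphrase")
    return problems


def check_bundle_file(path: str) -> List[str]:
    """Run check_bundle on a file on disk."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return check_bundle(fh.read())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        problems = check_bundle_file(path)
        print(path, "OK" if not problems else "; ".join(problems))
```

Run it as `python check_bundle.py server_cert.pem` before starting the wrapper; it only inspects PEM framing, so a key that does not belong to the certificate still has to be caught by the TLS handshake itself.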
Enable SSL on a web server (listen on port 443, terminate SSL and forward all traffic to port 80, the plain HTTP port):
ssl_wrapper ssl://443:server_cert.pem 127.0.0.1:80
Set up an SSL man-in-the-middle (MITM) proxy for the external site foo.com, which requires client authentication. With such a proxy in place, we can connect to foo.com without a client-side certificate; only the proxy needs to have the client-side certificate:
ssl_wrapper ssl://443:foo_server.pem ssl://foo.com:443:foo_client.pem
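To make the address semantics concrete, here is an added example (not the ssl_wrapper project's code) of a small asyncio relay that follows the same conventions: it parses both addresses, builds a server-side TLS context for an ssl listening address (with client certificate authentication when CA_CERT.PEM is given) and a client-side context for an ssl target (verifying the target only when CA_CERT.PEM is given), and pumps bytes between the two sockets. The grammar [PROTO://][HOST:]PORT[:SSL_CERT.PEM[:CA_CERT.PEM]] is inferred from the two usage examples above, and Address, parse_address, make_context and serve are names chosen here.

```python
import asyncio
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Address:
    proto: str            # "tcp" or "ssl"
    host: str             # "" when the spec gives only a port
    port: int
    cert: Optional[str]   # SSL_CERT.PEM: certificate + private key concatenated
    ca: Optional[str]     # CA_CERT.PEM: present => verify the peer's certificate


def parse_address(spec: str) -> Address:
    """Parse [PROTO://][HOST:]PORT[:SSL_CERT.PEM[:CA_CERT.PEM]] (grammar inferred here)."""
    proto, sep, rest = spec.partition("://")
    if not sep:
        proto, rest = "tcp", spec
    proto = proto.lower()
    if proto not in ("tcp", "ssl"):
        raise ValueError(f"unknown protocol {proto!r} in {spec!r}")
    fields = rest.split(":")
    # PORT is the first all-digit field; at most one field (the host) may precede it.
    port_idx = next((i for i, f in enumerate(fields) if f.isdigit()), None)
    if port_idx is None or port_idx > 1:
        raise ValueError(f"cannot find the port in {spec!r}")
    host = fields[0] if port_idx == 1 else ""
    tail = fields[port_idx + 1:]
    if len(tail) > 2:
        raise ValueError(f"too many ':'-separated fields in {spec!r}")
    cert = tail[0] if tail else None
    ca = tail[1] if len(tail) == 2 else None
    if proto == "tcp" and (cert or ca):
        # Certificate files on a plain-TCP address do nothing; this example
        # treats them as a configuration mistake rather than ignoring them.
        raise ValueError(f"certificate files given for plain tcp address {spec!r}")
    return Address(proto, host, int(fields[port_idx]), cert, ca)


def make_context(addr: Address, listening: bool) -> Optional[ssl.SSLContext]:
    """TLS context for one side of the relay; None means plain TCP on that side."""
    if addr.proto == "tcp":
        return None
    if listening:
        # Terminating side: SSL_CERT.PEM is the server certificate; CA_CERT.PEM
        # switches on client certificate authentication (two-way SSL).
        if not addr.cert:
            raise ValueError("an ssl listening address needs SSL_CERT.PEM")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(addr.cert)
        if addr.ca:
            ctx.load_verify_locations(cafile=addr.ca)
            ctx.verify_mode = ssl.CERT_REQUIRED
        return ctx
    # Connecting side: SSL_CERT.PEM is the client certificate; CA_CERT.PEM makes
    # the target's certificate get verified. Without it the target is not
    # authenticated at all, which is the weak setting to look for in a config.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if addr.ca:
        ctx.load_verify_locations(cafile=addr.ca)
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
    else:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    if addr.cert:
        ctx.load_cert_chain(addr.cert)
    return ctx


async def _pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()


async def serve(listen_spec: str, target_spec: str) -> asyncio.AbstractServer:
    """Listen on listen_spec and relay every accepted connection to target_spec."""
    listen, target = parse_address(listen_spec), parse_address(target_spec)
    listen_ctx = make_context(listen, listening=True)
    target_ctx = make_context(target, listening=False)

    async def on_client(reader, writer):
        try:
            t_reader, t_writer = await asyncio.open_connection(
                target.host or "127.0.0.1", target.port, ssl=target_ctx)
        except (OSError, ssl.SSLError):
            writer.close()          # target unreachable or its TLS handshake failed
            return
        await asyncio.gather(_pump(reader, t_writer), _pump(t_reader, writer),
                             return_exceptions=True)

    return await asyncio.start_server(on_client, listen.host or "0.0.0.0",
                                      listen.port, ssl=listen_ctx)


if __name__ == "__main__":
    import sys

    async def _main() -> None:
        server = await serve(sys.argv[1], sys.argv[2])
        async with server:
            await server.serve_forever()

    asyncio.run(_main())
```

Invoked as `python relay.py ssl://443:server_cert.pem 127.0.0.1:80` it reproduces the termination-proxy example; with `ssl://foo.com:443:foo_client.pem` as the target it reproduces the client-certificate proxy. Note what the second form means for the target side: unless a CA_CERT.PEM is appended to the target address, the relay presents a client certificate to whoever answers on foo.com:443 without checking who that is.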
Building SSL wrapper
```sh
git clone https://github.com/cesanta/net_skeleton.git
git clone https://github.com/cesanta/ssl_wrapper.git
cd ssl_wrapper
make
```
Note: SSL Wrapper is built on top of Net Skeleton, and is therefore portable: it works on many operating systems, including Windows, MacOS, UNIX/LINUX, QNX, eCos, Android, iOS, and more.