TLS tunnel -- an alternative to stud / stunnel
OCaml Shell

Build Status

Who needs a stunnel if you have a tls tunnel?

tlstunnel is picky; it won't accept connections:

  • which do not contain the secure renegotiation extension
  • which speak SSL version 3
  • if the given certificate chain is not valid (or contains an X.509 version 1 certificate, or less than 1024 bits RSA public key


You first need OCaml (at least 4.1.0) and OPAM (1.2.*) from your distribution.

Run opam install tlstunnel after opam init finished.


A sample command line is:

tlstunnel -b -f 4433 -cert server.pem

which listens on TCP port 4433 with the given certificate chain and private key (both in server.pem), and forwards connections to on port 8080.

An optional argument is -l FILE to log into a file instead of to stdout. Try --help for all command line arguments.