Provided by: tlswrapper_0~20250201-1_amd64

NAME

       tlswrapper-tcp - TLS encryption wrapper - tcp client

SYNOPSIS

       tlswrapper-tcp [ options ] host port

DESCRIPTION

       tlswrapper-tcp is a TCP client which connects to host:port and transfers data from standard input to
       the host and from the host to standard output. It is designed to work together with tlswrapper and
       is executed by tlswrapper. It allows you to protect a non-TLS TCP service using TLS, similarly to
       stunnel(8). Systemd.socket/inetd/tcpserver/... creates the server connection, tlswrapper
       encrypts/decrypts the data stream, and tlswrapper-tcp creates the client connection and sends/receives
       unencrypted data to/from host:port as follows:

       Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> tlswrapper-tcp <-> host:port

OPTIONS

       -q     Quiet mode. No error messages.

       -v     Enable verbose mode. Multiple -v options increase the verbosity. The maximum is 3.

       -t seconds
              Set the network timeout to seconds seconds. (default 3600).

       -T seconds
              Set the connect timeout to seconds seconds. (default 10).

       -p version
              Enable incoming proxy-protocol version version string.

       -P version
              Enable outgoing proxy-protocol version version string.

       -J jaildir
              Chroot network-process into a specified jaildir (default: /var/lib/tlswraper/empty).

       -j jailuser
              Run network-process and dnsresolver-process under a specified jailuser's uid and gid. If unset,
              run network-process and dnsresolver-process under a random uid and gid.

       host   host or IP

       port   TCP port

SECURITY

       Separate process for network connection and separate process for DNS resolving

       To protect against secret-information leaks to the network connection (such as Heartbleed),
       tlswrapper-tcp runs two independent processes. One process resolves the hostname and the second
       creates a connection to host:port.

       JAIL - Privilege separation, filesystem isolation, limits

       Like the tlswrapper processes, the tlswrapper-tcp processes run under a dedicated non-zero uid to
       prohibit kill, ptrace, etc. They are chrooted into an empty, unwritable directory to prohibit
       filesystem access. They set ulimits to prohibit new files, sockets, etc., and to prohibit forks.
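
       The jail steps described above, shown as an added C example that is not taken from the tlswrapper
       source. The function names are hypothetical; limits_block_new_fds() applies the limits in a child
       process so their effect can be observed without root.

```c
/* Added illustration of the jail steps described above; not tlswrapper's own code. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Chroot into dir and drop to uid/gid. Needs root; returns -1 on any failure. */
int jail_drop(const char *dir, uid_t uid, gid_t gid) {
    if (chdir(dir) == -1 || chroot(".") == -1) return -1;
    if (setgroups(1, &gid) == -1) return -1;  /* supplementary groups: gid only */
    if (setgid(gid) == -1 || setuid(uid) == -1) return -1;
    if (uid != 0 && setuid(0) != -1) return -1;  /* the drop must be irreversible */
    return 0;
}

/* Zero the limits so no new descriptor (file, socket, pipe) or process can be created. */
int jail_limits(void) {
    const struct rlimit zero = {0, 0};
    if (setrlimit(RLIMIT_NOFILE, &zero) == -1) return -1;
    if (setrlimit(RLIMIT_NPROC, &zero) == -1) return -1;
    return 0;
}

/* Apply the limits in a child and probe them. Returns 1 if opening a new
   descriptor is refused with EMFILE, 0 if it is allowed, -1 on error. */
int limits_block_new_fds(void) {
    int status;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (jail_limits() == -1) _exit(2);
        int fd = open("/", O_RDONLY);
        _exit(fd == -1 && errno == EMFILE ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : (WEXITSTATUS(status) == 1 ? 0 : -1);
}

int main(void) {
    /* A root-started process would call jail_drop(jaildir, uid, gid) before jail_limits(). */
    printf("new descriptors blocked: %d\n", limits_block_new_fds());
    return 0;
}
```

       Descriptors that were open before jail_limits() is called stay usable, so the connection must be
       set up before the limits are applied.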

EXAMPLES

       Run tlswrapper using tcpserver/busybox/inetd on port 443 and connect to a non-TLS service at IP
       127.0.0.1, port 80:
           tcpserver -HRDl0 0 443 tlswrapper [ options ] tlswrapper-tcp 127.0.0.1 80
           busybox tcpsvd 0 443 tlswrapper [ options ] tlswrapper-tcp 127.0.0.1 80
           inetd.conf line: https stream tcp nowait root /usr/bin/tlswrapper tlswrapper [ options ] /usr/bin/tlswrapper-tcp 127.0.0.1 80

SEE ALSO

       tlswrapper(1)

                                                                                               tlswrapper-tcp(1)