blenessy/tiniktls
What is tiniktls ?

tl;dr: It is a fork of tini with support for kTLS socket management.

tini is a popular init program (PID 1), commonly used in Docker containers because of its small size. It reaps child processes on behalf of the application it starts.

tiniktls introduces a control socket and a simple text-based protocol, through which the child process can:

  1. request TLS connections to remote hosts (client role)
  2. request a listener for incoming TLS connections (server role)

tiniktls replies with the file descriptor of a fully negotiated kTLS socket. The child process reads and writes plaintext on that descriptor as on any ordinary socket; the kernel encrypts and decrypts the TLS records transparently.

In effect, the TLS stack (usually a large part of the child application) moves out of the child: the handshake is done by tiniktls and the record encryption/decryption by the kernel.
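The two mechanisms behind that description, as an added example that is not tiniktls source code: passing a negotiated socket to the child over a Unix-domain control socket (SCM_RIGHTS; the README does not specify the tiniktls wire format, so the one-byte framing here is an assumption), and installing negotiated TLS 1.2 AES-128-GCM traffic keys into the kernel with the standard kTLS setsockopt sequence so that plain send()/recv() on the socket carry TLS records. The request line in demo_handoff is constructed sample data.

```c
/* Added example, not tiniktls source. (1) hand a negotiated socket to the
 * child over a Unix-domain control socket via SCM_RIGHTS (framing assumed;
 * the README does not specify it); (2) install negotiated TLS 1.2
 * AES-128-GCM keys into the kernel (kTLS) so send()/recv() see plaintext. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/tls.h>
#endif
#ifndef TCP_ULP
#define TCP_ULP 31   /* older libc headers lack it (value from linux/tcp.h) */
#endif
#ifndef TLS_TX
#define TLS_TX 1     /* fallback so the file compiles without linux/tls.h */
#endif

/* Send one descriptor over a Unix-domain socket. Returns 0 or -errno. */
int send_fd(int chan, int fd)
{
    char tag = 'F';  /* SCM_RIGHTS must ride on at least one data byte */
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -errno;
}

/* Receive one descriptor. Returns the new fd (>= 0), -errno on a syscall
 * error, or -EPROTO if the message is not exactly one SCM_RIGHTS descriptor. */
int recv_fd(int chan)
{
    char tag;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    ssize_t n = recvmsg(chan, &msg, 0);
    if (n < 0) return -errno;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (n != 1 || (msg.msg_flags & MSG_CTRUNC) || !c || c->cmsg_level != SOL_SOCKET
            || c->cmsg_type != SCM_RIGHTS || c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -EPROTO;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* After the user-space handshake, push one direction's traffic keys (TLS_TX or
 * TLS_RX) into the kernel. Needs a connected TCP socket; returns 0 or -errno,
 * e.g. -ENOENT when the tls module is missing, -EOPNOTSUPP on a non-TCP socket. */
int ktls_install_aes128gcm(int sock, int direction, const uint8_t key[16],
                           const uint8_t salt[4], const uint8_t iv[8],
                           const uint8_t rec_seq[8])
{
#ifdef __linux__
    struct tls12_crypto_info_aes_gcm_128 ci;
    memset(&ci, 0, sizeof ci);
    ci.info.version = TLS_1_2_VERSION;
    ci.info.cipher_type = TLS_CIPHER_AES_GCM_128;
    memcpy(ci.key, key, 16); memcpy(ci.salt, salt, 4);
    memcpy(ci.iv, iv, 8);    memcpy(ci.rec_seq, rec_seq, 8);
    if (setsockopt(sock, IPPROTO_TCP, TCP_ULP, "tls", sizeof "tls") < 0)
        return -errno;  /* attach the "tls" upper-layer protocol */
    if (setsockopt(sock, SOL_TLS, direction, &ci, sizeof ci) < 0)
        return -errno;  /* from here on send()/recv() carry plaintext */
    return 0;
#else
    (void)sock; (void)direction; (void)key; (void)salt; (void)iv; (void)rec_seq;
    return -ENOSYS;     /* kTLS is Linux-only */
#endif
}

/* Self-check of the handoff without a network: the "manager" passes one end of
 * a socketpair (standing in for the negotiated socket) over the control channel,
 * the "child" writes plaintext on it. Returns 0 on success, -step on failure. */
int demo_handoff(void)
{
    static const char req[] = "GET / HTTP/1.1\r\n";  /* constructed sample */
    int ctl[2], conn[2], child_fd;
    char buf[sizeof req] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, ctl) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, conn) < 0) return -2;
    if (send_fd(ctl[0], conn[1]) != 0) return -3;
    if ((child_fd = recv_fd(ctl[1])) < 0) return -4;
    close(conn[1]);  /* the manager drops its copy of the connection */
    if (write(child_fd, req, sizeof req - 1) != (ssize_t)(sizeof req - 1)) return -5;
    ssize_t n = read(conn[0], buf, sizeof buf - 1);
    int ok = n == (ssize_t)(sizeof req - 1) && memcmp(buf, req, (size_t)n) == 0;
    close(child_fd); close(conn[0]); close(ctl[0]); close(ctl[1]);
    return ok ? 0 : -6;
}
```

Two practical caveats for the kTLS step: the key material must be the derived per-direction traffic key, salt and IV from the finished handshake, never the master secret, and rec_seq must equal the sequence number of the next record in that direction, otherwise the peer's AEAD tag check fails on the first record. Always check the return value of the TCP_ULP setsockopt: it is the call that fails with ENOENT when the tls module is not loaded.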

The primary benefits are:

  • Smaller child applications
  • A faster TLS data path, since encryption/decryption is done by the kernel

TLS 1.2 support

Assuming Linux 5.11 with the tls module loaded (5.11 is the first kernel whose kTLS record layer handles CHACHA20-POLY1305 in addition to AES-GCM), the following OpenSSL cipher list is supported:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305

TLS 1.3 support

Under the same assumption (Linux 5.11 with the tls module loaded), the following OpenSSL cipher suites are supported:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

Development

The following tools need to be installed before you begin:

  • docker

Building tiniktls

The tiniktls-builder Docker image contains the musl toolchain and custom built OpenSSL for tiniktls. You can build it with docker:

docker build -t tiniktls-builder -f docker/Dockerfile.builder docker

During development build tiniktls and update SHA256SUMS with:

docker run --rm -it -v "$PWD:/tiniktls" -e SHA256SUMS=update tiniktls-builder

If you want to build tiniktls and check that it matches the hash in SHA256SUMS:

docker run --rm -it -v "$PWD:/tiniktls" tiniktls-builder

Testing tiniktls

Build the tiniktls-qa Docker image, which incorporates the test environment for tiniktls:

docker build -t tiniktls-qa -f docker/Dockerfile.qa docker

Run the tests and other QA checks with:

docker run --rm -it -v "$PWD:/tiniktls" tiniktls-qa

Goals

The goal of this project is to provide a secure and performant TLS solution for child applications that do not want to carry their own TLS stack.

  1. Security: only AEAD TLS 1.2/1.3 cipher suites with ECDHE key exchange (see the lists above) are included
  2. Auditability: a small, well-written code base that can be easily scrutinized by auditors
  3. Reproducibility: build twice in different environments and get bit-exact binaries
  4. Performance: it should be possible to put, for example, a performant TLS reverse proxy behind tiniktls

Contribution

  • Features that improve TLS handling are generally welcome as long as they do not significantly degrade any of the goals above.
  • Transport-related features such as rate limiting or load balancing might be welcome if the code size is small; talk to me first!
