Using a simple private Public Key Infrastructure (PKI), plain TCP sockets can be secured with TLS. This can be demonstrated with trivial examples that run locally on a loopback device.

A simple echo TCP socket server that listens on port 7000 can be created with socat.

$ socat PIPE TCP-LISTEN:7000,fork

When data is sent to the socket, it will echo it back. The ncat tool from nmap is used because it has TLS features that will be needed later.

$ echo "hello" | ncat localhost 7000

The socket listening on port 7000 won't actually be secured, sorry, instead a new socket listening on port 6000 will provide a secure TLS tunnel/proxy.

The tunnel is created with stunnel. It's configured with local file called stunnel.conf which contains a section for the tunnel.

accept = 6000
connect = 7000
CAfile = ca.crt
cert = service1.crt
key = service1.key
verify = 0

The tunnel is called service1, it listens on port 6000 and creates a tunnel to port 7000. The CA and service1 certificates were created by the PKI. The verify option is set to 0 meaning that peer (client) certificates will not be required or verified.

The tunnel is started by running stunnel with the path to the configuration file.

$ stunnel service1.conf

Trying to connect port 6000 like before won't work.

$ echo "hello" | ncat localhost 6000
Ncat: Connection reset by peer.

The server is expecting the client to start a TLS negotiation. Instead, the characters "hello" are being sent, so the server disconnects. The error logged by stunnel is "SSL routines::wrong version number" which isn't particularly helpful.

Fortunately ncat supports TLS/SSL and it be used with the --ssl option.

$ echo "hello" | ncat --ssl localhost 6000

A response is now returned through an encrypted TLS connection.

If this connection was made over an insecure network, there is no certainty that the server being connected to is really service1. With TLS, certificates used by 'service1' can be verified to have been signed by a specific CA and belonging to service1.

To do this with netcat the --ssl-verify option tells ncat to check the server certificate. The certificate should be signed by a specific CA, so ca.crt needs to be specified with the --ssl-trustfile option. The name in the certificate will also be validated, so service1 needs to specified with the --ssl-servername option.

$ echo "hello" | ncat --ssl --ssl-verify --ssl-servername service1 --ssl-trustfile ca_public_key.pem  localhost 6000

Expecting a different server name should result in a certificate error.

echo "hello" | ncat --ssl --ssl-verify --ssl-servername service2 --ssl-trustfile ca_public_key.pem  localhost 6000
Ncat: Certificate verification error. QUITTING.

A really useful tool when debugging TLS connections is s_client the openssl test client.

openssl s_client -servername service1 -connect localhost:6000 -CAfile ca.crt

This will attempt to negotiate a connection and output a heaps of useful information about the certificate, the signatures, the alorithms used, the validation results and more.

TLS also supports a "peer authentication" mode in which the server checks the client certificates. Servers, or tunnels, can be configured to only allow clients with certificates signed by a specific CA to connect.

A secure tunnel configuration that uses strict peer authentication can be added to the stunnel.conf file.

accept = 5000
connect = 7000
CAfile = ca.crt
cert = service1.crt
key = service1.key
verify = 2

This tunnel is configuration is similar to the previous one except it'll listen on a different port (5000) and verify is set to 2, meaning it will require client certificates and will validate they are signed by the CA (ca.crt)

After restarting the stunnel process with the updated configuration, connecting as before to the new tunnel on port 5000 does not work.

$ echo "hello" | ncat --ssl --ssl-verify --ssl-servername service1 --ssl-trustfile ca.crt  localhost 5000

This time there is no response, this is because no client certificates are being sent. The error logged by stunnel is "peer did not return a certificate".

To connect to this service, a client certificate pair signed by the CA is required. The process to generate a certificate pair for the client is the same process used to create the service1 certificate pair, but this certificate pair will be called client1.


openssl ecparam -genkey -name prime256v1 -noout -out client1.key
openssl req -new -key client1.key -subj $SUBJECT -out client1.csr
openssl x509 -req -days 365 -sha256 -in client1.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out client1.crt

The will generate a private key client1.key and a public key client1.crt.

To configure ncat to use the client certificates, client1.key is provided with the --ssl-key option and client1.crt is provided with the --ssl-cert option.

$ echo "hello" | ncat --ssl --ssl-verify --ssl-servername service1 --ssl-trustfile ca.crt --ssl-cert client1.crt --ssl-key client1.key  localhost 5000

A response is now returned, but only if the client and server certificates are signed by the CA.