Totally Isolated TLS Unwrapping Server

titus is a TLS/SSL proxy server (like stunnel or stud) that protects you from vulnerabilities in the TLS implementation such as Heartbleed (or worse).

  • Runs in a separate process from your application, protecting your application's state from compromise.
  • Uses a separate process for every TLS connection, protecting the state of TLS connections from each other.
  • Uses privilege separation and chrooting to protect your server as a whole.
  • Isolates the private key in a dedicated process that doesn't talk to the network, protecting your private key from compromise.
  • Can run in transparent proxy mode, preserving the client's IP address, so your backend doesn't even know it's there.

If there's a vulnerability in the TLS implementation, titus makes it very, very unlikely that an attacker could steal your private key, access the memory of your application, sniff data from other TLS connections, or otherwise attack your system.

Current status

The current version of titus is 0.2, released on 2014-08-17. titus aims to be bug-free and secure, though it has not yet undergone serious testing or performance optimization. Additionally, we may make backwards-incompatible changes to the behavior before titus reaches version 1.0.

Getting titus

Choose your distro:

Wheezy

wget -P /etc/apt/sources.list.d https://www.opsmate.com/titus/apt/wheezy/titus.list

wget -P /etc/apt/trusted.gpg.d https://www.opsmate.com/titus/apt/wheezy/titus.gpg

apt-get update

apt-get install titus

Ubuntu 14.10

wget -P /etc/apt/sources.list.d https://www.opsmate.com/titus/apt/ubuntu1410/titus.list

wget -P /etc/apt/trusted.gpg.d https://www.opsmate.com/titus/apt/ubuntu1410/titus.gpg

apt-get update

apt-get install titus

Ubuntu 14.04

wget -P /etc/apt/sources.list.d https://www.opsmate.com/titus/apt/ubuntu1404/titus.list

wget -P /etc/apt/trusted.gpg.d https://www.opsmate.com/titus/apt/ubuntu1404/titus.gpg

apt-get update

apt-get install titus

Ubuntu 13.10

wget -P /etc/apt/sources.list.d https://www.opsmate.com/titus/apt/ubuntu1310/titus.list

wget -P /etc/apt/trusted.gpg.d https://www.opsmate.com/titus/apt/ubuntu1310/titus.gpg

apt-get update

apt-get install titus

Ubuntu 13.04

wget -P /etc/apt/sources.list.d https://www.opsmate.com/titus/apt/ubuntu1304/titus.list

wget -P /etc/apt/trusted.gpg.d https://www.opsmate.com/titus/apt/ubuntu1304/titus.gpg

apt-get update

apt-get install titus

Ubuntu 12.10

wget -P /etc/apt/sources.list.d https://www.opsmate.com/titus/apt/ubuntu1210/titus.list

wget -P /etc/apt/trusted.gpg.d https://www.opsmate.com/titus/apt/ubuntu1210/titus.gpg

apt-get update

apt-get install titus

Ubuntu 12.04

wget -P /etc/apt/sources.list.d https://www.opsmate.com/titus/apt/ubuntu1204/titus.list

wget -P /etc/apt/trusted.gpg.d https://www.opsmate.com/titus/apt/ubuntu1204/titus.gpg

apt-get update

apt-get install titus

Building from Source

Latest Release

Download and extract titus-0.2.tar.gz (PGP signature) and run:

cd titus-0.2

make

make install

Compiling from Git

git clone https://www.agwa.name/git/titus.git

cd titus

make

make install

Dependencies

  • OpenSSL 1.0.1 or higher, with development headers (libssl-dev)
  • A C++11 compiler (such as GCC 4.7, Clang 3.0, or newer)
  • Make

Verifying the Source

Since version 0.2, all tarballs and Git tags are signed by Andrew Ayer's PGP key, EF5D 84C1 838F 2EB6 D896 8C04 1037 8EFC 2080 080C.
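
One way to enforce that fingerprint when checking a download, as an added example that is not part of the titus project: a plain gpg --verify succeeds for any key in your keyring, so this reads gpg's machine-readable status output and requires the pinned key. It assumes the key is already imported and that you saved the detached signature to a file of your choosing (the page does not name it); the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the titus project.
# Pinned fingerprint from the "Verifying the Source" section, spaces removed.
TITUS_FPR="EF5D84C1838F2EB6D8968C0410378EFC2080080C"

# validsig_matches FPR
# Reads `gpg --status-fd 1` output on stdin. Succeeds only if:
#   - a GOODSIG line is present (EXPSIG, EXPKEYSIG and REVKEYSIG are reported
#     instead of GOODSIG for expired signatures and expired or revoked keys,
#     yet VALIDSIG is still emitted for them), and
#   - a VALIDSIG line names FPR as the signing key (field 3) or as the
#     primary key of a signing subkey (last field).
validsig_matches() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        END { exit !(good && pinned) }'
}

# verify_release TARBALL SIGNATURE
# Checks the detached SIGNATURE over TARBALL against the pinned key.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        validsig_matches "$TITUS_FPR"
}

# Run as: sh verify.sh TARBALL SIGNATURE
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: $1 is signed by $TITUS_FPR"
    else
        echo "FAIL: no good signature from $TITUS_FPR on $1" >&2
        exit 1
    fi
fi
```

Run the check before extracting the tarball, and treat a failure as a reason not to build.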

Using titus

If you're using the Debian/Ubuntu package:

  1. Copy the example config from /usr/share/doc/titus/examples to /etc/titus/titus.conf. Modify to fit your needs.
  2. Start titus with: service titus start

Consult the titus(8) man page and /usr/share/doc/titus/README.Debian for documentation.

If you've compiled from source:

  1. Start with titus.conf.example and modify to fit your needs.
  2. Run your configuration with: titus --config /path/to/titus.conf

Consult the titus(8) man page for documentation.

Technical Info

Read Andrew's blog post and followup blog post for details.

Credits

titus was written by Andrew Ayer for use at Opsmate.

Copyright © 2014 Andrew Ayer. Licensed under the X11 license.

Project Resources

For help or questions, send mail to the discussion list, titus-discuss@lists.cloudmutt.com. To report a bug or make a feature request, please open an issue at GitHub or send mail to the discussion list. To contribute code, please send a properly-formatted patch to the discussion list, or open a pull request at GitHub.

To report a confidential security matter, please contact the author directly.
