Totally Isolated TLS Unwrapping Server

titus is a TLS/SSL proxy server (like stunnel or stud) that protects you from vulnerabilities in the TLS implementation such as Heartbleed (or worse).

  • Runs in a separate process from your application, protecting your application's state from compromise.
  • Uses a separate process for every TLS connection, protecting the state of TLS connections from each other.
  • Uses privilege separation and chrooting to protect your server as a whole.
  • Isolates the private key in a dedicated process that doesn't talk to the network, protecting your private key from compromise.
  • Can run in transparent proxy mode, preserving the client's IP address, so your backend doesn't even know it's there.

If there's a vulnerability in the TLS implementation, titus makes it very unlikely that an attacker could steal your private key, access the memory of your application, sniff data from other TLS connections, or otherwise attack your system.

Current status

titus is no longer developed. Since titus was first released, memory-safe TLS stacks like Go's crypto/tls and Rust's rustls have matured enough that the author no longer needs titus.

The last version of titus was 0.4, released on 2020-10-27.

Building from Source

Compiling from Git

git clone

cd titus


make install


  • OpenSSL 1.1.0 or higher, with development headers (libssl-dev)
  • A C++11 compiler (such as GCC 4.7, Clang 3.0, or newer)
  • Make

Using titus

  1. Start with titus.conf.example and modify to fit your needs.
  2. Run your configuration with: titus --config /path/to/titus.conf

Consult the titus(8) man page for documentation.

Technical Info

Read Andrew's blog post and followup blog post for details.


titus was written by Andrew Ayer.

Copyright © 2014-2020 Andrew Ayer. Licensed under the X11 license.

Project Resources

To report a confidential security matter, please contact the author directly.

Want SSL certs without the hassle?

Check out SSLMate, which lets you buy certificates from the command line.