titus is a TLS/SSL proxy server (like stunnel or stud) that protects you from vulnerabilities in the TLS implementation such as Heartbleed (or worse).
Totally Isolated TLS Unwrapping Server
- Runs in a separate process from your application, protecting your application's state from compromise.
- Uses a separate process for every TLS connection, protecting the state of TLS connections from each other.
- Uses privilege separation and chrooting to protect your server as a whole.
- Isolates the private key in a dedicated process that doesn't talk to the network, protecting your private key from compromise.
- Can run in transparent proxy mode, preserving the client's IP address, so your backend doesn't even know it's there.
If there's a vulnerability in the TLS implementation, titus makes it very unlikely that an attacker could steal your private key, access the memory of your application, sniff data from other TLS connections, or otherwise attack your system.
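The key-isolation idea from the list above, as an added example in C (not titus's own code): a dedicated key process obtains its key only after the fork and answers signing requests over a socketpair, so the calling side never holds the key in memory. `toy_sign` is a stand-in for a real private-key operation, the random key is constructed, and all function names are hypothetical.

```c
#include <fcntl.h>
#include <stdint.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for a private-key operation (NOT real cryptography): a bijection
 * on the digest for a fixed key, so distinct digests give distinct outputs. */
static uint32_t toy_sign(const uint32_t k[2], uint32_t d) {
    d ^= k[0];
    return ((d << 7) | (d >> 25)) + k[1];
}

/* Key process: obtains the key only AFTER the fork, so the key bytes never
 * exist in the caller's address space. It holds no network socket and
 * answers fixed-size requests until the caller closes its end. */
static void key_process(int fd) {
    uint32_t key[2], digest, sig;
    int rnd = open("/dev/urandom", O_RDONLY); /* constructed key; a real one comes from a key file */
    if (rnd < 0 || read(rnd, key, sizeof key) != (ssize_t)sizeof key) _exit(1);
    close(rnd);
    while (read(fd, &digest, sizeof digest) == (ssize_t)sizeof digest) {
        sig = toy_sign(key, digest);
        if (write(fd, &sig, sizeof sig) != (ssize_t)sizeof sig) _exit(1);
    }
    _exit(0);
}

/* Fork the key process; return the caller's end of the channel, or -1. */
int start_key_process(pid_t *pid) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    *pid = fork();
    if (*pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (*pid == 0) { close(sv[0]); key_process(sv[1]); }
    close(sv[1]);
    return sv[0];
}

/* Called by the network-facing side: ask for a signature over the channel. */
int request_sign(int fd, uint32_t digest, uint32_t *sig) {
    if (write(fd, &digest, sizeof digest) != (ssize_t)sizeof digest) return -1;
    return read(fd, sig, sizeof *sig) == (ssize_t)sizeof *sig ? 0 : -1;
}

/* Close the channel and reap the key process; returns its exit status. */
int stop_key_process(int fd, pid_t pid) {
    int status;
    close(fd);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A memory-disclosure bug on the calling side can reveal at most the file descriptor and the signatures it has already received, not the key itself.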
Current status
The current version of titus is 0.3, released on 2015-11-28. titus aims to be bug-free and secure, though it is lacking in features and needs additional performance optimization. Additionally, we may make backwards-incompatible changes to the behavior before titus reaches version 1.0.
Getting titus
Building from Source
Latest Release
Download and extract titus-0.3.tar.gz (PGP signature) and run:
cd titus-0.3
make
make install
Compiling from Git
git clone https://www.agwa.name/git/titus.git
cd titus
make
make install
Dependencies
- OpenSSL 1.0.1 or higher, with development headers (libssl-dev)
- A C++11 compiler (such as GCC 4.7, Clang 3.0, or newer)
- Make
Verifying the Source
Since version 0.2, all tarballs and Git tags are signed by Andrew Ayer's PGP key, EF5D 84C1 838F 2EB6 D896 8C04 1037 8EFC 2080 080C.
Using titus
If you're using the Debian/Ubuntu package:
- Copy the example config from /usr/share/doc/titus/examples to /etc/titus/titus.conf. Modify to fit your needs.
- Start titus with:
service titus start
Consult the titus(8) man page and /usr/share/doc/titus/README.Debian for documentation.
If you've compiled from source:
- Start with titus.conf.example and modify to fit your needs.
- Run your configuration with:
titus --config /path/to/titus.conf
Consult the titus(8) man page for documentation.
Technical Info
Read Andrew's blog post and followup blog post for details.
Credits
titus was written by Andrew Ayer.
Copyright © 2014 Andrew Ayer. Licensed under the X11 license.
Project Resources
- Announcement list (low traffic): subscribe / archives
- Discussion list: titus-discuss@lists.cloudmutt.com, subscribe / archives
- GitHub project
- Issue tracker
For help or questions, send mail to the discussion list, titus-discuss@lists.cloudmutt.com. To report a bug or make a feature request, please open an issue at GitHub or send mail to the discussion list. To contribute code, please send a properly-formatted patch to the discussion list, or open a pull request at GitHub.
To report a confidential security matter, please contact the author directly.