
Totally Isolated TLS Unwrapping Server - reader_1000
https://www.opsmate.com/titus/
======
lemonade
You might want to look at:

[https://tlspool.arpa2.net/](https://tlspool.arpa2.net/)

------
ch
Storing the private key material in a separate process is a nice touch.

------
yxhuvud
Isn't the normal term for this to terminate TLS, not unwrap it?

~~~
sigio
That wouldn't fit in a nice acronym.

~~~
nly
I dunno. TITTS seems pretty memorable to me.

~~~
yxhuvud
A bit _too_ memorable perhaps.

------
gima
"Uses a separate process for every TLS connection" sounds scalable.

~~~
lmm
It should be - the OS's whole job is to manage processes. I mean, if it's
allocating 4KB of physical memory to each then that would scale poorly, but
who does that?

~~~
ryanpetrich
4KB is the size of a page on x86 and most architectures, the smallest unit of
memory the OS can dispense. SSL termination is definitely a function you don't
want the kernel to swap to disk, therefore each connection would get at least
4KB of physical memory under a process-per-connection model.

------
nulltype
Is there any info about the per-connection memory usage?

------
ericlathrop

      The current version of titus is 0.2, released on 2014-08-17.

I'd be wary of using any piece of security software that hasn't had a release
in over a year.

~~~
agwa
(Author here.) I'd be more wary of using security software that changes
frequently, since every code change is an opportunity for a new security
vulnerability to be introduced. I'm very cautious with changes to titus.

That said, 0.3 will be released any day now. It's pending testing of the new
FreeBSD support.

~~~
aristus
This looks great. Any tips on how to terminate mixed-mode protocols like
MySQL's SSL mode and IMAP's STARTTLS? Vanilla unwrapper daemons generally
don't handle the case of initial unencrypted bit twiddling, and then SSL
negotiation.

~~~
agwa
Unfortunately not. STARTTLS is the bane of standalone TLS terminators like
titus, which is one of the reasons I really dislike STARTTLS. I won't rule out
titus supporting STARTTLS some day, but the idea of integrating parsers for a
bunch of different protocols into titus is really unappealing.

