PageViews: 623 hits / 110 nets

A universal TLS gateway by DeleGate

Yutaka Sato
May 3, 2005

Simplified Configuration

From DeleGate/9.0.1, the configuration of DeleGate as a TLS (or SSL) gateway has become simple and uniform. TLS gateways for any application protocol including HTTP, FTP, SMTP, POP, IMAP and so on, can be enabled by simply specifying the common STLS parameter as this: In older versions, it was a little complicated to configure DeleGate as a TLS gateway, especially for FTP protocol as described in the former document, like this: Also it was necessary to run two DeleGate servers to make services for FTPS and FTP+AUTH-TLS clients respectively. And the configuration of the latter was a bit complex.

But now, those DeleGate can be realized with one DeleGate server as this.

Simplified Installation

From DeleGate/9.0.1, the SSL libraries has come to be linked dynamically into DeleGate process, and then executed in it. No compile time environment is necessary to make it. Also DeleGate after 9.0.1 includes a built-in anonymous certificate which can be used as a default certificate to ease instant setup of a TLS gateway without preparing a certificate. At the run-time, if the dynamic library of SSL are not at the standard location, it can be specified with newly introduced DYLIB parameter.

Be careful not to use older SSL libraries with vulnerabilities. Using OpenSSL after 0.9.7d or later is recomended. For users who have some problem to make OpenSSL libraries for dynamic linking, I uploaded the binary versions for Linux (lib{ssl,crypto}.so.0.9.7), MacOSX (lib{ssl,crypto}.0.9.7.dylib) and Win32 ({ssleay,libeay}32.dll) at

In older versions, making the "sslway" executable was a bit troublesome because there are so diverse environments at compile time in which a program is to be compiled with SSL libraries. From now on, there is no trouble at compile-time to make DeleGate to be a TLS gateway.

Refined Performance

The performance of TLS with DeleGate has significantly refined in DeleGate/9.0.1, about ten times lighter than older versions. The context and sessions of SSL has come to be cached and shared.

In older versions, "sslway" as an external filter program has been invoked every time a SSL connection is made. On every invocation, it initializes the SSL context, retrieves certificate, and creates a session from scrach.


All these options are available with STLS=fcl

Example 1. how to make gateways from TLS clients to bare protocol:

Example 2. how to make gateways from bare protocol client to TLS server: Example 3. A SSL gateway with protocol translation
Yutaka Sato @ DeleGate.ORG