Everything you need to deploy, monitor, and splice TLS connections.
The typical journey from install to PQC migration:
No SSH after install. No config files to edit. The dashboard controls everything.
Register at tlslane.com/register to get your agent token and install command.
The script auto-detects your OS, architecture, and distro (via /etc/os-release and glibc version). RHEL 8, CentOS 8, and Amazon Linux 2 are automatically detected and get the -el8 binary. Use --el8 to override if auto-detection is wrong (containers, chroots). Omit --yes to get a confirmation prompt (requires interactive shell, not curl | sh).
For manual installation, choose the correct binary for your system:
/etc/tlslane/token since the agent typically runs as a system daemon. You can also pass it via --token flag or TLSLANE_TOKEN environment variable.The same token works on every host. Each host registers as a separate agent with its own hostname. Run the same install command on each machine:
The install script auto-detects OS, architecture, and glibc version, then downloads the correct binary.
For fleet tools that need explicit binary URLs:
| Binary | Targets |
|---|---|
tlslane-linux-amd64 | RHEL 9+, Debian 12+, Ubuntu 22.04+, Fedora 37+, Amazon Linux 2023 |
tlslane-linux-amd64-el8 | RHEL 8, CentOS 8, Amazon Linux 2, Ubuntu 18.04+, Debian 10+ (proxy transport only) |
All agents appear on your Hosts dashboard page.
After install, agents start in monitor mode. This observes TLS handshakes and reports cipher suite, version, and key exchange information.
Uses eBPF/TC to passively read packets off the network interface. Traffic is not modified or terminated. Sees all TLS connections on the host transparently, no per-application configuration needed.
On systems where the inline (eBPF) transport isn't available (non-Linux, kernel < 4.9), the proxy transport can be used as a fallback:
Output (both modes):
Each line shows the server's negotiated TLS version, key exchange group, and cipher suite. This data is batched and sent to your dashboard every 30 seconds.
Splice mode performs two independent TLS handshakes on each connection, upgrading the cryptography between client and server.
You can enable splice from the Hosts dashboard (see Remote Mode Control) or from the command line:
sudo tlslane ca generate then sudo tlslane ca trust before splicing.Inbound connections are those where external clients connect to your service — you are the server. The agent needs a real server certificate for these so clients trust the connection without installing the TLS Lane CA. For outbound connections (your service connecting to external servers), the agent uses a CA-signed certificate automatically — no configuration needed.
To provide your own server certificate for inbound splice:
For multiple domains, use config.yaml:
Domains are extracted automatically from each certificate's CN and Subject Alternative Names. The matching cert is selected by SNI (exact match first, then wildcard). Outbound connections continue to use the CA-signed approach.
For fleets where each host serves the same domain (e.g. behind a load balancer), provision the cert alongside the install:
For hosts with their own Let's Encrypt certificates:
The Certificates page lets you distribute a server certificate to online agents without SSH access. This is useful for fleets behind a load balancer that share a wildcard or SAN cert.
How it works:
0600 permissions in ~/.tlslane/certs/.Cert push is not a PKI engine — it does not issue, rotate, or revoke certificates. Bring your own cert from any CA or ACME provider. For full certificate lifecycle management (issuance, rotation, revocation), use an external secret manager and provision certs via config or Ansible.
The Hosts page shows every host running tlslane under your account:
| Column | Description |
|---|---|
| Status | online (heartbeat within 90s) or offline |
| Hostname | Machine hostname (from system) |
| OS | Operating system and kernel version |
| Version | tlslane binary version |
| Hosting | Auto-detected: cloud or on-prem |
| Mode | Current mode: monitor or splice |
| Flows | Active TLS flows being tracked |
| Handshakes | Total TLS handshakes the agent has classified since startup. Cross-transport signal — with the inline (eBPF) transport this counts BPF events per handshake (typically 27–31), with the proxy transport this counts one event per session, so absolute numbers aren't directly comparable across transports. |
| Errors | Splice errors (handshake failures) |
| Disk | Agent disk free percentage. Red <5%, amber <10%. |
| Last Seen | Last heartbeat (every 30 seconds) |
The Crypto Inventory page shows your fleet's cryptographic posture at a glance.
Four cards at the top show total domains observed and the breakdown by risk level:
A progress bar shows PQC migration status as a percentage of total connections.
Click a hostname button above the summary to see only that host's inventory. Summary cards and progress bar update to reflect the selected host. Click "All hosts" to return to the aggregate view.
The table is sorted by risk (legacy first, then modern, then PQC) so the most urgent items are always at the top.
| Column | Description |
|---|---|
| Risk | Classification: legacy, modern, or pqc |
| Direction | inbound — external clients connecting to your service (you are the server). outbound — your service connecting to external servers (you are the client). |
| Domain | Domain name observed in the TLS handshake (SNI) |
| Tag | System classification (e.g. payment, email, identity) |
| TLS Version | Server-negotiated TLS version |
| Key Exchange | Key exchange group (P-256, X25519, ML-KEM-768, etc.) |
| Cipher | Server cipher suite |
| Cert | Server certificate key type and size (e.g. ECDSA-256, RSA-2048). Available in splice mode. |
| Action | monitor, spliced, passthrough, or blocked |
| Count | Number of connections |
| Last Seen | Most recent connection timestamp |
Domains are automatically classified by system type (email, payment, identity, CDN, analytics, storage) based on built-in patterns. You can add custom tags at the bottom of the crypto inventory page using glob patterns (e.g. *.stripe.com → payment). Custom tags override auto-classification. Tags are used on the Compliance page to show PQC readiness by system.
The Alerts page is the single destination for operator attention — it combines automatically-generated alerts with the per-SNI Splice failures review below. Two alert types are always active:
Tabs: Open (N) / Resolved (M). Open alerts have no time limit — clear them by clicking Resolve or by fixing the root cause. Resolved alerts are retained for 7 days for audit, then auto-removed. The sidebar "Alerts" badge counts open alerts plus active splice failures — one number for "things needing attention".
Configure a webhook URL on the Alerts page to receive a JSON POST for each new alert. Works with Slack, PagerDuty, Zapier, or any HTTP endpoint.
Alert types: agent_offline, legacy_crypto, cert_expiry, disk_space.
#ops-alerts) and click Add Incoming WebHooks integrationhttps://hooks.slack.com/services/...)Slack displays the raw JSON payload. For formatted messages, use a Slack Workflow to transform the webhook into a rich notification.
Groups let you organize agents by hostname pattern. Create groups on the Hosts page.
Patterns use glob syntax: web-prod-* matches web-prod-01, web-prod-02, etc. Agents are matched automatically — new agents that match the pattern are included without configuration.
Groups are used for:
Policy controls which domains are spliced, monitored, passed through, or blocked. Use the dashboard policy editor or create a local policy.yaml:
| Action | Description |
|---|---|
splice | Actively intercept, terminate TLS, re-encrypt to upstream (PQC upgrade where supported) |
monitor | Observe the handshake, forward unmodified bytes (inventory event emitted) |
passthrough | Forward unmodified bytes, no event emitted |
block | Close the connection at handshake time |
Patterns support * (single level) and ** (any depth) wildcards. Dashboard policy overrides local policy.yaml.
The top-level default_action selector (above the rules table) controls what happens to SNIs that don't match any rule. Two main use shapes:
| Setting | Use case |
|---|---|
(inherit agent mode) | Default. Unmatched SNIs follow the agent's mode — splice in splice mode, observe in monitor mode. Matched rules carve out exceptions. |
block | SNI allowlist. Refuse every flow whose SNI isn't explicitly listed. Pair with action: splice rules naming each allowed destination. Use when the agent's listener is exposed to networks broader than your trust boundary (public load balancer, multi-tenant network, demo environments). |
monitor | Observe everything, splice only the listed destinations. Inverse pattern — useful during a staged PQC rollout where you want inventory coverage everywhere but active interception on a vetted subset. |
splice | Splice everything regardless of agent-wide mode. Listed rules can downgrade specific destinations to monitor/passthrough. |
The pqc_mode column on each rule overrides the account-wide inject_pure_mlkem768 setting for that SNI:
| Value | What the agent advertises |
|---|---|
(inherit) | Account-wide default (hybrid X25519MLKEM768 only, unless inject_pure_mlkem768 is on) |
hybrid | Force hybrid only (codepoint 0x11ec). Use to suppress pure-MLKEM advertisement on destinations where the larger ClientHello breaks middleboxes. |
required | Advertise pure ML-KEM-768 (0x0201) in addition to hybrid, as a fallback after it. A hybrid-capable upstream still negotiates hybrid, so this never fails — it just makes pure available. |
pure | Advertise only pure ML-KEM-768 (0x0201) and suppress the classical fallback. The upstream negotiates pure ML-KEM-768 or the handshake fails — no silent downgrade to hybrid or classical. Use where compliance requires a pure-PQC handshake on the wire; only safe for upstreams known to support pure ML-KEM-768. |
When the agent's listener is reachable from a network broader than your application clients, configure the policy as an explicit allowlist so the agent refuses to intercept unrecognized SNIs:
Without an allowlist, the agent will splice any SNI it receives — which is the right behavior inside a customer-owned network, but turns the agent into an open MITM proxy when the listener is reachable from untrusted networks. The allowlist is defense-in-depth on top of firewall / VPC / security-group scoping, which should remain the primary access control.
When the agent attempts to splice an SNI and the pipe explicitly throws (AEAD authentication failure, malformed TLS record header, unbridgeable cross-version negotiation, etc.), that flow's splice can't complete. The Splice failures section is embedded below Alerts on the same page, listing recent occurrences aggregated by (agent, SNI, reason class) (also reachable directly at /dashboard/splice-failures). Tabs: Active (N) / Dismissed (M). Each row offers three choices:
- pattern: <SNI>
action: passthrough to the active policy. The agent stops attempting splice for that SNI; raw TCP relay continues so the destination remains reachable. The SNI no longer contributes to inventory or PQC upgrade. Reversible from the policy editor. A confirmation dialog appears before the policy change goes live.Reason classes: aead_auth (AEAD tag mismatch on a post-handshake record; usually a transient race with peer renegotiation or key rotation). malformed_header (received bytes don't match TLS record framing; usually means non-TLS traffic arrived on :443, or a middlebox re-segmented in a way the agent's reassembler can't handle). cross_version (couldn't bridge the client's TLS version to the upstream's, e.g. no acceptable 1.2 AEAD cipher; usually the right place to add a passthrough rule). upstream_cert_invalid (upstream cert chain didn't verify against the trust store: self-signed, expired, or signed by a CA not installed in the splice-path trust anchors. Fix by pushing the issuing CA via the Certificates dashboard, or add a passthrough rule if you can't trust the upstream). upstream_hostname_mismatch (upstream cert chain verified but its SAN/CN doesn't cover the ClientHello SNI — common on IP-based handshakes or renamed internal endpoints). other (catch-all for the long tail; widened as new classes emerge from operator review).
If you have agent groups, the policy page shows group tabs at the top. Select a group to edit its policy. Agents receive the most specific policy that matches their hostname:
The policy page offers predefined templates to get started quickly:
| Template | Description |
|---|---|
| Monitor Only | Passthrough all traffic — observe without splicing |
| Splice All | Splice everything with PQC, no exceptions |
| Conservative | Passthrough known cert-pinning domains (Apple, Google, Microsoft, AWS), splice the rest |
| CNSA 2.0 | Compliance-focused — passthrough Apple/iCloud, splice everything else for PQC upgrade |
Click a template to load it into the editor, then customize and save. Templates are available per-group — different groups can start from different templates.
Every save creates a version. The version history at the bottom of the policy page shows all previous versions with a show button to view the full YAML. Click rollback to restore a previous version. Each group has its own independent version history.
Click "Generate from inventory" to auto-classify domains based on observed crypto. Legacy and modern domains get splice, PQC domains get passthrough. Review and edit before saving.
Agents poll for policy changes every 60 seconds. For local policy, send SIGHUP to reload: kill -HUP $(pidof tlslane)
The Target column on the Hosts page lets you switch agent modes from the dashboard:
| Setting | Description |
|---|---|
local | Agent uses its own configuration (default after install = monitor) |
monitor | Force monitor mode from dashboard |
splice | Force splice mode from dashboard |
The agent picks up the target mode on its next config poll (within 60 seconds). Combined with policy:
Update agents from the command line or remotely from the dashboard.
Downloads the latest version, verifies the SHA256 checksum, backs up the current binary, and replaces it. Use tlslane update --rollback to restore the previous version.
0.5.4) in the Update column for one agentAn amber badge on "Hosts" in the sidebar shows how many agents are running an older version than the latest release.
If a new binary crashes on startup, the agent automatically restores the previous version on the next restart. This is handled via a .updating marker file — no manual intervention needed.
TLS Lane helps organizations meet post-quantum cryptography regulatory requirements by providing continuous cryptographic inventory, audit trails, and migration tracking.
| Regulation | Requirement | How TLS Lane Helps |
|---|---|---|
| CNSA 2.0 | New NSS acquisitions PQC-compliant by 2027, full migration by 2033 | Continuous monitoring identifies non-compliant connections. PQC migration progress bar tracks adoption over time. |
| OMB M-23-02 | Annual cryptographic inventory with 9 data items per system | Automated inventory of domains, TLS versions, cipher suites, and key exchange groups. Export as NDJSON for reporting. |
| NSM-10 | Federal agencies must mitigate quantum risk by 2035 | Risk classification (legacy/modern/PQC) per domain. Policy engine enables targeted splice upgrades. |
| CISA ACDI | Automated cryptographic discovery and inventory | eBPF-based passive discovery requires no agent on target systems. Covers data-in-transit across the network. |
| Authority | Requirement | How TLS Lane Helps |
|---|---|---|
| 數位發展部 (MODA) | Published Taiwan's first PQC Migration Guide (後量子密碼遷移指引, April 2025). Recommends organizations inventory cryptographic systems and plan migration. | Automated cryptographic inventory with risk classification. Continuous monitoring covers all TLS traffic without manual collection. |
| 金管會 (FSC) | Financial Cybersecurity Resilience Blueprint (金融資安韌性發展藍圖, Dec 2025). PQC migration reference guide for financial institutions targeted H1 2026. | Audit trail with append-only event logs for compliance evidence. Export as NDJSON for regulatory reporting. |
| 金管會 PQC Pilot | Pilot group of financial institutions conducting cryptographic inventory and risk assessment (since July 2025). | Per-domain risk classification (legacy/modern/PQC). Compliance dashboard shows migration progress with CISO-ready metrics. |
Every observed TLS handshake is recorded in an append-only NDJSON file on the agent (/etc/tlslane/events.ndjson). Each line contains:
The log rotates at 100 MB, keeping 9 backups (~1 GB total). Pull event logs from agents via the Compliance or Support page for archival. For real-time forwarding, configure syslog to send events to your SIEM.
The Compliance page provides a CISO-ready view of your organization's PQC readiness:
Forward compliance events in real-time to your SIEM via syslog. Configure on the Settings page or per-agent:
Each event is sent as RFC 5424 with a JSON payload. Facility: authpriv (10), severity: informational (6). TCP uses octet-counted framing (RFC 6587).
When configured via the dashboard Settings page, the syslog URL is pushed to all agents via config poll (within 60 seconds). Agents auto-reconfigure on change and stop forwarding when the URL is cleared.
Export crypto inventory and alerts as NDJSON for batch ingestion:
Both endpoints return application/x-ndjson (one JSON object per line), compatible with Splunk HEC, Elastic Filebeat, and Datadog log ingestion.
TLS Lane provides built-in support channels accessible from the dashboard.
When agents encounter errors, the error count appears as a badge on the Support sidebar link. The Support page lists agents with errors, showing hostname, error count, and status.
For each agent with errors, you can:
After logs are retrieved, click View to open the log viewer. Logs are shown in an editable text area so you can review for personal information (PI/PSI) before submitting.
Only the redacted version is attached to the support ticket — the raw log stays in your account.
Logged-in users can submit support tickets from the Support page. Each ticket includes:
After submission, you can track your tickets and exchange replies with support directly in the dashboard.
The public Contact page is for general inquiries, enterprise deployments, partnerships, and compliance consulting. No account required.
TLS Lane is designed for minimal overhead. Run tlslane bench on your own hardware to measure actual performance.
Measured on AMD Ryzen 9, 100–500 connections, 64 KB data per connection, loopback:
| Mode | Throughput | Latency | CPU / conn | CPU util |
|---|---|---|---|---|
| Direct TCP (baseline) | 234 MB/s | 0.27 ms | 0.30 ms | 113% |
| Proxy monitor | 91 MB/s | 0.69 ms | 0.66 ms | 96% |
| eBPF inline monitor | Zero overhead — kernel-space passive capture, no proxy | |||
Proxy monitor adds +0.42 ms latency per connection. On a real network with 5–50 ms RTT, this is negligible (<1% of round-trip time).
| Metric | Measured |
|---|---|
| New connections/sec | ~500/sec (proxy transport, single core) |
| Concurrent connections | 1,000+ tested with no fd or memory leaks |
| Memory per connection | ~100 bytes (session metadata only) |
| Binary size | ~5 MB (static OpenSSL + Boost) |
| Approach | How it works | Trade-offs |
|---|---|---|
| eBPF inline (tlslane default) | Kernel-space TC classifier reads packets directly off the NIC. No proxy, no TCP termination. | Zero overhead for monitoring. Linux 5.8+ only. Cannot modify traffic (monitor only). |
| Userspace proxy (tlslane proxy) | boost::asio TCP relay on localhost. iptables redirects traffic through the proxy. | Sub-millisecond overhead. Can splice (modify) TLS. Works on any kernel. |
| Hardware appliance | Dedicated hardware with ASIC for TLS acceleration. Sits inline on the network. | Lowest latency for inspection. Expensive. Fixed capacity. No PQC upgrade. |
| Cloud proxy | Traffic routes through a cloud service for inspection. | No on-prem hardware. Adds network hop latency (5–30 ms). Data leaves your network. |
TLS Lane is designed with privacy as a default:
Terms used throughout these docs. Product-specific terms first, then the industry standards we cite. One-line definitions; links go to the canonical reference where applicable.
| Term | Definition |
|---|---|
| Monitor mode | Passive observation. The agent reads TLS handshakes off the wire and reports cipher suite, version, key exchange, certificate. No traffic modification. |
| Splice mode | Active interception. The agent performs two independent TLS negotiations on a connection — one with the client, one with the server — bridging classical and post-quantum crypto without changing either endpoint. |
| Passthrough | Per-domain policy action. The agent observes the connection but forwards it unmodified. Used for cert-pinning domains (Apple, banking) where splice would break trust. |
| Inline transport (eBPF) | Linux-only transport using a kernel TC classifier for zero-copy capture. Original TCP connection is preserved. Linux 4.9+. |
| Proxy transport | Userspace TCP relay using boost::asio. Available on Linux, macOS, Windows. Single-binary fallback when eBPF isn't available; required for splice on non-Linux. |
| Inbound vs outbound | Direction relative to the host's network boundary. Inbound: external client connecting to your service (you are the server). Outbound: your service connecting to an external server (you are the client). Splice handles both, with different cert behavior on each side. |
| Flight recorder | 10-minute in-memory ring buffer of recent log events on each agent. Pulled on demand via Support → Pull Logs; preserved across the resolve-errors action. |
| Crypto inventory | The aggregated table of all observed TLS handshakes for an account, classified by risk (legacy / modern / PQC) and grouped by domain. |
| Cert push | Distribution mechanism for delivering a server certificate to a group of online agents from the dashboard, without SSH. Private key stays in memory on the manage server. |
| Target mode | Server-authoritative mode setting (monitor / splice / local) the agent picks up on its next config poll. Replaces local CLI flags for fleet operations. |
| Domain tag | System classification of a domain (e.g. payment, email, identity, cdn). Auto-applied via 25 built-in patterns; manual overrides via the dashboard. Used on the Compliance page to break down PQC readiness per system. |
| Term | Definition |
|---|---|
| PQC | Post-quantum cryptography. Cryptographic algorithms believed to resist attack by a future large-scale quantum computer. |
| ML-KEM | Module-Lattice Key Encapsulation Mechanism. NIST's standardized post-quantum KEM, formerly known as Kyber. Standardized as FIPS 203 in August 2024. ML-KEM-768 is the parameter set TLS Lane negotiates. |
| Hybrid PQC | Negotiation that combines a classical key exchange (X25519) with a PQC KEM (ML-KEM-768). Protects against both classical and quantum attackers, even if one of the two primitives turns out to be broken. Codepoint 0x11EC per RFC 9794. |
| Harvest now, decrypt later | Adversary strategy: capture encrypted traffic today, store it, decrypt it once large-scale quantum computers exist. Motivates urgency on PQC migration for long-confidentiality data. |
| CNSA 2.0 | NSA Commercial National Security Algorithm Suite 2.0. Specifies ML-KEM, ML-DSA, SHA-2, AES-256 as the required algorithm set for National Security Systems. ML-KEM required for new NSS acquisitions by 2027; full migration by 2033. |
| FIPS 203 / 204 / 205 | NIST ratified PQC standards (August 2024). FIPS 203 = ML-KEM (key encapsulation). FIPS 204 = ML-DSA (signatures, formerly Dilithium). FIPS 205 = SLH-DSA (stateless hash-based signatures, formerly SPHINCS+). |
| M-23-02 / NSM-10 | US federal directives. OMB M-23-02 mandates federal agencies to inventory cryptographic systems. NSM-10 promotes quantum-resistant cryptography across federal systems. |
| Cipher suite | The combination of algorithms a TLS connection uses for authentication, key exchange, encryption, and message authentication (e.g. TLS_AES_256_GCM_SHA384). |
| Key exchange group | The algorithm used to derive a shared secret during the TLS handshake. Examples: X25519, P-256, X25519MLKEM768. TLS Lane upgrades this from classical to hybrid PQC in splice mode. |
| SNI | Server Name Indication. TLS extension that lets a client tell the server which hostname it's trying to reach, so a server with many certs can pick the right one. TLS Lane reads SNI to apply per-domain policy. |
| Command | Description |
|---|---|
sudo tlslane | Monitor mode (passive, no traffic modification) |
sudo tlslane --proxy | Monitor mode, proxy fallback (for non-Linux or old kernels) |
sudo tlslane splice | Splice all traffic |
tlslane splice DOMAIN... | Splice specific domains only |
tlslane splice --exclude DOMAIN... | Splice all except listed domains |
tlslane splice --cert PEM --key PEM | Use your own cert for inbound splice |
sudo tlslane ca generate | Generate root CA |
sudo tlslane ca trust | Install CA to system trust store |
sudo tlslane ca untrust | Remove CA from trust store |
sudo tlslane ca remove | Delete CA file |
tlslane ca show | Print CA certificate PEM |
sudo tlslane update | Download and install latest version |
sudo tlslane update --rollback | Restore previous version |
tlslane --version | Show version |
tlslane --help | Show usage |
tlslane --token TOKEN | Set agent token |
tlslane --management URL | Set management server URL |
tlslane --syslog URL | Forward events to syslog (udp://host:514 or tcp://host:514) |
tlslane --metrics-port N | Enable Prometheus /metrics endpoint on port N |
tlslane splice --listen N | Bind a proxy acceptor on port N. Repeatable: pass --listen multiple times to bind several acceptors (e.g. --listen 443 --upstream localhost:8443 --listen 11443 serves both reverse-proxy and explicit-proxy clients). Required on Windows. |
tlslane splice --upstream HOST:PORT | Reverse-proxy upstream target. When given after a --listen, attaches to that listener; otherwise sets the default for all listeners. Overrides SNI-based routing. |
tlslane splice --port N | Target port for SNI resolution and reverse-proxy bind. Attaches to the most recent --listen when both are given. |
tlslane splice --no-iptables | Skip the iptables PREROUTING + OUTPUT bypass install. For deployments where routing is handled externally (HTTPS_PROXY clients, container ingress, dual-listener mode). |
tlslane --interface NAME | eBPF inline transport: bind to a specific network interface. Default auto-picks the first UP non-loopback interface. |
tlslane --event-log-path PATH | Override event-log file location (default /var/lib/tlslane/events.ndjson). |
tlslane --event-log-max-bytes N | Rotate the event log at N bytes (default 100 MiB; accepts suffixes like 10MB, 1GB). |
tlslane --event-log-max-files N | Keep at most N rotated event-log files (default 9, total ~1 GB). |
tlslane --event-log-min-free N | Stop event logging when free disk falls below N% (default 5). |