man CryWrap (8): Simple TCP/IP service encryption using TLS/SSL

SYNOPSIS

crywrap --listen HOST/PORT --destination HOST/PORT [options]

CryWrap is a simple wrapper that waits for TLS/SSL connections, and proxies them to an unencrypted location.

CryWrap takes the following options:

--destionation (-d) HOST/PORT: The destionation host and address, where CryWrap should connect to. Both arguments are required.

--anon (-a): Enables Anon-DH mode. If enabled, no certificate will be sent to the client, and only anonymous sessions will be enabled.
Default is off.
--cert (-c) PATH
--key (-k) PATH: The public certificate to send to clients, and the private server key.
Default is /etc/crywrap/server.pem, unless --anon is also specified, in which case no certificate will be used. --ca (-z) PATH
A Certificate Authority certificate to be used for verification of client certificates.
--verify (-v) [LEVEL]: Set the level of client certificate verification. Level one simply logs the result, level two and above abort if the certificate could not be verified.
Default is 0.

--inetd (-i): Enable inetd-mode. Use this if you want to run CryWrap from inetd. If this option is not enabled, then --listen is a required option.
Default is off.
--listen (-l) HOST/PORT: The host and port CryWrap should listen on. HOST can be an IPv4 or IPv6 address, or a hostname, and is optional - if unspecified, CryWrap will listen on all available addresses. PORT is mandatory.
This option is required, unless CryWrap was put into inetd mode.
--pidfile (-P) PIDFILE: Write the pid thy runs with to PIDFILE.
Default is /var/run/crywrap.pid.
--user (-u) UID: UID is the numerical user id of the user thy should run as.
Default is 65534.
--version (-V): Print the version number and exit.
--help (-?): Print a verbose help screen and exit.
--usage: Print a short summary of options.

crywrap --listen /995 --destination localhost/110

crywrap --listen /993 --destination localhost/143 \
        --pem /etc/ssl/certs/imap.pem

/etc/crywrap/

Probably many.