sslsvd(8) SSLv3 TCP/IP service daemon

SYNOPSIS

sslsvd [-hpEvv] [-c n] [-C n:msg] [-b n] [-u user] [-l name] [-i dir|-x cdb] [-t sec] [-U ssluser] [-/ root] [-Z cert] [-K key] host port prog

DESCRIPTION

sslsvd creates a TCP/IP socket, binds it to the address host:port, and listens on the socket for incoming SSLv3 connections.

On each incoming connection, sslsvd conditionally runs a program, with standard input reading from the socket, and standard output writing to the socket, to handle this connection. The data read and written to the socket will automatically decrypted and encrypted respectively by sslsvd. sslsvd keeps listening on the socket for new connections, and can handle multiple connections simultaneously.

sslsvd optionally checks for special instructions depending on the IP address or hostname of the client that initiated the connection, see ipsvd-instruct(5).

OPTIONS

host
host either is a hostname, or a dotted-decimal IP address, or 0. If host is 0, sslsvd accepts connections to any local IP address.
port
sslsvd accepts connections to host:port. port may be a name from /etc/services or a number.
prog
prog consists of one or more arguments. For each connection, sslsvd normally runs prog, with file descriptor 0 reading decrypted data from the network, and file descriptor 1 writing to be encrypted data to the network. By default it also sets up TCP-related environment variables, see tcp-environ(5)
-i dir
read instructions for handling new connections from the instructions directory dir. See ipsvd-instruct(5) for details.
-x cdb
read instructions for handling new connections from the constant database cdb. The constant database normally is created from an instructions directory by running ipsvd-cdb(8).
-t sec
timeout. This option only takes effect if the -i option is given. While checking the instructions directory, check the time of last access of the file that matches the clients address or hostname if any, discard and remove the file if it wasn't accessed within the last sec seconds; sslsvd does not discard or remove a file if the user's write permission is not set, for those files the timeout is disabled. Default is 0, which means that the timeout is disabled.
-l name
local hostname. Do not look up the local hostname in DNS, but use name as hostname.
-u [:]user[:group]
drop permissions. Set uid and gid to the user's uid and gid, as found in /etc/passwd, before running prog. If user is followed by a colon and a group, set the gid to group's gid, as found in /etc/group, instead of user's gid. If group consists of a colon-separated list of group names, set the group ids of all listed groups. If user is prefixed with a colon, the user and all group arguments are interpreted as uid and gids respectively, and not looked up in the password or group file. All supplementary groups are removed.
-c n
concurrency. Handle up to n connections simultaneously. Default is 30. If there are n connections active, sslsvd defers acceptance of a new connection until an active connection is closed.
-C n[:msg]
per host concurrency. Allow only up to n connections from the same IP address simultaneously. If there are n active connections from one IP address, new incoming connections from this IP address are closed immediately. If n is followed by :msg, the message msg is written to the client if possible, before closing the connection. By default msg is empty. See ipsvd-instruct(5) for supported escape sequences in msg.

For each accepted connection, the current per host concurrency is available through the environment variable TCPCONCURRENCY. n and msg can be overwritten by ipsvd(7) instructions, see ipsvd-instruct(5). By default sslsvd doesn't keep track of connections.

-h
Look up the client's hostname in DNS.
-p
paranoid. After looking up the client's hostname in DNS, look up the IP addresses in DNS for that hostname, and forget about the hostname if none of the addresses match the client's IP address. You should set this option if you use hostname based instructions. The -p option implies the -h option.
-b n
backlog. Allow a backlog of approximately n TCP SYNs. On some systems n is silently limited. Default is 20.
-E
no special environment. Do not set up TCP-related environment variables.
-v
verbose. Print verbose messsages to standard output.
-vv
more verbose. Print more verbose messages to standard output.

SSL OPTIONS

-U [:]user[:group]
drop permissions. Set uid and gid to the user's uid and gid, as found in /etc/passwd, before running the SSLv3 encrypt/decrypt process. If user is followed by a colon and a group, set the gid to group's gid, as found in /etc/group, instead of user's gid. If group consists of a colon-separated list of group names, set the group ids of all listed groups. If user is prefixed with a colon, the user and all group arguments are interpreted as uid and gids respectively, and not looked up in the password or group file. All supplementary groups are removed. This option must be set when sslsvd is started by root.
-/ root
chroot. Change the root directory to root before running the SSLv3 encrypt/decrypt process. This option should be set when sslsvd is started by root.
-Z cert
cert file. Read the certificate from the file cert (default is ``./cert.pem''). If the -/ option is given, first the cert file is read, then the root directory is changed.
-K key
private key. Read the private key from the file key (default is cert). If the -/ option is given, first the cert file is read, then the root directory is changed.

ENVIRONMENT

SSLIO_BUFIN
The environment variable SSLIO_BUFIN overrides the default input buffer size for sslsvd (8192).
SSLIO_BUFOU
The environment variable SSLIO_BUFOU overrides the default output buffer size for sslsvd (12288). If the output buffer is too small to hold encrypted or decrypted data, sslio automatically blows up the buffer to SSLIO_BUFOU more bytes.
SSLIO_HANDSHAKE_TIMOUT
The environment variable SSLIO_HANDSHAKE_TIMEOUT overrides the default number of seconds sslsvd will try to complete the ssl handshake (300). If the handshake isn't completed after this number of seconds, the client will be disconnected.

AUTHOR

Gerrit Pape <[email protected]>