sslsvd
creates a TCP/IP socket, binds it to the address
host:port,
and listens on the socket for incoming SSLv3 connections.
On each incoming connection,
sslsvd
conditionally runs a program, with standard input reading from the socket,
and standard output writing to the socket, to handle this connection.
The data read and written to the socket will automatically decrypted and
encrypted respectively by
sslsvd.
sslsvd
keeps listening on the socket for new connections, and can handle multiple
connections simultaneously.
sslsvd
optionally checks for special instructions depending on the IP address or
hostname of the client that initiated the connection, see
ipsvd-instruct(5).
OPTIONS
host
host
either is a hostname, or a dotted-decimal IP address, or 0.
If
host
is 0,
sslsvd
accepts connections to any local IP address.
port
sslsvd
accepts connections to
host:port.
port
may be a name from /etc/services or a number.
prog
prog
consists of one or more arguments.
For each connection,
sslsvd
normally runs
prog,
with file descriptor 0 reading decrypted data from the network, and file
descriptor 1 writing to be encrypted data to the network.
By default it also sets up TCP-related environment variables, see
tcp-environ(5)
-i dir
read instructions for handling new connections from the instructions
directory
dir.
See
ipsvd-instruct(5)
for details.
-x cdb
read instructions for handling new connections from the constant database
cdb.
The constant database normally is created from an instructions directory by
running
ipsvd-cdb(8).
-t sec
timeout.
This option only takes effect if the -i option is given.
While checking the instructions directory, check the time of last access of
the file that matches the clients address or hostname if any, discard and
remove the file if it wasn't accessed within the last
sec
seconds;
sslsvd
does not discard or remove a file if the user's write permission is not set,
for those files the timeout is disabled.
Default is 0, which means that the timeout is disabled.
-l name
local hostname.
Do not look up the local hostname in DNS, but use
name
as hostname.
-u [:]user[:group]
drop permissions.
Set uid and gid to the
user's
uid and gid, as found in
/etc/passwd,
before running
prog.
If
user
is followed by a colon and a
group,
set the gid to
group's
gid, as found in
/etc/group,
instead of
user's
gid.
If
group
consists of a colon-separated list of group names,
set the group ids of all listed groups.
If
user
is prefixed with a colon, the
user
and all
group
arguments are interpreted as uid and gids respectively, and not looked up in
the password or group file.
All supplementary groups are removed.
-c n
concurrency.
Handle up to
n
connections simultaneously.
Default is 30.
If there are
n
connections active,
sslsvd
defers acceptance of a new connection until an active connection is closed.
-C n[:msg]
per host concurrency.
Allow only up to
n
connections from the same IP address simultaneously.
If there are
n
active connections from one IP address, new incoming connections from this IP
address are closed immediately.
If
n
is followed by
:msg,
the message
msg
is written to the client if possible, before closing the connection.
By default
msg
is empty.
See
ipsvd-instruct(5)
for supported escape sequences in
msg.
For each accepted connection, the current per host concurrency is available
through the environment variable
TCPCONCURRENCY.
n
and
msg
can be overwritten by
ipsvd(7)
instructions, see
ipsvd-instruct(5).
By default
sslsvd
doesn't keep track of connections.
-h
Look up the client's hostname in DNS.
-p
paranoid.
After looking up the client's hostname in DNS, look up the IP addresses in
DNS for that hostname, and forget about the hostname if none of the addresses
match the client's IP address.
You should set this option if you use hostname based instructions.
The -p option implies the -h option.
-b n
backlog.
Allow a backlog of approximately
n
TCP SYNs.
On some systems
n
is silently limited.
Default is 20.
-E
no special environment.
Do not set up TCP-related environment variables.
-v
verbose.
Print verbose messsages to standard output.
-vv
more verbose.
Print more verbose messages to standard output.
SSL OPTIONS
-U [:]user[:group]
drop permissions.
Set uid and gid to the
user's
uid and gid, as found in
/etc/passwd,
before running the SSLv3 encrypt/decrypt process.
If
user
is followed by a colon and a
group,
set the gid to
group's
gid, as found in
/etc/group,
instead of
user's
gid.
If
group
consists of a colon-separated list of group names,
set the group ids of all listed groups.
If
user
is prefixed with a colon, the
user
and all
group
arguments are interpreted as uid and gids respectively, and not looked up in
the password or group file.
All supplementary groups are removed.
This option must be set when
sslsvd
is started by root.
-/ root
chroot.
Change the root directory to
root
before running the SSLv3 encrypt/decrypt process.
This option should be set when
sslsvd
is started by root.
-Z cert
cert file.
Read the certificate from the file
cert
(default is ``./cert.pem'').
If the -/ option is given, first the cert file is read, then the root
directory is changed.
-K key
private key.
Read the private key from the file
key
(default is
cert).
If the -/ option is given, first the cert file is read, then the root
directory is changed.
ENVIRONMENT
SSLIO_BUFIN
The environment variable
SSLIO_BUFIN
overrides the default input buffer size for
sslsvd
(8192).
SSLIO_BUFOU
The environment variable
SSLIO_BUFOU
overrides the default output buffer size for
sslsvd
(12288).
If the output buffer is too small to hold encrypted or decrypted data,
sslio
automatically blows up the buffer to
SSLIO_BUFOU
more bytes.
SSLIO_HANDSHAKE_TIMOUT
The environment variable
SSLIO_HANDSHAKE_TIMEOUT
overrides the default number of seconds
sslsvd
will try to complete the ssl handshake (300).
If the handshake isn't completed after this number of seconds,
the client will be disconnected.