sslsvd - SSLv3 TCP/IP service daemon
sslsvd [-hpEvv] [-c n] [-C
n:msg] [-b n] [-u user] [-l name] [-i dir|-x cdb] [-t sec] [-U ssluser] [-/ root]
[-Z cert] [-K key] host port prog
sslsvd creates a TCP/IP socket,
binds it to the address host:port, and listens on the socket for incoming
On each incoming connection, sslsvd conditionally runs
a program, with standard input reading from the socket, and standard output
writing to the socket, to handle this connection. The data read and written
to the socket will automatically decrypted and encrypted respectively by
sslsvd. sslsvd keeps listening on the socket for new connections, and can
handle multiple connections simultaneously.
sslsvd optionally checks for
special instructions depending on the IP address or hostname of the client
that initiated the connection, see ipsvd-instruct(5).
- host either
is a hostname, or a dotted-decimal IP address, or 0. If host is 0, sslsvd
accepts connections to any local IP address.
- sslsvd accepts connections
to host:port. port may be a name from /etc/services or a number.
consists of one or more arguments. For each connection, sslsvd normally
runs prog, with file descriptor 0 reading decrypted data from the network,
and file descriptor 1 writing to be encrypted data to the network. By default
it also sets up TCP-related environment variables, see tcp-environ(5)
- -i dir
- read instructions for handling new connections from the instructions directory
dir. See ipsvd-instruct(5) for details.
- -x cdb
- read instructions for handling
new connections from the constant database cdb. The constant database normally
is created from an instructions directory by running ipsvd-cdb(8).
- -t sec
- timeout. This option only takes effect if the -i option is given. While checking
the instructions directory, check the time of last access of the file that
matches the clients address or hostname if any, discard and remove the
file if it wasn’t accessed within the last sec seconds; sslsvd does not
discard or remove a file if the user’s write permission is not set, for
those files the timeout is disabled. Default is 0, which means that the
timeout is disabled.
- -l name
- local hostname. Do not look up the local hostname
in DNS, but use name as hostname.
- -u [:]user[:group]
- drop permissions. Set
uid and gid to the user’s uid and gid, as found in /etc/passwd, before running
prog. If user is followed by a colon and a group, set the gid to group’s
gid, as found in /etc/group, instead of user’s gid. If group consists of
a colon-separated list of group names, set the group ids of all listed groups.
If user is prefixed with a colon, the user and all group arguments are
interpreted as uid and gids respectively, and not looked up in the password
or group file. All supplementary groups are removed.
- -c n
- concurrency. Handle
up to n connections simultaneously. Default is 30. If there are n connections
active, sslsvd defers acceptance of a new connection until an active connection
- -C n[:msg]
- per host concurrency. Allow only up to n connections
from the same IP address simultaneously. If there are n active connections
from one IP address, new incoming connections from this IP address are
closed immediately. If n is followed by :msg, the message msg is written
to the client if possible, before closing the connection. By default msg
is empty. See ipsvd-instruct(5) for supported escape sequences in msg.
each accepted connection, the current per host concurrency is available
through the environment variable TCPCONCURRENCY. n and msg can be overwritten
by ipsvd(7) instructions, see ipsvd-instruct(5). By default sslsvd doesn’t
keep track of connections.
- Look up the client’s hostname in DNS.
After looking up the client’s hostname in DNS, look up the IP addresses
in DNS for that hostname, and forget about the hostname if none of the
addresses match the client’s IP address. You should set this option if you
use hostname based instructions. The -p option implies the -h option.
- -b n
Allow a backlog of approximately n TCP SYNs. On some systems n is silently
limited. Default is 20.
- no special environment. Do not set up TCP-related
- verbose. Print verbose messsages to standard output.
- more verbose. Print more verbose messages to standard output.
- drop permissions. Set uid and gid to the user’s uid and gid,
as found in /etc/passwd, before running the SSLv3 encrypt/decrypt process.
If user is followed by a colon and a group, set the gid to group’s gid,
as found in /etc/group, instead of user’s gid. If group consists of a colon-separated
list of group names, set the group ids of all listed groups. If user is
prefixed with a colon, the user and all group arguments are interpreted
as uid and gids respectively, and not looked up in the password or group
file. All supplementary groups are removed. This option must be set when
sslsvd is started by root.
- -/ root
- chroot. Change the root directory to root
before running the SSLv3 encrypt/decrypt process. This option should be
set when sslsvd is started by root.
- -Z cert
- cert file. Read the certificate
from the file cert (default is ‘‘./cert.pem’’). If the -/ option is given, first
the cert file is read, then the root directory is changed.
- -K key
key. Read the private key from the file key (default is cert). If the -/ option
is given, first the cert file is read, then the root directory is changed.
ipsvd(7), tcpsvd(8), udpsvd(8),
ipsvd-instruct(5), ipsvd-cdb(8), sslio(8)
- The environment variable SSLIO_BUFIN overrides the
default input buffer size for sslsvd (8192).
- The environment
variable SSLIO_BUFOU overrides the default output buffer size for sslsvd
(12288). If the output buffer is too small to hold encrypted or decrypted
data, sslio automatically blows up the buffer to SSLIO_BUFOU more bytes.
- The environment variable SSLIO_HANDSHAKE_TIMEOUT
overrides the default number of seconds sslsvd will try to complete the
ssl handshake (300). If the handshake isn’t completed after this number of
seconds, the client will be disconnected.
Table of Contents