Provided by: ipsvd_0.13.0-1_i386
sslsvd - SSLv3 TCP/IP service daemon
sslsvd [-hpEvv] [-c n] [-C n:msg] [-b n] [-u user] [-l name] [-i dir|-x
cdb] [-t sec] [-U ssluser] [-/ root] [-Z cert] [-K key] host port prog
sslsvd creates a TCP/IP socket, binds it to the address host:port, and
listens on the socket for incoming SSLv3 connections.
On each incoming connection, sslsvd conditionally runs a program, with
standard input reading from the socket, and standard output writing to
the socket, to handle this connection. The data read and written to
the socket will automatically decrypted and encrypted respectively by
sslsvd. sslsvd keeps listening on the socket for new connections, and
can handle multiple connections simultaneously.
sslsvd optionally checks for special instructions depending on the IP
address or hostname of the client that initiated the connection, see
host host either is a hostname, or a dotted-decimal IP address, or 0.
If host is 0, sslsvd accepts connections to any local IP
port sslsvd accepts connections to host:port. port may be a name
from /etc/services or a number.
prog prog consists of one or more arguments. For each connection,
sslsvd normally runs prog, with file descriptor 0 reading
decrypted data from the network, and file descriptor 1 writing
to be encrypted data to the network. By default it also sets up
TCP-related environment variables, see tcp-environ(5)
-i dir read instructions for handling new connections from the
instructions directory dir. See ipsvd-instruct(5) for details.
-x cdb read instructions for handling new connections from the constant
database cdb. The constant database normally is created from an
instructions directory by running ipsvd-cdb(8).
-t sec timeout. This option only takes effect if the -i option is
given. While checking the instructions directory, check the
time of last access of the file that matches the clients address
or hostname if any, discard and remove the file if it wasn’t
accessed within the last sec seconds; sslsvd does not discard or
remove a file if the user’s write permission is not set, for
those files the timeout is disabled. Default is 0, which means
that the timeout is disabled.
local hostname. Do not look up the local hostname in DNS, but
use name as hostname.
drop permissions. Switch user ID to user’s UID, and group ID to
user’s primary GID before running prog. If user is followed by
a colon and a group name, the group ID is switched to the GID of
group instead. All supplementary groups are removed.
-c n concurrency. Handle up to n connections simultaneously.
Default is 30. If there are n connections active, sslsvd defers
acceptance of a new connection until an active connection is
per host concurrency. Allow only up to n connections from the
same IP address simultaneously. If there are n active
connections from one IP address, new incoming connections from
this IP address are closed immediately. If n is followed by
:msg, the message msg is written to the client if possible,
before closing the connection. By default msg is empty. See
ipsvd-instruct(5) for supported escape sequences in msg.
For each accepted connection, the current per host concurrency
is available through the environment variable TCPCONCURRENCY. n
and msg can be overwritten by ipsvd(7) instructions, see ipsvd-
instruct(5). By default sslsvd doesn’t keep track of
-h Look up the client’s hostname in DNS.
-p paranoid. After looking up the client’s hostname in DNS, look
up the IP addresses in DNS for that hostname, and forget about
the hostname if none of the addresses match the client’s IP
address. You should set this option if you use hostname based
instructions. The -p option implies the -h option.
-b n backlog. Allow a backlog of approximately n TCP SYNs. On some
systems n is silently limited. Default is 20.
-E no special environment. Do not set up TCP-related environment
-v verbose. Print verbose messsages to standard output.
-vv more verbose. Print more verbose messages to standard output.
drop permissions. Switch user ID to ssluser’s UID, and group ID
to ssluser’s primary GID before running the SSLv3
encrypt/decrypt process. If ssluser is followed by a colon and
a group name, the group ID is switched to the GID of group
instead. This option must be set when sslsvd is started by
chroot. Change the root directory to root before running the
SSLv3 encrypt/decrypt process. This option should be set when
sslsvd is started by root.
cert file. Read the certificate from the file cert (default is
‘‘./cert.pem’’). If the -/ option is given, first the cert file
is read, then the root directory is changed.
-K key private key. Read the private key from the file key (default is
cert). If the -/ option is given, first the cert file is read,
then the root directory is changed.
The environment variable SSLIO_BUFIN overrides the default input
buffer size for sslsvd (8192).
The environment variable SSLIO_BUFOU overrides the default
output buffer size for sslsvd (12288). If the output buffer is
too small to hold encrypted or decrypted data, sslio
automatically blows up the buffer to SSLIO_BUFOU more bytes.
The environment variable SSLIO_HANDSHAKE_TIMEOUT overrides the
default number of seconds sslsvd will try to complete the ssl
handshake (300). If the handshake isn’t completed after this
number of seconds, the client will be disconnected.
ipsvd(7), tcpsvd(8), udpsvd(8), ipsvd-instruct(5), ipsvd-cdb(8),
Gerrit Pape <firstname.lastname@example.org>