Provided by: ipsvd_0.13.0-1_i386

NAME
       sslsvd - SSLv3 TCP/IP service daemon

SYNOPSIS
       sslsvd [-hpEvv] [-c n] [-C n:msg] [-b n] [-u user] [-l name] [-i dir|-x
       cdb] [-t sec] [-U ssluser] [-/ root] [-Z cert] [-K key] host port prog

DESCRIPTION
       sslsvd creates a TCP/IP socket, binds it to the address host:port, and
       listens on the socket for incoming SSLv3 connections.

       On each incoming connection, sslsvd conditionally runs a program, with
       standard input reading from the socket, and standard output writing to
       the socket, to handle this connection.  The data read from and written
       to the socket is automatically decrypted and encrypted, respectively,
       by sslsvd.  sslsvd keeps listening on the socket for new connections,
       and can handle multiple connections simultaneously.

       sslsvd optionally checks for special instructions depending on  the  IP
       address  or  hostname  of the client that initiated the connection, see

OPTIONS
       host   host either is a hostname, or a dotted-decimal IP address, or 0.
              If  host  is  0,  sslsvd  accepts  connections  to  any local IP

       port   sslsvd accepts connections to host:port.  port  may  be  a  name
              from /etc/services or a number.

       prog   prog consists of one or more arguments.  For each connection,
              sslsvd normally runs prog, with file descriptor 0 reading
              decrypted data from the network, and file descriptor 1 writing
              data to be encrypted to the network.  By default it also sets up
              TCP-related environment variables, see tcp-environ(5).

       -i dir read   instructions   for  handling  new  connections  from  the
              instructions directory dir.  See ipsvd-instruct(5) for  details.

       -x cdb read instructions for handling new connections from the constant
              database cdb.  The constant database normally is created from an
              instructions directory by running ipsvd-cdb(8).

       -t sec timeout.  This option only takes effect if the -i option is
              given.  While checking the instructions directory, check the
              time of last access of the file that matches the client’s
              address or hostname if any, discard and remove the file if it
              wasn’t accessed within the last sec seconds; sslsvd does not
              discard or remove a file if the user’s write permission is not
              set, for those files the timeout is disabled.  Default is 0,
              which means that the timeout is disabled.

       -l name
              local hostname.  Do not look up the local hostname in  DNS,  but
              use name as hostname.

       -u user[:group]
              drop permissions.  Switch user ID to user’s UID, and group ID to
              user’s primary GID before running prog.  If user is followed  by
              a colon and a group name, the group ID is switched to the GID of
              group instead.  All supplementary groups are removed.

       -c n   concurrency.   Handle  up  to  n   connections   simultaneously.
              Default is 30.  If there are n connections active, sslsvd defers
              acceptance of a new connection until  an  active  connection  is

       -C n[:msg]
              per  host  concurrency.  Allow only up to n connections from the
              same  IP  address  simultaneously.   If  there  are   n   active
              connections  from  one IP address, new incoming connections from
              this IP address are closed immediately.  If  n  is  followed  by
              :msg,  the  message  msg  is  written to the client if possible,
              before closing the connection.  By default msg  is  empty.   See
              ipsvd-instruct(5) for supported escape sequences in msg.

              For  each  accepted connection, the current per host concurrency
              is available through the environment variable TCPCONCURRENCY.  n
              and  msg can be overwritten by ipsvd(7) instructions, see ipsvd-
              instruct(5).   By  default  sslsvd   doesn’t   keep   track   of

       -h     Look up the client’s hostname in DNS.

       -p     paranoid.   After  looking up the client’s hostname in DNS, look
              up the IP addresses in DNS for that hostname, and  forget  about
              the  hostname  if  none  of  the addresses match the client’s IP
              address.  You should set this option if you use  hostname  based
              instructions.  The -p option implies the -h option.

       -b n   backlog.   Allow a backlog of approximately n TCP SYNs.  On some
              systems n is silently limited.  Default is 20.

       -E     no special environment.  Do not set up  TCP-related  environment

       -v     verbose.  Print verbose messages to standard output.

       -vv    more verbose.  Print more verbose messages to standard output.

       -U ssluser
              drop permissions.  Switch user ID to ssluser’s UID, and group ID
              to   ssluser’s   primary   GID   before   running   the    SSLv3
              encrypt/decrypt  process.  If ssluser is followed by a colon and
              a group name, the group ID is  switched  to  the  GID  of  group
              instead.   This  option  must  be  set when sslsvd is started by

       -/ root
              chroot.  Change the root directory to root  before  running  the
              SSLv3  encrypt/decrypt  process.  This option should be set when
              sslsvd is started by root.

       -Z cert
              cert file.  Read the certificate from the file cert (default is
              "./cert.pem").  If the -/ option is given, first the cert file
              is read, then the root directory is changed.

       -K key private key.  Read the private key from the file key (default is
              cert).   If the -/ option is given, first the cert file is read,
              then the root directory is changed.
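The following shell script is an added example, not part of ipsvd or its man page. It composes a least-privilege sslsvd invocation from the -u, -U, -/, -Z, -K and -C options described above, and implements a minimal prog that honours the fd 0 / fd 1 plaintext contract and the TCPCONCURRENCY variable. The user names www and sslio, the paths, the handler name and the use of TCPREMOTEIP from tcp-environ(5) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of ipsvd. Two pieces:
#  1. build_sslsvd_cmd: compose a least-privilege sslsvd invocation using
#     the options documented above: -u drops prog's privileges, -U drops the
#     SSL process's privileges, -/ chroots it, -C caps per-host concurrency.
#     User names (www, sslio) and all paths are placeholders.
#  2. handler: a minimal prog that sslsvd runs per connection. It reads
#     plaintext on fd 0 and writes plaintext on fd 1; sslsvd does the SSL
#     work, so the handler never sees ciphertext.

# Print the argv sslsvd would be started with. Returns 1 when the cert or
# key file is unreadable: sslsvd reads both before it chroots (so these are
# host paths, not paths inside the chroot), and a missing file would
# otherwise only show up when the first client tries to connect.
build_sslsvd_cmd() {
    host=$1 port=$2 cert=$3 key=$4 root=$5
    [ -r "$cert" ] && [ -r "$key" ] || return 1
    printf '%s' "sslsvd -u www:www -U sslio:sslio -/ $root -Z $cert -K $key" \
        " -C 5:too-many-connections $host $port ./handler"
}

CR=$(printf '\r')

# prog run by sslsvd for each connection (stdin/stdout are the decrypted
# stream). sslsvd exports the tcp-environ(5) variables; TCPCONCURRENCY is
# documented under -C above, TCPREMOTEIP is the client's address (assumed).
# Diagnostics go to stderr so they never leak into the connection.
handler() {
    printf 'connection from %s (concurrency %s)\n' \
        "${TCPREMOTEIP:-unknown}" "${TCPCONCURRENCY:-1}" >&2
    # Refuse service above a soft per-client limit even if -C is not set.
    if [ "${TCPCONCURRENCY:-1}" -gt 2 ]; then
        printf 'busy\r\n'
        return 0
    fi
    printf '220 ready\r\n'
    while IFS= read -r line; do
        line=${line%"$CR"}   # tolerate CRLF line endings from the client
        case $line in
            QUIT*) printf '221 bye\r\n'; return 0 ;;
            *)     printf '250 %s\r\n' "$line" ;;
        esac
    done
}
```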

ENVIRONMENT
              The environment variable SSLIO_BUFIN overrides the default input
              buffer size for sslsvd (8192).

              The environment variable SSLIO_BUFOU overrides the default
              output buffer size for sslsvd (12288).  If the output buffer is
              too small to hold encrypted or decrypted data, sslio
              automatically enlarges the buffer by another SSLIO_BUFOU bytes.

              The environment variable SSLIO_HANDSHAKE_TIMEOUT overrides the
              default number of seconds sslsvd will try to complete the SSL
              handshake (300).  If the handshake isn’t completed after this
              number of seconds, the client will be disconnected.

SEE ALSO
       ipsvd(7),   tcpsvd(8),   udpsvd(8),   ipsvd-instruct(5),  ipsvd-cdb(8),

AUTHOR
       Gerrit Pape <>