Provided by: ipsvd_1.0.0-1_i386 bug

NAME

       sslsvd - SSLv3 TCP/IP service daemon

SYNOPSIS

       sslsvd [-hpEvv] [-c n] [-C n:msg] [-b n] [-u user] [-l name] [-i dir|-x
       cdb] [-t sec] [-U ssluser] [-/ root] [-Z cert] [-K key] host port prog

DESCRIPTION

       sslsvd creates a TCP/IP socket, binds it to the address host:port,  and
       listens on the socket for incoming SSLv3 connections.

       On  each incoming connection, sslsvd conditionally runs a program, with
       standard input reading from the socket, and standard output writing  to
       the  socket,  to  handle this connection.  The data read and written to
       the socket will automatically decrypted and encrypted  respectively  by
       sslsvd.   sslsvd keeps listening on the socket for new connections, and
       can handle multiple connections simultaneously.

       sslsvd optionally checks for special instructions depending on  the  IP
       address  or  hostname  of the client that initiated the connection, see
       ipsvd-instruct(5).

OPTIONS

       host   host either is a hostname, or a dotted-decimal IP address, or 0.
              If  host  is  0,  sslsvd  accepts  connections  to  any local IP
              address.

       port   sslsvd accepts connections to host:port.  port  may  be  a  name
              from /etc/services or a number.

       prog   prog  consists  of  one or more arguments.  For each connection,
              sslsvd normally  runs  prog,  with  file  descriptor  0  reading
              decrypted  data  from the network, and file descriptor 1 writing
              to be encrypted data to the network.  By default it also sets up
              TCP-related environment variables, see tcp-environ(5)

       -i dir read   instructions   for  handling  new  connections  from  the
              instructions directory dir.  See ipsvd-instruct(5) for  details.

       -x cdb read instructions for handling new connections from the constant
              database cdb.  The constant database normally is created from an
              instructions directory by running ipsvd-cdb(8).

       -t sec timeout.   This  option  only  takes  effect if the -i option is
              given.  While checking the  instructions  directory,  check  the
              time of last access of the file that matches the clients address
              or hostname if any, discard and remove the  file  if  it  wasn’t
              accessed within the last sec seconds; sslsvd does not discard or
              remove a file if the user’s write permission  is  not  set,  for
              those  files the timeout is disabled.  Default is 0, which means
              that the timeout is disabled.

       -l name
              local hostname.  Do not look up the local hostname in  DNS,  but
              use name as hostname.

       -u [:]user[:group]
              drop permissions.  Set uid and gid to the user’s uid and gid, as
              found in /etc/passwd, before running prog.  If user is  followed
              by  a colon and a group, set the gid to group’s gid, as found in
              /etc/group, instead of user’s  gid.   If  group  consists  of  a
              colon-separated  list  of  group names, set the group ids of all
              listed groups.  If user is prefixed with a colon, the  user  and
              all   group   arguments   are   interpreted   as  uid  and  gids
              respectively, and not looked up in the password or  group  file.
              All supplementary groups are removed.

       -c n   concurrency.    Handle   up  to  n  connections  simultaneously.
              Default is 30.  If there are n connections active, sslsvd defers
              acceptance  of  a  new  connection until an active connection is
              closed.

       -C n[:msg]
              per host concurrency.  Allow only up to n connections  from  the
              same   IP   address  simultaneously.   If  there  are  n  active
              connections from one IP address, new incoming  connections  from
              this  IP  address  are  closed immediately.  If n is followed by
              :msg, the message msg is written  to  the  client  if  possible,
              before  closing  the  connection.  By default msg is empty.  See
              ipsvd-instruct(5) for supported escape sequences in msg.

              For each accepted connection, the current per  host  concurrency
              is available through the environment variable TCPCONCURRENCY.  n
              and msg can be overwritten by ipsvd(7) instructions, see  ipsvd-
              instruct(5).    By   default   sslsvd   doesn’t  keep  track  of
              connections.

       -h     Look up the client’s hostname in DNS.

       -p     paranoid.  After looking up the client’s hostname in  DNS,  look
              up  the  IP addresses in DNS for that hostname, and forget about
              the hostname if none of the  addresses  match  the  client’s  IP
              address.   You  should set this option if you use hostname based
              instructions.  The -p option implies the -h option.

       -b n   backlog.  Allow a backlog of approximately n TCP SYNs.  On  some
              systems n is silently limited.  Default is 20.

       -E     no  special  environment.  Do not set up TCP-related environment
              variables.

       -v     verbose.  Print verbose messsages to standard output.

       -vv    more verbose.  Print more verbose messages to standard output.

   SSL OPTIONS
       -U [:]user[:group]
              drop permissions.  Set uid and gid to the user’s uid and gid, as
              found  in  /etc/passwd, before running the SSLv3 encrypt/decrypt
              process.  If user is followed by a colon and a  group,  set  the
              gid  to  group’s  gid, as found in /etc/group, instead of user’s
              gid.  If group consists  of  a  colon-separated  list  of  group
              names,  set  the  group  ids  of  all listed groups.  If user is
              prefixed with a colon, the user  and  all  group  arguments  are
              interpreted  as  uid and gids respectively, and not looked up in
              the password  or  group  file.   All  supplementary  groups  are
              removed.   This  option  must  be  set when sslsvd is started by
              root.

       -/ root
              chroot.  Change the root directory to root  before  running  the
              SSLv3  encrypt/decrypt  process.  This option should be set when
              sslsvd is started by root.

       -Z cert
              cert file.  Read the certificate from the file cert (default  is
              ‘‘./cert.pem’’).  If the -/ option is given, first the cert file
              is read, then the root directory is changed.

       -K key private key.  Read the private key from the file key (default is
              cert).   If the -/ option is given, first the cert file is read,
              then the root directory is changed.

ENVIRONMENT

       SSLIO_BUFIN
              The environment variable SSLIO_BUFIN overrides the default input
              buffer size for sslsvd (8192).

       SSLIO_BUFOU
              The  environment  variable  SSLIO_BUFOU  overrides  the  default
              output buffer size for sslsvd (12288).  If the output buffer  is
              too   small   to   hold   encrypted  or  decrypted  data,  sslio
              automatically blows up the buffer to SSLIO_BUFOU more bytes.

       SSLIO_HANDSHAKE_TIMOUT
              The environment variable SSLIO_HANDSHAKE_TIMEOUT  overrides  the
              default  number  of  seconds sslsvd will try to complete the ssl
              handshake (300).  If the handshake isn’t  completed  after  this
              number of seconds, the client will be disconnected.

SEE ALSO

       ipsvd(7),   tcpsvd(8),   udpsvd(8),   ipsvd-instruct(5),  ipsvd-cdb(8),
       sslio(8)

       http://smarden.org/ipsvd/

AUTHOR

       Gerrit Pape <pape@smarden.org>

                                                                     sslsvd(8)