Provided by: ipsvd_1.0.0-2_amd64

NAME

       sslio - SSL input/output for service programs

SYNOPSIS

       sslio [-cv] [-u user] [-U user] [-/ root] [-C cert] [-K key] [-A ca] prog

DESCRIPTION

       sslio provides SSL encrypted network connections for service programs started by tcpsvd(8)
       or tcpserver(1), and tcpclient(1).

       Normally sslio is started by tcpsvd(8) or tcpclient(1); it in turn starts the service
       program prog, and runs as a child process of the service program.  After performing the
       SSL handshake, sslio reads SSL encrypted data from the network, and writes decrypted data
       to the service program prog; it reads data from the service program prog, and writes SSL
       encrypted data to the network.  sslio should run under a different user ID than the
       service program, and with a changed root directory.  When started by root, the -u option
       must be given, and the -U and -/ options should be given.

       The sslio program uses the SSLv3 implementation of the matrixssl library.

OPTIONS

       prog   prog consists of one or more arguments, specifying the service program normally run
              directly by tcpsvd(8), or tcpserver(1).

       -u [:]user[:group]
              drop  permissions.   Set  uid  and  gid  to  the  user's  uid  and gid, as found in
              /etc/passwd, before reading data from, or writing data to the network.  If user  is
              followed  by  a  colon  and  a  group,  set  the  gid  to  group's gid, as found in
              /etc/group, instead of user's gid.  If group consists of a colon-separated list  of
              group  names,  set  the group ids of all listed groups.  If user is prefixed with a
              colon,  the  user  and  all  group  arguments  are  interpreted  as  uid  and  gids
              respectively,  and  not looked up in the password or group file.  All supplementary
              groups are removed.  This option must be set when sslio is  started  by  root,  and
              cannot be set otherwise.

       -U [:]user[:group]
              drop  permissions.   Set  uid  and  gid  to  the  user's  uid  and gid, as found in
              /etc/passwd, before running prog.  If user is followed by a colon and a group,  set
              the  gid  to  group's gid, as found in /etc/group, instead of user's gid.  If group
              consists of a colon-separated list of group names, set the group ids of all  listed
              groups.   If  user  is  prefixed with a colon, the user and all group arguments are
              interpreted as uid and gids respectively, and not looked  up  in  the  password  or
              group  file.  All supplementary groups are removed.  This option should be set when
              sslio is started by root, and cannot be set otherwise.

       -/ root
              chroot.  Change the root directory to root before reading  data  from,  or  writing
              data  to the network.  This option should be set when sslio is started by root, and
              cannot be set otherwise.

       -C cert
              cert file (server mode).  Read the certificate  from  the  file  cert  (default  is
              ``./cert.pem'').   If  the -/ option is given, first the root directory is changed,
              then the cert file is read.

       -K key private key (server mode).  Read the private key from  the  file  key  (default  is
              cert).   If  the  -/ option is given, first the root directory is changed, then the
              private key is read.

       -A ca  ca file (client mode).  Read  the  trusted  root  certificate  from  the  file  ca.
              Multiple  files can be specified, using a semicolon as delimiter.  If the -/ option
              is given, first the root directory is changed, then the ca file is read.

       -c     client mode.  This option must be given when running sslio under tcpclient(1).  In
              client mode, file descriptors 6 and 7 are used instead of standard input and
              standard output to read from and write to the network and the service program.  If
              the -A option is given, sslio refuses to connect to a server whose certificate
              cannot be verified by the root certificates; otherwise it accepts any server
              certificate.

       -v     verbose.  Print verbose messages to standard error.

       -vv    more verbose.  Print more verbose messages to standard error.

       -vvv   even more verbose.  Print even more verbose messages to standard error.
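
       The constraints listed above (-u mandatory under root, -u/-U/-/ not allowed otherwise,
       -C/-K/-A opened only after the chroot, -K defaulting to the -C file, -A as a
       semicolon-separated list) can be checked once at start-up.  The script below is an added
       example, not part of ipsvd or of this manual page; sslio_preflight and sslio_path are
       hypothetical helper names, and it assumes options are passed separately (-c -v, not -cv)
       and that a relative certificate path resolves from the new root.

```shell
#!/bin/sh
# Preflight check for an sslio(8) command line: a constructed example, not part
# of ipsvd.  It re-checks the preconditions documented in sslio(8) before a run
# script execs "tcpsvd ... sslio ...", so a misconfiguration fails at start-up
# instead of at the first connection.  Assumptions: options are passed separately
# (-c -v, not -cv), and a relative -C/-K/-A path resolves from the new root.
# Usage: sslio_preflight EUID [sslio options] prog...
# Prints one finding per line; returns 1 if any "error:" finding was produced.
# Where sslio will actually open file $2: the -/ root ($1) is entered first.
sslio_path() { if [ -n "$1" ]; then echo "$1/${2#/}"; else echo "$2"; fi; }

sslio_preflight() {
    euid=$1; shift
    u= U= root= ca= key= cert=./cert.pem mode=server rc=0
    while [ $# -gt 0 ]; do
        case $1 in
            -u) u=$2; shift 2 ;;       -U) U=$2; shift 2 ;;
            -/) root=$2; shift 2 ;;    -C) cert=$2; shift 2 ;;
            -K) key=$2; shift 2 ;;     -A) ca=$2; shift 2 ;;
            -c) mode=client; shift ;;  -v|-vv|-vvv) shift ;;
            -*) echo "error: unknown option $1"; rc=1; shift ;;
            *)  break ;;
        esac
    done
    [ $# -gt 0 ] || { echo "error: no service program given"; rc=1; }
    if [ "$euid" -eq 0 ]; then
        # under root -u is mandatory, -U and -/ are strongly recommended
        [ -n "$u" ] || { echo "error: started by root but -u not given"; rc=1; }
        [ -n "$U" ] || echo "warning: no -U, prog would keep running as root"
        [ -n "$root" ] || echo "warning: no -/, sslio runs without a chroot"
    else
        # the privilege-dropping options cannot be used without root
        [ -z "$u$U$root" ] || { echo "error: -u, -U and -/ require root"; rc=1; }
    fi
    if [ "$mode" = server ]; then
        for f in "$cert" "${key:-$cert}"; do   # -K defaults to the -C file
            [ -e "$(sslio_path "$root" "$f")" ] ||
                { echo "error: $f not found under ${root:-/}"; rc=1; }
        done
    else
        [ -n "$ca" ] || echo "warning: client mode without -A accepts any server certificate"
        IFS=';'; for f in $ca; do   # -A takes a semicolon-separated list
            [ -e "$(sslio_path "$root" "$f")" ] ||
                { echo "error: ca file $f not found under ${root:-/}"; rc=1; }
        done; unset IFS
    fi
    return $rc
}
```

       A run script sources this file and does `sslio_preflight "$(id -u)" "$@" || exit 1`
       before its final exec.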

ENVIRONMENT

       SSLIO_BUFIN
              The  environment  variable  SSLIO_BUFIN overrides the default input buffer size for
              sslio (8192).

       SSLIO_BUFOU
              The environment variable SSLIO_BUFOU overrides the default output buffer size for
              sslio (12288).  If the output buffer is too small to hold encrypted or decrypted
              data, sslio automatically grows the buffer by a further SSLIO_BUFOU bytes.

       SSLIO_BAD_CERTIFICATE
              (client mode)  If the environment variable SSLIO_BAD_CERTIFICATE is set, sslio -c
              accepts server certificates it would normally reject with
               fatal: ssl decode error: bad certificate

       SSLIO_HANDSHAKE_TIMEOUT
              The  environment  variable  SSLIO_HANDSHAKE_TIMEOUT overrides the default number of
              seconds sslio will try to complete the ssl handshake (300).  If the handshake isn't
              completed after this number of seconds, sslio exits.

SEE ALSO

       sslsvd(8), tcpsvd(8), udpsvd(8), ipsvd(7), ipsvd-instruct(5), ipsvd-cdb(8)

       http://smarden.org/ipsvd/

AUTHOR

       Gerrit Pape <pape@smarden.org>

                                                                                         sslio(8)