NAME

       sslsvd - SSLv3 TCP/IP service daemon

SYNOPSIS

       sslsvd  [-hpEvv] [-c n] [-C n:msg] [-b n] [-u user] [-l name] [-i dir|-x cdb] [-t sec] [-U
       ssluser] [-/ root] [-Z cert] [-K key] host port prog

DESCRIPTION

       sslsvd creates a TCP/IP socket, binds it to the address  host:port,  and  listens  on  the
       socket for incoming SSLv3 connections.

       On  each  incoming  connection,  sslsvd  conditionally runs a program, with standard input
       reading from the socket, and standard  output  writing  to  the  socket,  to  handle  this
       connection.   The  data  read  and  written to the socket will automatically decrypted and
       encrypted  respectively  by  sslsvd.   sslsvd  keeps  listening  on  the  socket  for  new
       connections, and can handle multiple connections simultaneously.

       sslsvd  optionally checks for special instructions depending on the IP address or hostname
       of the client that initiated the connection, see ipsvd-instruct(5).

OPTIONS

       host   host either is a hostname, or a dotted-decimal IP address, or 0.   If  host  is  0,
              sslsvd accepts connections to any local IP address.

       port   sslsvd  accepts connections to host:port.  port may be a name from /etc/services or
              a number.

       prog   prog consists of one or more arguments.  For each connection, sslsvd normally  runs
              prog,  with  file  descriptor  0  reading decrypted data from the network, and file
              descriptor 1 writing to be encrypted data to the network.  By default it also  sets
              up TCP-related environment variables, see tcp-environ(5)

       -i dir read instructions for handling new connections from the instructions directory dir.
              See ipsvd-instruct(5) for details.

       -x cdb read instructions for handling new connections from the constant database cdb.  The
              constant  database  normally  is  created from an instructions directory by running
              ipsvd-cdb(8).

       -t sec timeout.  This option only takes effect if the -i option is given.  While  checking
              the  instructions directory, check the time of last access of the file that matches
              the clients address or hostname if any, discard and remove the file  if  it  wasn't
              accessed  within  the last sec seconds; sslsvd does not discard or remove a file if
              the user's write permission is not set, for those files the  timeout  is  disabled.
              Default is 0, which means that the timeout is disabled.

       -l name
              local  hostname.   Do  not  look  up  the  local  hostname  in DNS, but use name as
              hostname.

       -u [:]user[:group]
              drop permissions.  Set uid and  gid  to  the  user's  uid  and  gid,  as  found  in
              /etc/passwd,  before running prog.  If user is followed by a colon and a group, set
              the gid to group's gid, as found in /etc/group, instead of user's  gid.   If  group
              consists  of a colon-separated list of group names, set the group ids of all listed
              groups.  If user is prefixed with a colon, the user and  all  group  arguments  are
              interpreted  as  uid  and  gids  respectively, and not looked up in the password or
              group file.  All supplementary groups are removed.

       -c n   concurrency.  Handle up to n connections simultaneously.  Default is 30.  If  there
              are  n  connections  active,  sslsvd defers acceptance of a new connection until an
              active connection is closed.

       -C n[:msg]
              per host concurrency.  Allow only up to n connections  from  the  same  IP  address
              simultaneously.   If  there  are  n  active  connections  from  one IP address, new
              incoming connections from this IP address are closed immediately.  If n is followed
              by  :msg,  the message msg is written to the client if possible, before closing the
              connection.  By default msg is empty.  See ipsvd-instruct(5) for  supported  escape
              sequences in msg.

              For each accepted connection, the current per host concurrency is available through
              the environment variable TCPCONCURRENCY.  n and msg can be overwritten by  ipsvd(7)
              instructions,  see  ipsvd-instruct(5).   By  default  sslsvd  doesn't keep track of
              connections.

       -h     Look up the client's hostname in DNS.

       -p     paranoid.  After looking up the client's hostname in DNS, look up the IP  addresses
              in  DNS  for  that hostname, and forget about the hostname if none of the addresses
              match the client's IP address.  You should set this  option  if  you  use  hostname
              based instructions.  The -p option implies the -h option.

       -b n   backlog.   Allow  a  backlog  of  approximately  n  TCP SYNs.  On some systems n is
              silently limited.  Default is 20.

       -E     no special environment.  Do not set up TCP-related environment variables.

       -v     verbose.  Print verbose messsages to standard output.

       -vv    more verbose.  Print more verbose messages to standard output.

   SSL OPTIONS
       -U [:]user[:group]
              drop permissions.  Set uid and  gid  to  the  user's  uid  and  gid,  as  found  in
              /etc/passwd, before running the SSLv3 encrypt/decrypt process.  If user is followed
              by a colon and a group, set the gid to group's gid, as found in /etc/group, instead
              of user's gid.  If group consists of a colon-separated list of group names, set the
              group ids of all listed groups.  If user is prefixed with a colon, the user and all
              group  arguments are interpreted as uid and gids respectively, and not looked up in
              the password or group file.  All supplementary groups  are  removed.   This  option
              must be set when sslsvd is started by root.

       -/ root
              chroot.  Change the root directory to root before running the SSLv3 encrypt/decrypt
              process.  This option should be set when sslsvd is started by root.

       -Z cert
              cert file.  Read the certificate from the file cert  (default  is  ``./cert.pem'').
              If  the -/ option is given, first the cert file is read, then the root directory is
              changed.

       -K key private key.  Read the private key from the file key (default is cert).  If the  -/
              option is given, first the cert file is read, then the root directory is changed.

ENVIRONMENT

       SSLIO_BUFIN
              The  environment  variable  SSLIO_BUFIN overrides the default input buffer size for
              sslsvd (8192).

       SSLIO_BUFOU
              The environment variable SSLIO_BUFOU overrides the default output buffer  size  for
              sslsvd  (12288).   If the output buffer is too small to hold encrypted or decrypted
              data, sslio automatically blows up the buffer to SSLIO_BUFOU more bytes.

       SSLIO_HANDSHAKE_TIMOUT
              The environment variable SSLIO_HANDSHAKE_TIMEOUT overrides the  default  number  of
              seconds  sslsvd  will  try  to  complete the ssl handshake (300).  If the handshake
              isn't completed after this number of seconds, the client will be disconnected.

SEE ALSO

       ipsvd(7), tcpsvd(8), udpsvd(8), ipsvd-instruct(5), ipsvd-cdb(8), sslio(8)

       http://smarden.org/ipsvd/

AUTHOR

       Gerrit Pape <pape@smarden.org>

                                                                                        sslsvd(8)