Provided by: ipsvd_1.0.0-2_amd64 
NAME
sslsvd - SSLv3 TCP/IP service daemon
SYNOPSIS
sslsvd [-hpEvv] [-c n] [-C n:msg] [-b n] [-u user] [-l name] [-i dir|-x cdb] [-t sec] [-U ssluser] [-/
root] [-Z cert] [-K key] host port prog
DESCRIPTION
sslsvd creates a TCP/IP socket, binds it to the address host:port, and listens on the socket for incoming
SSLv3 connections.
On each incoming connection, sslsvd conditionally runs a program, with standard input reading from the
socket, and standard output writing to the socket, to handle this connection. The data read and written
to the socket will automatically decrypted and encrypted respectively by sslsvd. sslsvd keeps listening
on the socket for new connections, and can handle multiple connections simultaneously.
sslsvd optionally checks for special instructions depending on the IP address or hostname of the client
that initiated the connection, see ipsvd-instruct(5).
OPTIONS
host host either is a hostname, or a dotted-decimal IP address, or 0. If host is 0, sslsvd accepts
connections to any local IP address.
port sslsvd accepts connections to host:port. port may be a name from /etc/services or a number.
prog prog consists of one or more arguments. For each connection, sslsvd normally runs prog, with file
descriptor 0 reading decrypted data from the network, and file descriptor 1 writing to be
encrypted data to the network. By default it also sets up TCP-related environment variables, see
tcp-environ(5)
-i dir read instructions for handling new connections from the instructions directory dir. See ipsvd-
instruct(5) for details.
-x cdb read instructions for handling new connections from the constant database cdb. The constant
database normally is created from an instructions directory by running ipsvd-cdb(8).
-t sec timeout. This option only takes effect if the -i option is given. While checking the
instructions directory, check the time of last access of the file that matches the clients address
or hostname if any, discard and remove the file if it wasn't accessed within the last sec seconds;
sslsvd does not discard or remove a file if the user's write permission is not set, for those
files the timeout is disabled. Default is 0, which means that the timeout is disabled.
-l name
local hostname. Do not look up the local hostname in DNS, but use name as hostname.
-u [:]user[:group]
drop permissions. Set uid and gid to the user's uid and gid, as found in /etc/passwd, before
running prog. If user is followed by a colon and a group, set the gid to group's gid, as found in
/etc/group, instead of user's gid. If group consists of a colon-separated list of group names,
set the group ids of all listed groups. If user is prefixed with a colon, the user and all group
arguments are interpreted as uid and gids respectively, and not looked up in the password or group
file. All supplementary groups are removed.
-c n concurrency. Handle up to n connections simultaneously. Default is 30. If there are n
connections active, sslsvd defers acceptance of a new connection until an active connection is
closed.
-C n[:msg]
per host concurrency. Allow only up to n connections from the same IP address simultaneously. If
there are n active connections from one IP address, new incoming connections from this IP address
are closed immediately. If n is followed by :msg, the message msg is written to the client if
possible, before closing the connection. By default msg is empty. See ipsvd-instruct(5) for
supported escape sequences in msg.
For each accepted connection, the current per host concurrency is available through the
environment variable TCPCONCURRENCY. n and msg can be overwritten by ipsvd(7) instructions, see
ipsvd-instruct(5). By default sslsvd doesn't keep track of connections.
-h Look up the client's hostname in DNS.
-p paranoid. After looking up the client's hostname in DNS, look up the IP addresses in DNS for that
hostname, and forget about the hostname if none of the addresses match the client's IP address.
You should set this option if you use hostname based instructions. The -p option implies the -h
option.
-b n backlog. Allow a backlog of approximately n TCP SYNs. On some systems n is silently limited.
Default is 20.
-E no special environment. Do not set up TCP-related environment variables.
-v verbose. Print verbose messsages to standard output.
-vv more verbose. Print more verbose messages to standard output.
SSL OPTIONS
-U [:]user[:group]
drop permissions. Set uid and gid to the user's uid and gid, as found in /etc/passwd, before
running the SSLv3 encrypt/decrypt process. If user is followed by a colon and a group, set the
gid to group's gid, as found in /etc/group, instead of user's gid. If group consists of a colon-
separated list of group names, set the group ids of all listed groups. If user is prefixed with a
colon, the user and all group arguments are interpreted as uid and gids respectively, and not
looked up in the password or group file. All supplementary groups are removed. This option must
be set when sslsvd is started by root.
-/ root
chroot. Change the root directory to root before running the SSLv3 encrypt/decrypt process. This
option should be set when sslsvd is started by root.
-Z cert
cert file. Read the certificate from the file cert (default is ``./cert.pem''). If the -/ option
is given, first the cert file is read, then the root directory is changed.
-K key private key. Read the private key from the file key (default is cert). If the -/ option is
given, first the cert file is read, then the root directory is changed.
ENVIRONMENT
SSLIO_BUFIN
The environment variable SSLIO_BUFIN overrides the default input buffer size for sslsvd (8192).
SSLIO_BUFOU
The environment variable SSLIO_BUFOU overrides the default output buffer size for sslsvd (12288).
If the output buffer is too small to hold encrypted or decrypted data, sslio automatically blows
up the buffer to SSLIO_BUFOU more bytes.
SSLIO_HANDSHAKE_TIMOUT
The environment variable SSLIO_HANDSHAKE_TIMEOUT overrides the default number of seconds sslsvd
will try to complete the ssl handshake (300). If the handshake isn't completed after this number
of seconds, the client will be disconnected.
SEE ALSO
ipsvd(7), tcpsvd(8), udpsvd(8), ipsvd-instruct(5), ipsvd-cdb(8), sslio(8)
http://smarden.org/ipsvd/
AUTHOR
Gerrit Pape <pape@smarden.org>
sslsvd(8)