trusty (8) sslio.8.gz

Provided by: ipsvd_1.0.0-2_amd64

NAME

       sslio - SSL input/output for service programs

SYNOPSIS

       sslio [-cv] [-u user] [-U user] [-/ root] [-C cert] [-K key] [-A ca] prog

DESCRIPTION

       sslio  provides  SSL  encrypted  network  connections  for  service  programs  started  by  tcpsvd(8)  or
       tcpserver(1), and tcpclient(1).

       Normally sslio is started by tcpsvd(8) or tcpclient(1); it in turn starts the service program prog and
       runs as a child process of the service program.  After performing the SSL handshake, sslio reads SSL
       encrypted data from the network and writes decrypted data to the service program prog; it reads data
       from the service program prog and writes SSL encrypted data to the network.  sslio should run under a
       different user ID than the service program, and with a changed root directory.  When started by root,
       the -u option must be given, and the -U and -/ options should be given.

       The sslio program uses the SSLv3 implementation of the matrixssl library.

OPTIONS

       prog   prog  consists  of  one or more arguments, specifying the service program normally run directly by
              tcpsvd(8), or tcpserver(1).

       -u [:]user[:group]
              drop permissions.  Set uid and gid to the user's uid and gid,  as  found  in  /etc/passwd,  before
              reading  data  from,  or writing data to the network.  If user is followed by a colon and a group,
              set the gid to group's gid, as found in /etc/group, instead of user's gid.  If group consists of a
              colon-separated  list of group names, set the group ids of all listed groups.  If user is prefixed
              with a colon, the user and all group arguments are interpreted as uid and gids  respectively,  and
              not  looked  up in the password or group file.  All supplementary groups are removed.  This option
              must be set when sslio is started by root, and cannot be set otherwise.

       -U [:]user[:group]
              drop permissions.  Set uid and gid to the user's uid and gid,  as  found  in  /etc/passwd,  before
              running prog.  If user is followed by a colon and a group, set the gid to group's gid, as found in
              /etc/group, instead of user's gid.  If group consists of a colon-separated list  of  group  names,
              set  the group ids of all listed groups.  If user is prefixed with a colon, the user and all group
              arguments are interpreted as uid and gids respectively, and not looked up in the password or group
              file.   All  supplementary groups are removed.  This option should be set when sslio is started by
              root, and cannot be set otherwise.
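
       The -u and -U arguments share one syntax.  The following is an added example, not code from ipsvd or
       sslio: it parses a ``[:]user[:group[:group...]]'' spec by the rules given above (names resolved through
       the password and group files unless the spec starts with a colon, the first group replacing the user's
       primary gid, the listed groups becoming the entire supplementary group list) and then drops privileges
       in the only order that cannot be undone.  The function and argument names are the example's own.  Two
       corners the page does not define are handled as stated assumptions: a numeric spec with no gid is
       rejected, and a negative id is rejected.

```python
# Added example (not ipsvd/sslio code): parse an ipsvd-style
# "[:]user[:group[:group...]]" spec as documented for sslio -u/-U and
# drop privileges so the drop is complete and irreversible.
import grp
import os
import pwd
from typing import List, Tuple


def parse_userspec(spec: str) -> Tuple[int, List[int]]:
    """Return (uid, gids) for specs such as "www:www:cert" or ":1000:1000:27".

    gids[0] is the primary gid.  If the spec starts with ':', every field is
    numeric and nothing is looked up in /etc/passwd or /etc/group; otherwise
    names are resolved there.  Assumption of this example (the man page does
    not define it): a numeric spec without a gid, or any negative id, is an
    error, so the caller fails closed instead of guessing a group.
    """
    if not spec:
        raise ValueError("empty user spec")
    numeric = spec.startswith(":")
    fields = (spec[1:] if numeric else spec).split(":")
    user, groups = fields[0], fields[1:]
    if user == "" or "" in groups:
        raise ValueError("malformed user spec: %r" % spec)

    if numeric:
        if not groups:
            raise ValueError("numeric spec needs at least one gid: %r" % spec)
        uid, gids = int(user), [int(g) for g in groups]
    else:
        pw = pwd.getpwnam(user)                    # KeyError if unknown user
        uid = pw.pw_uid
        # No group given: use the user's own gid from the passwd entry.
        gids = [pw.pw_gid] if not groups else [grp.getgrnam(g).gr_gid for g in groups]

    if uid < 0 or any(g < 0 for g in gids):
        raise ValueError("negative id in user spec: %r" % spec)
    return uid, gids


def apply_userspec(uid: int, gids: List[int]) -> None:
    """Drop to uid/gids.  Must be called while still running as root.

    Order matters: supplementary groups first, then primary gid, then uid.
    After setuid() to a non-root uid the process can no longer call
    setgroups() or setgid(), so doing them last would leave root's group 0
    and any inherited supplementary groups in place.
    """
    os.setgroups(gids)        # exactly the listed groups; inherited ones go
    os.setgid(gids[0])
    os.setuid(uid)
    # Check the effect rather than trusting the calls returned.
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gids[0]:
        raise OSError("privilege drop did not take effect")


def check_startup_options(euid: int, u_given: bool, U_given: bool,
                          root_given: bool) -> List[str]:
    """Apply the man page's rules for -u, -U and -/ to a planned invocation.

    Started by root: -u is mandatory, -U and -/ should be given.  Not started
    by root: none of the three may be set.  Returns the list of findings.
    """
    findings = []
    if euid == 0:
        if not u_given:
            findings.append("-u is mandatory when sslio is started by root")
        if not U_given:
            findings.append("warning: -U not given, prog would run as root")
        if not root_given:
            findings.append("warning: -/ not given, sslio would run without a chroot")
    else:
        for flag, given in (("-u", u_given), ("-U", U_given), ("-/", root_given)):
            if given:
                findings.append("%s cannot be used when not started by root" % flag)
    return findings


if __name__ == "__main__":
    import sys
    # Example run: python3 userspec.py ":1000:1000:27"  (constructed input)
    print(parse_userspec(sys.argv[1] if len(sys.argv) > 1 else ":1000:1000:27"))
```

       Only the parsing and the option check are exercised without root; apply_userspec() is the part that
       belongs in a program started by root, and it verifies with getuid()/geteuid()/getgid() afterwards that
       the drop really took effect.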

       -/ root
              chroot.  Change the root directory to root before reading  data  from,  or  writing  data  to  the
              network.  This option should be set when sslio is started by root, and cannot be set otherwise.

       -C cert
              cert file (server mode).  Read the certificate from the file cert (default is ``./cert.pem'').  If
              the -/ option is given, first the root directory is changed, then the cert file is read.

       -K key
              private key (server mode).  Read the private key from the file key (default is cert).  If the -/
              option is given, first the root directory is changed, then the private key is read.

       -A ca  ca file (client mode).  Read the trusted root certificate from the file ca.  Multiple files can be
              specified, using a semicolon as delimiter.  If the -/ option is given, first the root directory is
              changed, then the ca file is read.

       -c     client mode.  This option must be given when running sslio under tcpclient(1).  In client mode,
              file descriptors 6 and 7 are used instead of standard input and standard output to read from and
              write to the network and the service program.  If the -A option is given, sslio refuses to connect
              to a server whose certificate cannot be verified by the root certificates; otherwise it accepts
              any server certificate.

       -v     verbose.  Print verbose messages to standard error.

       -vv    more verbose.  Print more verbose messages to standard error.

       -vvv   even more verbose.  Print even more verbose messages to standard error.

ENVIRONMENT

       SSLIO_BUFIN
              The environment variable SSLIO_BUFIN overrides the default input buffer size for sslio (8192).

       SSLIO_BUFOU
              The environment variable SSLIO_BUFOU overrides the default output buffer size for sslio (12288).
              If the output buffer is too small to hold encrypted or decrypted data, sslio automatically grows
              the buffer by SSLIO_BUFOU more bytes.

       SSLIO_BAD_CERTIFICATE
              (client mode)  If the environment variable SSLIO_BAD_CERTIFICATE is set, sslio -c accepts server
              certificates it would normally reject with
               fatal: ssl decode error: bad certificate

       SSLIO_HANDSHAKE_TIMEOUT
              The environment variable SSLIO_HANDSHAKE_TIMEOUT overrides the default number of seconds sslio
              will try to complete the SSL handshake (300).  If the handshake isn't completed after this number
              of seconds, sslio exits.

SEE ALSO

       sslsvd(8), tcpsvd(8), udpsvd(8), ipsvd(7), ipsvd-instruct(5), ipsvd-cdb(8)

       http://smarden.org/ipsvd/

AUTHOR

       Gerrit Pape <pape@smarden.org>

                                                                                                        sslio(8)