FreeBSD Manual Pages

sslio(8)		    System Manager's Manual		      sslio(8)

NAME
       sslio - SSL input/output	for service programs

SYNOPSIS
       sslio  [-cv]  [-u  user]	[-U user] [-/ root] [-C	cert] [-K key] [-A ca]
       prog

DESCRIPTION
       sslio provides SSL encrypted network connections	for  service  programs
       started by tcpsvd(8) or tcpserver(1), and tcpclient(1).

       Normally sslio is started by tcpsvd(8) or tcpclient(1); it in turn
       starts the service program prog, and runs as a child process of the
       service program.  After performing the SSL handshake, sslio reads SSL
       encrypted data from the network and writes decrypted data to the
       service program prog; it reads data from the service program prog and
       writes SSL encrypted data to the network.  sslio should run under a
       different user ID than the service program, and with a changed root
       directory.  When started by root, the -u option must be given, and the
       -U and -/ options should be given.

       The  sslio  program  uses the SSLv3 implementation of the matrixssl li-
       brary.

OPTIONS
       prog   prog consists of one or more arguments, specifying  the  service
	      program normally run directly by tcpsvd(8), or tcpserver(1).

       -u [:]user[:group]
	      drop permissions.	 Set uid and gid to the	user's uid and gid, as
	      found in /etc/passwd, before reading data	from, or writing  data
	      to the network.  If user is followed by a	colon and a group, set
	      the gid to group's gid,  as  found  in  /etc/group,  instead  of
	      user's  gid.   If	 group	consists  of a colon-separated list of
	      group names, set the group ids of	all listed groups.  If user is
	      prefixed	with a colon, the user and all group arguments are in-
	      terpreted	as uid and gids	respectively, and not looked up	in the
	      password	or  group file.	 All supplementary groups are removed.
	      This option must be set when sslio is started by root, and  can-
	      not be set otherwise.

       -U [:]user[:group]
	      drop permissions.	 Set uid and gid to the	user's uid and gid, as
	      found in /etc/passwd, before running prog.  If user is  followed
	      by  a colon and a	group, set the gid to group's gid, as found in
	      /etc/group, instead of user's  gid.   If	group  consists	 of  a
	      colon-separated  list  of	 group names, set the group ids	of all
	      listed groups.  If user is prefixed with a colon,	the  user  and
	      all  group  arguments  are  interpreted  as uid and gids respec-
	      tively, and not looked up	in the password	or  group  file.   All
	      supplementary  groups  are  removed.   This option should	be set
	      when sslio is started by root, and cannot	be set otherwise.

       -/ root
	      chroot.  Change the root directory to root before	 reading  data
	      from, or writing data to the network.  This option should	be set
	      when sslio is started by root, and cannot	be set otherwise.

       -C cert
	      cert file	(server	mode).	Read the  certificate  from  the  file
	      cert  (default  is  ``./cert.pem'').  If the -/ option is	given,
	      first the	root directory is changed, then	the cert file is read.

       -K key
	      private key (server mode).  Read the private key from the file
	      key (default is cert).  If the -/ option is given, first the
	      root directory is changed, then the private key is read.

       -A ca
	      ca file (client mode).  Read the trusted root certificate from
	      the file ca.  Multiple files can be specified, using a semicolon
	      as delimiter.  If the -/ option is given, first the root direc-
	      tory is changed, then the ca file is read.

       -c     client mode.  This option must be given when running sslio under
	      tcpclient(1).  In client mode, file descriptors 6 and 7 are used
	      instead of standard input and standard output to read from and
	      write to the network and the service program.  If the -A option
	      is given, sslio refuses to connect to a server whose certificate
	      cannot be verified against the root certificates; otherwise it
	      accepts any server certificate.

       -v     verbose.	Print verbose messages to standard error.

       -vv    more verbose.  Print more	verbose	messages to standard error.

       -vvv   even more	verbose.  Print	even more verbose messages to standard
	      error.
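
       The following Python model is an added example and not code from the
       ipsvd project.  It parses the [:]user[:group] spec shared by -u and -U,
       enforces the root/non-root constraints stated above, and lists the
       order in which sslio changes root, reads -C/-K/-A files (inside the new
       root), drops privileges and starts the handshake, for both the tcpsvd
       and the tcpclient (-c) case.  The passwd/group table, the user and
       program names and the rejection of a bare numeric ":uid" are this
       example's own assumptions.

```python
"""Model of the option semantics documented in sslio(8): the [:]user[:group]
spec of -u and -U, the root/non-root constraints, and the order in which sslio
chroots, reads key material, drops privileges and starts I/O.

Added example, not code from the ipsvd project.  Name lookups are injectable
so it runs against a constructed passwd/group table instead of /etc/passwd;
rejecting a numeric ":uid" without a gid is this example's own choice."""
import grp
import pwd
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

UserLookup = Callable[[str], Tuple[int, int]]   # name -> (uid, login gid)
GroupLookup = Callable[[str], int]              # name -> gid


def _sys_user(name: str) -> Tuple[int, int]:  # default: the real passwd file
    pw = pwd.getpwnam(name)
    return pw.pw_uid, pw.pw_gid


def _sys_group(name: str) -> int:  # default: the real group file
    return grp.getgrnam(name).gr_gid


def parse_user_spec(spec: str, user_lookup: UserLookup = _sys_user,
                    group_lookup: GroupLookup = _sys_group) -> Tuple[int, List[int]]:
    """Return (uid, gids) for "[:]user[:group[:group...]]".

    A leading colon means every field is numeric and nothing is looked up.
    Otherwise user comes from the passwd file (its login gid is the default
    group) and each group from the group file.  gids[0] is the primary gid;
    the rest are the only supplementary groups kept."""
    numeric = spec.startswith(":")
    fields = (spec[1:] if numeric else spec).split(":")
    user, groups = fields[0], fields[1:]
    if not user or any(not g for g in groups):
        raise ValueError("empty field in spec %r" % spec)
    if numeric:
        if not groups:  # assumption: sslio(8) leaves this case unspecified
            raise ValueError("numeric spec %r needs a gid" % spec)
        return int(user), [int(g) for g in groups]
    uid, login_gid = user_lookup(user)
    return uid, [group_lookup(g) for g in groups] or [login_gid]


def check_constraints(opts: Dict[str, Optional[str]],
                      running_as_root: bool) -> Optional[str]:
    """Return an error message for option sets sslio(8) forbids, else None."""
    priv = [o for o in ("-u", "-U", "-/") if o in opts]
    if running_as_root and "-u" not in opts:
        return "started by root: -u must be given"
    if not running_as_root and priv:
        return "not started by root: %s cannot be set" % " ".join(priv)
    return None


@dataclass
class Plan:
    ssl_side: List[str] = field(default_factory=list)   # child doing SSL I/O
    prog_side: List[str] = field(default_factory=list)  # process running prog


def plan(opts: Dict[str, Optional[str]], prog: List[str], running_as_root: bool,
         env: Optional[Dict[str, str]] = None, user_lookup: UserLookup = _sys_user,
         group_lookup: GroupLookup = _sys_group) -> Plan:
    """Order the actions sslio(8) describes for one invocation.

    opts maps option to value (None for the flags -c and -v).  chroot comes
    first, so -C/-K/-A paths resolve inside the new root; privileges are
    dropped before any network I/O."""
    err = check_constraints(opts, running_as_root)
    if err:
        raise ValueError(err)
    env = env or {}
    client = "-c" in opts
    p = Plan()
    if "-/" in opts:
        p.ssl_side.append("chroot %s" % opts["-/"])
    if client:
        if "-A" in opts:
            for ca in opts["-A"].split(";"):  # semicolon-separated ca files
                p.ssl_side.append("read ca %s" % ca)
            p.ssl_side.append("verify server certificate against ca")
        else:
            p.ssl_side.append("accept any server certificate")
        if "SSLIO_BAD_CERTIFICATE" in env:
            p.ssl_side.append("accept certificates failing 'bad certificate'")
    else:
        cert = opts.get("-C") or "./cert.pem"
        p.ssl_side.append("read cert %s" % cert)
        p.ssl_side.append("read key %s" % (opts.get("-K") or cert))
    if "-u" in opts:
        uid, gids = parse_user_spec(opts["-u"], user_lookup, group_lookup)
        p.ssl_side.append("setgroups %s; setuid %d" % (gids, uid))
    fds = "6/7" if client else "0/1"
    timeout = int(env.get("SSLIO_HANDSHAKE_TIMEOUT", "300"))
    p.ssl_side.append("ssl handshake on fds %s (timeout %ds), then relay" % (fds, timeout))
    if "-U" in opts:
        uid, gids = parse_user_spec(opts["-U"], user_lookup, group_lookup)
        p.prog_side.append("setgroups %s; setuid %d" % (gids, uid))
    p.prog_side.append("exec " + " ".join(prog))
    return p


# Constructed passwd/group table for the demo; not real system accounts.
DEMO_USERS = {"sslio": (1001, 1001), "www": (1002, 1002)}
DEMO_GROUPS = {"sslio": 1001, "www": 1002, "log": 1010}


def demo_server_plan() -> Plan:
    """tcpsvd(8) started sslio as root on fds 0/1 in front of a web server."""
    opts = {"-u": "sslio", "-U": "www:www:log", "-/": "/var/lib/sslio",
            "-C": "cert.pem", "-v": None}
    return plan(opts, ["httpd"], running_as_root=True,
                user_lookup=DEMO_USERS.__getitem__,
                group_lookup=DEMO_GROUPS.__getitem__)


if __name__ == "__main__":
    p = demo_server_plan()
    print("\n".join(["ssl side:"] + p.ssl_side + ["prog side:"] + p.prog_side))
```

       Running the module prints the two process sides of the demo: the SSL
       child changes root, reads cert.pem and its key from inside that root,
       becomes the sslio user and only then touches the network, while the
       other side becomes www with the www and log groups and executes httpd.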

ENVIRONMENT
       SSLIO_BUFIN
	      The environment variable SSLIO_BUFIN overrides the default input
	      buffer size for sslio (8192).

       SSLIO_BUFOU
	      The environment variable SSLIO_BUFOU overrides the default out-
	      put buffer size for sslio (12288).  If the output buffer is too
	      small to hold encrypted or decrypted data, sslio automatically
	      enlarges the buffer by SSLIO_BUFOU more bytes.

       SSLIO_BAD_CERTIFICATE
	      (client mode)  If the environment variable SSLIO_BAD_CERTIFICATE
	      is set, sslio -c accepts server certificates it would normally
	      reject with
	       fatal: ssl decode error: bad certificate

       SSLIO_HANDSHAKE_TIMEOUT
	      The environment variable SSLIO_HANDSHAKE_TIMEOUT overrides the
	      default number of seconds sslio will try to complete the SSL
	      handshake (300).  If the handshake isn't completed after this
	      number of seconds, sslio exits.

SEE ALSO
       sslsvd(8),  tcpsvd(8),  udpsvd(8),  ipsvd(7), ipsvd-instruct(5),	ipsvd-
       cdb(8)

       http://smarden.org/ipsvd/

AUTHOR
       Gerrit Pape <pape@smarden.org>

								      sslio(8)

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=sslio&sektion=8&manpath=FreeBSD+13.0-RELEASE+and+Ports>
