
FreeBSD Manual Pages

  
 
  

sslsvd(8)		    System Manager's Manual		     sslsvd(8)

NAME
       sslsvd -	SSLv3 TCP/IP service daemon

SYNOPSIS
       sslsvd [-hpEvv] [-c n] [-C n:msg] [-b n]	[-u user] [-l name] [-i	dir|-x
       cdb] [-t	sec] [-U ssluser] [-/ root] [-Z	cert] [-K key] host port prog

DESCRIPTION
       sslsvd creates a	TCP/IP socket, binds it	to the address host:port,  and
       listens on the socket for incoming SSLv3	connections.  Note that	 SSLv3
       has been	deprecated (RFC	7568) and is no	longer considered secure; the
       daemon only speaks this protocol	version.

       On  each	incoming connection, sslsvd conditionally runs a program, with
       standard	input reading from the socket, and standard output writing  to
       the  socket,  to	 handle	this connection.  The data read	from and writ-
       ten to the socket is automatically decrypted and	encrypted,  respective-
       ly, by sslsvd; prog itself only ever sees plaintext.  sslsvd keeps lis-
       tening on the socket for	new connections, and can handle	multiple  con-
       nections	simultaneously.

       sslsvd optionally checks	for special instructions depending on  the  IP
       address	or  hostname  of the client that initiated the connection, see
       ipsvd-instruct(5).

OPTIONS
       host   host either is a hostname, or a dotted-decimal IP	address, or 0.
	      If  host	is  0,	sslsvd accepts connections to any local	IP ad-
	      dress.

       port   sslsvd accepts connections to host:port.	port  may  be  a  name
	      from /etc/services or a number.

       prog   prog  consists  of  one or more arguments.  For each connection,
	      sslsvd normally runs prog, with file descriptor  0  reading  the
	      decrypted	data from the network, and file	descriptor 1 writing
	      data that	sslsvd encrypts	before sending it to the network.   By
	      default  it  also	 sets  up  TCP-related environment variables,
	      see tcp-environ(5).

       -i dir read instructions	for handling new connections from the instruc-
	      tions directory dir.  See	ipsvd-instruct(5) for details.

       -x cdb read instructions	for handling new connections from the constant
	      database cdb.  The constant database normally is created from an
	      instructions directory by	running	ipsvd-cdb(8).

       -t sec timeout.	This option only takes effect  if  the	-i  option  is
	      given.   While  checking	the  instructions directory, check the
	      time of last access of the file that matches the client's	 ad-
	      dress  or	hostname, if any, and discard and remove the file  if
	      it wasn't	accessed within	the last sec seconds.  sslsvd does not
	      discard or remove	a file whose user (owner) write	permission  is
	      not set; for those files the timeout is disabled.	 Default is 0,
	      which means that the timeout is disabled.
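
       The -t expiry rule above, written out as	an added example (Python;  not
       ipsvd's	own  code).  The matching of the client's address or hostname
       against the directory is	left out, the file name	is passed in directly,
       and "user's write permission" is	taken to mean the owner	write bit.  The
       sample directory	and file contents are constructed for the demo.

```python
"""Model of sslsvd's -t handling for an instructions directory (see -i).

Added example, not ipsvd's own code.  Assumptions: the file name is passed
in directly (the real daemon derives it from the client's address or
hostname per ipsvd-instruct(5)), and "user's write permission" means the
owner write bit, S_IWUSR.
"""
import os
import stat
import tempfile
import time


def expire_instruction(instr_dir, name, sec, now=None):
    """Return True if the instructions file `name` was discarded and removed.

    -t rule: sec == 0 disables the timeout; a file whose owner write bit is
    clear is never removed; otherwise the file is removed when its last
    access time is more than `sec` seconds old.
    """
    if sec == 0:
        return False
    path = os.path.join(instr_dir, name)
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if not st.st_mode & stat.S_IWUSR:
        return False  # owner write bit clear: timeout disabled for this file
    now = time.time() if now is None else now
    if now - st.st_atime <= sec:
        return False
    os.unlink(path)
    return True


def demo():
    """Constructed instructions dir: one stale writable file, one stale read-only."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        old = time.time() - 3600  # pretend both were last accessed an hour ago
        for name, mode in (("10.0.0.1", 0o644), ("10.0.0.2", 0o444)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("+\n")  # content is irrelevant to the timeout rule
            os.chmod(p, mode)
            os.utime(p, (old, old))
        results["stale_writable"] = expire_instruction(d, "10.0.0.1", 60)
        results["stale_readonly"] = expire_instruction(d, "10.0.0.2", 60)
        results["timeout_disabled"] = expire_instruction(d, "10.0.0.2", 0)
        results["remaining"] = sorted(os.listdir(d))
    return results


if __name__ == "__main__":
    print(demo())
```

       Clearing	the owner write	bit is therefore the documented	way to pin  a
       permanent  instruction  (e.g. a deny entry) in a	directory that is oth-
       erwise garbage-collected	by -t.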

       -l name
	      local  hostname.	 Do not	look up	the local hostname in DNS, but
	      use name as hostname.

       -u [:]user[:group]
	      drop permissions.	 Set uid and gid to the	user's uid and gid, as
	      found  in	/etc/passwd, before running prog.  If user is followed
	      by a colon and a group, set the gid to group's gid, as found  in
	      /etc/group,  instead  of	user's	gid.   If  group consists of a
	      colon-separated list of group names, set the group  ids  of  all
	      listed  groups.	If user	is prefixed with a colon, the user and
	      all group	arguments are interpreted  as  uid  and	 gids  respec-
	      tively,  and  not	 looked	up in the password or group file.  All
	      supplementary groups are removed.

       -c n   concurrency.  Handle up to n  connections	 simultaneously.   De-
	      fault  is	 30.  If there are n connections active, sslsvd	defers
	      acceptance of a new connection until  an	active	connection  is
	      closed.

       -C n[:msg]
	      per  host	 concurrency.  Allow only up to	n connections from the
	      same IP address simultaneously.  If there	are n  active  connec-
	      tions from one IP	address, new incoming connections from this IP
	      address are closed immediately.  If n is followed	by  :msg,  the
	      message msg is written to	the client if possible,	before closing
	      the connection.  By default msg is empty.	 See ipsvd-instruct(5)
	      for supported escape sequences in	msg.

	      For  each	 accepted connection, the current per host concurrency
	      is available through the environment variable TCPCONCURRENCY.  n
	      and  msg can be overwritten by ipsvd(7) instructions, see	ipsvd-
	      instruct(5).  By default sslsvd doesn't keep  track  of  connec-
	      tions.
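
       The  difference	between	 the  -c  and  -C limits, as an	added example
       (Python;	not ipsvd's own	code): at the global -c	limit a	new connection
       is  deferred, at	the per	host -C	limit it is closed at once.  The escape
       sequences ipsvd-instruct(5) allows in msg are not modelled, and the IP
       addresses are constructed for the demo.

```python
"""Model of sslsvd's -c (global) and -C (per host) concurrency rules.

Added example, not ipsvd's own code.  It reproduces the behaviour the manual
describes: at the -c limit a new connection is deferred until an active one
closes, at the -C limit it is closed immediately, optionally after msg is
written.  Escape sequences in msg (ipsvd-instruct(5)) are not modelled.
"""
from collections import Counter


class ConcurrencyGuard:
    def __init__(self, max_total=30, per_host=None, msg=""):
        self.max_total = max_total   # -c n, default 30
        self.per_host = per_host     # -C n; None means no per host tracking
        self.msg = msg               # -C n:msg
        self.active = 0
        self.by_host = Counter()

    def accept(self, ip):
        """Decide what sslsvd does with a new connection from ip.

        Returns ("defer", None), ("close", msg) or ("run", env), where env
        holds the TCPCONCURRENCY value prog receives when -C is in effect.
        """
        if self.active >= self.max_total:
            return ("defer", None)     # -c: wait until an active connection closes
        if self.per_host is not None and self.by_host[ip] >= self.per_host:
            return ("close", self.msg) # -C: write msg if possible, then close
        self.active += 1
        env = {}
        if self.per_host is not None:
            self.by_host[ip] += 1
            env["TCPCONCURRENCY"] = str(self.by_host[ip])
        return ("run", env)

    def close(self, ip):
        """Account for prog exiting for a connection from ip."""
        self.active -= 1
        if self.per_host is not None and self.by_host[ip] > 0:
            self.by_host[ip] -= 1


def demo():
    """Constructed sequence: -c 3 -C 2:'too many connections'."""
    g = ConcurrencyGuard(max_total=3, per_host=2, msg="too many connections\r\n")
    log = []
    log.append(g.accept("192.0.2.1")[0])  # run, TCPCONCURRENCY=1
    log.append(g.accept("192.0.2.1")[0])  # run, TCPCONCURRENCY=2
    log.append(g.accept("192.0.2.1"))     # per host limit: closed with msg
    log.append(g.accept("192.0.2.2")[0])  # run: third active connection overall
    log.append(g.accept("192.0.2.3")[0])  # global limit: deferred
    g.close("192.0.2.1")                  # a slot frees up
    log.append(g.accept("192.0.2.3"))     # now runs with TCPCONCURRENCY=1
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

       A  client  that	hits  the -C limit is told so (if msg is set) and dis-
       connected, whereas a client that	only hits the -c limit	sits  in  the
       listen  backlog	(see -b) without feedback, so a	per host limit is what
       stops one address from consuming	every slot.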

       -h     Look up the client's hostname in DNS.

       -p     paranoid.	  After	 looking up the	client's hostname in DNS, look
	      up the IP	addresses in DNS for that hostname, and	 forget	 about
	      the  hostname if none of the addresses match the client's	IP ad-
	      dress.  You should set this option if you	use hostname based in-
	      structions.  The -p option implies the -h	option.
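
       The  -h and -p lookups, as an added example (Python; not ipsvd's	 own
       code).  The resolvers are injected so it	runs offline against construc-
       ted PTR and A tables; the socket-based callables	at the end  are	 what
       you would pass in production.

```python
"""The -h / -p client hostname logic as described in sslsvd(8).

Added example, not ipsvd's own code.  The resolver functions are injected
so the check runs offline; system_reverse/system_forward show the
equivalent socket calls.  The addresses and names below are constructed.
"""
import socket


def client_hostname(ip, reverse, forward, paranoid=True):
    """Return the hostname sslsvd would associate with ip, or None.

    reverse(ip) -> name or None is the -h lookup; forward(name) -> list of
    addresses is the extra -p lookup.  With paranoid=True the name is kept
    only if one of its forward addresses equals ip, so a client that controls
    its own reverse DNS cannot claim a name that matches a hostname-based
    instruction.
    """
    name = reverse(ip)
    if name is None:
        return None
    if not paranoid:
        return name
    try:
        addrs = forward(name)
    except OSError:
        addrs = []
    return name if ip in addrs else None


def system_reverse(ip):
    """Real -h lookup via the resolver library."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """Real -p forward lookup: every address the name resolves to."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})


# Constructed tables: 192.0.2.7 has a PTR record claiming a name whose A
# record points elsewhere (a spoofed reverse entry); 192.0.2.8 is consistent.
_PTR = {"192.0.2.7": "trusted.example.com", "192.0.2.8": "host8.example.com"}
_A = {"trusted.example.com": ["192.0.2.200"], "host8.example.com": ["192.0.2.8"]}


def demo():
    rev = _PTR.get
    fwd = lambda n: _A.get(n, [])
    return {
        "spoofed_h_only": client_hostname("192.0.2.7", rev, fwd, paranoid=False),
        "spoofed_p": client_hostname("192.0.2.7", rev, fwd),
        "consistent_p": client_hostname("192.0.2.8", rev, fwd),
        "no_ptr": client_hostname("192.0.2.9", rev, fwd),
    }


if __name__ == "__main__":
    print(demo())
```

       With  -h	 alone	the  spoofed  client  is  seen	 as  trusted.exam-
       ple.com;	with -p	it loses the name, which is why	the manual insists on
       -p for hostname-based instructions.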

       -b n   backlog.	 Allow a backlog of approximately n TCP	SYNs.  On some
	      systems n	is silently limited.  Default is 20.

       -E     no special environment.  Do not set up  TCP-related  environment
	      variables.

       -v     verbose.	Print verbose messages to standard output.

       -vv    more verbose.  Print more	verbose	messages to standard output.

   SSL OPTIONS
       -U [:]user[:group]
	      drop permissions.	 Set uid and gid to the	user's uid and gid, as
	      found in /etc/passwd, before running the	SSLv3  encrypt/decrypt
	      process.	 If  user  is followed by a colon and a	group, set the
	      gid to group's gid, as found in /etc/group,  instead  of	user's
	      gid.   If	 group	consists  of  a	 colon-separated list of group
	      names, set the group ids of all listed groups.  If user is  pre-
	      fixed  with a colon, the user and	all group arguments are	inter-
	      preted as	uid and	gids respectively, and not looked  up  in  the
	      password	or  group file.	 All supplementary groups are removed.
	      This option must be set when sslsvd is started by	root.
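
	      The [:]user[:group] syntax shared	by -u (for prog) and -U	(for
	      the encrypt/decrypt process), as an added	example	(Python; not
	      ipsvd's own code).  Where	the manual leaves a detail open	 the
	      code  assumes: the numeric form needs at least one gid, and the
	      first listed group becomes the primary gid while the rest become
	      the only supplementary groups.  The numeric ids in the demo are
	      constructed; "root" is looked up in the real password file.

```python
"""Parser and privilege drop for the [:]user[:group...] argument of -u / -U.

Added example, not ipsvd's own code.  Rules from sslsvd(8): names are looked
up in the password and group files unless the whole argument starts with a
colon, in which case every field is a numeric id; a first group overrides
the user's gid; all supplementary groups are removed.  Assumptions: the
numeric form must carry at least one gid, and groups after the first are
installed as the (only) supplementary groups.
"""
import grp
import os
import pwd


def parse_user_spec(spec):
    """Return (uid, gid, [supplementary gids]) for a -u/-U argument."""
    numeric = spec.startswith(":")
    fields = (spec[1:] if numeric else spec).split(":")
    if fields[0] == "":
        raise ValueError("empty user in %r" % spec)
    user, groups = fields[0], fields[1:]
    if numeric:
        uid = int(user)
        gids = [int(g) for g in groups]
        if not gids:  # assumption: no lookup is possible, so a gid is required
            raise ValueError("numeric form needs a gid: %r" % spec)
    else:
        pw = pwd.getpwnam(user)
        uid = pw.pw_uid
        gids = [grp.getgrnam(g).gr_gid for g in groups] or [pw.pw_gid]
    return uid, gids[0], gids[1:]


def drop_privileges(spec):
    """Apply a parsed spec in the child, in the only order that cannot be undone."""
    uid, gid, extra = parse_user_spec(spec)
    os.setgroups(extra)  # first: drops every supplementary group not listed
    os.setgid(gid)       # then the primary gid, while still privileged
    os.setuid(uid)       # last: after this no privileged call succeeds
    return uid, gid, extra


def demo():
    return {
        "root_name": parse_user_spec("root"),
        "numeric": parse_user_spec(":65534:65534:100:101"),
    }


if __name__ == "__main__":
    print(demo())
```

	      Calling  drop_privileges()  only	makes  sense  as root in the
	      forked child, before exec; the setgroups/setgid/setuid order is
	      what prevents the child from regaining its original groups.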

       -/ root
	      chroot.  Change the root directory to root  before  running  the
	      SSLv3  encrypt/decrypt  process.	This option should be set when
	      sslsvd is	started	by root.

       -Z cert
	      cert file.  Read the certificate from the	file cert (default  is
	      ``./cert.pem'').	If the -/ option is given, first the cert file
	      is read, then the	root directory is changed.

       -K key private key.  Read the private key from the file key (default is
	      the cert file given with -Z).  If	the -/ option is given,	first
	      the key file is read, then the root directory is changed,	so the
	      key file need not	be present inside root.

ENVIRONMENT
       SSLIO_BUFIN
	      The environment variable SSLIO_BUFIN overrides the default input
	      buffer size for sslsvd (8192).

       SSLIO_BUFOU
	      The  environment variable	SSLIO_BUFOU overrides the default out-
	      put buffer size for sslsvd (12288).  If the output buffer	is too
	      small  to	 hold encrypted	or decrypted data, sslio automatically
	      enlarges the buffer by a further SSLIO_BUFOU bytes.

       SSLIO_HANDSHAKE_TIMEOUT
	      The environment variable SSLIO_HANDSHAKE_TIMEOUT	overrides  the
	      default  number  of  seconds sslsvd will try to complete the ssl
	      handshake	(300).	If the handshake isn't	completed  after  this
	      number of	seconds, the client will be disconnected.

SEE ALSO
       ipsvd(7),   tcpsvd(8),	udpsvd(8),   ipsvd-instruct(5),	 ipsvd-cdb(8),
       sslio(8)

       http://smarden.org/ipsvd/

AUTHOR
       Gerrit Pape <pape@smarden.org>

								     sslsvd(8)

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=sslsvd&sektion=8&manpath=FreeBSD+12.0-RELEASE+and+Ports>