ipsvd 1.0.0-3 / usr / share / doc / ipsvd / sslsvd.8.html

This file is indexed.

/usr/share/doc/ipsvd/sslsvd.8.html is in ipsvd 1.0.0-3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
<html>
<head>
<title>sslsvd(8) manual page</title>
</head>
<body bgcolor='white'>
<a href='http://smarden.org/pape/'>G. Pape</a><br><a href='index.html'>ipsvd</a><hr>

<h2><a name='sect0'>Name</a></h2>
sslsvd - SSLv3 TCP/IP service daemon 
<h2><a name='sect1'>Synopsis</a></h2>
<b>sslsvd</b> [-hpEvv] [-c <i>n</i>] [-C
<i>n:<i>msg</i>] [-b <i>n</i>] [-u <i>user</i>] [-l <i>name</i>] [-i <i>dir</i>|-x <i>cdb</i>] [-t <i>sec</i>] [-U <i>ssluser</i>] [-/ <i>root</i>]
[-Z <i>cert</i>] [-K <i>key</i>] <i>host</i> <i>port</i> <i>prog</i> 
<h2><a name='sect2'></i>Description</a></h2>
<b>sslsvd</b> creates a TCP/IP socket,
binds it to the address <i>host</i>:<i>port</i>, and listens on the socket for incoming
SSLv3 connections. <p>
On each incoming connection, <b>sslsvd</b> conditionally runs
a program, with standard input reading from the socket, and standard output
writing to the socket, to handle this connection. The data read and written
to the socket will automatically decrypted and encrypted respectively by
<b>sslsvd</b>. <b>sslsvd</b> keeps listening on the socket for new connections, and can
handle multiple connections simultaneously. <p>
<b>sslsvd</b> optionally checks for
special instructions depending on the IP address or hostname of the client
that initiated the connection, see <i><b>ipsvd-instruct</b>(5)</i>. 
<h2><a name='sect3'>Options</a></h2>

<dl>

<dt><i>host</i> </dt>
<dd><i>host</i> either
is a hostname, or a dotted-decimal IP address, or 0. If <i>host</i> is 0, <b>sslsvd</b>
accepts connections to any local IP address. </dd>

<dt><i>port</i> </dt>
<dd><b>sslsvd</b> accepts connections
to <i>host</i>:<i>port</i>. <i>port</i> may be a name from /etc/services or a number. </dd>

<dt><i>prog</i> </dt>
<dd><i>prog</i>
consists of one or more arguments. For each connection, <b>sslsvd</b> normally
runs <i>prog</i>, with file descriptor 0 reading decrypted data from the network,
and file descriptor 1 writing to be encrypted data to the network. By default
it also sets up TCP-related environment variables, see <i><b>tcp-environ</b>(5)</i> </dd>

<dt><b>-i <i>dir</b>
</i></dt>
<dd>read instructions for handling new connections from the instructions directory
<i>dir</i>. See <i><b>ipsvd-instruct</b>(5)</i> for details. </dd>

<dt><b>-x <i>cdb</b> </i></dt>
<dd>read instructions for handling
new connections from the constant database <i>cdb</i>. The constant database normally
is created from an instructions directory by running <i><b>ipsvd-cdb</b>(8)</i>. </dd>

<dt><b>-t <i>sec</b>
</i></dt>
<dd>timeout. This option only takes effect if the -i option is given. While checking
the instructions directory, check the time of last access of the file that
matches the clients address or hostname if any, discard and remove the
file if it wasn&rsquo;t accessed within the last <i>sec</i> seconds; <b>sslsvd</b> does not
discard or remove a file if the user&rsquo;s write permission is not set, for
those files the timeout is disabled. Default is 0, which means that the
timeout is disabled. </dd>

<dt><b>-l <i>name</b> </i></dt>
<dd>local hostname. Do not look up the local hostname
in DNS, but use <i>name</i> as hostname. </dd>

<dt><b>-u <i>[:]user[:group]</b> </i></dt>
<dd>drop permissions. Set
uid and gid to the <i>user</i>&rsquo;s uid and gid, as found in <i>/etc/passwd</i>, before running
<i>prog</i>. If <i>user</i> is followed by a colon and a <i>group</i>, set the gid to <i>group</i>&rsquo;s
gid, as found in <i>/etc/group</i>, instead of <i>user</i>&rsquo;s gid. If <i>group</i> consists of
a colon-separated list of group names, set the group ids of all listed groups.
If <i>user</i> is prefixed with a colon, the <i>user</i> and all <i>group</i> arguments are
interpreted as uid and gids respectively, and not looked up in the password
or group file. All supplementary groups are removed. </dd>

<dt><b>-c <i>n</b> </i></dt>
<dd>concurrency. Handle
up to <i>n</i> connections simultaneously. Default is 30. If there are <i>n</i> connections
active, <b>sslsvd</b> defers acceptance of a new connection until an active connection
is closed. </dd>

<dt><b>-C <i>n</i>[:<i>msg</i>]</b> </dt>
<dd>per host concurrency. Allow only up to <i>n</i> connections
from the same IP address simultaneously. If there are <i>n</i> active connections
from one IP address, new incoming connections from this IP address are
closed immediately. If <i>n</i> is followed by :<i>msg,</i> the message <i>msg</i> is written
to the client if possible, before closing the connection. By default <i>msg</i>
is empty. See <i><b>ipsvd-instruct</b>(5)</i> for supported escape sequences in <i>msg</i>. 
<p> For
each accepted connection, the current per host concurrency is available
through the environment variable <i>TCPCONCURRENCY</i>. <i>n</i> and <i>msg</i> can be overwritten
by <i><b>ipsvd</b>(7)</i> instructions, see <i><b>ipsvd-instruct</b>(5)</i>.<b></b> By default <b>sslsvd</b> doesn&rsquo;t
keep track of connections. </dd>

<dt><b>-h</b> </dt>
<dd>Look up the client&rsquo;s hostname in DNS. </dd>

<dt><b>-p</b> </dt>
<dd>paranoid.
After looking up the client&rsquo;s hostname in DNS, look up the IP addresses
in DNS for that hostname, and forget about the hostname if none of the
addresses match the client&rsquo;s IP address. You should set this option if you
use hostname based instructions. The -p option implies the -h option. </dd>

<dt><b>-b <i>n</b> </i></dt>
<dd>backlog.
Allow a backlog of approximately <i>n</i> TCP SYNs. On some systems <i>n</i> is silently
limited. Default is 20. </dd>

<dt><b>-E</b> </dt>
<dd>no special environment. Do not set up TCP-related
environment variables. </dd>

<dt><b>-v</b> </dt>
<dd>verbose. Print verbose messsages to standard output.
</dd>

<dt><b>-vv</b> </dt>
<dd>more verbose. Print more verbose messages to standard output. </dd>
</dl>

<h3><a name='sect4'>Ssl Options</a></h3>

<dl>

<dt><b>-U
<i>[:]user[:group]</b> </i></dt>
<dd>drop permissions. Set uid and gid to the <i>user</i>&rsquo;s uid and gid,
as found in <i>/etc/passwd</i>, before running the SSLv3 encrypt/decrypt process.
If <i>user</i> is followed by a colon and a <i>group</i>, set the gid to <i>group</i>&rsquo;s gid,
as found in <i>/etc/group</i>, instead of <i>user</i>&rsquo;s gid. If <i>group</i> consists of a colon-separated
list of group names, set the group ids of all listed groups. If <i>user</i> is
prefixed with a colon, the <i>user</i> and all <i>group</i> arguments are interpreted
as uid and gids respectively, and not looked up in the password or group
file. All supplementary groups are removed. This option must be set when
<b>sslsvd</b> is started by root. </dd>

<dt><b>-/ <i>root</b> </i></dt>
<dd>chroot. Change the root directory to <i>root</i>
before running the SSLv3 encrypt/decrypt process. This option should be
set when <b>sslsvd</b> is started by root. </dd>

<dt><b>-Z <i>cert</b> </i></dt>
<dd>cert file. Read the certificate
from the file <i>cert</i> (default is &lsquo;&lsquo;./cert.pem&rsquo;&rsquo;). If the -/ option is given, first
the cert file is read, then the root directory is changed. </dd>

<dt><b>-K <i>key</b> </i></dt>
<dd>private
key. Read the private key from the file <i>key</i> (default is <i>cert</i>). If the -/ option
is given, first the cert file is read, then the root directory is changed.
</dd>
</dl>

<h2><a name='sect5'>Environment</a></h2>

<dl>

<dt>SSLIO_BUFIN </dt>
<dd>The environment variable <i>SSLIO_BUFIN</i> overrides the
default input buffer size for <b>sslsvd</b> (8192). </dd>

<dt>SSLIO_BUFOU </dt>
<dd>The environment
variable <i>SSLIO_BUFOU</i> overrides the default output buffer size for <b>sslsvd</b>
(12288). If the output buffer is too small to hold encrypted or decrypted
data, <b>sslio</b> automatically blows up the buffer to <i>SSLIO_BUFOU</i> more bytes.
</dd>

<dt>SSLIO_HANDSHAKE_TIMOUT </dt>
<dd>The environment variable <i>SSLIO_HANDSHAKE_TIMEOUT</i>
overrides the default number of seconds <b>sslsvd</b> will try to complete the
ssl handshake (300). If the handshake isn&rsquo;t completed after this number of
seconds, the client will be disconnected. </dd>
</dl>

<h2><a name='sect6'>See Also</a></h2>
<i>ipsvd(7)</i>, <i>tcpsvd(8)</i>, <i>udpsvd(8)</i>,
<i>ipsvd-instruct(5)</i>, <i>ipsvd-cdb(8)</i>, <i>sslio(8)</i> <p>
<i>http://smarden.org/ipsvd/</i> 
<h2><a name='sect7'>Author</a></h2>
Gerrit
Pape &lt;pape@smarden.org&gt; <p>

<hr><p>
<a name='toc'><b>Table of Contents</b></a><p>
<ul>
<li><a name='toc0' href='#sect0'>Name</a></li>
<li><a name='toc1' href='#sect1'>Synopsis</a></li>
<li><a name='toc2' href='#sect2'>Description</a></li>
<li><a name='toc3' href='#sect3'>Options</a></li>
<ul>
<li><a name='toc4' href='#sect4'>Ssl Options</a></li>
</ul>
<li><a name='toc5' href='#sect5'>Environment</a></li>
<li><a name='toc6' href='#sect6'>See Also</a></li>
<li><a name='toc7' href='#sect7'>Author</a></li>
</ul>
</body>
</html>

APT Browse - Built by Thomas Orozco.