
NAME

       sslio - SSL input/output for service programs

SYNOPSIS

       sslio  [-cv]  [-u  user] [-U user] [-/ root] [-C cert] [-K key] [-A ca]
       prog

DESCRIPTION

       sslio provides SSL encrypted network connections for  service  programs
       started by tcpsvd(8) or tcpserver(1), and tcpclient(1).

       Normally sslio is started by tcpsvd(8) or tcpclient(1); it in  turn
       starts  the  service  program  prog,  and  runs as a child process of
       the service program.  After performing the SSL handshake, sslio reads
       SSL  encrypted  data  from  the network, and writes decrypted data to
       the service program prog; it reads data from  the  service  program
       prog,  and  writes SSL encrypted data to the network.  sslio should
       run under a different user ID than the service program, and  with  a
       changed  root  directory.   When started by root, the -u option must
       be given, and the -U and -/ options should be given.

       The  sslio  program  uses  the  SSLv3  implementation  of the matrixssl
       library.

OPTIONS

       prog   prog consists of one or more arguments, specifying  the  service
              program normally run directly by tcpsvd(8), or tcpserver(1).

       -u [:]user[:group]
              drop permissions.  Set uid and gid to the user’s uid and gid, as
              found in /etc/passwd, before reading data from, or writing  data
              to the network.  If user is followed by a colon and a group, set
              the gid to group’s gid,  as  found  in  /etc/group,  instead  of
              user’s  gid.   If  group  consists  of a colon-separated list of
              group names, set the group ids of all listed groups.  If user is
              prefixed  with  a  colon,  the  user and all group arguments are
              interpreted as uid and gids respectively, and not looked  up  in
              the  password  or  group  file.   All  supplementary  groups are
              removed.  This option must be set when sslio is started by root,
              and cannot be set otherwise.

       -U [:]user[:group]
              drop permissions.  Set uid and gid to the user’s uid and gid, as
              found in /etc/passwd, before running prog.  If user is  followed
              by  a colon and a group, set the gid to group’s gid, as found in
              /etc/group, instead of user’s  gid.   If  group  consists  of  a
              colon-separated  list  of  group names, set the group ids of all
              listed groups.  If user is prefixed with a colon, the  user  and
              all   group   arguments   are   interpreted   as  uid  and  gids
              respectively, and not looked up in the password or  group  file.
              All supplementary groups are removed.  This option should be set
              when sslio is started by root, and cannot be set otherwise.
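       The following Python is an added example, not code from  the  ipsvd
       sources:  it  reproduces  the  parsing rules for the [:]user[:group]
       argument shared by -u and -U, so the uid, gid and  resulting  group
       list  can  be  checked  before  a  run  script is deployed.  Lookups
       against /etc/passwd and /etc/group are injectable, and the tables  at
       the  top are constructed stand-ins; the handling of a numeric uid with
       no group is an assumption, since the page does not say which gid then
       applies.

```python
import grp
import pwd
from typing import Callable, List, Tuple

# Constructed stand-ins for /etc/passwd and /etc/group so the example runs
# offline with deterministic results (not real system accounts).
FAKE_PASSWD = {"sslio": (1001, 1001), "www": (33, 33)}
FAKE_GROUP = {"sslio": 1001, "www": 33, "certs": 2000, "log": 2001}

def system_user(name: str) -> Tuple[int, int]:
    """Real lookup: (uid, primary gid) from the password database."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, pw.pw_gid

def system_group(name: str) -> int:
    """Real lookup: gid from the group database."""
    return grp.getgrnam(name).gr_gid

def parse_user_spec(spec: str,
                    user_lookup: Callable[[str], Tuple[int, int]] = system_user,
                    group_lookup: Callable[[str], int] = system_group,
                    ) -> Tuple[int, int, List[int]]:
    """Parse the "[:]user[:group[:group...]]" argument of -u and -U.

    Returns (uid, gid, group_list), where group_list is the complete set
    of groups the process keeps: sslio removes every supplementary group
    that is not listed.  A leading ':' makes every field numeric.
    """
    numeric = spec.startswith(":")
    fields = (spec[1:] if numeric else spec).split(":")
    if any(not f for f in fields):
        raise ValueError("empty user or group field in %r" % spec)
    user, groups = fields[0], fields[1:]
    if numeric:
        uid = int(user)
        gids = [int(g) for g in groups]
        if not gids:
            # Assumption: the man page does not say which gid applies to a
            # bare numeric uid, so this example fails closed and demands one.
            raise ValueError("numeric form needs an explicit gid")
    else:
        uid, primary_gid = user_lookup(user)
        gids = [group_lookup(g) for g in groups]
        if not gids:
            # No group listed: gid is the user's primary gid and the
            # supplementary group list is emptied.
            return uid, primary_gid, []
    # The first listed group becomes the gid; all listed groups are kept.
    return uid, gids[0], gids
```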

       -/ root
              chroot.  Change the root directory to root before  reading  data
              from, or writing data to the network.  This option should be set
              when sslio is started by root, and cannot be set otherwise.

       -C cert
              cert file (server mode).  Read the  certificate  from  the  file
              cert  (default  is  ‘‘./cert.pem’’).  If the -/ option is given,
              first the root directory is changed, then the cert file is read.

       -K key
              private key (server mode).  Read the private key from the  file
              key  (default  is  cert).  If the -/ option is given, first the
              root directory is changed, then the private key is read.

       -A ca
              ca file (client mode).  Read the trusted root certificate  from
              the file ca.  Multiple files can be specified, using a semicolon
              as delimiter.  If the -/  option  is  given,  first  the  root
              directory is changed, then the ca file is read.

       -c     client mode.  This option must be given when running sslio under
              tcpclient(1).  In client mode, file descriptors 6 and 7 are used
              instead of standard input and standard output to read from  and
              write  to the network and the service program.  If the -A option
              is given, sslio refuses to connect to servers whose certificates
              cannot be verified against the root certificates; otherwise  it
              accepts any server certificate.

       -v     verbose.  Print verbose messages to standard error.

       -vv    more verbose.  Print more verbose messages to standard error.

       -vvv   even more verbose.  Print even more verbose messages to standard
              error.

ENVIRONMENT

       SSLIO_BUFIN
              The environment variable SSLIO_BUFIN overrides the default input
              buffer size for sslio (8192).

       SSLIO_BUFOU
              The  environment  variable  SSLIO_BUFOU  overrides  the  default
              output buffer size for sslio (12288).  If the output buffer  is
              too  small  to  hold  encrypted   or   decrypted   data,   sslio
              automatically grows the buffer by SSLIO_BUFOU more bytes.

       SSLIO_BAD_CERTIFICATE
              (client mode)  If the environment variable SSLIO_BAD_CERTIFICATE
              is set, sslio -c accepts server certificates  it  would  normally
              reject with
               fatal: ssl decode error: bad certificate

       SSLIO_HANDSHAKE_TIMEOUT
              The  environment  variable SSLIO_HANDSHAKE_TIMEOUT overrides the
              default number of seconds sslio will try  to  complete  the  ssl
              handshake  (300).   If  the handshake isn’t completed after this
              number of seconds, sslio exits.

SEE ALSO

       sslsvd(8), tcpsvd(8), udpsvd(8), ipsvd(7), ipsvd-instruct(5), ipsvd-cdb(8)

       http://smarden.org/ipsvd/

AUTHOR

       Gerrit Pape <pape@smarden.org>

                                                                      sslio(8)