sslio man page on DragonFly


sslio(8)							      sslio(8)

NAME
       sslio - SSL input/output for service programs

SYNOPSIS
       sslio  [-cv]  [-u  user] [-U user] [-/ root] [-C cert] [-K key] [-A ca]
       prog

DESCRIPTION
       sslio provides SSL encrypted network connections for  service  programs
       started by tcpsvd(8) or tcpserver(1), and tcpclient(1).

       Normally sslio is started by tcpsvd(8) or tcpclient(1), in turn starts
       the service program prog, and runs as a child process of the service
       program.  After performing the SSL handshake, sslio reads SSL encrypted
       data from the network, and writes decrypted data to the service program
       prog; it reads data from the service program prog, and writes SSL
       encrypted data to the network.  sslio should run under a different user
       ID than the service program, and with a changed root directory.  When
       started by root, the -u option must be given, and the -U and -/ options
       should be given.

       The  sslio  program  uses  the  SSLv3  implementation  of the matrixssl
       library.

OPTIONS
       prog   prog consists of one or more arguments, specifying  the  service
	      program normally run directly by tcpsvd(8), or tcpserver(1).

       -u [:]user[:group]
	      drop permissions.	 Set uid and gid to the user's uid and gid, as
	      found in /etc/passwd, before reading data from, or writing  data
	      to the network.  If user is followed by a colon and a group, set
	      the gid to group's gid,  as  found  in  /etc/group,  instead  of
	      user's  gid.   If	 group	consists  of a colon-separated list of
	      group names, set the group ids of all listed groups.  If user is
	      prefixed	with  a	 colon,	 the  user and all group arguments are
	      interpreted as uid and gids respectively, and not looked	up  in
	      the  password  or	 group	file.	All  supplementary  groups are
	      removed.	This option must be set when sslio is started by root,
	      and cannot be set otherwise.

       -U [:]user[:group]
	      drop permissions.	 Set uid and gid to the user's uid and gid, as
	      found in /etc/passwd, before running prog.  If user is  followed
	      by  a colon and a group, set the gid to group's gid, as found in
	      /etc/group, instead of user's  gid.   If	group  consists	 of  a
	      colon-separated  list  of	 group names, set the group ids of all
	      listed groups.  If user is prefixed with a colon, the  user  and
	      all group arguments are interpreted as uid and gids respectively,
	      and not looked up in the password or group file.  All
	      supplementary  groups  are  removed.   This option should be set
	      when sslio is started by root, and cannot be set otherwise.

       -/ root
	      chroot.  Change the root directory to root before	 reading  data
	      from, or writing data to the network.  This option should be set
	      when sslio is started by root, and cannot be set otherwise.

       -C cert
	      cert file (server mode).	Read the  certificate  from  the  file
	      cert  (default  is  ``./cert.pem'').  If the -/ option is given,
	      first the root directory is changed, then the cert file is read.

       -K key private key (server mode).  Read the private key from  the  file
	      key  (default  is	 cert).	  If the -/ option is given, first the
	      root directory is changed, then the private key is read.

       -A ca  ca file (client mode).  Read the trusted root  certificate  from
	      the file ca.  Multiple files can be specified, using a semicolon
	      as delimiter.  If the -/ option is given, first the root directory
	      is changed, then the ca file is read.

       -c     client mode.  This option must be given when running sslio under
	      tcpclient(1).  In client mode, file descriptors 6 and 7 are used
	      instead of standard input and standard output to read from and
	      write to the network and the service program.  If the -A option
	      is given, sslio refuses to connect to a server whose certificates
	      cannot be verified by the root certificates; otherwise it accepts
	      any server certificate.

       -v     verbose.	Print verbose messages to standard error.

       -vv    more verbose.  Print more verbose messages to standard error.

       -vvv   even more verbose.  Print even more verbose messages to standard
	      error.

ENVIRONMENT
       SSLIO_BUFIN
	      The environment variable SSLIO_BUFIN overrides the default input
	      buffer size for sslio (8192).

       SSLIO_BUFOU
	      The environment variable SSLIO_BUFOU overrides the default output
	      buffer size for sslio (12288).  If the output buffer is too
	      small to hold encrypted or decrypted data, sslio automatically
	      enlarges the buffer by SSLIO_BUFOU more bytes.

       SSLIO_BAD_CERTIFICATE
	      (client mode)  If the environment variable SSLIO_BAD_CERTIFICATE
	      is set, sslio -c accepts server certificates it would normally
	      reject with
	       fatal: ssl decode error: bad certificate

       SSLIO_HANDSHAKE_TIMEOUT
	      The environment variable SSLIO_HANDSHAKE_TIMEOUT	overrides  the
	      default  number  of  seconds  sslio will try to complete the ssl
	      handshake (300).	If the handshake isn't	completed  after  this
	      number of seconds, sslio exits.
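
EXAMPLES
       The script below is an added example, not part of ipsvd or of the
       original man page.  It checks an sslio command line against the rules
       stated above for -u, -U, -/, -c, -A and SSLIO_BAD_CERTIFICATE.  The
       function name audit_sslio, its root|user first argument, and the sample
       user names, paths and programs are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not part of ipsvd): lint an sslio command line against the
# rules in this man page. audit_sslio is a hypothetical helper name.
# Usage: audit_sslio root|user [sslio options] prog...
# Assumes options are separate words (no bundling such as -cv).
audit_sslio() {
    who=$1; shift
    client=0; u=; U=; newroot=; ca=; rc=0
    while [ $# -gt 0 ]; do
        case $1 in
            -c) client=1; shift ;;
            -v|-vv|-vvv) shift ;;
            -u|-U|-/|-A|-C|-K)
                [ $# -ge 2 ] || { echo "ERROR: $1 needs an argument"; return 2; }
                case $1 in -u) u=$2 ;; -U) U=$2 ;; -/) newroot=$2 ;; -A) ca=$2 ;; esac
                shift 2 ;;
            *) break ;;   # first other word starts prog
        esac
    done
    if [ "$who" = root ]; then
        [ -n "$u" ] || { echo "ERROR: started by root without -u"; rc=1; }
        [ -n "$U" ] || echo "WARN: no -U, permissions are not dropped before running prog"
        [ -n "$newroot" ] || echo "WARN: no -/, root directory is not changed"
        # Plain string comparison; does not resolve numeric :uid forms.
        [ -z "$u" ] || [ "$u" != "$U" ] || echo "WARN: -u and -U name the same user"
    elif [ -n "$u$U$newroot" ]; then
        echo "ERROR: -u, -U and -/ cannot be set unless started by root"; rc=1
    fi
    if [ "$client" = 1 ]; then
        [ -n "$ca" ] || echo "WARN: -c without -A accepts any server certificate"
        [ -z "${SSLIO_BAD_CERTIFICATE+set}" ] ||
            echo "WARN: SSLIO_BAD_CERTIFICATE is set, rejected certificates are accepted"
    fi
    return $rc
}

# Constructed command lines; user names, paths and programs are placeholders.
audit_sslio root -u sslio -U smtpd -/ /etc/sslio -C cert.pem /usr/sbin/smtpd
audit_sslio root /usr/sbin/smtpd || true
audit_sslio user -c /usr/local/bin/myclient || true
```

       The function prints one finding per line and returns non-zero when a
       rule marked "must" or "cannot" in this page is violated.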

SEE ALSO
       sslsvd(8),  tcpsvd(8),  udpsvd(8),  ipsvd(7), ipsvd-instruct(5), ipsvd-
       cdb(8)

       http://smarden.org/ipsvd/

AUTHOR
       Gerrit Pape <pape@smarden.org>

								      sslio(8)