/usr/share/doc/ipsvd/sslsvd.8.html is in ipsvd 1.0.0-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 | <html>
<head>
<title>sslsvd(8) manual page</title>
</head>
<body bgcolor='white'>
<a href='http://smarden.org/pape/'>G. Pape</a><br><a href='index.html'>ipsvd</a><hr>
<h2><a name='sect0'>Name</a></h2>
sslsvd - SSLv3 TCP/IP service daemon
<h2><a name='sect1'>Synopsis</a></h2>
<b>sslsvd</b> [-hpEvv] [-c <i>n</i>] [-C
<i>n:<i>msg</i>] [-b <i>n</i>] [-u <i>user</i>] [-l <i>name</i>] [-i <i>dir</i>|-x <i>cdb</i>] [-t <i>sec</i>] [-U <i>ssluser</i>] [-/ <i>root</i>]
[-Z <i>cert</i>] [-K <i>key</i>] <i>host</i> <i>port</i> <i>prog</i>
<h2><a name='sect2'></i>Description</a></h2>
<b>sslsvd</b> creates a TCP/IP socket,
binds it to the address <i>host</i>:<i>port</i>, and listens on the socket for incoming
SSLv3 connections. <p>
On each incoming connection, <b>sslsvd</b> conditionally runs
a program, with standard input reading from the socket, and standard output
writing to the socket, to handle this connection. The data read and written
to the socket will automatically decrypted and encrypted respectively by
<b>sslsvd</b>. <b>sslsvd</b> keeps listening on the socket for new connections, and can
handle multiple connections simultaneously. <p>
<b>sslsvd</b> optionally checks for
special instructions depending on the IP address or hostname of the client
that initiated the connection, see <i><b>ipsvd-instruct</b>(5)</i>.
<h2><a name='sect3'>Options</a></h2>
<dl>
<dt><i>host</i> </dt>
<dd><i>host</i> either
is a hostname, or a dotted-decimal IP address, or 0. If <i>host</i> is 0, <b>sslsvd</b>
accepts connections to any local IP address. </dd>
<dt><i>port</i> </dt>
<dd><b>sslsvd</b> accepts connections
to <i>host</i>:<i>port</i>. <i>port</i> may be a name from /etc/services or a number. </dd>
<dt><i>prog</i> </dt>
<dd><i>prog</i>
consists of one or more arguments. For each connection, <b>sslsvd</b> normally
runs <i>prog</i>, with file descriptor 0 reading decrypted data from the network,
and file descriptor 1 writing to be encrypted data to the network. By default
it also sets up TCP-related environment variables, see <i><b>tcp-environ</b>(5)</i> </dd>
<dt><b>-i <i>dir</b>
</i></dt>
<dd>read instructions for handling new connections from the instructions directory
<i>dir</i>. See <i><b>ipsvd-instruct</b>(5)</i> for details. </dd>
<dt><b>-x <i>cdb</b> </i></dt>
<dd>read instructions for handling
new connections from the constant database <i>cdb</i>. The constant database normally
is created from an instructions directory by running <i><b>ipsvd-cdb</b>(8)</i>. </dd>
<dt><b>-t <i>sec</b>
</i></dt>
<dd>timeout. This option only takes effect if the -i option is given. While checking
the instructions directory, check the time of last access of the file that
matches the clients address or hostname if any, discard and remove the
file if it wasn’t accessed within the last <i>sec</i> seconds; <b>sslsvd</b> does not
discard or remove a file if the user’s write permission is not set, for
those files the timeout is disabled. Default is 0, which means that the
timeout is disabled. </dd>
<dt><b>-l <i>name</b> </i></dt>
<dd>local hostname. Do not look up the local hostname
in DNS, but use <i>name</i> as hostname. </dd>
<dt><b>-u <i>[:]user[:group]</b> </i></dt>
<dd>drop permissions. Set
uid and gid to the <i>user</i>’s uid and gid, as found in <i>/etc/passwd</i>, before running
<i>prog</i>. If <i>user</i> is followed by a colon and a <i>group</i>, set the gid to <i>group</i>’s
gid, as found in <i>/etc/group</i>, instead of <i>user</i>’s gid. If <i>group</i> consists of
a colon-separated list of group names, set the group ids of all listed groups.
If <i>user</i> is prefixed with a colon, the <i>user</i> and all <i>group</i> arguments are
interpreted as uid and gids respectively, and not looked up in the password
or group file. All supplementary groups are removed. </dd>
<dt><b>-c <i>n</b> </i></dt>
<dd>concurrency. Handle
up to <i>n</i> connections simultaneously. Default is 30. If there are <i>n</i> connections
active, <b>sslsvd</b> defers acceptance of a new connection until an active connection
is closed. </dd>
<dt><b>-C <i>n</i>[:<i>msg</i>]</b> </dt>
<dd>per host concurrency. Allow only up to <i>n</i> connections
from the same IP address simultaneously. If there are <i>n</i> active connections
from one IP address, new incoming connections from this IP address are
closed immediately. If <i>n</i> is followed by :<i>msg,</i> the message <i>msg</i> is written
to the client if possible, before closing the connection. By default <i>msg</i>
is empty. See <i><b>ipsvd-instruct</b>(5)</i> for supported escape sequences in <i>msg</i>.
<p> For
each accepted connection, the current per host concurrency is available
through the environment variable <i>TCPCONCURRENCY</i>. <i>n</i> and <i>msg</i> can be overwritten
by <i><b>ipsvd</b>(7)</i> instructions, see <i><b>ipsvd-instruct</b>(5)</i>.<b></b> By default <b>sslsvd</b> doesn’t
keep track of connections. </dd>
<dt><b>-h</b> </dt>
<dd>Look up the client’s hostname in DNS. </dd>
<dt><b>-p</b> </dt>
<dd>paranoid.
After looking up the client’s hostname in DNS, look up the IP addresses
in DNS for that hostname, and forget about the hostname if none of the
addresses match the client’s IP address. You should set this option if you
use hostname based instructions. The -p option implies the -h option. </dd>
<dt><b>-b <i>n</b> </i></dt>
<dd>backlog.
Allow a backlog of approximately <i>n</i> TCP SYNs. On some systems <i>n</i> is silently
limited. Default is 20. </dd>
<dt><b>-E</b> </dt>
<dd>no special environment. Do not set up TCP-related
environment variables. </dd>
<dt><b>-v</b> </dt>
<dd>verbose. Print verbose messsages to standard output.
</dd>
<dt><b>-vv</b> </dt>
<dd>more verbose. Print more verbose messages to standard output. </dd>
</dl>
<h3><a name='sect4'>Ssl Options</a></h3>
<dl>
<dt><b>-U
<i>[:]user[:group]</b> </i></dt>
<dd>drop permissions. Set uid and gid to the <i>user</i>’s uid and gid,
as found in <i>/etc/passwd</i>, before running the SSLv3 encrypt/decrypt process.
If <i>user</i> is followed by a colon and a <i>group</i>, set the gid to <i>group</i>’s gid,
as found in <i>/etc/group</i>, instead of <i>user</i>’s gid. If <i>group</i> consists of a colon-separated
list of group names, set the group ids of all listed groups. If <i>user</i> is
prefixed with a colon, the <i>user</i> and all <i>group</i> arguments are interpreted
as uid and gids respectively, and not looked up in the password or group
file. All supplementary groups are removed. This option must be set when
<b>sslsvd</b> is started by root. </dd>
<dt><b>-/ <i>root</b> </i></dt>
<dd>chroot. Change the root directory to <i>root</i>
before running the SSLv3 encrypt/decrypt process. This option should be
set when <b>sslsvd</b> is started by root. </dd>
<dt><b>-Z <i>cert</b> </i></dt>
<dd>cert file. Read the certificate
from the file <i>cert</i> (default is ‘‘./cert.pem’’). If the -/ option is given, first
the cert file is read, then the root directory is changed. </dd>
<dt><b>-K <i>key</b> </i></dt>
<dd>private
key. Read the private key from the file <i>key</i> (default is <i>cert</i>). If the -/ option
is given, first the cert file is read, then the root directory is changed.
</dd>
</dl>
<h2><a name='sect5'>Environment</a></h2>
<dl>
<dt>SSLIO_BUFIN </dt>
<dd>The environment variable <i>SSLIO_BUFIN</i> overrides the
default input buffer size for <b>sslsvd</b> (8192). </dd>
<dt>SSLIO_BUFOU </dt>
<dd>The environment
variable <i>SSLIO_BUFOU</i> overrides the default output buffer size for <b>sslsvd</b>
(12288). If the output buffer is too small to hold encrypted or decrypted
data, <b>sslio</b> automatically blows up the buffer to <i>SSLIO_BUFOU</i> more bytes.
</dd>
<dt>SSLIO_HANDSHAKE_TIMOUT </dt>
<dd>The environment variable <i>SSLIO_HANDSHAKE_TIMEOUT</i>
overrides the default number of seconds <b>sslsvd</b> will try to complete the
ssl handshake (300). If the handshake isn’t completed after this number of
seconds, the client will be disconnected. </dd>
</dl>
<h2><a name='sect6'>See Also</a></h2>
<i>ipsvd(7)</i>, <i>tcpsvd(8)</i>, <i>udpsvd(8)</i>,
<i>ipsvd-instruct(5)</i>, <i>ipsvd-cdb(8)</i>, <i>sslio(8)</i> <p>
<i>http://smarden.org/ipsvd/</i>
<h2><a name='sect7'>Author</a></h2>
Gerrit
Pape <pape@smarden.org> <p>
<hr><p>
<a name='toc'><b>Table of Contents</b></a><p>
<ul>
<li><a name='toc0' href='#sect0'>Name</a></li>
<li><a name='toc1' href='#sect1'>Synopsis</a></li>
<li><a name='toc2' href='#sect2'>Description</a></li>
<li><a name='toc3' href='#sect3'>Options</a></li>
<ul>
<li><a name='toc4' href='#sect4'>Ssl Options</a></li>
</ul>
<li><a name='toc5' href='#sect5'>Environment</a></li>
<li><a name='toc6' href='#sect6'>See Also</a></li>
<li><a name='toc7' href='#sect7'>Author</a></li>
</ul>
</body>
</html>
|