<html> <head> <title>sslio(8) manual page</title> </head> <body bgcolor='white'> <a href='http://smarden.org/pape/'>G. Pape</a><br><a href='index.html'>ipsvd</a><hr> <h2><a name='sect0'>Name</a></h2> sslio - SSL input/output for service programs <h2><a name='sect1'>Synopsis</a></h2> <b>sslio</b> [-cv] [-u <i>user</i>] [-U <i>user</i>] [-/ <i>root</i>] [-C <i>cert</i>] [-K <i>key</i>] [-A <i>ca</i>] <i>prog</i> <h2><a name='sect2'>Description</a></h2> <b>sslio</b> provides SSL encrypted network connections for service programs started by <i><b>tcpsvd</b>(8)</i> or <i><b>tcpserver</b>(1)</i>, and <i><b>tcpclient</b>(1)</i>. <p> Normally <b>sslio</b> is started by <i><b>tcpsvd</b>(8)</i> or <i><b>tcpclient(1)</i>,</b> in turn starts the service program <i>prog</i>, and runs as child process of the service program. After performing the SSL handshake, <b>sslio</b> reads SSL encrypted data from the network, and writes decrypted data to the service program <i>prog</i>; it reads data from the service program <i>prog</i>, and writes SSL encrypted data to the network. <b>sslio</b> should run under a different user ID than the service program, and with a changed root directory. When started by root, the -u option must be given, and the -U and -/ options should be given. <p> The <b>sslio</b> program uses the SSLv3 implementation of the matrixssl library. <h2><a name='sect3'>Options</a></h2> <dl> <dt><i>prog</i> </dt> <dd><i>prog</i> consists of one or more arguments, specifying the service program normally run directly by <i><b>tcpsvd</b>(8)</i>, or <i><b>tcpserver</b>(1)</i>. </dd> <dt><b>-u <i>user</i>[:<i>group</i>]</b> </dt> <dd>drop permissions. Switch user ID to <i>user</i>’s UID, and group ID to <i>user</i>’s primary GID before reading data from, or writing data to the network. If <i>user</i> is followed by a colon and a group name, the group ID is switched to the GID of <i>group</i> instead. All supplementary groups are removed. This option must be set when <b>sslio</b> is started by root, and cannot be set otherwise. </dd> <dt><b>-U <i>user</i>[:<i>group</i>]</b> </dt> <dd>drop permissions. Switch user ID to <i>user</i>’s UID, and group ID to <i>user</i>’s primary GID before starting the service program <i>prog</i>. If <i>user</i> is followed by a colon and a group name, the group ID is switched to the GID of <i>group</i> instead. All supplementary groups are removed. This option should be set when <b>sslio</b> is started by root, and cannot be set otherwise. </dd> <dt><b>-/ <i>root</b> </i></dt> <dd>chroot. Change the root directory to <i>root</i> before reading data from, or writing data to the network. This option should be set when <b>sslio</b> is started by root, and cannot be set otherwise. </dd> <dt><b>-C <i>cert</b> </i></dt> <dd>cert file (server mode). Read the certificate from the file <i>cert</i> (default is ‘‘./cert.pem’’). If the -/ option is given, first the root directory is changed, then the cert file is read. </dd> <dt><b>-K <i>key</b> </i></dt> <dd>private key (server mode). Read the private key from the file <i>key</i> (default is <i>cert</i>). If the -/ option is given, first the root directory is changed, then the private key is read. </dd> <dt><b>-A <i>ca</b> </i></dt> <dd>ca file (client mode). Read the trusted root certificate from the file <i>ca</i>. Multiple files can be specified, using a semicolon as delimiter. If the -/ option is given, first the root directory is changed, then the ca file is read. </dd> <dt><b>-c</b> </dt> <dd>client mode. This option must be given when running <b>sslio</b> under <i><b>tcpclient</b>(1)</i>. In client mode, filedescriptors 6 and 7 are used instead of standard input and standard ouput to read from and write to the network and the service program. If the -A option is given, <b>sslio</b> refuses to connect to a servers which’s certificates cannot be verified by the root certificates, it accepts any server certificate otherwise. </dd> <dt><b>-v</b> </dt> <dd>verbose. Print verbose messages to standard error. </dd> <dt><b>-vv</b> </dt> <dd>more verbose. Print more verbose messages to standard error. </dd> <dt><b>-vvv</b> </dt> <dd>even more verbose. Print even more verbose messages to standard error. </dd> </dl> <h2><a name='sect4'>Environment</a></h2> <dl> <dt>SSLIO_BUFIN </dt> <dd>The environment variable <i>SSLIO_BUFIN</i> overrides the default input buffer size for <b>sslio</b> (8192). </dd> <dt>SSLIO_BUFOU </dt> <dd>The environment variable <i>SSLIO_BUFOU</i> overrides the default output buffer size for <b>sslio</b> (12288). If the output buffer is too small to hold encrypted or decrypted data, <b>sslio</b> automatically blows up the buffer to <i>SSLIO_BUFOU</i> more bytes. </dd> </dl> <h2><a name='sect5'>See Also</a></h2> <i>sslsvd(8)</i>, <i>tcpsvd(8)</i>, <i>udpsvd(8)</i>, <i>ipsvd(7)</i>, <i>ipsvd-instruct(5)</i>, <i>ipsvd-cdb(8)</i> <p> <i>http://smarden.org/ipsvd/</i> <h2><a name='sect6'>Author</a></h2> Gerrit Pape <pape@smarden.org> <p> <hr><p> <a name='toc'><b>Table of Contents</b></a><p> <ul> <li><a name='toc0' href='#sect0'>Name</a></li> <li><a name='toc1' href='#sect1'>Synopsis</a></li> <li><a name='toc2' href='#sect2'>Description</a></li> <li><a name='toc3' href='#sect3'>Options</a></li> <li><a name='toc4' href='#sect4'>Environment</a></li> <li><a name='toc5' href='#sect5'>See Also</a></li> <li><a name='toc6' href='#sect6'>Author</a></li> </ul> </body> </html>