The sslserver program
Interface
sslserver opts host port prog
where opts is a series of getopt-style options, host is a host name or IP address, port
is a TCP port, and prog is one or more arguments specifying a program to run for each
accepted connection.
sslserver listens for connections from TCP clients. For each connection, it runs prog,
with file descriptor 0 reading from, and file descriptor 1 writing to, a child process ssl. The
ssl process attempts an SSL accept over the network. If it succeeds, it translates
data between prog and the network, performing any necessary SSL encoding and
decoding, so prog only ever sees plaintext on descriptors 0 and 1.
Before running prog, sslserver sets certain environment variables.
sslserver exits when it receives SIGTERM.
Options
General Options:
- -q: Quiet. Do not print error messages.
- -Q: (Default.) Print error messages.
- -v: Verbose. Print error messages and status messages.
Connection options:
- -c n: Do not handle more than n simultaneous connections. If there are n
simultaneous copies of prog running, defer acceptance of a new
connection until one copy finishes. n must be a positive integer. The default value
is 40.
- -x cdb: Follow the rules compiled into cdb by tcprules. These rules may
specify setting environment variables or rejecting connections from bad sources.
You can rerun tcprules to change the rules while sslserver is running.
- -X: With -x cdb, allow connections even if cdb does not exist. Normally
sslserver will drop the connection if cdb does not exist.
- -B banner: Write banner to the network immediately after each SSL
connection is made. The banner is subject to SSL translation.
- -g gid: Switch group ID to gid after preparing to receive connections. gid
must be a positive integer.
- -u uid: Switch user ID to uid after preparing to receive connections. uid
must be a positive integer.
- -U: Same as -g $GID -u $UID. Typically, $GID and $UID are set by
envuidgid.
- -a: Switch user ID or group ID after reading SSL certificates.
- -A: (Default.) Switch user ID or group ID before reading SSL certificates.
- -1: After preparing to receive connections, print the local port number to
standard output.
- -b n: Allow a backlog of approximately n pending connections.
- -o: Leave IP options alone. If the client is sending packets along an IP source
route, send packets back along the same route.
- -O: (Default.) Kill IP options. A client can still use source routing to connect
and to send data, but packets will be sent back along the default route.
- -d: Delay sending data for a fraction of a second whenever the remote host is
responding slowly. This is currently the default, but it may not be in the future;
if you want it, set it explicitly.
- -D: Never delay sending data; enable TCP_NODELAY.
- -3: Read a null-terminated key password from file descriptor 3.
- -i: Require valid client certificates.
- -I: (Default.) Do not require client certificates.
Data-gathering options:
- -h: (Default.) Look up the remote host name in DNS to set the environment
variable $SSLREMOTEHOST.
- -H: Do not look up the remote host name in DNS; remove the environment
variable $SSLREMOTEHOST. To avoid loops, you must use this option for
servers on TCP port 53.
- -p: Paranoid. After looking up the remote host name in DNS, look up the IP
addresses in DNS for that host name, and remove the environment variable
$SSLREMOTEHOST if none of the addresses match the client’s IP address.
- -P: (Default.) Not paranoid.
- -l localname: Do not look up the local host name in DNS; use localname
for the environment variable $SSLLOCALHOST. A common choice for
localname is 0. To avoid loops, you must use this option for servers on TCP
port 53.
- -r: (Default.) Attempt to obtain $SSLREMOTEINFO from the remote host.
- -R: Do not attempt to obtain $SSLREMOTEINFO from the remote host. To
avoid loops, you must use this option for servers on TCP ports 53 and 113.
- -t n: Give up on the $SSLREMOTEINFO connection attempt after n seconds.
The default value is 26.
- -T n: Give up on the SSL connection attempt after n seconds. The default value
is 26.
- -w n: Give up on a connection or program after waiting n seconds for read or
write. The default value is 3600.
- -s: Store client and server certificate information in the environment, a la
mod_ssl.
- -S: (Default.) Do not store client and server certificate information in the
environment.
- -e: Set protocol environment a la tcpserver. Set
$TCPLOCALIP, $TCPLOCALPORT, $TCPLOCALHOST, $TCPREMOTEIP,
$TCPREMOTEPORT, $TCPREMOTEHOST, and $TCPREMOTEINFO from the
corresponding $SSL variables.
- -E: (Default.) Do not set any tcpserver environment variables.
SSL options:
- $CAFILE: If set, overrides the compiled-in CA file name. The CA file contains
the list of CAs used to verify the client certificate. Certificates in $CAFILE are
processed when the server starts.
- $CADIR: If set, overrides the compiled-in CA directory name. The CA directory
contains certificates files used to verify the client certificate. This list augments
the list from $CAFILE. Certificates in $CADIR are processed during certificate
verification. A server running with the -a option may not be able to read
certificates in $CADIR.
- $CCAFILE: If set, overrides the compiled-in client CA file name for client
certificate request. The client CA file contains the list of CAs sent to the client
when requesting a client certificate.
- $CERTFILE: If set, overrides the compiled-in certificate file name. The server
presents this certificate to clients.
- $CIPHERS: If set, overrides the compiled-in SSL cipher list.
- $DHFILE: If set, overrides the compiled-in DH parameter file name.
- $KEYFILE: If set, overrides the compiled-in key file name. The key is used
when loading the server certificate. Setting $KEYFILE to the empty string
instructs the server not to use a keyfile when loading its certificate.
- $VERIFYDEPTH: If set, overrides the compiled-in verification depth.
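As an added example (not part of ucspi-ssl or of this page), a daemontools-style run script that assembles the options above, refuses to start when the port 53/113 loop-avoidance rules or the -c constraint are violated, and passes the key password in on descriptor 3. All paths, the sslservice user, the 0 wildcard host and ./prog are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of ucspi-ssl: run script for sslserver.
set -e

# Certificate material is read through these variables (see "SSL options").
# With -A (the default) the uid/gid switch happens before they are read, so
# the service user must be able to read them.
export CERTFILE=/etc/sslserver/cert.pem       # assumed path
export KEYFILE=/etc/sslserver/key.pem         # assumed path
export CAFILE=/etc/sslserver/client-ca.pem    # assumed path; CAs for -i
export VERIFYDEPTH=2
RULES=/etc/sslserver/rules.cdb                # assumed; compiled by tcprules
KEYPASS=/etc/sslserver/keypass                # assumed; NUL-terminated, for -3

# build_opts PORT: emit the option string for PORT, adding the options the
# manual says are mandatory on ports 53 and 113 to avoid DNS/ident loops.
build_opts() {
  opts="-U -c 20 -T 30 -w 600 -x $RULES -i -s -e"
  case "$1" in
    53)  opts="$opts -H -l 0 -R" ;;   # no DNS lookups, no $SSLREMOTEINFO
    113) opts="$opts -R" ;;           # no $SSLREMOTEINFO on the ident port
  esac
  echo "$opts"
}

# has_opt OPTS FLAG: succeed when FLAG occurs as a separate word in OPTS.
has_opt() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# check_opts PORT OPTS: fail when OPTS would loop on PORT or when -c is
# given a value that is not a positive integer (lint for hand-edited files).
check_opts() {
  c=$(echo " $2" | sed -n 's/.* -c \([0-9][0-9]*\).*/\1/p')
  [ -z "$c" ] || [ "$c" -gt 0 ] || return 1
  case "$1" in
    53)  has_opt "$2" -H && has_opt "$2" -R && has_opt "$2" -l || return 1 ;;
    113) has_opt "$2" -R || return 1 ;;
  esac
  return 0
}

PORT=${PORT:-443}
OPTS=$(build_opts "$PORT")
check_opts "$PORT" "$OPTS" || { echo "bad sslserver options for port $PORT" >&2; exit 1; }

# Start only where the tools exist; envuidgid supplies $UID/$GID for -U.
if command -v envuidgid >/dev/null 2>&1 && command -v sslserver >/dev/null 2>&1; then
  # word-splitting of $OPTS is intended; 0 = all local addresses (assumed)
  exec envuidgid sslservice sslserver -3 $OPTS 0 "$PORT" ./prog 3<"$KEYPASS"
fi
```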
Copyright © 2009 by SuperScript Technology, Inc. All rights reserved.