sslserver (1)

Quiet. Do not print error messages.

(Default.) Print error messages.

Verbose. Print error messages and status messages.

Switch user ID or group ID after reading SSL certificates.

(Default.) Switch user ID or group ID before reading SSL certificates.

Allow a backlog of approximately n pending connections.

Write banner to the network immediately after each SSL connection is made. The banner is subject to SSL translation.

Do not handle more than n simultaneous connections. If there are n simultaneous connections copies of prog running, defer acceptance of a new connection until one copy finishes. n must be a positive integer. The default value is 40.

Delay sending data for a fraction of a second whenever the remote host is responding slowly. This is currently the default, but it may not be in the future; if you want it, set it explicitly.

Never delay sending data; enable TCP_NODELAY.

Switch group ID to gid after preparing to receive connections. NB: gid must be a positive integer.

Require valid client certificates.

(Default.) Do not require client certificates.

Leave IP options alone. If the client is sending packets along an IP source route, send packets back along the same route.

(Default.) Kill IP options. A client can still use source routing to connect and to send data, but packets will be sent back along the default route.

Switch user ID to uid after preparing to receive connections. NB: uid must be a positive integer.

Same as -g $GID -u $UID. Typically, $GID and $UID are set by envuidgid.

Follow the rules compiled into cdb by tcprules. These rules may specify setting environment variables or rejecting connections from bad sources. You can rerun tcprules to change the rules while sslserver is running.

With -x cdb, allow connections even if cdb does not exist. Normally sslserver will drop the connection if cdb does not exist.

After preparing to receive connections, print the local port number to standard output.

Read a null-terminated key password from file descriptor 3.

Set protocol environment a la tcpserver. Set $TCPLOCALIP, $TCPLOCALPORT, $TCPLOCALHOST, $TCPREMOTEIP, $TCPREMOTEPORT, $TCPREMOTEHOST, and $TCPREMOTEINFO from the corresponding $SSL variables.

(Default.) Do not set any tcpserver environment variables.

(Default.) Look up the remote host name in DNS to set the environment variable $SSLREMOTEHOST.

Do not look up the remote host name in DNS; remove the environment variable $SSLREMOTEHOST. To avoid loops, you must use this option for servers on TCP port 53.

Do not look up the local host name in DNS; use localname for the environment variable $SSLLOCALHOST. A common choice for localname is 0. To avoid loops, you must use this option for servers on TCP port 53.

Paranoid. After looking up the remote host name in DNS, look up the IP addresses in DNS for that host name, and remove the environment variable $SSLREMOTEHOST if none of the addresses match the client’s IP address.

(Default.) Not paranoid.

(Default.) Attempt to obtain $SSLREMOTEINFO from the remote host.

Do not attempt to obtain $SSLREMOTEINFO from the remote host. To avoid loops, you must use this option for servers on TCP ports 53 and 113.

Store client and server certificate information in the environment, a la mod_ssl.

(Default.) Do not store client and server certificate information in the environment.

Give up on the $SSLREMOTEINFO connection attempt after n seconds. The default value is: 26.

Give up on the SSL connection attempt after n seconds. The default value is: 26.

Give up on a connection or program after waiting n seconds for read or write. The default value is: 3600.

If set, overrides the compiled-in CA directory name. The CA directory contains certificates files used to verify the client certificate. This list augments the list from $CAFILE. Certificates in $CADIR are processed during certificate verification. A server running with the -a option may not be able to read certificates in $CADIR.

If set, overrides the compiled-in CA file name. The CA file contains the list of CAs used to verify the client certificate. Certificates in $CAFILE are processed when the server starts.

If set, overrides the compiled-in client CA file name for client certificate request. The client CA file contains the list of CAs sent to the client when requesting a client certificate.

If set, overrides the compiled-in certificate file name. The server presents this certificate to clients.

If set, override the compiled-in SSL cipher list.

If set, overrides the compiled-in DH parameter file name.

If set, overrides the compiled-in key file name. The key is used when loading the server certificate. Setting $KEYFILE to the empty string instructs the server not to use a keyfile when loading its certificate.

If set, overrides the compiled-in verification depth.