sslserver [ opts ] host port prog


       opts is a series of getopt-style options, host is a host name or IP
       address, port is a TCP port, and prog is one or more arguments
       specifying a program to run for each accepted connection.

       sslserver listens for connections from TCP clients.  Typically, for
       each connection, it runs prog, with file descriptor 0 reading from, and
       file descriptor 1 writing to, a child process ssl.  If however sslserver
       is called with the option -n, it communicates with prog on mutually
       chosen, arbitrary file descriptors; prog then needs to support the UCSPI-
       TLS API.  The ssl process attempts an SSL accept via the network.  If
       it succeeds, it translates data between prog and the network,
       performing any necessary SSL encoding and decoding.  Before running
       prog, sslserver reads and sets certain environment variables.

       sslserver exits when it receives SIGTERM.


       General Options:

       -q     Quiet. Do not print error messages.

       -Q     (Default.) Print error messages.

       -v     Verbose. Print error messages and status messages.

       -V     Print additional verbose SSL connection information (protocol
              and cipher).

       Connection options:

       -1     After preparing to receive connections, print the local port
              number to standard output.

       -4     Use IPv4 sockets and IPv4 addresses for connections and DNS
              lookups.  Use DNSCACHEIP to set the DNS resolver IP dynamically
              irrespectively from the settings in /etc/resolv.conf.

       -6     Force IPv6 mode in UCSPI environment variables.  This will set
              PROTO to TCP6 and put any IPv4-mapped IPv6 addresses in

       -c n   Do not handle more than n simultaneous connections.  If there
              are already n copies of prog running, defer acceptance of a new
              connection until one copy finishes.  n must be a positive
              integer. The default value is 40.

              gid must be a positive integer.

       -u uid Switch user ID to uid after preparing to receive connections.
              uid must be a positive integer.

       -U     Same as -g $GID -u $UID. Typically, $GID and $UID are set by

       -I ifname
              Bind to the network interface ifname ("eth0" on Linux, for
              example).  This is only defined and needed for IPv6 link-local

       -b n   Allow a backlog of approximately n pending connections.

       -o     Leave IP options alone. If the client is sending packets along
              an IP source route, send packets back along the same route.

       -O     (Default.) Kill IP options.  A client can still use source
              routing to connect and to send data, but packets will be sent
              back along the default route.

       -d     Delay sending data for a fraction of a second whenever the
              remote host is responding slowly. This is currently the default,
              but it may not be in the future; if you want it, set it

       -D     Never delay sending data; enable TCP_NODELAY.

       -t n   Give up on the $SSLREMOTEINFO connection attempt after n
              seconds. The default value is: 26.

       -T n   Give up on the SSL connection attempt after n seconds. The
              default value is: 26.

       -w n   Give up on a connection or program after waiting n seconds for
              read or write. The default value is: 3600.

              Note: IPv4-mapped IPv6 addresses are displayed initially in the
              format ::ffff:a.b.c.d and later in their generic IPv4 form,
              which is also used to query the rules.cdb.

       SSL and TLS connection options:

       -n     Delay setup of the SSL environment until a STARTTLS/STLS command
              has been issued by the client.

       -N     (Default.) Set up the SSL environment immediately.

       -s     Store client and server certificate information in the
              given) against SAN/DN.

       -Z     (Default.) Do not require client certificates.

       Data-gathering options:

       -h     (Default.) Look up the remote host name in DNS to set the
              environment variable $SSLREMOTEHOST.  In this case, the CN in
              the X509 certificate is additionally checked, provided the
              option -z is set.

       -H     Do not look up the remote host name in DNS; remove the
              environment variable $SSLREMOTEHOST.  To avoid loops, you must
              use this option for servers on TCP port 53.

       -p     Paranoid. After looking up the remote host name in DNS, look up
              the IP addresses in DNS for that host name, and remove the
              environment variable  $SSLREMOTEHOST if none of the addresses
              match the client's IP address.

       -P     (Default.) Not paranoid.

       -l localname
              Do not look up the local host name in DNS; use localname for the
              environment variable $SSLLOCALHOST.  A common choice for
              localname is 0. To avoid loops, you must use this option for
              servers on TCP port 53.

       -r     Attempt to obtain $SSLREMOTEINFO from the remote host.

       -R     (Default.) Do not attempt to obtain $SSLREMOTEINFO from the
              remote host.  To avoid loops, you must use this option for
              servers on TCP ports 53 and 113.

       -e     Set the protocol environment à la tcpserver.  Set $TCPLOCALIP,
              $TCPREMOTEHOST, and $TCPREMOTEINFO, and for IPv6 connections
              additionally $TCP6REMOTEIP, $TCP6REMOTEHOST, and
              $TCP6REMOTEINFO, from the current $SSL environment (see below).

       -E     (Default.) Do not set any tcpserver environment variables.

       SSL environment variables read:

       These variables define the run-time environment of sslserver and are
       used to specify the X509 certificates and keyfile per connection.
       $SSL_USER=name The user that reads the certificates and keyfile.

              The respective user group.
              If set, overrides the compiled-in CA directory name.  The CA
              directory contains certificates files used to verify the client
              certificate.  This list augments the list from $CAFILE.
              Certificates in $CADIR are processed during certificate

              If set, overrides the compiled-in certificate file name.  The
              server presents this certificate to clients.

              If set, overrides the compiled-in certificate chainfile name.
              The server presents this list of certificates to clients.  Note:
              Providing $CERTCHAINFILE takes precedence over $CERTFILE.
              Certificates in this file need to be 'ordered', starting from
              the uppermost root certificate and placing your host's
              certificate at the end.

              If set, overrides the compiled-in SSL cipher list defining the
              security level for the connection.  A typical choice would be

              If set, overrides the compiled-in DH parameter file name.

              If set, overrides the compiled-in key file name.  The key is
              used when loading the server certificate.  Setting $KEYFILE to
              the empty string instructs the server not to use a keyfile when
              loading its certificate.

              If set, overrides the compiled-in verification depth. Default:

              If set, overrides the compiled-in client CA file name for the
              client certificate request.  The client CA file contains the
              list of CAs sent to the client when requesting a client
              certificate.  Note: Setting $CCAFILE is required when using the
              option -z or -m.  However, declaring $CCAFILE="-" disables (on a
              per-connection basis) the client certificate request.

              If set, sslserver requests a valid client certificate on a per-
              connection basis, unlike the general option -z.

       SSL environment variables set:

       In case sslserver is called with the option -e, the following mod_ssl
              Number of cipher bits (possible).

              The mod_ssl program version.

              The OpenSSL program version.

              The version of the client certificate.

              The serial of the client certificate.

              Subject DN in client's certificate.

              Component of client's Subject DN.

              Issuer DN of client's certificate.

              Component of client's Issuer DN.

              Validity of client's certificate (start time).

              Validity of client's certificate (end time).

              Algorithm used for the signature of client's certificate.

              Algorithm used for the public key of client's certificate.

              PEM-encoded client certificate.

              PEM-encoded certificates in client certificate chain.

              NONE, SUCCESS, GENEROUS or FAILED:reason.

              The serial of the server certificate.

              Validity of server's certificate (end time).

              Algorithm used for the signature of server's certificate.

              Algorithm used for the public key of server's certificate.

              PEM-encoded server certificate.

       For $SSL_CLIENT_x_DN_x509 and $SSL_SERVER_x_DN_x509, x509 denotes a
       component of the DN: C, ST, L, O, OU, CN, T, I, G, S, D, UID, Email.
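       The following POSIX sh script is an added example, not part of the
       sslserver man page or of the ucspi-ssl project.  It ties the two
       environment sections together: a launcher that checks the constraints
       on the variables sslserver reads ($CERTFILE/$CERTCHAINFILE readable,
       a non-empty $KEYFILE readable, $CCAFILE required for -z or -m and "-"
       meaning "no client certificate request") before exec'ing sslserver, and
       a per-connection prog that applies an access policy to the variables
       sslserver sets.  The file paths, the example.net domain, the use of
       "0" as the bind host, and the variable name $SSL_CLIENT_S_DN_CN (the
       CN component of the client Subject DN, following mod_ssl naming) are
       assumptions; sslserver is assumed to be on PATH and is only exec'd
       when the script is started with the argument "launch".

```shell
#!/bin/sh
# Added example (not ucspi-ssl code).  Run as "./wrap.sh launch" to start
# sslserver; sslserver then runs "./wrap.sh handle" for every accepted
# connection with the $SSL* environment already populated.

# check_ssl_env OPTS: verify the environment sslserver will read is
# consistent with the options in OPTS (a space-separated string such as
# "-e -z").  Returns 0 if consistent, 1 otherwise (reason on stderr).
check_ssl_env() {
    opts=$1
    # CERTCHAINFILE takes precedence over CERTFILE; whichever is in use must
    # be readable.  Neither set means the compiled-in default is used.
    if [ -n "${CERTCHAINFILE:-}" ]; then
        [ -r "$CERTCHAINFILE" ] || { echo "CERTCHAINFILE unreadable: $CERTCHAINFILE" >&2; return 1; }
    elif [ -n "${CERTFILE:-}" ]; then
        [ -r "$CERTFILE" ] || { echo "CERTFILE unreadable: $CERTFILE" >&2; return 1; }
    fi
    # KEYFILE set to the empty string is legal (no keyfile is loaded);
    # a non-empty KEYFILE must exist.
    if [ "${KEYFILE+set}" = set ] && [ -n "$KEYFILE" ] && [ ! -r "$KEYFILE" ]; then
        echo "KEYFILE unreadable: $KEYFILE" >&2
        return 1
    fi
    # -z and -m require CCAFILE.  CCAFILE="-" is valid but switches the
    # client certificate request off for the connection, so warn about it.
    case " $opts " in
        *" -z "*|*" -m "*)
            if [ -z "${CCAFILE:-}" ]; then
                echo "-z/-m given but CCAFILE is unset" >&2
                return 1
            fi
            if [ "$CCAFILE" = "-" ]; then
                echo "warning: CCAFILE=- disables the client certificate request" >&2
            elif [ ! -r "$CCAFILE" ]; then
                echo "CCAFILE unreadable: $CCAFILE" >&2
                return 1
            fi
            ;;
    esac
    return 0
}

# connection_allowed HOST CN: policy applied by the per-connection prog.
# HOST is $SSLREMOTEHOST (empty under -H, or under -p when the reverse
# lookup did not match the client IP); CN is the client certificate's
# subject CN.  Returns 0 to allow, 1 to deny.
connection_allowed() {
    host=$1
    cn=$2
    # With -p, an unverifiable reverse name clears SSLREMOTEHOST; treat an
    # empty value as untrusted rather than silently allowing it.
    [ -n "$host" ] || return 1
    # Only clients certified under our (assumed) domain are admitted.
    case "$cn" in
        *.example.net) return 0 ;;
        *) return 1 ;;
    esac
}

# launch_sslserver: start sslserver with a client certificate requirement
# (-z), tcpserver-style variables (-e), 100 concurrent connections, a 26 s
# SSL handshake limit and a 3600 s read/write timeout.  "0" binds all local
# addresses (tcpserver convention, assumed here).
launch_sslserver() {
    opts="-e -z -c 100 -T 26 -w 3600"
    check_ssl_env "$opts" || return 1
    # $opts is intentionally word-split into separate arguments.
    exec sslserver $opts 0 443 "$0" handle
}

# handle_connection: the prog body.  fd 0 and fd 1 are connected to the ssl
# child, so anything written here goes to the client over TLS.
handle_connection() {
    if connection_allowed "${SSLREMOTEHOST:-}" "${SSL_CLIENT_S_DN_CN:-}"; then
        printf 'ok %s\r\n' "${SSLLOCALHOST:-}"
    else
        printf 'denied\r\n'
        exit 1
    fi
}

case "${1:-}" in
    launch) launch_sslserver ;;
    handle) handle_connection ;;
esac
```

       Because sslserver's -e copies the $SSL environment into the tcpserver
       names, the same handle_connection body would also work with
       $TCPREMOTEHOST; the check on an empty remote host is what makes the -p
       (paranoid) option actually enforceable at the application layer.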

       Other SSL environment variables set:


       TCP environment variables set:


       TCP6 environment variables set:



       sslclient(1), sslconnect(1), sslcat(1), https@(1), ucspi-tls(2),
       tcprules(1), tcprulescheck(1), tcpserver(1), tcp-environ(5).

