| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124 |
- .TH SSL 3
- .SH NAME
- ssl \- SSL record layer
- .SH SYNOPSIS
- .nf
- .B bind -a #D /net
- .B /net/ssl/clone
- .BI /net/ssl/ n
- .BI /net/ssl/ n /ctl
- .BI /net/ssl/ n /data
- .BI /net/ssl/ n /encalgs
- .BI /net/ssl/ n /hashalgs
- .BI /net/ssl/ n /secretin
- .BI /net/ssl/ n /secretout
- .fi
- .SH DESCRIPTION
- The SSL device provides the interface to the Secure Socket Layer
- device implementing the record layer protocol of SSLv2
- (but not the handshake protocol, which is responsible for
- mutual authentication and key exchange.)
- The
- .I ssl
- device can be thought of as a filter providing optional encryption
- and anti-tampering.
- .PP
- The top level directory contains a
- .B clone
- file and subdirectories numbered from zero to the number of connections
- configured.
- Opening the
- .B clone
- file reserves a connection. The file descriptor returned from the
- .IR open (2)
- will point to the control file,
- .BR ctl ,
- of the newly allocated connection. Reading the
- .B ctl
- file returns a text
- string representing the number of the
- connection.
- .PP
- A connection is controlled by writing text strings to the associated
- .B ctl
- file. After a connection has been established data may be read from
- and written to the data file.
- .PP
- The SSL protocol provides a stream connection that preserves
- .BR read / write
- boundaries. As long as reads always specify buffers that are
- of equal or greater lengths than the writes at the other end of the
- connection, one write will correspond to one read.
- .PP
- Options are set by writing control messages to the
- .B ctl
- file of the connection.
- .PP
- The following control messages are supported:
- .TP
- .BI fd \ open-file-descriptor
- Run the SSL protocol over the existing file descriptor.
- .TP
- .BI alg \ cryptoalgs
- Connections start in
- .B alg clear
- which means no encryption or digesting.
- Writing
- .B alg sha
- to the control file turns on SHA-1 digest authentication
- for the data channel.
- Similarly, writing
- .B alg rc4_128
- enables encryption.
- Both can be turned on at once by
- .BR "alg sha rc4_128" .
- The digest mode
- .B sha
- may be replaced by
- .BR md5 .
- The encryption mode
- .B rc4_128
- may be replaced by
- .BR rc4_40 ,
- .BR rc4_128 ,
- .BR rc4_256 ,
- .BR des_40_ecb ,
- .BR des_40_cbc ,
- .BR des_56_ecb ,
- and
- .BR des_56_cbc .
- The mode may be changed at any time during the connection.
- .TP
- .BI secretin \ base64-secret
- The secret for decrypting and authenticating incoming messages
- can be specified either as a base64 encoded string by writing to the
- control file, or as a binary byte string using the interface below.
- .TP
- .BI secretout \ base64-secret
- The secret for encrypting and hashing outgoing messages
- can be specified either as a base64 encoded string by writing to the
- control file, or as a binary byte string using the interface below.
- .PP
- Before enabling digesting or encryption, shared secrets must be agreed upon with
- the remote side, one for each direction of transmission,
- and loaded as shown above or by writing to the files
- .I secretin
- and
- .IR secretout .
- If either the incoming or outgoing secret is not specified, the other secret
- is assumed to work for both directions.
- .PP
- The encryption and hash algoritms actually included in the kernel
- may be smaller than the set presented here. Reading
- .I encalgs
- and
- .I hashalgs
- will give the actual space-separated list of algorithms implemented.
- .SH "SEE ALSO"
- .IR listen (8),
- .IR dial (2)
- .SH SOURCE
- .B /sys/src/9/port/devssl.c
- .SH BUGS
- Messages longer than 4096 bytes are truncated.
|
