ssl 3.3 KB

.TH SSL 3
.SH NAME
ssl \- SSL record layer
.SH SYNOPSIS
.nf
.B bind -a #D /net
.B /net/ssl/clone
.BI /net/ssl/ n
.BI /net/ssl/ n /ctl
.BI /net/ssl/ n /data
.BI /net/ssl/ n /encalgs
.BI /net/ssl/ n /hashalgs
.BI /net/ssl/ n /secretin
.BI /net/ssl/ n /secretout
.fi
.SH DESCRIPTION
The SSL device implements the record layer protocol of the
Secure Socket Layer, version 2 (SSLv2),
but not the handshake protocol, which is responsible for
mutual authentication and key exchange.
The
.I ssl
device can therefore be thought of as a filter providing optional encryption
and anti-tampering; the secrets it uses must be agreed upon
by some other means.
.PP
The top level directory contains a
.B clone
file and subdirectories numbered from zero up to the number of connections
configured.
Opening the
.B clone
file reserves a connection. The file descriptor returned from the
.IR open (2)
will point to the control file,
.BR ctl ,
of the newly allocated connection. Reading the
.B ctl
file returns a text
string representing the number of the
connection.
.PP
A connection is controlled by writing text strings to the associated
.B ctl
file. After a connection has been established, data may be read from
and written to the
.B data
file.
.PP
The SSL protocol provides a stream connection that preserves
.BR read / write
boundaries: as long as each read specifies a buffer
at least as long as the corresponding write at the other end of the
connection, one write corresponds to one read.
.PP
Options are set by writing control messages to the
.B ctl
file of the connection.
The following control messages are supported:
.TP
.BI fd \ open-file-descriptor
Run the SSL protocol over the existing file descriptor.
.TP
.BI alg \ cryptoalgs
Connections start in
.BR "alg clear" ,
which means no encryption or digesting.
Writing
.B alg sha
to the control file turns on SHA-1 digest authentication
for the data channel.
Similarly, writing
.B alg rc4_128
enables encryption.
Both can be turned on at once by
.BR "alg sha rc4_128" .
The digest mode
.B sha
may be replaced by
.BR md5 .
The encryption mode
.B rc4_128
may be replaced by
.BR rc4_40 ,
.BR rc4_128 ,
.BR rc4_256 ,
.BR des_40_ecb ,
.BR des_40_cbc ,
.BR des_56_ecb ,
and
.BR des_56_cbc .
The mode may be changed at any time during the connection.
.TP
.BI secretin \ base64-secret
The secret for decrypting and authenticating incoming messages
can be specified either as a base64 encoded string by writing to the
control file, or as a binary byte string by writing to the
.I secretin
file described below.
.TP
.BI secretout \ base64-secret
The secret for encrypting and hashing outgoing messages
can be specified either as a base64 encoded string by writing to the
control file, or as a binary byte string by writing to the
.I secretout
file described below.
.PP
Before enabling digesting or encryption, shared secrets must be agreed upon with
the remote side, one for each direction of transmission,
and loaded as shown above or by writing to the files
.I secretin
and
.IR secretout .
If either the incoming or outgoing secret is not specified, the other secret
is assumed to work for both directions.
.PP
The encryption and hash algorithms actually included in the kernel
may be fewer than the set presented here. Reading
.I encalgs
and
.I hashalgs
will give the actual space-separated list of algorithms implemented.
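.SH EXAMPLE
The following program is added here as an illustration; it is not part of
this manual page or of
.BR devssl.c .
It carries out the sequence described above from C using the POSIX calls
(as under Plan 9's APE):
reserve a connection through
.BR clone ,
hand it an existing file descriptor with
.BR fd ,
load base64-encoded secrets with
.B secretin
and
.BR secretout ,
and only then switch the algorithm on with
.BR alg .
The names
.BR b64enc ,
.BR secretmsg ,
.BR ctl ,
.B sslpush
and the limits
.B SSLDIR
and
.B MAXSECRET
are this example's own choices, not the device's.
Plan 9's libc provides
.IR pushssl (2),
which wraps the same sequence.

```c
/*
 * sslpush.c: attach the ssl(3) record layer to a connected file descriptor.
 * Added example, not code from the manual page or from devssl.c.
 * SSLDIR, MAXSECRET and the function names are this example's own choices.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SSLDIR    "/net/ssl"	/* after: bind -a '#D' /net */
#define MAXSECRET 96		/* assumed bound for this example only */

/* Base64-encode n bytes of src into dst (dst needs 4*((n+2)/3)+1 bytes);
 * the ctl file takes secrets in this form.  Returns characters written. */
size_t
b64enc(char *dst, const unsigned char *src, size_t n)
{
	static const char tbl[] =
	    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	size_t i = 0, o = 0;
	unsigned v;

	for(; i + 3 <= n; i += 3){
		v = src[i] << 16 | src[i+1] << 8 | src[i+2];
		dst[o++] = tbl[v >> 18 & 63];
		dst[o++] = tbl[v >> 12 & 63];
		dst[o++] = tbl[v >> 6 & 63];
		dst[o++] = tbl[v & 63];
	}
	if(i < n){	/* one or two bytes left: pad with '=' */
		v = src[i] << 16 | (i + 1 < n ? src[i+1] << 8 : 0);
		dst[o++] = tbl[v >> 18 & 63];
		dst[o++] = tbl[v >> 12 & 63];
		dst[o++] = i + 1 < n ? tbl[v >> 6 & 63] : '=';
		dst[o++] = '=';
	}
	dst[o] = '\0';
	return o;
}

/* Build "secretin <base64>" (incoming != 0) or "secretout <base64>" in a
 * static buffer; NULL if the secret is longer than MAXSECRET. */
const char *
secretmsg(int incoming, const unsigned char *secret, size_t n)
{
	static char msg[12 + 4 * ((MAXSECRET + 2) / 3) + 1];
	int k;

	if(n > MAXSECRET)
		return NULL;
	k = sprintf(msg, "%s ", incoming ? "secretin" : "secretout");
	b64enc(msg + k, secret, n);
	return msg;
}

/* One control message per write(2). */
static int
ctl(int cfd, const char *msg)
{
	size_t n = strlen(msg);
	return write(cfd, msg, n) == (ssize_t)n ? 0 : -1;
}

/* Reserve a connection via clone, hand it fd, load the secrets, switch the
 * algorithm on and return the data fd (the ctl fd is left in *cfdp).
 * secout may be NULL: the device then uses secin for both directions. */
int
sslpush(int fd, const char *alg, const unsigned char *secin, size_t inlen,
	const unsigned char *secout, size_t outlen, int *cfdp)
{
	char buf[64], path[64];
	const char *m;
	int cfd, dfd;
	ssize_t n;

	if((cfd = open(SSLDIR "/clone", O_RDWR)) < 0)
		return -1;
	if((n = read(cfd, buf, sizeof buf - 1)) <= 0)	/* connection number */
		goto fail;
	buf[n] = '\0';
	snprintf(path, sizeof path, SSLDIR "/%d/data", atoi(buf));
	snprintf(buf, sizeof buf, "fd %d", fd);
	if(ctl(cfd, buf) < 0)
		goto fail;
	/* secrets must be in place before "alg" turns encryption on */
	if((m = secretmsg(1, secin, inlen)) == NULL || ctl(cfd, m) < 0)
		goto fail;
	if(secout != NULL &&
	   ((m = secretmsg(0, secout, outlen)) == NULL || ctl(cfd, m) < 0))
		goto fail;
	snprintf(buf, sizeof buf, "alg %s", alg);
	if(ctl(cfd, buf) < 0)
		goto fail;
	if((dfd = open(path, O_RDWR)) < 0)
		goto fail;
	*cfdp = cfd;
	return dfd;
fail:
	close(cfd);
	return -1;
}
```

A caller passes the descriptor obtained from
.IR dial (2)
or
.IR listen (8),
for example
.B "sslpush(fd, \(dqsha rc4_128\(dq, kin, 16, kout, 16, &cfd)"
with distinct 16-byte secrets for the two directions,
and thereafter reads and writes the returned data descriptor,
keeping each write to at most 4096 bytes (see BUGS).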
.SH "SEE ALSO"
.IR dial (2),
.IR listen (8)
.SH SOURCE
.B /sys/src/9/port/devssl.c
.SH BUGS
Messages longer than 4096 bytes are truncated.
.PP
RC4 and single DES, and their 40-bit variants in particular, are
obsolete ciphers and provide no meaningful confidentiality
against a modern adversary.
.PP
The secret is used as the cipher key, so relying on one secret
for both directions under RC4 encrypts both directions with the same
keystream; load a distinct secret in each direction.