.\" -- vax? headers
.\" .TH NAME CHAPTER "Origin" "Public Domain"
.\" .DA dd month yyyy
.\" -- sun choices (4th & 5th args are optional)
.\" .TH NAME CHAPTER "Month dd yyyy" "Origin"
.\" .TH NAME CHAPTER "Month dd yyyy" "Origin" "Type"
.TH SST 1 "March 22 2000"
.SH SST
sst \- simple SSL tunnel
.SH SYNOPSIS
.B sst
[-cdeilsv] [-p\ [host':']port] [-t\ timeout]
[-C\ SSL_cert] [-K\ priv_key] [-D\ SSL_dir] [-M\ SSL_method]
[--\ {auxiliary command}]
.SH DESCRIPTION
.B Sst
can be used to connect to SSL-encrypted network services
or it can be used as an SSL front-end to network servers.
.B Sst
can be used interactively, 
or in an inetd setting,
or it can be embedded inside other programs (eg. Amanda).

.PP
One of the main goals of
.B sst
is to be as basic as possible
so in most non-embedded cases
.B sst
uses
.B netcat
to setup the networking I/O.
.B Sst
uses a
.I socketpair(2)
pipe to stay in contact with its
.B netcat
child process.
In this way
.B sst
has only to concern itself with file descriptors.

.PP
In the embedded mode
.B sst
expects the parent program to handle the actual networking I/O
and to provide the appropriate file descriptors.
In embedded client mode ("-c"),
clear data is read from (or written to) stdin (fildes 0)
and SSL-encrypted data is read from (or written to) stdout (fildes 1).
In embedded server mode ("-s"),
SSL-encrypted data is read from (or written to) stdin 
and clear data read from (or written to) stdout.

.SH OPTIONS

.IP -v
Be verbose.  Display operational messages.

.IP -d
Display debugging messages.  This option implies "-v".
This option can be repeated to increase the amount of detail.

.IP -l
Use 
.I syslog(3)
instead of printing to stderr (fildes 2)
for output resulting from the
verbose ("-v") or debugging ("-d") options.

.IP -c
Client mode (default).
Input read from stdin is SSL-encrypted
and then sent to the remote server.
Data received from the remote server is decrypted
and then printed to stdout.

.IP -e
Shutdown the SSL connection after EOF from the client side.
otherwise
.B sst
expects the server side to be the first to shut down
the SSL connection.  Only useful in client mode ("-c").

.IP "-p [host':']port"
Open a TCP connection to
.I port
on
.I host
If the
.I host
part is not specified, then 127.0.0.1 (ie. localhost) is used.
This option causes a
.B netcat
process to be launched to handle the raw network I/O.

.IP "-t timeout"
Set the maximum number of seconds to wait for
input from either the local or the remote side.
The default is no timeout (ie. wait forever).

.IP -s
Set server mode.
Check that both the SSL certificate and the SSL private key exist
and check that they are both in order.
Input from the remote client is decrypted and printed to stdout.
Input from stdin is SSL-encrypted and sent to the remote client.

.IP -i
Set inetd mode.
This option imples "-l".
This option also implies "-s"
except that both stdin and stdout
are connected with the remote client.
In this mode,
.B sst 
can act as a forwarder (
.B sst
relays the decrypted data to the local server via a TCP connection)
or as a wrapper (
.B sst
launches the local server as a child process - ie. like TCP wrappers).
Note that in this mode,
if the inetd service is run under a non-root userid
then that userid should have read access to
the SSL certificate and private key file(s).

.IP "-D SSL_dir"
Search an alternate directory for SSL files.
The default directory is /local/lib/openssl/.
.IP "-C SSL_cert"
Use an alternate SSL certificate file.
The default path is [SSL_dir]/cert/sst.pem.
.IP "-K SSL_priv_key"
Use an alternate SSL private key file.
The default path is [SSL_dir]/[SSL_cert].

.IP "-M SSL_method"
Use a specific SSL method.
The SSL methods currently supported are "ssl2", "ssl3" or "tls1".
The default SSL method is ssl23 (ie. start with ssl3 but fall back
to ssl2).  This option is useful when the client is only able to use 
a specific method (eg. when using netscape to access email via IMAP
over SSL, netscape seems to want SSLv2).

.IP "-- aux_prog aux_arg1 aux_arg2 ..."
Launch an auxiliary command to be used instead of the default
.B netcat.
The "--" prevents
.I getopt(3)
from processing any further command-line arguments.
The remaining command-line arguments make up
the auxiliary command which is to be launched by
.B sst
as a child process (this feature uses
.I execvp(3)
so
.I aux_prog
does not have to be a full pathname if the auxiliary
program can be expected to be in the user's PATH).
For example, the following two usages are identical
in that they both result in the launch of a netcat child
process to make a TCP connection to "hostname" on "port":
.RS
	sst -p hostname:port
.RE
.RS
	sst -- nc hostname port
.RE

.PP
The only options of any significance for the embedded
mode are "-e", "-s" and the SSL-specific options.
Since the parent process is expected to
provide the file descriptors for an embedded
.B sst,
the only things which matter are strictly SSL-related
(ie. which fildes should be encrypted, which side is expected
to provide certification, and which side will be expected to
shutdown the connection).

.SH EXAMPLES
.IP "sst -p mainbox:993"
Interactively connect to host "mainbox" on port 993 (IMAP over SSL).
.IP "sst -s -p 1789"
Interactively start a standalone server on port 1789
(this is really only useful for debugging).
.IP "sst -p 1789"
Interactively connect to the standalone server in the preceding example.
.IP "sst -- nc 127.0.0.1 1789"
Same as the preceding example but demonstrating the auxiliary feature
.IP "sst -e -p 1789"
Same as the two preceding examples
but the connection closes on EOF from the client
instead of on EOF from the server.
.IP "simap\ stream\ tcp\ nowait\ nobody\ /local/bin/sst\ sst\ -i\ -M\ ssl2\ -p\ 143"
An example inetd.conf entry to provide SSL-encrypted access
to the local IMAP server.
This is an example of forwarding.
In this case
.B sst
acts as an SSL front-end to the localhost's IMAP2 server.
Here, 
.B sst
will process the SSL-encrypted stream (inherited from inetd)
and it will launch a
.B netcat
child process to do the TCP connection to the localhost's IMAP2 port.
Here, to accomodate netscape clients the SSL method is set at ssl2.

.IP "sqotd\ stream\ tcp\ nowait\ nobody\ /local/bin/sst\ sst\ -i\ --\ /usr/games/fortune\ -l"
An example inetd.conf entry to provide some SSL-encrypted random text.
This is an example of wrapping.
In this case
.B sst
launches the server/service (ie. "/usr/games/fortune\ -l")
as a child process and communicates with that child by way of a
.I socketpair(2)
pipe.

.SH FILES
.IP /local/lib/openssl/
default location for SSL files.
.IP /local/lib/openssl/certs/sst.pem
default SSL certificate file.
.IP /local/lib/openssl/certs/sst.pem
default SSL private key file.

.SH SEE ALSO
socketpair(2), exec(3), getopt(3), syslog(3)
.IP OpenSSL
http://www.openssl.org/
.IP "Netcat (nc)"
There's no man page for
.B netcat.
Run "nc\ -h" to display its usage summary.
.IP "SSL encryption for Amanda"
http://utcc.utoronto.ca/~pkern/stuff/amanda-patch


.\" .SH DIAGNOSTICS
.\" This section appears ONLY if there is something unobvious and important about
.\" the diagnostics or the general behavior in case of error.

.SH HISTORY
.PP
Written by P Kern <pkern@utcc.utoronto.ca>
to try to provide a generic way for Amanda to encrypt backup images
(to prevent disk backups from traversing networks in the clear).
.PP
.B Sst
was written after pondering sslwrap
[ written by Rick Kaseguma, http://www.rickk.com/sslwrap ]
and especially stunnel
[written by Michal Trojnara <Michal.Trojnara@centertel.pl>,
http://mike.daewoo.com.pl/computer/stunnel ]

.SH BUGS
Most of the command-line options don't apply in the cases where 
.B sst
is embedded. If those options are used in an embedded situation then
they'll probably result in the parent processes hanging or becoming
severely confused.
.PP
This man page should probably be rewritten for clarity.