ref: 47ec5de29e56c4cf223e0582b930b88ca2a589ee
dir: /sys/man/3/ssl/
.TH SSL 3 .SH NAME ssl \- SSL record layer .SH SYNOPSIS .nf .B bind -a #D /net .B /net/ssl/clone .BI /net/ssl/ n .BI /net/ssl/ n /ctl .BI /net/ssl/ n /data .BI /net/ssl/ n /encalgs .BI /net/ssl/ n /hashalgs .BI /net/ssl/ n /secretin .BI /net/ssl/ n /secretout .fi .SH DESCRIPTION The SSL device provides the interface to the Secure Socket Layer device implementing the record layer protocol of SSLv2 (but not the handshake protocol, which is responsible for mutual authentication and key exchange.) The .I ssl device can be thought of as a filter providing optional encryption and anti-tampering. .PP The top level directory contains a .B clone file and subdirectories numbered from zero to the number of connections configured. Opening the .B clone file reserves a connection. The file descriptor returned from the .IR open (2) will point to the control file, .BR ctl , of the newly allocated connection. Reading the .B ctl file returns a text string representing the number of the connection. .PP A connection is controlled by writing text strings to the associated .B ctl file. After a connection has been established data may be read from and written to the data file. .PP The SSL protocol provides a stream connection that preserves .BR read / write boundaries. As long as reads always specify buffers that are of equal or greater lengths than the writes at the other end of the connection, one write will correspond to one read. .PP Options are set by writing control messages to the .B ctl file of the connection. .PP The following control messages are supported: .TP .BI fd \ open-file-descriptor Run the SSL protocol over the existing file descriptor. .TP .BI alg \ cryptoalgs Connections start in .B alg clear which means no encryption or digesting. Writing .B alg sha to the control file turns on SHA-1 digest authentication for the data channel. Similarly, writing .B alg rc4_128 enables encryption. Both can be turned on at once by .BR "alg sha rc4_128" . The digest mode .B sha may be replaced by .BR md5 . The encryption mode .B rc4_128 may be replaced by .BR rc4_40 , .BR rc4_128 , .BR rc4_256 , .BR des_40_ecb , .BR des_40_cbc , .BR des_56_ecb , and .BR des_56_cbc . The mode may be changed at any time during the connection. .TP .BI secretin \ base64-secret The secret for decrypting and authenticating incoming messages can be specified either as a base64 encoded string by writing to the control file, or as a binary byte string using the interface below. .TP .BI secretout \ base64-secret The secret for encrypting and hashing outgoing messages can be specified either as a base64 encoded string by writing to the control file, or as a binary byte string using the interface below. .PP Before enabling digesting or encryption, shared secrets must be agreed upon with the remote side, one for each direction of transmission, and loaded as shown above or by writing to the files .I secretin and .IR secretout . If either the incoming or outgoing secret is not specified, the other secret is assumed to work for both directions. .PP The encryption and hash algoritms actually included in the kernel may be smaller than the set presented here. Reading .I encalgs and .I hashalgs will give the actual space-separated list of algorithms implemented. .SH "SEE ALSO" .IR listen (8), .IR dial (2) .SH SOURCE .B /sys/src/9/port/devssl.c .SH BUGS Messages longer than 4096 bytes are truncated.