The minssld program
minssld, together with minssl, turns a cleartext communication channel into an
encrypted one.
minssld is the server-side program.
minssld is a UCSPI
server proxy application: it runs as a UCSPI server application
and execs into another UCSPI server application.
Interface
minssld prog...
- minssld speaks with the network on file descriptors
0 (for reading) and 1 (for writing).
- It looks for a private host key file name in the
MINSSL_PRIVKEYFILE environment variable. If the variable is not
set, or the file does not contain a
valid private key, minssld
complains and exits.
- minssld looks for a public host key file name in the
MINSSL_PUBKEYFILE environment variable. If the variable is not set,
minssld recomputes the public key from the private key.
- It generates a random private session key and makes a public session
key from it.
- It sets the MINSSLLOCALHOSTPUBKEY environment variable to the
public host key and the MINSSLLOCALSESSIONPUBKEY environment variable
to the public session key.
- It performs a Diffie-Hellman exchange with the client to compute
a shared secret.
- It sets the MINSSLREMOTESESSIONKEY environment variable to
the client public session key.
- minssld spawns a prog... child.
- minssld execs into
minssl-tunnel, which takes care of the
network connection. If the MINSSL_TIMEOUT environment variable is set,
minssld passes its value to minssl-tunnel as timeout.
If minssld runs as root, it tries to drop its privileges before
executing minssl-tunnel. The user it runs as is set at compile-time:
it is MINSSL_TUNNEL_USER in src/tunnel/minssl.h.
- What prog writes on its stdout is fed to
minssl-tunnel, which turns it into ciphertext and writes
it to the network. What arrives from the network is read by
minssl-tunnel, which deciphers it and feeds it to
prog on its stdin.
The details of data exchange between minssl and
minssld are described in the
protocol description.
Common use
minssld does not contact the network itself. It is designed
to be run under some UCSPI server such as
tcpserver.
For instance, the command line
tcpserver host port minssld prog...
listens on host:port for "tcpclient minssl"
connections. The minsslserver
program is an easy way of combining tcpserver with minssld.
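As an added illustration (not part of the minssl package), here is a POSIX sh run script that wires the Interface section's environment variables into the tcpserver command line from Common use. Before starting, it refuses to run if the MINSSL_PRIVKEYFILE host key is missing or readable by group/others, a check minssld itself does not make. The key paths and service name are hypothetical placeholders.

```shell
#!/bin/sh
# Run script for a minssld service (added example, not minssl's own code).
# Assumptions: key files under /etc/minssl (hypothetical path), the real
# service is /usr/local/bin/myservice (hypothetical), and tcpserver and
# minssld are on PATH.

# check_privkey FILE: return 0 only if the private host key exists, is
# non-empty, and is readable by its owner alone. minssld only checks that
# the file holds a valid key; the permission check is an extra precaution.
check_privkey() {
  f="$1"
  [ -s "$f" ] || { echo "minssld: no private key at $f" >&2; return 1; }
  # Octal mode: 'stat -c' is GNU, 'stat -f' is the BSD/macOS fallback.
  perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
  case "$perm" in
    600|400) return 0 ;;
    *) echo "minssld: $f has mode $perm, expected 600 or 400" >&2; return 1 ;;
  esac
}

# run_minssld_service HOST PORT PRIVKEY PUBKEY TIMEOUT PROG...
# Exports the variables minssld reads (MINSSL_PRIVKEYFILE, MINSSL_PUBKEYFILE,
# MINSSL_TIMEOUT) and execs the "tcpserver host port minssld prog..." chain.
# MINSSL_TIMEOUT is handed on by minssld to minssl-tunnel as its timeout.
run_minssld_service() {
  host="$1"; port="$2"; privkey="$3"; pubkey="$4"; timeout="$5"; shift 5
  check_privkey "$privkey" || return 1
  MINSSL_PRIVKEYFILE="$privkey" MINSSL_PUBKEYFILE="$pubkey" \
  MINSSL_TIMEOUT="$timeout" \
    exec tcpserver "$host" "$port" minssld "$@"
}

# Typical invocation (hypothetical paths):
# run_minssld_service 0.0.0.0 4433 /etc/minssl/host.priv /etc/minssl/host.pub \
#   300 /usr/local/bin/myservice
```

Omitting the MINSSL_PUBKEYFILE assignment is also fine: minssld then recomputes the public host key from the private one.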