TLS encryption for Client/Server IPv6/IPv4 communication

What is ucspi-ssl?

sslserver, sslclient, and sslhandle are command-line tools for building SSL client-server applications. They conform to the UNIX Client-Server Program Interface, UCSPI.

sslserver listens for IPv6 and/or IPv4 connections, and runs a program for each connection it accepts. The program environment includes variables that hold the local and remote host names, IP addresses, and port numbers. sslserver offers a concurrency limit on acceptance of new connections, and selective handling of connections based on client identity supporting CIDR IP address notation. sslserver supports STARTTLS and STLS.

sslclient requests a connection to either an IPv6 or IPv4 TCP socket, and runs a program. The program environment includes the same variables as for sslserver.



ucspi-ssl 0.9x is a fork of Superscript's ucspi-ssl 0.70 version, including

ucspi-ssl 0.9 provides a high-level programming interface for OpenSSL and LibreSSL which is mandatory to achieve TLS support for

This is facilitated by means of the library ucspissl.a (after compilation; located in ./compile) and the header file ucspissl.h.

How to install ucspi-ssl

ucspi-ssl uses D.J. Bernstein's /package conventions for installation. Typically, it is enough to un-tar the archive under /package, change to host/<version>, and call package/install.
ucspi-ssl is pre-packaged to suit the AMD64 environment.
Depending on your Perl settings, you may rather succeed with package/install base and package/man for the additional man-pages.

Note: The additional Perl module and the available tests package/rts may not succeed on every Unix platform.

Description of the programs

Client and Servers:


In order to build the cdb that controls incoming connections for sslserver, the program tcprules is required, which comes with the ucspi-tcp6 package. Older versions of ucspi-tcp can be used as well, but provide neither IPv4 CIDR nor IPv6 capabilities. The generated cdb, however, is binary compatible among all versions.

General information


Note: These sites may refer to outdated versions of ucspi-ssl.

TLS environment & security

ucspi-ssl's sslserver displays the current cipher settings if the flag -V is provided. Sample of the output using multilog:

sslserver: ok 18850
sslserver: ssl 18849 accept TLSv1.2:ECDHE-RSA-AES128-SHA

Here, ECDHE-RSA-AES128-SHA is the negotiated cipher in use, together with TLS 1.2 as the chosen protocol. Of course, this will only work with the most recent versions of OpenSSL (see below).
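
The following script is an added example, not part of ucspi-ssl. It audits the protocol and cipher recorded in such log lines and flags handshakes that fall below a baseline. It assumes the "ssl <pid> accept <protocol>:<cipher>" line shape shown above; the function names, the sample log, and the verdict rules (TLS 1.2 or later, forward secrecy, AEAD cipher) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of ucspi-ssl): audit what sslserver -V logged.
# Assumed line shape, taken from the sample above:
#   sslserver: ssl <pid> accept <protocol>:<cipher>
# A leading multilog timestamp field is tolerated.

# Constructed sample log; only the first line is taken from the page.
sample_log() {
  cat <<'EOF'
sslserver: ssl 18849 accept TLSv1.2:ECDHE-RSA-AES128-SHA
sslserver: ssl 18851 accept TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384
sslserver: ssl 18853 accept TLSv1:AES128-SHA
sslserver: ssl 18855 accept TLSv1.3:TLS_AES_256_GCM_SHA384
sslserver: status: 1/40
EOF
}

# Reads a log on stdin; prints "<pid> <protocol> <cipher> <verdict>" per handshake.
# The verdict rules are an example policy, not something ucspi-ssl enforces.
audit_ciphers() {
  awk '{
    for (i = 3; i < NF; i++) {
      if ($(i - 2) != "ssl" || $i != "accept") continue
      n = index($(i + 1), ":")
      if (n == 0) next                      # no protocol:cipher pair
      proto = substr($(i + 1), 1, n - 1)
      cipher = substr($(i + 1), n + 1)
      verdict = "ok"
      if (proto !~ /^TLSv1\.[23]$/)
        verdict = "old-protocol"            # SSLv3, TLSv1, TLSv1.1
      else if (proto == "TLSv1.2" && cipher !~ /^(ECDHE|DHE)-/)
        verdict = "no-forward-secrecy"      # e.g. static RSA key exchange
      else if (cipher !~ /GCM|CCM|CHACHA20/)
        verdict = "no-aead"                 # e.g. CBC-mode suite
      print $(i - 1), proto, cipher, verdict
      next
    }
  }'
}

# Reads a log on stdin; prints the number of handshakes with a non-ok verdict.
count_flagged() {
  audit_ciphers | awk '$4 != "ok" { n++ } END { print n + 0 }'
}

sample_log | audit_ciphers
```

Under this policy the cipher from the sample above, ECDHE-RSA-AES128-SHA, is reported as no-aead: it provides forward secrecy but is not an AEAD suite.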

Elliptic Curve Diffie-Hellman

ucspi-ssl supports the following curves from OpenSSL:

You can list the ECC curves your OpenSSL version offers with the following command:

openssl ecparam -list_curves

Unlike DH with the Discrete Logarithm, there is no particular DHPARAM file to generate because the ECC parameters are taken from internal defaults.

Further information about OpenSSL and its usage can be found here:

*SSL dependencies and updates

Since ucspi-ssl depends on either OpenSSL or LibreSSL, it is inherently affected by bugs and flaws in them. Thus, please check for CVEs. In case you need to upgrade the OpenSSL libs, proceed as follows:

Note: Though ucspi-ssl did suffer from the Heartbleed bug in OpenSSL, it is very unlikely that this could have been exploited to obtain security-relevant information. sslserver in particular creates a new address space (containing the vulnerable SSL context) for each new connection and IP. In this sense, sslserver mitigates your risks.

The latest version of ucspi-ssl supports:

Under normal circumstances, ucspi-ssl detects the respective *SSL versions and will compile and work without manual intervention.

Note for MacOS X Users

ucspi-ssl will compile with clang if Xcode is installed. You need to adjust conf-cc. The following include solved the situation under MacOS X 'El Capitan' in my case for conf-cc:

clang -O2 -g -Wall -I /Developer/SDKs/MacOSX10.6.sdk/usr/include

You can add that statement to the conf-cc file prior to compilation.

Continue with:

package/compile base

because MacOS X is missing the environ facility.

Note for Gentoo Users

Gentoo includes a ready-to-use package for ucspi-ssl.

Note for RasPi/Raspbian Linux

ucspi-ssl supports Raspbian Linux and the ARM architecture out of the box.

Within the src directory of ucspi-ssl use

sh ./

to display the given SW and HW architecture. Taking some compiler flags from the gcc ARM options, you can fine-tune settings for your ARM system within conf-cc and conf-ld.

As with most Linux systems, you need to install the OpenSSL development environment. On a standard Debian system (like Raspbian) you succeed with the following:

apt-get update
apt-get install libssl-dev

Enjoy the ucspi-ssl package!