Diffstat (limited to 'man/sslclient.1')
-rw-r--r--  man/sslclient.1  254
1 files changed, 254 insertions, 0 deletions
diff --git a/man/sslclient.1 b/man/sslclient.1 new file mode 100644 index 0000000..7ef0041 --- /dev/null +++ b/man/sslclient.1 
@@ -0,0 +1,254 @@ +.TH sslclient 1 +.SH NAME +sslclient \- setup a TLS client connection +.SH SYNOPSIS +.B sslclient +[ +.I opts +] +.I host +.I port +.I prog +.SH DESCRIPTION +.I opts +is a series of getopt-style options, +.I host +is a host name for the client to connect to, and +.I prog +is one or more arguments specifying a program to run +for each successful connection. + +.B sslclient +attempts to connect to a TCP server at +.I host +.IR port . +The server's address is given by +.I host +and +.IR port . +.I host +may be +.IR 0 , +which is identical to +.IR 127.0.0.1 , +or +.IR ::1 +referring to the IPv6 loopback address, +a compactified IPv6 address, +a dotted-decimal IPv4 address, +or a host name. +If a host name is given, +.B sslclient +facilitates a DNS lookup and tries each address in turn. + +If the connection succeeds, +.B sslclient +runs +.IR prog , +with file descriptors 6 and 7 reading from and +writing to a child process ssl. +The ssl process attempts an SSL connect via the network. +If it succeeds, it translates data between +.I prog +and the network, performing any necessary SSL encoding and decoding. + +Before running +.I prog, +.B sslclient +sets certain environment variables. +.SH OPTIONS +.B General Options: +.TP +.B \-q +Quiet. Do not print error messages. +.TP +.B \-Q +(Default.) Print error messages. +.TP +.B \-v +Verbose. Print error messages and status messages. +.P +.B Connection options: +.TP +.B \-4 +Use IPv4 sockets for connections and DNS queries. +.TP +.B \-6 +Force IPv6 mode for connections and set up in UCSPI environment variables. +.TP +.B \-T \fIx+y +Give up on the connection attempt or SSL connection attempt after +.I x+y +seconds. The default value is: 2+58. When a +.I host +has several IP addresses, +.B sslclient +tries to connect to the first IP address, waits +.I x +seconds, tries to connect to the second IP address, waits +- Ix +seconds, etc.; then it retries each address that timed out, waiting +.I y +seconds per address. 
You may omit +.I +y +to skip the second try. +.TP +.B \-i \fIlocalip +Use +.I localip +as the IP address for the local side of the connection; quit if +.I localip +is not available. Normally +.B sslclient +lets the operating system choose an address. +.TP +.B \-p \fIlocalport +Use +.I localport +as the TCP port for the local side of the connection; quit if +.I localport +is not available. Normally +.B sslclient +lets the operating system choose a port. +.TP +.B \-d +Delay sending data for a fraction of a second whenever +the remote host is responding slowly. +This is currently the default, but it may not be in the future; +if you want it, set it explicitly. +.TP +.B \-D +Never delay sending data; enable TCP_NODELAY. +.TP +.B \-I \fIifname +Use +.I ifname +as the local network interface. This is only defined for IPv6 sockets +and needed if you use link-local IPv6 addresses. +.TP +.B \-M +(Default.) No Server Name Indications are present. +.TP +.B \-m +Employ Server Name Indication (SNI) for +the given +.I hostname +in the Client Helo. + +\fINote\fR: You can use \fIDNSCACHEIP\fR to set the DNS resolver IP dynamically. + +.P +.B X509 certificate handling: +.TP +.B \-3 +Read a null-terminated +.I key password +from file descriptor 3. +.TP +.B \-a \fIcafile +Override the compiled-in CA file name. +The CA file contains the list of CAs used to verify the server certificate. +.TP +.B \-A \fIcadir +Override the compiled-in CA directory name. +The CA directory contains certificates files used +to verify the client certificate. This list augments the list from +.I \-a \fIcafile. +.TP +.B \-c \fIcertfile +Use the client certificate in +.IR certfile . +.TP +.B \-k \fIkeyfile +Use the client certificate key in +.IR keyfile . +.TP +.B \-V \fIverifydepth +Verify the server certificate chain to depth +.IR verifydepth . +The default value is 1. +.TP +.B \-z \fIciphers +Use the cipher list specified in +.IR ciphers . +.TP +.B \-x +(Default.) Verify the server certificate. 
+.TP +.B \-X +Do not verify the server certificate. +.TP +.B \-n +(Default.) Verify that the server host name matches +the FQDN provided in the certificate. +.TP +.B \-N +Do not verify that the server host name matches +the FQDN provided in the certificate. +.P +.B Data-gathering options: +.TP +.B \-h +(Default.) Look up the remote host name in DNS +to set the environment variable $SSLREMOTEHOST. +.TP +.B \-H +Do not look up the remote host name in DNS; +remove the environment variable $SSLREMOTEHOST. +.TP +.B \-l \fIlocalname +Do not look up the local host name in DNS; use +.I localname +for the environment variable $SSLLOCALHOST. +A common choice for +.I localname +is +.I 0 +or +.IR :: . +.TP +.B \-r +Attempt to obtain $SSLREMOTEINFO from the remote host. +.TP +.B \-R +(Default.) Do not attempt to obtain $SSLREMOTEINFO from the remote host. +.TP +.B \-t \fIn +Give up on the $SSLREMOTEINFO connection attempt after +.I n +seconds. The default value is: 26. +.TP +.B \-w \fIn +Give up on a connection or program after waiting +.I n +seconds for read or write. The default value is: 3600. +.TP +.B \-s +Store client and server certificate information in the environment, a la mod_ssl. +.TP +.B \-S +(Default.) Do not store client and server certificate information in the environment. +.TP +.B \-e +Set protocol environment a la +.BR tcpserver . +Set $PROTO, $TCPLOCALIP, $TCPLOCALPORT, $TCPLOCALHOST, $TCPREMOTEIP, +$TCPREMOTEPORT, $TCPREMOTEHOST, and $TCPREMOTEINFO +from the corresponding $SSL variables. +.TP +.B \-E +(Default.) Do not set any +.B tcpserver +environment variables. +.SH SEE ALSO +sslserver(1), +sslhandle(1), +sslconnect(1), +sslcat(1), +https@(1), +ucspi-tls(2), +tcpclient(1), +tcpserver(1), +tcp-environ(5). +.SH REFERENCE +http://httpd.apache.org/docs/2.4/mod/mod_ssl.html |
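Review bot: In the \-T description the address-retry sentence contains a broken roff request, "- Ix" where the surrounding text uses ".I x"; as written, troff will emit the literal text "- Ix" instead of an italic x, so this line should read ".I x" like the one three lines above it. Two more documentation points in the same hunk: the \-A \fIcadir\fR entry says the CA directory holds certificates "used to verify the client certificate", while the preceding \-a \fIcafile\fR entry (and the rest of this client-side page) talks about verifying the server certificate; if cadir really augments the CA list used for server verification, this should say "server certificate", otherwise the difference deserves an explicit sentence, since it determines which side's chain the operator is configuring. The \-m entry refers to the "Client Helo"; the TLS message is the Client Hello. Finally, a roff style point: "Before running .I prog, .B sslclient" italicises the comma along with prog, so use the ".IR prog ," form already used elsewhere in this file, and the sentence "The server's address is given by host and port." merely repeats the sentence before it and can be dropped.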