sslclient
Section: User Commands (1)
NAME
sslclient - setup a TLS client connection
SYNOPSIS
sslclient [ opts ] host port prog
DESCRIPTION
opts is a series of getopt-style options, host is a host name for the client to connect to, and prog is one or more arguments specifying a program to run for each successful connection.

sslclient attempts to connect to a TCP server at host port.

The server's address is given by host and port. host may be 0, which is identical to 127.0.0.1, or ::1 referring to the IPv6 loopback address, a compressed IPv6 address, a dotted-decimal IPv4 address, or a host name. If a host name is given, sslclient performs a DNS lookup and tries each address in turn.

If the connection succeeds, sslclient runs prog, with file descriptors 6 and 7 reading from and writing to a child process ssl. The ssl process attempts an SSL connect via the network. If it succeeds, it translates data between prog and the network, performing any necessary SSL encoding and decoding.

Before running prog, sslclient sets certain environment variables.
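A minimal prog for the descriptor convention described above, as an added example that is not part of the ucspi-ssl distribution: it writes a request to descriptor 7 and reads the decrypted reply from descriptor 6. The function names, the file name prog.py, the host example.org and the HTTP request are assumptions chosen for illustration.

```python
import os

def send_all(fd, data):
    """os.write may accept fewer bytes than offered; loop until all are sent."""
    view = memoryview(data)
    while len(view):
        view = view[os.write(fd, view):]

def read_reply(fd, limit=1 << 20):
    """Read until the ssl child closes its end, capped at `limit` bytes."""
    chunks, total = [], 0
    while total < limit:
        chunk = os.read(fd, min(65536, limit - total))
        if not chunk:  # EOF: the ssl child closed the pipe
            break
        chunks.append(chunk)
        total += len(chunk)
    return b"".join(chunks)

def exchange(request, rfd=6, wfd=7):
    """Under sslclient, fd 7 writes to and fd 6 reads from the ssl child."""
    send_all(wfd, request)
    return read_reply(rfd)

if __name__ == "__main__":
    # Assumed invocation: sslclient -m example.org 443 python3 prog.py
    # $SSLREMOTEHOST is set by sslclient unless -H is given.
    peer = os.environ.get("SSLREMOTEHOST", "(not set)")
    reply = exchange(b"HEAD / HTTP/1.0\r\n\r\n")
    os.write(2, ("remote host: %s\n" % peer).encode())
    os.write(1, reply)
```

prog never touches the TLS layer itself: whether the certificate was checked is decided entirely by the options given to sslclient.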
OPTIONS
General options:
- -q
  Quiet. Do not print error messages.
- -Q
  (Default.) Print error messages.
- -v
  Verbose. Print error messages and status messages.
Connection options:
- -4
  Use IPv4 sockets for connections and DNS queries.
- -6
  Force IPv6 mode for connections.
- -T x+y
  Give up on the connection attempt or SSL connection attempt after x+y seconds. The default value is: 2+58. When a host has several IP addresses, sslclient tries to connect to the first IP address, waits x seconds, tries to connect to the second IP address, waits again x seconds, etc.; then it retries each address that timed out, waiting y seconds per address. You may omit +y to skip the second try.
- -i localip
  Use localip as the IP address for the local side of the connection; quit if localip is not available. Normally sslclient lets the operating system choose an address.
- -p localport
  Use localport as the TCP port for the local side of the connection; quit if localport is not available. Normally sslclient lets the operating system choose a port.
- -d
  Delay sending data for a fraction of a second whenever the remote host is responding slowly. This is currently the default, but it may not be in the future; if you want it, set it explicitly.
- -D
  Never delay sending data; enable TCP_NODELAY.
- -I ifname
  Use ifname as the local network interface. This is only defined for IPv6 sockets and is needed if you use link-local IPv6 addresses.
- -M
  (Default.) Do not send a Server Name Indication.
- -m
  Send a Server Name Indication (SNI) for the given hostname in the ClientHello.

Note: You can use DNSCACHEIP to set the DNS resolver IP dynamically.
X509 certificate handling:
- -3
  Read a null-terminated key password from file descriptor 3 or, alternatively, from a file with -K.
- -K keypassfile
  Read a null-terminated key password from keypassfile.
- -a cafile
  Override the compiled-in CA file name. The CA file contains the list of CAs used to verify the server certificate.
- -A cadir
  Override the compiled-in CA directory name. The CA directory contains certificate files used to verify the client certificate. This list augments the list from -a cafile.
- -c certfile
  Use the client certificate in certfile.
- -k keyfile
  Use the client certificate key in keyfile.
- -V verifydepth
  Verify the server certificate chain to depth verifydepth. The default value is 1.
- -z ciphers
  Use the cipher list specified in ciphers.
- -x
  (Default.) Verify the server certificate.
- -X
  Do not verify the server certificate.
- -n
  (Default.) Verify that the server host name matches the FQDN provided in the certificate.
- -N
  Do not verify that the server host name matches the FQDN provided in the certificate.
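A check for sslclient command lines that switch off the verification options listed above, as an added example that is not part of ucspi-ssl. The helper name audit, the sample command lines and the rule that a later flag overrides an earlier one are assumptions; the option letters and defaults are taken from this page.

```python
import getopt
import shlex

# Option letters from the OPTIONS section; ":" marks options that take an argument.
OPTSTRING = "qQv46T:i:p:dDI:Mm3K:a:A:c:k:V:z:xXnNhHl:rRt:w:sSeE"

MESSAGES = {
    "-X": "server certificate is not verified",
    "-N": "host name is not matched against the certificate",
    "-M": "no SNI is sent; a name-based virtual host may present another certificate",
}

def audit(command):
    """Return [(flag, message)] for an sslclient command line (hypothetical helper)."""
    argv = shlex.split(command)
    if not argv or argv[0].rsplit("/", 1)[-1] != "sslclient":
        raise ValueError("not an sslclient invocation")
    # getopt stops at the first non-option word (host), so prog's own
    # arguments are never mistaken for sslclient options.
    opts, rest = getopt.getopt(argv[1:], OPTSTRING)
    if len(rest) < 3:
        raise ValueError("expected: host port prog")
    # Documented defaults: -x (verify), -n (match host name), -M (no SNI).
    effective = {"verify": "-x", "name": "-n", "sni": "-M"}
    groups = {"-x": "verify", "-X": "verify", "-n": "name",
              "-N": "name", "-m": "sni", "-M": "sni"}
    for flag, _value in opts:
        if flag in groups:
            # Assumption: when both forms are given, the later one wins.
            effective[groups[flag]] = flag
    return [(f, MESSAGES[f]) for f in effective.values() if f in MESSAGES]

# Constructed sample lines, as they might appear in a service run script.
SAMPLES = [
    "sslclient -v -m -V 3 mail.example.org 465 ./smtp-client",
    "/usr/bin/sslclient -vXN -T 5+20 mail.example.org 465 sh -c 'cat <&6'",
    "sslclient -X -x 0 8443 ./probe -X",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", audit(line) or "ok")
```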
Data-gathering options:
- -h
  (Default.) Look up the remote host name in DNS to set the environment variable $SSLREMOTEHOST.
- -H
  Do not look up the remote host name in DNS; remove the environment variable $SSLREMOTEHOST.
- -l localname
  Do not look up the local host name in DNS; use localname for the environment variable $SSLLOCALHOST. A common choice for localname is 0 or ::.
- -r
  Attempt to obtain $SSLREMOTEINFO from the remote host.
- -R
  (Default.) Do not attempt to obtain $SSLREMOTEINFO from the remote host.
- -t n
  Give up on the $SSLREMOTEINFO connection attempt after n seconds. The default value is: 26.
- -w n
  Give up on a connection or program after waiting n seconds for read or write. The default value is: 3600.
- -s
  Store client and server certificate information in the environment, a la mod_ssl.
- -S
  (Default.) Do not store client and server certificate information in the environment.
- -e
  Set protocol environment a la tcpserver. Set $PROTO, $TCPLOCALIP, $TCPLOCALPORT, $TCPLOCALHOST, $TCPREMOTEIP, $TCPREMOTEPORT, $TCPREMOTEHOST, and $TCPREMOTEINFO from the corresponding $SSL variables.
- -E
  (Default.) Do not set any tcpserver environment variables.
SEE ALSO
sslserver(1), sslhandle(1), sslconnect(1), sslcat(1), https@(1), ucspi-tls(2), tcpclient(1), tcpserver(1), tcp-environ(5).
REFERENCE
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
This document was created by man2html, using the manual pages. Time: 11:37:09 GMT, September 23, 2024