sslclient - setup a TLS client IPv6/IPv4 connection
sslclient [ -346hHrRdDqQveEsSnNxX ] [ -i localip ] [ -p localport ] [ -T timeoutconn ] [ -l localname ] [ -t timeoutinfo ] [ -a cafile ] [ -A cadir ] [ -c certfile ] [ -z ciphers ] [ -k keyfile ] [ -V verifydepth ] [ -w progtimeout ] host port prog
A a series of getopt-style options is followed by host, the host name or IP address for the client to connect to, and prog is one or more arguments specifying a program to run for each successful connection.
sslclient attempts to connect to a TCP server at host port. If the connection succeeds, sslclient runs prog with file descriptors 6 and 7 reading from and writing to a child process ssl. The ssl process attempts an SSL connect via the network. If it succeeds, it translates data between prog and the network, performing any necessary SSL encoding and decoding.
Before running prog, sslclient sets certain environment variables.
- -q: Quiet. Do not print error messages.
- -Q: (Default.) Print error messages.
- -v: Verbose. Print error messages and status messages.
Use IPv4 sockets for connections and DNS queries. Use DNSCACHEIP to set the DNS resolver IP dynamically.
Force IPv6 mode for connections and set up in UCSPI environment variables. This will set PROTO to TCP6 and put IPv4-mapped IPv6 addresses in TCPLOCALIP and TCPREMOTEIP.
- -T x+y
Give up on the connection attempt or SSL connection attempt after x+y seconds. The default value is: 2+58. When a host has several IP addresses, sslclient tries to connect to the first IP address, waits x seconds, tries to connect to the second IP address, waits - Ix seconds, etc.; then it retries each address that timed out, waiting y seconds per address. You may omit +y to skip the second try.
- -i localip
Use localip as the IP address for the local side of the connection; quit if localip is not available. Normally sslclient lets the operating system choose an address.
- -p localport
Use localport as the TCP port for the local side of the connection; quit if localport is not available. Normally sslclient lets the operating system choose a port.
Delay sending data for a fraction of a second whenever the remote host is responding slowly. This is currently the default, but it may not be in the future; if you want it, set it explicitly.
Never delay sending data; enable TCP_NODELAY.
- -I ifname
Use ifname as the local network interface. This is only defined for IPv6 sockets and needed if you use link-local IPv6 addresses.
X509 certificate handling:
Read a null-terminated key password from file descriptor 3.
- -a cafile
Override the compiled-in CA file name. The CA file contains the list of CAs used to verify the server certificate.
- -A cadir
Override the compiled-in CA directory name. The CA directory contains certificates files used to verify the client certifi‐ cate. This list augments the list from -a cafile.
- -c certfile
Use the client certificate in certfile.
- -k keyfile
Use the client certificate key in keyfile.
- -V verifydepth
Verify the server certificate chain to depth verifydepth. The default value is 1.
- -z ciphers
Use the cipher list specified in ciphers.
- -x (Default.)
Verify the server certificate.
Do not verify the server certificate.
- -n (Default.)
Verify, that the server host name matches the FQDN in the certificate.
Do not verify that the server host name matches the FQDN in the certificate.
- -h (Default.)
Look up the remote host name in DNS to set the environment variable $SSLREMOTEHOST.
Do not look up the remote host name in DNS; remove the environment variable $SSLREMOTEHOST. To avoid loops, you must use this option for servers on TCP port 53.
- -l localname
Do not look up the local host name in DNS; use localname for the environment variable $SSLLOCALHOST. A common choice for localname is 0. To avoid loops, you must use this option for servers on TCP port 53.
- -r (Default.)
Attempt to obtain $SSLREMOTEINFO from the remote host.
Do not attempt to obtain $SSLREMOTEINFO from the remote host. To avoid loops, you must use this option for servers on TCP ports 53 and 113.
- -t n
Give up on the $SSLREMOTEINFO connection attempt after n seconds. The default value is: 26.
- -w n
Give up on a connection or program after waiting n seconds for read or write. The default value is: 3600.
Store client and server certificate information in the environment, a la mod_ssl.
- -S (Default.)
Do not store client and server certificate information in the environment.
Set protocol environment a la tcpserver. Set $TCPLOCALIP, $TCPLOCALPORT, $TCPLOCALHOST, $TCPREMOTEIP, $TCPREMOTEPORT, $TCPREMOTEHOST, and $TCPREMOTEINFO from the corresponding $SSL variables.
- -E (Default.)
Do not set any tcpserver environment variables.