SYNOPSIS

sslclient opts host port prog

DESCRIPTION

The sslclient attempts to connect to an SSL socket at host port. If the connection succeeds, sslclient runs prog, with file descriptor 6 and 7 reading from and writing to a child process. The child process process attempts an SSL connect via the network. If it succeeds, it translates data between prog and the network, performing any necessary SSL encoding and decoding. Before running prog, sslclient sets certain environment variables.

OPTIONS

GENERAL OPTIONS

-q

Quiet. Do not print error messages.

-Q

(Default.) Print error messages.

-v

Verbose. Print error messages and status messages.

CONNECTION OPTIONS

-T x+y

Give up on the connection attempt or SSL connection attempt after x+y seconds. The default value is: 2+58. When a host has several IP addresses, sslclient tries to connect to the first IP address, waits x seconds, tries to connect to the second IP address, waits x seconds, etc.; then it retries each address that timed out, waiting y seconds per address. You may omit +y to skip the second try.

-i localip

Use localip as the IP address for the local side of the connection; quit if localip is not available. Normally sslclient lets the operating system choose an address.

-p localport

Use localport as the TCP port for the local side of the connection; quit if localport is not available. Normally sslclient lets the operating system choose a port.

-d

Delay sending data for a fraction of a second whenever the remote host is responding slowly. This is currently the default, but it may not be in the future; if you want it, set it explicitly.

-D

Never delay sending data; enable TCP_NODELAY.

-3

Read a null-terminated key password from file descriptor 3.

-a cafile

Override the compiled-in CA file name. The CA file contains the list of CAs used to verify the server certificate.

-A cadir

Override the compiled-in CA directory name. The CA directory contains certificates files used to verify the client certificate. This list augments the list from -a cafile.

-c certfile

Use the client certificate in certfile.

-k keyfile

Use the client certificate key in keyfile.

-V verifydepth

Verify the server certificate chain to depth verifydepth. The default value is 1.

-C ciphers

Use the cipher list specified in ciphers.

-x

(Default.) Verify the server certificate.

-X

Do not verify the server certificate.

DATA-GATHERING OPTIONS

-h

(Default.) Look up the remote host name in DNS to set the environment variable $SSLREMOTEHOST.

-H

Do not look up the remote host name in DNS; remove the environment variable $SSLREMOTEHOST.

-n

(Default.) Verify that the server host name matches the server certificate common name.

-N

Do not verify that the server host name matches the server certificate common name.

-l localname

Do not look up the local host name in DNS; use localname for the environment variable $SSLLOCALHOST. A common choice for localname is 0.

-r

(Default.) Attempt to obtain $SSLREMOTEINFO from the remote host.

-R

Do not attempt to obtain $SSLREMOTEINFO from the remote host.

-t n

Give up on the $SSLREMOTEINFO connection attempt after n seconds. The default value is: 26.

-w n

Give up on a connection or program after waiting n seconds for read or write. The default value is: 3600.

-s

Store client and server certificate information in the environment, a la mod_ssl.

-S

(Default.) Do not store client and server certificate information in the environment.

-e

Set protocol environment a la tcpserver. Set $TCPLOCALIP, $TCPLOCALPORT, $TCPLOCALHOST, $TCPREMOTEIP, $TCPREMOTEPORT, $TCPREMOTEHOST, and $TCPREMOTEINFO from the corresponding $SSL variables.

-E

(Default.) Do not set any tcpserver environment variables.

EXIT STATUS

The sslclient program exits 111 for temporary errors and 100 for permanent errors. It exits 0 on success.

EXAMPLES

sslserver localhost 10443 sh -c '
  cat >&7
  exec cat <&6
'