The sslclient program
Interface
sslclient opts host port prog
where opts is a series of getopt-style options, host is a host name for the client to
connect to, and prog is one or more arguments specifying a program to run for each
successful connection.
sslclient attempts to connect to a TCP server at host port. If the connection
succeeds, sslclient runs prog, with file descriptors 6 and 7 reading from and writing to
a child process ssl. The ssl process attempts an SSL connect via the network. If it
succeeds, it translates data between prog and the network, performing any necessary SSL
encoding and decoding.
Before running prog, sslclient sets certain environment variables.
Options
General options:
- -q: Quiet. Do not print error messages.
- -Q: (Default.) Print error messages.
- -v: Verbose. Print error messages and status messages.
Connection options:
- -T x+y: Give up on the connection attempt or SSL connection attempt after
x+y seconds. The default value is: 2+58. When a host has several IP addresses,
sslclient tries to connect to the first IP address, waits x seconds, tries to
connect to the second IP address, waits x seconds, etc.; then it retries each
address that timed out, waiting y seconds per address. You may omit +y to skip
the second try.
- -i localip: Use localip as the IP address for the local side of the
connection; quit if localip is not available. Normally sslclient lets the
operating system choose an address.
- -p localport: Use localport as the TCP port for the local side of the
connection; quit if localport is not available. Normally sslclient lets the
operating system choose a port.
- -d: Delay sending data for a fraction of a second whenever the remote host is
responding slowly. This is currently the default, but it may not be in the future;
if you want it, set it explicitly.
- -D: Never delay sending data; enable TCP_NODELAY.
- -3: Read a null-terminated key password from file descriptor 3.
- -a cafile: Override the compiled-in CA file name. The CA file contains the
list of CAs used to verify the server certificate.
- -A cadir: Override the compiled-in CA directory name. The CA directory
contains certificate files used to verify the client certificate. This list augments
the list from -a cafile.
- -c certfile: Use the client certificate in certfile.
- -k keyfile: Use the client certificate key in keyfile.
- -V verifydepth: Verify the server certificate chain to depth
verifydepth. The default value is 1.
- -C ciphers: Use the cipher list specified in ciphers.
- -x: (Default.) Verify the server certificate.
- -X: Do not verify the server certificate.
Data-gathering options:
- -h: (Default.) Look up the remote host name in DNS to set the environment
variable $SSLREMOTEHOST.
- -H: Do not look up the remote host name in DNS; remove the environment
variable $SSLREMOTEHOST.
- -n: (Default.) Verify that the server host name matches the server certificate
common name.
- -N: Do not verify that the server host name matches the server certificate
common name.
- -l localname: Do not look up the local host name in DNS; use localname
for the environment variable $SSLLOCALHOST. A common choice for
localname is 0.
- -r: (Default.) Attempt to obtain $SSLREMOTEINFO from the remote host.
- -R: Do not attempt to obtain $SSLREMOTEINFO from the remote host.
- -t n: Give up on the $SSLREMOTEINFO connection attempt after n seconds.
The default value is: 26.
- -w n: Give up on a connection or program after waiting n seconds for read or
write. The default value is: 3600.
- -s: Store client and server certificate information in the environment, a la
mod_ssl.
- -S: (Default.) Do not store client and server certificate information in the
environment.
- -e: Set protocol environment a la tcpserver. Set
$TCPLOCALIP, $TCPLOCALPORT, $TCPLOCALHOST, $TCPREMOTEIP,
$TCPREMOTEPORT, $TCPREMOTEHOST, and $TCPREMOTEINFO from the
corresponding $SSL variables.
- -E: (Default.) Do not set any tcpserver environment variables.
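The options above include two that switch off server authentication (-X and -N). The following shell function is an added example, not part of sslclient or its documentation: it audits an sslclient argument list for those options before the command is deployed in a script. The function name audit_sslclient and the finding strings are hypothetical, and it assumes that when opposing options are both given, the last one wins.

```shell
#!/bin/sh
# Added example: audit an sslclient argument list for options that weaken
# server authentication. Option letters are the ones documented above.
# Assumption: when opposing options (-x/-X, -n/-N) both appear, the last wins.

audit_sslclient() {
    # Documented defaults: -x (verify certificate) and -n (match host name).
    verify=1
    namecheck=1
    findings=""
    OPTIND=1
    # Leading ":" selects silent mode so this function reports errors itself.
    while getopts ":qQvT:i:p:dD3a:A:c:k:V:C:xXhHnNl:rRt:w:sSeE" opt; do
        case "$opt" in
            x) verify=1 ;;
            X) verify=0 ;;
            n) namecheck=1 ;;
            N) namecheck=0 ;;
            \?) findings="$findings unknown-option(-$OPTARG)" ;;
            :) findings="$findings missing-argument(-$OPTARG)" ;;
        esac
    done
    shift $((OPTIND - 1))

    # After the options, the interface requires: host port prog
    [ $# -ge 3 ] || findings="$findings missing-host-port-prog"
    [ "$verify" -eq 1 ] || findings="$findings no-cert-verification(-X)"
    [ "$namecheck" -eq 1 ] || findings="$findings no-hostname-check(-N)"

    if [ -z "$findings" ]; then
        echo "ok"
        return 0
    fi
    echo "${findings# }"
    return 1
}
```

Pass the function the same arguments the script would pass to sslclient; it prints "ok" and returns 0 only when certificate verification and host name matching are both left enabled.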
Copyright © 2009 by SuperScript Technology, Inc. All rights reserved.