136 lines
3.7 KiB
Groff
136 lines
3.7 KiB
Groff
.TH PT-TLS-CLIENT 1 "2018-11-20" "@PACKAGE_VERSION@" "strongSwan"
|
|
.
|
|
.SH "NAME"
|
|
.
|
|
pt-tls-client \- Simple client using PT-TLS to collect integrity information
|
|
.
|
|
.SH "SYNOPSIS"
|
|
.
|
|
.SY "pt-tls-client"
|
|
.BI \-\-connect
|
|
.IR hostname |\fIaddress
|
|
.OP \-\-port port
|
|
.RB [ \-\-certid
|
|
.IR hex |\fB\-\-cert
|
|
.IR file ]+
|
|
.RB [ \-\-keyid
|
|
.IR hex |\fB\-\-key
|
|
.IR file ]
|
|
.RB [ \-\-key-type
|
|
.BR rsa |\fBecdsa\fR]
|
|
.OP \-\-client client-id
|
|
.OP \-\-secret password
|
|
.OP \-\-mutual
|
|
.OP \-\-options filename
|
|
.OP \-\-quiet
|
|
.OP \-\-debug level
|
|
.YS
|
|
.
|
|
.SY "pt-tls-client"
|
|
.B \-h
|
|
|
|
|
.B \-\-help
|
|
.YS
|
|
.
|
|
.SH "DESCRIPTION"
|
|
.
|
|
.B pt-tls-client
|
|
is a simple client using the PT-TLS (RFC 6876) transport protocol to collect
|
|
integrity measurements on the client platform. PT-TLS does an initial TLS
|
|
handshake with certificate-based server authentication and optional
|
|
certificate-based client authentication. Alternatively simple password-based
|
|
SASL client authentication protected by TLS can be used.
|
|
.P
|
|
Attribute requests and integrity measurements are exchanged via the PA-TNC (RFC
|
|
5792) message protocol between any number of Integrity Measurement Verifiers
|
|
(IMVs) residing on the remote PT-TLS server and multiple Integrity Measurement
|
|
Collectors (IMCs) loaded dynamically by the PT-TLS client according to a list
|
|
defined by \fI/etc/tnc_config\fR. PA-TNC messages that contain one or several
|
|
PA-TNC attributes are multiplexed into PB-TNC (RFC 5793) client or server data
|
|
batches which in turn are transported via PT-TLS.
|
|
.
|
|
.SH "OPTIONS"
|
|
.
|
|
.TP
|
|
.B "\-h, \-\-help"
|
|
Prints usage information and a short summary of the available commands.
|
|
.TP
|
|
.BI "\-c, \-\-connect " hostname\fR|\fIaddress
|
|
Set the hostname or IP address of the PT-TLS server.
|
|
.TP
|
|
.BI "\-p, \-\-port " port
|
|
Set the port of the PT-TLS server, default: 271.
|
|
.TP
|
|
.BI "\-x, \-\-cert " file
|
|
Set the path to an X.509 certificate file. This option can be repeated to load
|
|
multiple client and CA certificates.
|
|
.TP
|
|
.BI "\-X, \-\-certid " hex
|
|
Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted
|
|
Platform Module.
|
|
.TP
|
|
.BI "\-k, \-\-key " file
|
|
Set the path to the client's PKCS#1 or PKCS#8 private key file
|
|
.TP
|
|
.BI "\-t, \-\-key\-type " type
|
|
Define the type of the private key if stored in PKCS#1 format. Can be omitted
|
|
with PKCS#8 keys.
|
|
.TP
|
|
.BI "\-K, \-\-keyid " hex
|
|
Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted
|
|
Platform Module.
|
|
.TP
|
|
.BI "\-i, \-\-client " client-id
|
|
Set the username or client ID of the client required for password-based SASL
|
|
authentication.
|
|
.TP
|
|
.BI "\-s, \-\-secret " password
|
|
Set the preshared secret or client password required for password-based SASL
|
|
authentication.
|
|
.TP
|
|
.B "\-q, \-\-mutual
|
|
Enable mutual attestation between PT-TLS client and PT-TLS server.
|
|
.TP
|
|
.BI "\-v, \-\-debug " level
|
|
Set debug level, default: 1.
|
|
.TP
|
|
.B "\-q, \-\-quiet
|
|
Disable debug output to stderr.
|
|
.TP
|
|
.BI "\-+, \-\-options " file
|
|
Read command line options from \fIfile\fR.
|
|
.
|
|
.SH "EXAMPLES"
|
|
.
|
|
Connect to a PT-TLS server using certificate-based authentication,
|
|
storing the private ECDSA key in a file:
|
|
.PP
|
|
.EX
|
|
pt-tls-client \-\-connect pdp.example.com \-\-cert ca.crt \\
|
|
\-\-cert client.crt \-\-key client.key \-\-key\-type ecdsa
|
|
.EE
|
|
.PP
|
|
Connect to a PT-TLS server using certificate-based authentication,
|
|
storing the private key in a smartcard or a TPM 2.0 Trusted Platform Module:
|
|
.PP
|
|
.EX
|
|
pt-tls-client \-\-connect pdp.example.com \-\-cert ca.crt \\
|
|
\-\-cert client.crt \-\-keyid 0x81010002
|
|
.EE
|
|
.PP
|
|
Connect to a PT-TLS server listening on port 443, using SASL password-based
|
|
authentication:
|
|
.PP
|
|
.EX
|
|
pt-tls-client \-\-connect pdp.example.com --port 443 \-\-cert ca.crt \\
|
|
\-\-client jane \-\-password p2Nl9trKlb
|
|
.EE
|
|
.SH FILES
|
|
.TP
|
|
/etc/tnc_config
|
|
.
|
|
.SH "SEE ALSO"
|
|
.
|
|
.BR strongswan.conf (5)
|
|
|