SSLCLIENT(1)                  DACS Commands Manual                  SSLCLIENT(1)
NAME
sslclient - an SSL/TLS client

SYNOPSIS
sslclient [-caf | --ca_cert_file filename]
          [-cad | --ca_cert_dir dirname]
          [-ccf | --cert_chain_file filename]
          [-C | --ciphers cipherstring]
          [--disable-sni] [-dvp | --default_verify_paths]
          [-h | --help] [-kf | --key_file filename]
          [-kft | --key_file_type pem | asn1]
          [-p | -sp | --server_port portnum]
          [-r | --random filename]
          [-sm | --server_match regex [...]]
          [-sni | --enable-sni]
          [-vd | --verify_depth depth]
          [-vt | --verify_type none | peer] [--] server[:port]
DESCRIPTION
This program is part of the DACS suite. It can be used with the usual DACS command line options (dacsoptions), provided they all appear before the program-specific flags (note that the -un flag can be used to suppress configuration file processing). sslclient is also used by the dacshttp(1) command and by requests generated internally by DACS components.
The sslclient utility acts as an SSL/TLS client. After establishing a bidirectional SSL/TLS connection with an SSL/TLS server, it forwards its standard input to the SSL/TLS server and writes data produced by the SSL/TLS server to sslclient's standard output.
sslclient connects to server (a domain name or IP address). If a port number suffix is given (port), it is used; otherwise, if a port number is specified as a separate command line argument (--server_port portnum), that is used; failing that, the default SSL/TLS port for https (443) is used.
The program reads from its standard input and the server asynchronously (using non-blocking I/O). Note that the server side might need to see end-of-file on its input before its output is returned to sslclient.
This program's underlying SSL/TLS functionality is provided by OpenSSL.
OPTIONS
sslclient recognizes these options:
If you want the client certificate to be sent you must also specify the -kf flag.
The DACS -v (or --verbose) flag causes the program to show some of the server's SSL certificate, print feedback about regular expression matching, and so on. If sslclient is not doing what you expect, try using this flag.
Server Identity Verification
If the server presents a valid SSL (X.509) certificate, a set of checks is applied to it to help ensure that sslclient is communicating with the intended entity. Verification is successful and checking is terminated as soon as any test is successful. If no test succeeds, the program terminates immediately.
You can use a command like the following one to display an X.509 certificate to stdout in text form:
% openssl x509 -noout -text < cert.crt
Here, cert.crt is the certificate to display.
The server certificate's subjectAltName extension fields have the format field-name:field-value. For each such field, tests are made in the following sequence:
If the above procedure is unsuccessful and the server certificate's commonName attribute value is available, it is matched against each of the regular expressions given on the command line.
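The matching procedure described above, as an added illustration rather than DACS's own code: each subjectAltName field is written as field-name:field-value and tried against every --server_match regex, stopping at the first success, and the commonName is tried only when no field matched. The certificate layout (the dict shape Python's ssl.getpeercert() returns), the sample certificate and the use of an unanchored regex search are assumptions made here.

```python
import re
from typing import Optional, Sequence

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert():
# 'subject' is a tuple of RDNs, 'subjectAltName' a tuple of (field-name, field-value).
# It is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def common_name(cert: dict) -> Optional[str]:
    """Return the subject commonName attribute value, or None if absent."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def verify_server_identity(cert: dict, patterns: Sequence[str]) -> Optional[str]:
    """Return the first string that satisfies a --server_match regex, or None.

    Each subjectAltName field is tested as 'field-name:field-value' against each
    pattern; the first success ends checking. Only if no field matches is the
    commonName tested. None means every test failed, which is when sslclient
    aborts the connection. Assumption: a regex 'search' is used, so callers
    should anchor their patterns (^...$) to avoid substring matches.
    """
    regexes = [re.compile(p) for p in patterns]
    for name, value in cert.get("subjectAltName", ()):
        field = f"{name}:{value}"
        for rx in regexes:
            if rx.search(field):
                return field
    cn = common_name(cert)
    if cn is not None:
        for rx in regexes:
            if rx.search(cn):
                return cn
    return None
```

An unanchored pattern such as example\.com also accepts DNS:notexample.com, which is why the anchored form is shown in the docstring.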
EXAMPLES
The following command line attempts to connect to port 443 at example.com and prints to stdout the server's response to a request for the home page:
% printf "GET https://example.com:443 HTTP/1.0\r\n\r\n" | sslclient example.com:443
When connecting to a web server, note that the request-line and every header-field should be terminated by a CRLF (carriage return, line feed/newline), otherwise the web server may respond with a 400 (Bad Request) error or a 301 (Moved Permanently) redirect. Apparently, Apache has become more strict in this regard. In particular, this may trip you up if you use sslclient interactively, since your input will end with only a newline. Refer to RFC 7230, Section 3.
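The CRLF requirement above, as an added example that is not part of the DACS distribution: crlf_terminate rewrites a request typed with bare newlines (the interactive case) so that the request-line and each header-field end with CRLF and the header block is closed by an empty line, and is_crlf_terminated checks a request before it is piped into sslclient. The origin-form request with a Host header produced by build_request is this example's own choice, not the man page's absolute-URI form.

```python
def crlf_terminate(raw: str) -> bytes:
    """Normalize line endings of an HTTP request to CRLF.

    Lines may end in LF, CR or CRLF on input; all come out as CRLF, and the
    headers are terminated by exactly one empty line, as RFC 7230 section 3
    requires. Input is assumed to be ASCII, as HTTP header fields are.
    """
    lines = raw.splitlines()  # strips \n, \r\n and lone \r alike
    while lines and lines[-1] == "":  # drop any trailing blank lines...
        lines.pop()
    lines.append("")  # ...and re-add exactly one as the header terminator
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def is_crlf_terminated(request: bytes) -> bool:
    """True when every line ends with CRLF and the headers end with an empty line."""
    if not request.endswith(b"\r\n\r\n"):
        return False
    leftovers = request.replace(b"\r\n", b"")
    return b"\n" not in leftovers and b"\r" not in leftovers


def build_request(host: str, path: str = "/") -> bytes:
    """An HTTP/1.0 request suitable for 'python3 this.py | sslclient host'."""
    return crlf_terminate(f"GET {path} HTTP/1.0\nHost: {host}\n")


if __name__ == "__main__":
    import sys
    sys.stdout.buffer.write(build_request("example.com"))
```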
DIAGNOSTICS
When used with DACS logging configured, messages are directed to a log file, otherwise error messages and verbose output are written to stderr. The program exits 0 if everything was fine, 1 if an error occurred.
NOTES
A wrapper mode of operation might be useful.
It would also be useful to have a mode where it listens for an SSL/TLS connection for input (rather than its standard input) and then relays data over that connection to a specified server, possibly but not necessarily via SSL/TLS. This mode might run on a firewall host to forward an approved incoming SSL/TLS connection (presumably authenticated by a client certificate, and possibly by a DACS ruleset) to a service running on an interior host, for instance.
SEE ALSO
dacshttp(1), openssl(1), s_client(1), stunnel(1), curl(1), sslwrap(1), and others, and regex(3).
A variety of reference material on SSL/TLS is available. Perhaps best is Network Security with OpenSSL by John Viega, Matt Messier, and Pravir Chandra, O'Reilly & Associates, Inc., 2002. Also useful are SSL/TLS Strong Encryption: An Introduction, Netscape SSL 3.0 Specification, RFC 2246, and RFC 6066.
AUTHOR
Distributed Systems Software (www.dss.ca)
COPYING
Copyright © 2003-2018 Distributed Systems Software. See the LICENSE file that accompanies the distribution for licensing information.