Man page - pt-tls-client(1)
Package containing this manual: apt-get install libcharon-extra-plugins
PT-TLS-CLIENT
NAME
pt-tls-client - Simple client using PT-TLS to collect integrity information
SYNOPSIS
pt-tls-client --connect hostname | address [ --port port ] [ --certid hex | --cert file ]+ [ --keyid hex | --key file ] [ --key-type rsa | ecdsa ] [ --client client-id ] [ --secret password ] [ --mutual ] [ --options filename ] [ --quiet ] [ --debug level ]

pt-tls-client -h | --help
DESCRIPTION
pt-tls-client is a simple client using the PT-TLS (RFC 6876) transport protocol to collect integrity measurements on the client platform. PT-TLS performs an initial TLS handshake with certificate-based server authentication and optional certificate-based client authentication. Alternatively, simple password-based SASL client authentication, protected by the TLS session, can be used.
Attribute requests and integrity measurements are exchanged via the PA-TNC (RFC 5792) message protocol between any number of Integrity Measurement Verifiers (IMVs) residing on the remote PT-TLS server and multiple Integrity Measurement Collectors (IMCs) loaded dynamically by the PT-TLS client according to the list defined in /etc/tnc_config. PA-TNC messages that contain one or several PA-TNC attributes are multiplexed into PB-TNC (RFC 5793) client or server data batches, which in turn are transported via PT-TLS.
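The outermost layer of that stack is the PT-TLS message framing of RFC 6876: a 16-byte header (reserved byte, 24-bit vendor ID, message type, total length, identifier) followed by the value, where a type 7 message carries a PB-TNC batch. The following parser is an added example, not part of the strongSwan man page or code base; it assumes the bytes have already been read from inside the TLS session and shows the header checks a receiver should apply before trusting the length field.

```python
import struct
from dataclasses import dataclass

PT_TLS_HEADER_LEN = 16  # fixed header size in bytes (RFC 6876, section 3.5)
IETF_VENDOR_ID = 0

# IETF standard PT-TLS message types (RFC 6876, section 3.6)
PT_TLS_MESSAGE_TYPES = {
    1: "Version Request", 2: "Version Response", 3: "SASL Mechanisms",
    4: "SASL Mechanism Selection", 5: "SASL Authentication Data",
    6: "SASL Result", 7: "PB-TNC Batch", 8: "PT-TLS Error",
}

@dataclass
class PtTlsMessage:
    vendor_id: int
    msg_type: int
    identifier: int
    value: bytes  # for type 7 this is a complete PB-TNC batch

    @property
    def type_name(self):
        if self.vendor_id != IETF_VENDOR_ID:
            return "Vendor-specific"
        return PT_TLS_MESSAGE_TYPES.get(self.msg_type, "Unknown")

def build_message(msg_type, identifier, value, vendor_id=IETF_VENDOR_ID):
    """Serialize one PT-TLS message (used here only to construct sample input)."""
    length = PT_TLS_HEADER_LEN + len(value)
    # Reserved byte (0) + 24-bit vendor ID, then type, length and identifier.
    header = struct.pack(">I", vendor_id & 0xFFFFFF) + struct.pack(">III", msg_type, length, identifier)
    return header + value

def parse_stream(data):
    """Split a PT-TLS byte stream into messages, rejecting malformed headers."""
    messages, offset = [], 0
    while offset < len(data):
        if len(data) - offset < PT_TLS_HEADER_LEN:
            raise ValueError("truncated PT-TLS header at offset %d" % offset)
        reserved_vendor, msg_type, length, identifier = struct.unpack_from(">IIII", data, offset)
        if reserved_vendor >> 24 != 0:
            raise ValueError("reserved bits set at offset %d" % offset)
        # The length field is attacker-controlled input: bound it by the header
        # size and by what was actually received before slicing.
        if length < PT_TLS_HEADER_LEN or offset + length > len(data):
            raise ValueError("bad PT-TLS message length %d at offset %d" % (length, offset))
        value = data[offset + PT_TLS_HEADER_LEN:offset + length]
        messages.append(PtTlsMessage(reserved_vendor & 0xFFFFFF, msg_type, identifier, value))
        offset += length
    return messages

def is_well_formed(data):
    """True if the whole stream parses into complete, well-framed messages."""
    try:
        parse_stream(data)
        return True
    except ValueError:
        return False

# Constructed sample: a Version Request (min 1, max 1, preferred 1) followed by a
# PB-TNC Batch whose value is a minimal empty CDATA batch header (version 2, length 8).
SAMPLE_STREAM = (build_message(1, 0, b"\x00\x01\x01\x01")
                 + build_message(7, 1, b"\x02\x00\x00\x01\x00\x00\x00\x08"))
```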
OPTIONS
-h, --help
Prints usage information and a short summary of the available commands.
-c, --connect hostname | address
Set the hostname or IP address of the PT-TLS server.
-p, --port port
Set the port of the PT-TLS server, default: 271.
-x, --cert file
Set the path to an X.509 certificate file. This option can be repeated to load multiple client and CA certificates.
-X, --certid hex
Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted Platform Module.
-k, --key file
Set the path to the client's PKCS#1 or PKCS#8 private key file.
-t, --key-type type
Define the type of the private key if stored in PKCS#1 format. Can be omitted with PKCS#8 keys.
-K, --keyid hex
Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted Platform Module.
-i, --client client-id
Set the username or client ID of the client required for password-based SASL authentication.
-s, --secret password
Set the preshared secret or client password required for password-based SASL authentication.
-m, --mutual
Enable mutual attestation between PT-TLS client and PT-TLS server.
-v, --debug level
Set debug level, default: 1.
-q, --quiet
Disable debug output to stderr.
-+, --options file
Read command line options from file.
EXAMPLES
Connect to a PT-TLS server using certificate-based authentication, with the private ECDSA key stored in a file:
pt-tls-client --connect pdp.example.com --cert ca.crt \
              --cert client.crt --key client.key --key-type ecdsa
Connect to a PT-TLS server using certificate-based authentication, with the private key stored in a smartcard or a TPM 2.0 Trusted Platform Module:
pt-tls-client --connect pdp.example.com --cert ca.crt \
              --cert client.crt --keyid 0x81010002
Connect to a PT-TLS server listening on port 443, using SASL password-based authentication:
pt-tls-client --connect pdp.example.com --port 443 --cert ca.crt \
              --client jane --secret p2Nl9trKlb
FILES
/etc/tnc_config
SEE ALSO
strongswan.conf(5)