lunar (1) pt-tls-client.1.gz

Provided by: libcharon-extra-plugins_5.9.8-3ubuntu4_amd64

NAME

       pt-tls-client - Simple client using PT-TLS to collect integrity information

SYNOPSIS

       pt-tls-client --connect hostname|address [--port port] [--certid hex|--cert file]+
                     [--keyid hex|--key file] [--key-type rsa|ecdsa] [--client client-id]
                     [--secret password] [--mutual] [--options filename] [--quiet]
                     [--debug level]

       pt-tls-client -h | --help

DESCRIPTION

       pt-tls-client is a simple client using the PT-TLS (RFC 6876) transport protocol to collect
       integrity  measurements  on the client platform. PT-TLS does an initial TLS handshake with
       certificate-based   server   authentication   and   optional   certificate-based    client
       authentication.  Alternatively,  simple  password-based  SASL client authentication, which
       runs inside the already established TLS session, can be used.

       Attribute requests and integrity measurements are exchanged  via  the  PA-TNC  (RFC  5792)
       message  protocol between any number of Integrity Measurement Verifiers (IMVs) residing on
       the remote PT-TLS server and  multiple  Integrity  Measurement  Collectors  (IMCs)  loaded
       dynamically  by  the  PT-TLS client according to a list defined by /etc/tnc_config. PA-TNC
       messages that contain one or several PA-TNC attributes are multiplexed  into  PB-TNC  (RFC
       5793) client or server data batches which in turn are transported via PT-TLS.
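
       The framing that carries the PB-TNC batches described above is the PT-TLS message header
       of RFC 6876 section 3: an 8-bit reserved field, a 24-bit Message Type Vendor ID, a 32-bit
       Message Type, a 32-bit Message Length that includes the 16-byte header, a 32-bit Message
       Identifier, and the value. The following is an added example, written for this page and not
       part of strongSwan or pt-tls-client, that encodes and bounds-checks that header and runs the
       Version Request / Version Response exchange with which a PT-TLS session begins. The message
       type numbers are the IETF values from RFC 6876; the function names, the PtTlsError class and
       the in-process client/server pairing are this example's own constructions.

```python
"""PT-TLS (RFC 6876) message framing and version negotiation.

Constructed example for this page, not strongSwan code.  The IETF message
type numbers follow RFC 6876 section 3; everything else is illustrative.
"""
import struct

PT_TLS_HEADER_LEN = 16          # fixed header; counted in Message Length
PT_TLS_VERSION = 1
IETF_VENDOR_ID = 0

# IETF standard PT-TLS message types (Message Type Vendor ID = 0)
VERSION_REQUEST = 1
VERSION_RESPONSE = 2
SASL_MECHANISMS = 3
SASL_MECHANISM_SELECTION = 4
SASL_RESULT = 5
SASL_AUTH_DATA = 6
PB_TNC_BATCH = 7
PT_TLS_ERROR = 8


class PtTlsError(ValueError):
    """Raised for malformed or inconsistent PT-TLS framing (example-specific)."""


def encode_message(msg_type, msg_id, value=b"", vendor_id=IETF_VENDOR_ID):
    """Build one PT-TLS message: reserved(8) | vendor ID(24) | type(32) |
    length(32, header included) | identifier(32) | value."""
    if not 0 <= vendor_id < (1 << 24):
        raise PtTlsError("vendor ID must fit in 24 bits")
    length = PT_TLS_HEADER_LEN + len(value)
    header = struct.pack("!I", vendor_id)              # reserved byte is 0
    header += struct.pack("!III", msg_type, length, msg_id)
    return header + value


def decode_message(buf):
    """Parse one message from the front of buf and return
    (vendor_id, msg_type, msg_id, value, remaining_bytes).
    Short headers, lengths below the header size and truncated values are
    rejected, so a peer cannot make the reader consume beyond what it sent."""
    if len(buf) < PT_TLS_HEADER_LEN:
        raise PtTlsError("incomplete PT-TLS header")
    word0, msg_type, length, msg_id = struct.unpack("!IIII", buf[:PT_TLS_HEADER_LEN])
    reserved, vendor_id = word0 >> 24, word0 & 0xFFFFFF
    if reserved != 0:
        raise PtTlsError("reserved byte must be zero")
    if length < PT_TLS_HEADER_LEN:
        raise PtTlsError("message length %d shorter than header" % length)
    if length > len(buf):
        raise PtTlsError("truncated message: need %d bytes, have %d" % (length, len(buf)))
    return vendor_id, msg_type, msg_id, buf[PT_TLS_HEADER_LEN:length], buf[length:]


def client_version_request(msg_id, min_v=PT_TLS_VERSION, max_v=PT_TLS_VERSION,
                           pref=PT_TLS_VERSION):
    """Version Request value: reserved(8) | min(8) | max(8) | preferred(8)."""
    return encode_message(VERSION_REQUEST, msg_id,
                          struct.pack("!BBBB", 0, min_v, max_v, pref))


def server_handle_version_request(wire, supported=(PT_TLS_VERSION,)):
    """Server side: validate the request, pick a version and answer with a
    Version Response whose value is reserved(24) | selected version(8)."""
    vendor, msg_type, msg_id, value, rest = decode_message(wire)
    if rest:
        raise PtTlsError("unexpected trailing bytes after Version Request")
    if vendor != IETF_VENDOR_ID or msg_type != VERSION_REQUEST:
        raise PtTlsError("expected Version Request, got vendor %d type %d" % (vendor, msg_type))
    if len(value) != 4:
        raise PtTlsError("Version Request value must be 4 bytes")
    _, min_v, max_v, pref = struct.unpack("!BBBB", value)
    if min_v > max_v or not min_v <= pref <= max_v:
        raise PtTlsError("inconsistent version range")
    chosen = pref if pref in supported else next(
        (v for v in supported if min_v <= v <= max_v), None)
    if chosen is None:
        raise PtTlsError("no common PT-TLS version")
    # reserved(24) | selected version(8) packed as one big-endian 32-bit word
    return encode_message(VERSION_RESPONSE, msg_id, struct.pack("!I", chosen))


def client_selected_version(wire):
    """Client side: validate the Version Response and return the chosen version."""
    vendor, msg_type, _, value, rest = decode_message(wire)
    if rest or vendor != IETF_VENDOR_ID or msg_type != VERSION_RESPONSE or len(value) != 4:
        raise PtTlsError("malformed Version Response")
    return struct.unpack("!I", value)[0] & 0xFF


def negotiate():
    """Run the exchange in-process: client request -> server response -> client check."""
    req = client_version_request(msg_id=0)
    resp = server_handle_version_request(req)
    return client_selected_version(resp)


if __name__ == "__main__":
    print("negotiated PT-TLS version", negotiate())
```

       Each message is length-prefixed, so a reader that trusts the Message Length field without
       comparing it against the bytes actually received will read past the end of the message; the
       decoder above refuses both a length below the 16-byte header and a length larger than the
       buffer before it slices the value.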

OPTIONS

       -h, --help
              Prints usage information and a short summary of the available commands.

       -c, --connect hostname|address
              Set the hostname or IP address of the PT-TLS server.

       -p, --port port
              Set the port of the PT-TLS server, default: 271.

       -x, --cert file
              Set  the  path  to  an  X.509 certificate file. This option can be repeated to load
              multiple client and CA certificates.

       -X, --certid hex
              Set the handle of the certificate stored in  a  smartcard  or  a  TPM  2.0  Trusted
              Platform Module.

       -k, --key file
              Set the path to the client's PKCS#1 or PKCS#8 private key file.

       -t, --key-type rsa|ecdsa
              Define  the type of the private key if stored in PKCS#1 format. Can be omitted with
              PKCS#8 keys, which carry the key type themselves.

       -K, --keyid hex
              Set the keyid of the private key stored  in  a  smartcard  or  a  TPM  2.0  Trusted
              Platform Module.

       -i, --client client-id
              Set  the  username  or  client  ID  of  the client required for password-based SASL
              authentication.

       -s, --secret password
              Set the preshared secret  or  client  password  required  for  password-based  SASL
              authentication.

       -m, --mutual
              Enable mutual attestation between PT-TLS client and PT-TLS server.

       -v, --debug level
              Set debug level, default: 1.

       -q, --quiet
              Disable debug output to stderr.

       -+, --options file
              Read command line options from file.

EXAMPLES

       Connect to a PT-TLS server using certificate-based authentication,  with  the  private  ECDSA
       key stored in a file:

         pt-tls-client --connect pdp.example.com --cert ca.crt \
                       --cert client.crt --key client.key --key-type ecdsa

       Connect to a PT-TLS server using certificate-based authentication, with  the  private  key
       stored in a smartcard or a TPM 2.0 Trusted Platform Module:

         pt-tls-client --connect pdp.example.com --cert ca.crt \
                       --cert client.crt --keyid 0x81010002

       Connect  to  a  PT-TLS  server  listening  on  port  443,  using  SASL   password-based
       authentication (the CA certificate is still needed to authenticate the server):

         pt-tls-client --connect pdp.example.com --port 443 --cert ca.crt \
                       --client jane --secret p2Nl9trKlb

FILES

       /etc/tnc_config
              List of Integrity Measurement Collectors (IMCs) loaded by the PT-TLS client.

SEE ALSO

       strongswan.conf(5)