pt-tls-client Tool

Synopsis

pt-tls-client --connect hostname|address [--port port] [--certid hex|--cert file]+
             [--keyid hex|--key file] [--key-type rsa|ecdsa] [--client client-id]
             [--secret password] [--mutual] [--optionsfrom filename] [--quiet]
             [--debug level]

pt-tls-client -h | --help

Description

pt-tls-client is a simple client using the PT-TLS (RFC 6876) transport protocol to collect integrity measurements on the client platform. PT-TLS does an initial TLS handshake with certificate-based server authentication and optional certificate-based client authentication. Alternatively simple password-based SASL client authentication protected by TLS can be used.

Attribute requests and integrity measurements are exchanged via the PA-TNC (RFC 5792) message protocol between any number of Integrity Measurement Verifiers (IMVs) residing on the remote PT-TLS server and multiple Integrity Measurement Collectors (IMCs) loaded dynamically by the PT-TLS client according to a list defined by /etc/tnc_config. PA-TNC messages that contain one or several PA-TNC attributes are multiplexed into PB-TNC (RFC 5793) client or server data batches which in turn are transported via PT-TLS.

Options

-h

--help

Prints usage information and a short summary of the available commands

-c

--connect

Set the hostname or IP address of the PT-TLS server

-p

--port

Set the port of the PT-TLS server, default: 271

-x

--cert

Set the path to an X.509 certificate file. This option can be repeated to load multiple client and CA certificates

-X

--certid

Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted Platform Module

-k

--key

Set the path to the client’s PKCS#1 or PKCS#8 private key file

-K

--keyid

Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted Platform Module

-t

--key-type

Define the type of the private key if stored in PKCS#1 format. Can be omitted with PKCS#8 keys

-i

--client

Set the username or client ID of the client required for password-based SASL authentication

-s

--secret

Set the preshared secret or client password required for password-based SASL authentication

-q

--mutual

Enable mutual attestation between PT-TLS client and PT-TLS server

-v

--debug

Set debug level, default: 1

-q

--quiet

Disable debug output to stderr

-+

--options

Read command line options from file.

TLS Options

The pt-tl-client command uses the strongSwan libtls library that can be configured and fine-tuned with the following TLS options.

It is especially recommended to set version_max = 1.3 in order to profit from the latest TLS 1.3 version.

Examples

  • Connect to a PT-TLS server using certificate-based authentication, storing the private ECDSA key in a file:

    pt-tls-client --connect pdp.example.com --cert ca.crt --cert client.crt \
                  --key client.key --key-type ecdsa
  • Connect to a PT-TLS server using certificate-based authentication, storing the private key in a smartcard or a TPM 2.0 Trusted Platform Module:

    pt-tls-client --connect pdp.example.com --cert ca.crt --cert client.crt \
                  --keyid 0x81010002
  • Connect to a PT-TLS server listening on port 443, using `SASL? password-based authentication:

    pt-tls-client --connect pdp.example.com --port 443 --cert ca.crt --client jane \
                  --password p2Nl9trKlb

Files

/etc/tnc_config defines the IMCs to be loaded by the pt-tls-client.

Example

#IMC-Configuration

IMC "OS"          /usr/lib/ipsec/imcvs/imc-os.so
IMC "SWIMA"       /usr/lib/ipsec/imcvs/imc-swima.so
IMC "ATTESTATION" /usr/lib/ipsec/imcvs/imc-attestation.so