Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   44335 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

TLSDATE(1)			 User Manuals			    TLSDATE(1)

NAME
       tlsdate - secure parasitic rdate replacement

SYNOPSIS
       tlsdate	   [-hnvVstlw]	   [-H	  [hostname]]	 [-p	[port]]	   [-P
       [sslv23|sslv3|tlsv1]]	[--certdir    [dirname]]     [-x     [--proxy]
       proxy-type://proxyhost:proxyport]

DESCRIPTION
       tlsdate is a tool for setting the system clock by hand or by communica‐
       tion with the network. It does not set  the  Real  Time	Clock.	It  is
       designed	 to  be as secure as TLS (RFC 2246) but of course the security
       of TLS is often reduced to whichever CA racket you believe is trustwor‐
       thy.  By	 default,  tlsdate trusts your local CA root store - so any of
       these companies could assist in a MITM attack against you and you'd  be
       screwed.

       This  tool is designed to be run by hand or as a system daemon. It must
       be run as root or otherwise have the proper caps; it will not  be  able
       to  set	the  system time without running as root or another privileged
       user.

OPTIONS
       -h | --help
	      Print the help message

       -s | --skip-verification
	      Skip certificate verification

       -H | --host [hostname|ip]
	      Set remote hostname (default: 'google.com')

       -n | --dont-set-clock
	      Do not set the system clock to the time of the remote server

       -p | --port [port]
	      Set remote port (default: '443')

       -P | --protocol [sslv23|sslv3|tlsv1]
	      Set protocol to use when	communicating  with  server  (default:
	      'tlsv1')

       -C | --certdir [dirname]
	      Set the local directory where certificates are located (default:
	      '/etc/ssl/certs') This allows  for  certificate  or  certificate
	      authority (CA) pinning. To ensure that signatures are only valid
	      if they are signed by a specific CA or certificate, set the path
	      to a directory containing only the desired certificates.

       -x | --proxy [proxy-type://proxyhost:proxyport]
	      The  proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as
	      followed:

	       http://127.0.0.1:8118
	       socks4a://127.0.0.1:9050
	       socks5://127.0.0.1:9050

	      The proxy support should not leak DNS requests and  is  suitable
	      for use with Tor.

       -v | --verbose
	      Provide verbose output

       -V | --showtime [human|raw]
	      Show  the time retrieved from the remote server in a human-read‐
	      able format or as a raw time_t.

       -t | --timewarp
	      If the local clock is before  RECENT_COMPILE_DATE;  we  set  the
	      clock  to	 the  RECENT_COMPILE_DATE. If the local clock is after
	      RECENT_COMPILE_DATE, we leave the clock alone. Clock setting  is
	      performed	 as  the  first	 operation and will impact certificate
	      verification. Specifically, this option is helpful if  on	 first
	      boot, the local system clock is set back to the era of Disco and
	      Terrible	    Hair.      This	 should	     ensure	  that
	      X509_V_ERR_CERT_NOT_YET_VALID or X509_V_ERR_CERT_HAS_EXPIRED are
	      not encountered because of a broken RTC or the lack of  a	 local
	      RTC;  we	assume	that tlsdate is recompiled yearly and that all
	      certificates are otherwise considered valid.

       -l | --leap
	      Normally, the passing of time or time yet to come	 ensures  that
	      SSL  verify  functions  will fail to validate certificates. Com‐
	      monly,		 X509_V_ERR_CERT_NOT_YET_VALID		   and
	      X509_V_ERR_CERT_HAS_EXPIRED  are	painfully  annoying  but still
	      very important error states. When the only issue with  the  cer‐
	      tificates	 in  question  is  the timing information, this option
	      allows you to trust the remote system's time, as long as	it  is
	      after  RECENT_COMPILE_DATE  and  before MAX_REASONABLE_TIME. The
	      connection will only be trusted if X509_V_ERR_CERT_NOT_YET_VALID
	      and/or  X509_V_OKX509_V_ERR_CERT_HAS_EXPIRED are the only errors
	      encountered. The SSL verify function will not  return  X509_V_OK
	      if  there are any other issues, such as self-signed certificates
	      or if the user pins to a CA that	is  not	 used  by  the	remote
	      server. This is useful if your RTC is broken on boot and you are
	      unable to use DNSEC until you've at least had some kind of  leap
	      of cryptographically assured data.

       -w | --http
	      Run  in  web  mode:  look	 for the time in an HTTP "Date" header
	      inside an HTTPS connection, rather than in  the  TLS  connection
	      itself.  The provided hostname and port must support HTTPS.

BUGS
       It's likely! Let us know by contacting jacob@appelbaum.net

       Note that tlsdate(1) is in Beta, and may not work as expected.

AUTHOR
       Jacob Appelbaum <jacob at appelbaum dot net>

SEE ALSO
       tlsdate(1), tlsdate-helper(1), tlsdated(8), tlsdated.conf(5)

Linux				 OCTOBER 2012			    TLSDATE(1)

Vote for polarhome