TLSDATE(1)                       User Manuals                       TLSDATE(1)


NAME

       tlsdate - secure parasitic rdate replacement


SYNOPSIS

       tlsdate [-hnvVstlw] [-H hostname] [-p port] [-P sslv23|sslv3|tlsv1]
               [-C|--certdir dirname] [-x|--proxy proxy-type://proxyhost:proxyport]


DESCRIPTION

       tlsdate is a tool for setting the system clock by hand or by communica‐
       tion with the network. It does not set the Real Time Clock. It is
       designed to be as secure as TLS (RFC 2246), but of course the security
       of TLS is only as good as whichever CA racket you believe is trustwor‐
       thy. By default, tlsdate trusts your local CA root store, so any of
       those CAs could assist in a MITM attack against you and hand you an
       attacker-chosen time. See --certdir for pinning to a CA or certificate
       you actually trust.

       This tool is designed to be run by hand or as a system daemon. It must
       be run as root or otherwise have the proper capabilities; it will not
       be able to set the system time without running as root or another
       privileged user.


OPTIONS

       -h | --help
              Print the help message

       -s | --skip-verification
              Skip certificate verification. The remote time is then taken
              from an unauthenticated peer, so an on-path attacker can set
              your clock to anything.

       -H | --host [hostname|ip]
              Set remote hostname (default: 'google.com')

       -n | --dont-set-clock
              Do not set the system clock to the time of the remote server

       -p | --port [port]
              Set remote port (default: '443')

       -P | --protocol [sslv23|sslv3|tlsv1]
              Set protocol to use when communicating with the server
              (default: 'tlsv1')

       -C | --certdir [dirname]
              Set the local directory where certificates are located
              (default: '/etc/ssl/certs'). This allows for certificate or
              certificate authority (CA) pinning: to accept a chain only if
              it is signed by a specific CA or certificate, point this at a
              directory containing only the desired certificates.

       -x | --proxy [proxy-type://proxyhost:proxyport]
              The proxy argument expects an HTTP, SOCKS4A or SOCKS5 proxy,
              formatted as follows:

               http://127.0.0.1:8118
               socks4a://127.0.0.1:9050
               socks5://127.0.0.1:9050

              The proxy support should not leak DNS requests and is suitable
              for use with Tor.

       -v | --verbose
              Provide verbose output

       -V | --showtime [human|raw]
              Show the time retrieved from the remote server in a
              human-readable format or as a raw time_t.

       -t | --timewarp
              If the local clock is before RECENT_COMPILE_DATE, set the clock
              to RECENT_COMPILE_DATE. If the local clock is after
              RECENT_COMPILE_DATE, leave it alone. Clock setting is performed
              as the first operation and therefore affects certificate
              verification. Specifically, this option helps when, on first
              boot, the local system clock is set back to the era of Disco
              and Terrible Hair. It should ensure that
              X509_V_ERR_CERT_NOT_YET_VALID or X509_V_ERR_CERT_HAS_EXPIRED are
              not encountered because of a broken RTC or the lack of a local
              RTC; we assume that tlsdate is recompiled yearly and that all
              certificates are otherwise considered valid.

       -l | --leap
              Normally, the passing of time (or time yet to come) ensures
              that the SSL verify functions will fail to validate
              certificates. Commonly, X509_V_ERR_CERT_NOT_YET_VALID and
              X509_V_ERR_CERT_HAS_EXPIRED are painfully annoying but still
              very important error states. When the only issue with the
              certificates in question is the timing information, this option
              allows you to trust the remote system's time, as long as it is
              after RECENT_COMPILE_DATE and before MAX_REASONABLE_TIME. The
              connection will only be trusted if X509_V_ERR_CERT_NOT_YET_VALID
              and/or X509_V_ERR_CERT_HAS_EXPIRED are the only errors
              encountered. The SSL verify function will not return X509_V_OK
              if there are any other issues, such as self-signed certificates
              or if the user pins to a CA that is not used by the remote
              server. This is useful if your RTC is broken on boot and you
              are unable to use DNSSEC until you've at least had some kind of
              leap of cryptographically assured data.

       -w | --http
              Run in web mode: look for the time in an HTTP "Date" header
              inside an HTTPS connection, rather than in the TLS connection
              itself. The provided hostname and port must support HTTPS.

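       The following is an added example, not code from tlsdate or its
       author. It shows in portable C the two places this page says the
       remote time comes from (the gmt_unix_time field that RFC 2246 section
       7.4.1.2 puts in the first four bytes of the ServerHello random, and
       the HTTP "Date" header used by --http) and the acceptance rules behind
       --timewarp and --leap. The values of RECENT_COMPILE_DATE and
       MAX_REASONABLE_TIME, the verify codes (copied from OpenSSL's
       x509_vfy.h numbering so the example builds without OpenSSL) and the
       sample inputs are all assumptions made for the example.

```c
/* Added example, not tlsdate's own code: remote-time extraction and the
 * -t / -l acceptance rules in plain C with no OpenSSL dependency.
 * Bounds, verify codes and sample inputs below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Assumed stand-ins for the compile-time bounds the man page names. */
#define RECENT_COMPILE_DATE ((time_t)1349049600) /* 2012-10-01T00:00:00Z, assumed */
#define MAX_REASONABLE_TIME ((time_t)1893456000) /* 2030-01-01T00:00:00Z, assumed */

/* Verify result codes. Values mirror OpenSSL's x509_vfy.h but are defined
 * locally so the example compiles without OpenSSL headers. */
enum { V_OK = 0, V_ERR_CERT_NOT_YET_VALID = 9, V_ERR_CERT_HAS_EXPIRED = 10,
       V_ERR_SELF_SIGNED_CERT = 18 };

/* Default mode: RFC 2246 section 7.4.1.2 defines the first four bytes of
 * the 32-byte ServerHello random as gmt_unix_time, a big-endian uint32. */
uint32_t servhello_gmt_unix_time(const unsigned char random32[32])
{
    return ((uint32_t)random32[0] << 24) | ((uint32_t)random32[1] << 16) |
           ((uint32_t)random32[2] << 8)  |  (uint32_t)random32[3];
}

/* Days since 1970-01-01 for a proleptic Gregorian civil date. */
static long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;                                   /* [0, 399]    */
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;  /* [0, 365]    */
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;           /* [0, 146096] */
    return era * 146097 + doe - 719468;
}

/* -w mode: parse an RFC 1123 HTTP "Date:" value such as
 * "Thu, 01 Nov 2012 14:00:00 GMT". Returns (time_t)-1 on malformed input. */
time_t parse_http_date(const char *value)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char wday[4], mon[4], tz[4];
    int d, y, hh, mm, ss, n = 0;
    const char *p;

    if (sscanf(value, "%3s, %2d %3s %4d %2d:%2d:%2d %3s%n",
               wday, &d, mon, &y, &hh, &mm, &ss, tz, &n) != 8 || value[n] != '\0')
        return (time_t)-1;
    p = strstr(months, mon);
    if (strcmp(tz, "GMT") != 0 || strlen(mon) != 3 || !p || (p - months) % 3 != 0)
        return (time_t)-1;
    if (d < 1 || d > 31 || y < 1970 || hh < 0 || hh > 23 ||
        mm < 0 || mm > 59 || ss < 0 || ss > 60)
        return (time_t)-1;
    return (time_t)days_from_civil(y, (int)((p - months) / 3) + 1, d) * 86400
           + hh * 3600 + mm * 60 + ss;
}

/* -t: a local clock that predates the build is warped forward before the
 * handshake, so the chain is not rejected because of a bogus "now". */
time_t timewarp(time_t local_now)
{
    return local_now < RECENT_COMPILE_DATE ? RECENT_COMPILE_DATE : local_now;
}

/* -l: trust the remote time only if every verify error is a pure timing
 * error and the remote time itself lies inside the plausible window. */
int leap_accept(const int *verify_errors, size_t count, time_t remote_time)
{
    size_t i;
    for (i = 0; i < count; i++) {
        int e = verify_errors[i];
        if (e != V_OK && e != V_ERR_CERT_NOT_YET_VALID && e != V_ERR_CERT_HAS_EXPIRED)
            return 0; /* self-signed, wrong CA, etc.: never papered over */
    }
    return remote_time > RECENT_COMPILE_DATE && remote_time < MAX_REASONABLE_TIME;
}

int main(void)
{
    /* Constructed ServerHello random: gmt_unix_time 0x50928060 = 1351778400. */
    unsigned char random32[32] = { 0x50, 0x92, 0x80, 0x60 };
    int only_timing[] = { V_ERR_CERT_HAS_EXPIRED };
    int self_signed[] = { V_ERR_CERT_HAS_EXPIRED, V_ERR_SELF_SIGNED_CERT };
    time_t hello = (time_t)servhello_gmt_unix_time(random32);
    time_t http = parse_http_date("Thu, 01 Nov 2012 14:00:00 GMT");

    printf("ServerHello time: %ld, HTTP Date: %ld\n", (long)hello, (long)http);
    printf("timewarp(0) -> %ld\n", (long)timewarp(0));
    printf("leap, expired only: %d; leap, self-signed chain: %d\n",
           leap_accept(only_timing, 1, hello), leap_accept(self_signed, 2, hello));
    return 0;
}
```

       Note that neither source of time is authenticated by itself: the
       ServerHello random and the Date header are only worth trusting because
       the TLS handshake that carries them was verified against the CA
       directory, which is why the --leap rule refuses to accept anything but
       pure timing errors.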

BUGS

       It's likely! Let us know by contacting jacob@appelbaum.net

       Note that tlsdate(1) is in Beta, and may not work as expected.


AUTHOR

       Jacob Appelbaum <jacob at appelbaum dot net>


SEE ALSO

       tlsdate(1), tlsdate-helper(1), tlsdated(8), tlsdated.conf(5)



Linux                            OCTOBER 2012                       TLSDATE(1)