Usage: tstclnt -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port] [-D | -d certdir] [-C] [-b | -R root-module] [-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z] [-V [min-version]:[max-version]] [-K] [-T] [-U] [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups] [-A requestfile] [-L totalconnections] -a name Send different SNI name. 1st_hs_name - at first handshake, 2nd_hs_name - at second handshake. Default is host from the -h argument. -h host Hostname to connect with -p port Port number for SSL server -d certdir Directory with cert database (default is ~/.netscape) -D Run without a cert database -b Load the default "builtins" root CA module -R Load the given root CA module -C Print certificate chain information (use -C twice to print more certificate details) (use -C three times to include PEM format certificate dumps) -n nickname Nickname of key and cert for client auth -V [min]:[max] Restricts the set of enabled SSL/TLS protocols versions. All versions are enabled by default. Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2 tls1.3 Example: "-V ssl3:" enables SSL 3 and newer. -K Send TLS_FALLBACK_SCSV -S Prints only payload data. Skips HTTP header. -f Client speaks first. -O Use synchronous certificate validation -o Override bad server cert. Make it OK. -s Disable SSL socket locking. -v Verbose progress reporting. -q Ping the server and then exit. -t seconds Timeout for server ping (default: no timeout). -r N Renegotiate N times (resuming session if N>1). -u Enable the session ticket extension. -z Enable compression. -g Enable false start. -T Enable the cert_status extension (OCSP stapling). -U Enable the signed_certificate_timestamp extension. -F Require fresh revocation info from side channel. -F once means: require for server cert only -F twice means: require for intermediates, too (Connect, handshake with server, disable dynamic download of OCSP/CRL, verify cert using CERT_PKIXVerifyCert.) Exit code: 0: have fresh and valid revocation data, status good 1: cert failed to verify, prior to revocation checking 2: missing, old or invalid revocation data 3: have fresh and valid revocation data, status revoked -M Test -F allows 0=any (default), 1=only OCSP, 2=only CRL -c ciphers Restrict ciphers -Y Print cipher values allowed for parameter -c and exit -4 Enforce using an IPv4 destination address -6 Enforce using an IPv6 destination address (Options -4 and -6 cannot be combined.) -G Enable the extended master secret extension [RFC7627] -H Require the use of FFDHE supported groups [RFC7919] -A Read from a file instead of stdin -Z Allow 0-RTT data (TLS 1.3 only) -L Disconnect and reconnect up to N times total -I Comma separated list of enabled groups for TLS key exchange. The following values are valid: P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192

Usage: tstclnt -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port] [-D | -d certdir] [-C] [-b | -R root-module] [-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z] [-V [min-version]:[max-version]] [-K] [-T] [-U] [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups] [-A requestfile] [-L totalconnections] -a name Send different SNI name. 1st_hs_name - at first handshake, 2nd_hs_name - at second handshake. Default is host from the -h argument. -h host Hostname to connect with -p port Port number for SSL server -d certdir Directory with cert database (default is ~/.netscape) -D Run without a cert database -b Load the default "builtins" root CA module -R Load the given root CA module -C Print certificate chain information (use -C twice to print more certificate details) (use -C three times to include PEM format certificate dumps) -n nickname Nickname of key and cert for client auth -V [min]:[max] Restricts the set of enabled SSL/TLS protocols versions. All versions are enabled by default. Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2 tls1.3 Example: "-V ssl3:" enables SSL 3 and newer. -K Send TLS_FALLBACK_SCSV -S Prints only payload data. Skips HTTP header. -f Client speaks first. -O Use synchronous certificate validation -o Override bad server cert. Make it OK. -s Disable SSL socket locking. -v Verbose progress reporting. -q Ping the server and then exit. -t seconds Timeout for server ping (default: no timeout). -r N Renegotiate N times (resuming session if N>1). -u Enable the session ticket extension. -z Enable compression. -g Enable false start. -T Enable the cert_status extension (OCSP stapling). -U Enable the signed_certificate_timestamp extension. -F Require fresh revocation info from side channel. -F once means: require for server cert only -F twice means: require for intermediates, too (Connect, handshake with server, disable dynamic download of OCSP/CRL, verify cert using CERT_PKIXVerifyCert.) Exit code: 0: have fresh and valid revocation data, status good 1: cert failed to verify, prior to revocation checking 2: missing, old or invalid revocation data 3: have fresh and valid revocation data, status revoked -M Test -F allows 0=any (default), 1=only OCSP, 2=only CRL -c ciphers Restrict ciphers -Y Print cipher values allowed for parameter -c and exit -4 Enforce using an IPv4 destination address -6 Enforce using an IPv6 destination address (Options -4 and -6 cannot be combined.) -G Enable the extended master secret extension [RFC7627] -H Require the use of FFDHE supported groups [RFC7919] -A Read from a file instead of stdin -Z Allow 0-RTT data (TLS 1.3 only) -L Disconnect and reconnect up to N times total -I Comma separated list of enabled groups for TLS key exchange. The following values are valid: P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192