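// gnutls-cli option definitions (AutoGen/autoopts "options" template).
// The generated command-line parser, --help text and manual page are
// produced from the descrip/doc strings and doc-sections in this file.
AutoGen Definitions options;
prog-name = gnutls-cli;
prog-title = "GnuTLS client";
prog-desc = "Simple client program to set up a TLS connection.";
short-usage = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
explain = "";
detail = "Simple client program to set up a TLS connection to some other computer.
It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
reorder-args;
argument = "[hostname]";

// Options shared by the gnutls tools come from args-std.def; VERBOSE_OPT
// is defined before the include, presumably so that file can test it.
#define VERBOSE_OPT 1
#include args-std.def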
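// --tofu: off by default ("disabled;"); "disable" supplies the --no-tofu
// negated form. Adds previously-seen-key (SSH-style) checks on top of,
// not instead of, certificate authentication.
flag = {
    name = tofu;
    descrip = "Enable trust on first use authentication";
    disabled;
    disable = "no";
    doc = "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.";
};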
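// --ocsp: off by default ("disabled;"), --no-ocsp available via "disable".
// Turns on OCSP checking of the peer's certificate; what happens when the
// responder is unreachable is not specified here.
flag = {
    name = ocsp;
    descrip = "Enable OCSP certificate verification";
    disabled;
    disable = "no";
    doc = "This option will enable verification of the peer's certificate using ocsp";
};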
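// -r / --resume: full handshake, then reconnect and resume the session
// (exercises session resumption).
flag = {
    name = resume;
    value = r;
    descrip = "Establish a session and resume";
    doc = "Connect, establish a session, reconnect and resume.";
};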
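// -b / --heartbeat: activate heartbeat support (doc left empty).
flag = {
    name = heartbeat;
    value = b;
    descrip = "Activate heartbeat support";
    doc = "";
};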
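// -e / --rehandshake: establish a session and immediately rehandshake.
flag = {
    name = rehandshake;
    value = e;
    descrip = "Establish a session and rehandshake";
    doc = "Connect, establish a session and rehandshake immediately.";
};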
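// --noticket: refuse session tickets offered by the server (doc left empty).
flag = {
    name = noticket;
    descrip = "Don't accept session tickets";
    doc = "";
};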
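// --status-request-ocsp: signal via a TLS extension that an OCSP status
// request is wanted; unlike --ocsp this is only the extension, not the
// verification itself.
flag = {
    name = status-request-ocsp;
    descrip = "Request OCSP status request";
    doc = "The client will indicate to the server in a TLS extension that it wants a OCSP status request.";
};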
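// -s / --starttls: open a plain-text session first; TLS is started when
// EOF or SIGALRM is received (the client decides when to upgrade).
flag = {
    name = starttls;
    value = s;
    descrip = "Connect, establish a plain session and start TLS.";
    doc = "The TLS session will be initiated when EOF or a SIGALRM is received.";
};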
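// -u / --udp: use DTLS over UDP instead of TLS over TCP (doc left empty).
flag = {
    name = udp;
    value = u;
    descrip = "Use DTLS (datagram TLS) over UDP";
    doc = "";
};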
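// --mtu: numeric MTU for datagram TLS; arg-range 0..17000 is enforced by
// the generated parser, so out-of-range values are rejected before use.
flag = {
    name = mtu;
    arg-type = number;
    arg-range = "0->17000";
    descrip = "Set MTU for datagram TLS";
    doc = "";
};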
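// --crlf: translate LF to CR LF on the data sent to the peer (doc left empty).
flag = {
    name = crlf;
    descrip = "Send CR LF instead of LF";
    doc = "";
};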
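// --x509fmtder: read certificate files as DER rather than PEM (doc left empty).
flag = {
    name = x509fmtder;
    descrip = "Use DER format for certificates to read from";
    doc = "";
};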
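// -f / --fingerprint: send the OpenPGP fingerprint instead of the key
// (doc left empty).
flag = {
    name = fingerprint;
    value = f;
    descrip = "Send the openpgp fingerprint, instead of the key";
    doc = "";
};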
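// --disable-extensions: diagnostic/interop switch turning off all TLS
// extensions. How it interacts with extension-based options defined here
// (e.g. --status-request-ocsp) is not specified in this file.
flag = {
    name = disable-extensions;
    descrip = "Disable all the TLS extensions";
    doc = "";
};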
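// --print-cert: dump the peer's certificate in PEM form (doc left empty).
flag = {
    name = print-cert;
    descrip = "Print peer's certificate in PEM format";
    doc = "";
};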
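// --recordsize: maximum record size advertised to the peer; the 0..4096
// arg-range is enforced by the generated parser.
flag = {
    name = recordsize;
    arg-type = number;
    arg-range = "0->4096";
    descrip = "The maximum record size to advertize";
    doc = "";
};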
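// --dh-bits: floor on the DH group size accepted from the peer. No arg-range
// is given, so any number is accepted; lowering the value means accepting
// weaker primes, which the doc text presents as an interoperability fallback.
flag = {
    name = dh-bits;
    arg-type = number;
    descrip = "The minimum number of bits allowed for DH";
    doc = "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.";
};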
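// --priority: GnuTLS priority string selecting algorithms and protocols.
// The doc value is a multi-line string literal; the blank line inside it
// is a paragraph break in the generated manual.
flag = {
    name = priority;
    arg-type = string;
    descrip = "Priorities string";
    doc = "TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, SECURE128, SECURE256.

Check the GnuTLS manual on section ``Priority strings'' for more
information on allowed keywords";
};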
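// --x509cafile: trust anchors. arg-type is string (not file) because a
// PKCS #11 URL is also accepted, so no file-exists check is applied here.
flag = {
    name = x509cafile;
    arg-type = string;
    descrip = "Certificate file or PKCS #11 URL to use";
    doc = "";
};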
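// --x509crlfile: CRL file; arg-type file with file-exists so the generated
// parser rejects a missing path up front.
flag = {
    name = x509crlfile;
    arg-type = file;
    file-exists = yes;
    descrip = "CRL file to use";
    doc = "";
};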
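// --pgpkeyfile: OpenPGP private key file; existence checked by the parser.
flag = {
    name = pgpkeyfile;
    arg-type = file;
    file-exists = yes;
    descrip = "PGP Key file to use";
    doc = "";
};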
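// --pgpkeyring: OpenPGP key ring file; existence checked by the parser.
flag = {
    name = pgpkeyring;
    arg-type = file;
    file-exists = yes;
    descrip = "PGP Key ring file to use";
    doc = "";
};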
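// --pgpcertfile: OpenPGP public key (certificate) file; existence checked
// by the parser.
flag = {
    name = pgpcertfile;
    arg-type = file;
    file-exists = yes;
    descrip = "PGP Public Key (certificate) file to use";
    doc = "";
};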
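// --x509keyfile: client private key as a file or PKCS #11 URL; string type,
// so no file-exists check (consistent with --x509cafile / --x509certfile).
flag = {
    name = x509keyfile;
    arg-type = string;
    descrip = "X.509 key file or PKCS #11 URL to use";
    doc = "";
};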
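// --x509certfile: client certificate as a file or PKCS #11 URL; string
// type, so no file-exists check.
flag = {
    name = x509certfile;
    arg-type = string;
    descrip = "X.509 Certificate file or PKCS #11 URL to use";
    doc = "";
};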
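// --pgpsubkey: OpenPGP subkey selector, a hex id or "auto" (doc left empty).
flag = {
    name = pgpsubkey;
    arg-type = string;
    descrip = "PGP subkey to use (hex or auto)";
    doc = "";
};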
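// --srpusername: SRP identity sent to the server (doc left empty).
flag = {
    name = srpusername;
    arg-type = string;
    descrip = "SRP username to use";
    doc = "";
};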
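// --srppasswd: SRP password taken from the command line. NOTE(review):
// argv is generally visible to other local users and shell history, so
// documenting an interactive or file-based alternative would be useful.
flag = {
    name = srppasswd;
    arg-type = string;
    descrip = "SRP password to use";
    doc = "";
};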
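// --pskusername: PSK identity; the EXAMPLES doc-section notes that giving
// this without --pskkey makes the client prompt for the key.
flag = {
    name = pskusername;
    arg-type = string;
    descrip = "PSK username to use";
    doc = "";
};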
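// --pskkey: hex-encoded pre-shared key on the command line. NOTE(review):
// like --srppasswd this exposes a secret via argv; the prompt path used
// when the option is omitted avoids that.
flag = {
    name = pskkey;
    arg-type = string;
    descrip = "PSK key (in hex) to use";
    doc = "";
};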
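// -p / --port: port number or service name; kept as a string so service
// names resolve (doc left empty).
flag = {
    name = port;
    value = p;
    arg-type = string;
    descrip = "The port or service to connect to";
    doc = "";
};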
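// --insecure: continue even when the server certificate fails validation.
// The peer is then unauthenticated; intended for debugging, and the doc
// text (empty here) should say so.
flag = {
    name = insecure;
    descrip = "Don't abort program if server certificate can't be validated";
    doc = "";
};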
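// --benchmark-ciphers: time individual ciphers locally, no connection needed.
flag = {
    name = benchmark-ciphers;
    descrip = "Benchmark individual ciphers";
    doc = "";
};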
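// --benchmark-soft-ciphers: same as --benchmark-ciphers but with hardware
// acceleration excluded.
flag = {
    name = benchmark-soft-ciphers;
    descrip = "Benchmark individual software ciphers (no hw acceleration)";
    doc = "";
};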
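// --benchmark-tls-kx: time the TLS key exchange methods.
flag = {
    name = benchmark-tls-kx;
    descrip = "Benchmark TLS key exchange methods";
    doc = "";
};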
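// --benchmark-tls-ciphers: time the ciphers as used inside TLS.
flag = {
    name = benchmark-tls-ciphers;
    descrip = "Benchmark TLS ciphers";
    doc = "";
};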
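// -l / --list: print supported algorithms and modes; combined with
// --priority it shows only the ciphersuites that string enables (see the
// EXAMPLES doc-section).
flag = {
    name = list;
    value = l;
    descrip = "Print a list of the supported algorithms and modes";
    doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
};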
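// Manual page "SEE ALSO" section; ds-text is a here-document in texinfo.
doc-section = {
    ds-type = 'SEE ALSO'; // section heading, any name is allowed
    ds-format = 'texi'; // 'texi' or 'mdoc'
    ds-text = <<-_EOF_
gnutls-cli-debug(1), gnutls-serv(1)
_EOF_;
};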
287 doc-section = {
288 ds-type = 'EXAMPLES';
289 ds-format = 'texi';
290 ds-text = <<-_EOF_
291 @subheading Connecting using PSK authentication
292 To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
293 @example
294 $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
295 --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
296 --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
297 Resolving 'localhost'...
298 Connecting to '127.0.0.1:5556'...
299 - PSK authentication.
300 - Version: TLS1.1
301 - Key Exchange: PSK
302 - Cipher: AES-128-CBC
303 - MAC: SHA1
304 - Compression: NULL
305 - Handshake was completed
307 - Simple Client Mode:
308 @end example
309 By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.
311 @subheading Listing ciphersuites in a priority string
312 To list the ciphersuites in a priority string:
313 @example
314 $ ./gnutls-cli --priority SECURE192 -l
315 Cipher suites for SECURE192
316 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
317 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
318 TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
319 TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
320 TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
321 TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
323 Certificate types: CTYPE-X.509
324 Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
325 Compression: COMP-NULL
326 Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
327 PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
328 @end example
329 _EOF_;