1 AutoGen Definitions options
;
2 prog
-name
= gnutls
-cli
;
3 prog
-title
= "GnuTLS client";
4 prog
-desc
= "Simple client program to set up a TLS connection.";
5 short
-usage
= "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
7 detail
= "Simple client program to set up a TLS connection to some other computer.
8 It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
10 argument
= "[hostname]";
17 descrip
= "Enable trust on first use authentication";
20 doc
= "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.";
25 descrip
= "Enable DANE certificate verification (DNSSEC)";
28 doc
= "This option will, in addition to certificate authentication using
29 the trusted CAs, verify the server certificates using on the DANE information
30 available via DNSSEC.";
35 descrip
= "Use the local DNS server for DNSSEC resolving.";
38 doc
= "This option will use the local DNS server for DNSSEC.
39 This is disabled by default due to many servers not allowing DNSSEC.";
43 name
= ca
-verification
;
44 descrip
= "Disable CA certificate verification";
47 doc
= "This option will disable CA certificate verification. It is to be used with the --dane or --tofu options.";
52 descrip
= "Enable OCSP certificate verification";
55 doc
= "This option will enable verification of the peer's certificate using ocsp";
61 descrip
= "Establish a session and resume";
62 doc
= "Connect, establish a session, reconnect and resume.";
68 descrip
= "Activate heartbeat support";
75 descrip
= "Establish a session and rehandshake";
76 doc
= "Connect, establish a session and rehandshake immediately.";
81 descrip
= "Don't accept session tickets";
88 descrip
= "Connect, establish a plain session and start TLS.";
89 doc
= "The TLS session will be initiated when EOF or a SIGALRM is received.";
95 descrip
= "Use DTLS (datagram TLS) over UDP";
102 arg
-range
= "0->17000";
103 descrip
= "Set MTU for datagram TLS";
108 name
= srtp_profiles
;
110 descrip
= "Offer SRTP profiles";
116 descrip
= "Send CR LF instead of LF";
122 descrip
= "Use DER format for certificates to read from";
129 descrip
= "Send the openpgp fingerprint, instead of the key";
134 name
= disable
-extensions
;
135 descrip
= "Disable all the TLS extensions";
136 doc
= "This option disables all TLS extensions. Deprecated option. Use the priority string.";
141 descrip
= "Print peer's certificate in PEM format";
148 arg
-range
= "0->4096";
149 descrip
= "The maximum record size to advertize";
156 descrip
= "The minimum number of bits allowed for DH";
157 doc
= "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.";
163 descrip
= "Priorities string";
164 doc
= "TLS algorithms and protocols to enable. You can
165 use predefined sets of ciphersuites such as PERFORMANCE,
166 NORMAL, SECURE128, SECURE256.
168 Check the GnuTLS manual on section ``Priority strings'' for more
169 information on allowed keywords";
175 descrip
= "Certificate file or PKCS #11 URL to use";
183 descrip
= "CRL file to use";
191 descrip
= "PGP Key file to use";
199 descrip
= "PGP Key ring file to use";
207 descrip
= "PGP Public Key (certificate) file to use";
214 descrip
= "X.509 key file or PKCS #11 URL to use";
221 descrip
= "X.509 Certificate file or PKCS #11 URL to use";
228 descrip
= "PGP subkey to use (hex or auto)";
235 descrip
= "SRP username to use";
242 descrip
= "SRP password to use";
249 descrip
= "PSK username to use";
256 descrip
= "PSK key (in hex) to use";
264 descrip
= "The port or service to connect to";
270 descrip
= "Don't abort program if server certificate can't be validated";
275 name
= benchmark
-ciphers
;
276 descrip
= "Benchmark individual ciphers";
281 name
= benchmark
-soft
-ciphers
;
282 descrip
= "Benchmark individual software ciphers (no hw acceleration)";
287 name
= benchmark
-tls
-kx
;
288 descrip
= "Benchmark TLS key exchange methods";
293 name
= benchmark
-tls
-ciphers
;
294 descrip
= "Benchmark TLS ciphers";
301 descrip
= "Print a list of the supported algorithms and modes";
302 doc
= "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
308 ds
-type
= 'SEE ALSO'; // or anything else
309 ds
-format
= 'texi'; // or texi or mdoc format
311 gnutls
-cli
-debug(1), gnutls
-serv(1)
316 ds
-type
= 'EXAMPLES';
319 @subheading Connecting using PSK authentication
320 To connect to a server using PSK authentication
, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
322 $ .
/gnutls
-cli
-p
5556 localhost
--pskusername psk_identity \
323 --pskkey
88f3824b3e5659f52d00e959bacab954b6540344 \
324 --priority NORMAL
:-KX
-ALL
:+ECDHE
-PSK
:+DHE
-PSK
:+PSK
325 Resolving
'localhost'...
326 Connecting to
'127.0.0.1:5556'...
327 - PSK authentication.
330 - Cipher
: AES
-128-CBC
333 - Handshake was completed
335 - Simple Client Mode
:
337 By keeping the
--pskusername parameter and removing the
--pskkey parameter
, it will query only for the password during the handshake.
339 @subheading Listing ciphersuites in a priority string
340 To list the ciphersuites in a priority string
:
342 $ .
/gnutls
-cli
--priority SECURE192
-l
343 Cipher suites for SECURE192
344 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384
0xc0, 0x24 TLS1.2
345 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384
0xc0, 0x2e TLS1.2
346 TLS_ECDHE_RSA_AES_256_GCM_SHA384
0xc0, 0x30 TLS1.2
347 TLS_DHE_RSA_AES_256_CBC_SHA256
0x00, 0x6b TLS1.2
348 TLS_DHE_DSS_AES_256_CBC_SHA256
0x00, 0x6a TLS1.2
349 TLS_RSA_AES_256_CBC_SHA256
0x00, 0x3d TLS1.2
351 Certificate types
: CTYPE
-X
.509
352 Protocols
: VERS
-TLS1.2
, VERS
-TLS1.1
, VERS
-TLS1.0
, VERS
-SSL3.0
, VERS
-DTLS1.0
353 Compression
: COMP
-NULL
354 Elliptic curves
: CURVE
-SECP384R1
, CURVE
-SECP521R1
355 PK
-signatures
: SIGN
-RSA
-SHA384
, SIGN
-ECDSA
-SHA384
, SIGN
-RSA
-SHA512
, SIGN
-ECDSA
-SHA512