danetool is being built even without libgnutls-dane.
// cli-args.def -- AutoGen option definitions for the gnutls-cli program.
// Every "flag = { ... };" entry below becomes one command-line option:
// "descrip" is the one-line --help text and "doc" the longer manual text.
AutoGen Definitions options;
prog-name = gnutls-cli;
prog-title = "GnuTLS client";
prog-desc = "Simple client program to set up a TLS connection.";
short-usage = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
explain = "";
detail = "Simple client program to set up a TLS connection to some other computer.
It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
reorder-args;
argument = "[hostname]";

// args-std.def supplies the options shared by the GnuTLS tools;
// VERBOSE_OPT presumably enables its --verbose entry -- confirm against that file.
#define VERBOSE_OPT 1
#include args-std.def
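flag = {
    name = tofu;
    descrip = "Enable trust on first use authentication";
    // Off by default; "disable = no" also makes AutoGen generate --no-tofu.
    disabled;
    disable = "no";
    doc = "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.";
};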
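flag = {
    name = dane;
    descrip = "Enable DANE certificate verification (DNSSEC)";
    // Off by default; a --no-dane form is generated as well.
    disabled;
    disable = "no";
    // DANE is additive to CA verification here; CA verification itself is
    // only switched off by --no-ca-verification.
    doc = "This option will, in addition to certificate authentication using
the trusted CAs, verify the server certificates using the DANE information
available via DNSSEC.";
};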
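flag = {
    name = local-dns;
    descrip = "Use the local DNS server for DNSSEC resolving.";
    // Off by default (see the doc text for why); --no-local-dns is generated too.
    disabled;
    disable = "no";
    doc = "This option will use the local DNS server for DNSSEC.
This is disabled by default due to many servers not allowing DNSSEC.";
};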
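flag = {
    name = ca-verification;
    // This option is on by default ("enabled;") and "disable = no" generates
    // the --no-ca-verification form, which is what actually turns CA
    // verification off.  The descrip therefore has to describe the positive
    // option; the previous text ("Disable CA certificate verification") made
    // --help list --ca-verification as doing the opposite of what it does.
    descrip = "Enable CA certificate verification";
    enabled;
    disable = "no";
    doc = "This option can be used to enable or disable CA certificate verification. It is enabled by default; use --no-ca-verification to disable it, typically together with the --dane or --tofu options.";
};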
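flag = {
    name = ocsp;
    descrip = "Enable OCSP certificate verification";
    // Off by default; --no-ocsp is generated as well.
    disabled;
    disable = "no";
    doc = "This option will enable verification of the peer's certificate using ocsp";
};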
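flag = {
    name = resume;
    value = r;
    descrip = "Establish a session and resume";
    doc = "Connect, establish a session, reconnect and resume.";
};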
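flag = {
    name = heartbeat;
    value = b;
    descrip = "Activate heartbeat support";
    doc = "";
};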
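flag = {
    name = rehandshake;
    value = e;
    descrip = "Establish a session and rehandshake";
    doc = "Connect, establish a session and rehandshake immediately.";
};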
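flag = {
    name = noticket;
    descrip = "Don't accept session tickets";
    doc = "";
};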
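flag = {
    name = starttls;
    value = s;
    descrip = "Connect, establish a plain session and start TLS.";
    doc = "The TLS session will be initiated when EOF or a SIGALRM is received.";
};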
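flag = {
    name = udp;
    value = u;
    descrip = "Use DTLS (datagram TLS) over UDP";
    doc = "";
};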
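flag = {
    name = mtu;
    arg-type = number;
    // The generated parser rejects values outside this range before the
    // program ever sees them.
    arg-range = "0->17000";
    descrip = "Set MTU for datagram TLS";
    doc = "";
};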
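flag = {
    name = srtp_profiles;
    arg-type = string;
    descrip = "Offer SRTP profiles";
    doc = "";
};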
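flag = {
    name = crlf;
    descrip = "Send CR LF instead of LF";
    doc = "";
};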
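flag = {
    name = x509fmtder;
    descrip = "Use DER format for certificates to read from";
    doc = "";
};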
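flag = {
    name = fingerprint;
    value = f;
    descrip = "Send the openpgp fingerprint, instead of the key";
    doc = "";
};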
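flag = {
    name = disable-extensions;
    descrip = "Disable all the TLS extensions";
    // Deprecated (see doc); the priority string is the supported way to do this.
    doc = "This option disables all TLS extensions. Deprecated option. Use the priority string.";
};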
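flag = {
    name = print-cert;
    descrip = "Print peer's certificate in PEM format";
    doc = "";
};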
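flag = {
    name = recordsize;
    arg-type = number;
    // Range-checked by the generated parser.
    arg-range = "0->4096";
    descrip = "The maximum record size to advertize";
    doc = "";
};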
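flag = {
    name = dh-bits;
    arg-type = number;
    descrip = "The minimum number of bits allowed for DH";
    // Lowering this accepts weaker DH parameters from the peer; the doc
    // text says as much.  ("an connection error" -> "a connection error".)
    doc = "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get a connection error with unacceptable prime.";
};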
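flag = {
    name = priority;
    arg-type = string;
    descrip = "Priorities string";
    // The blank line inside the string is a paragraph break in the manual.
    doc = "TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, SECURE128, SECURE256.

Check the GnuTLS manual on section ``Priority strings'' for more
information on allowed keywords";
};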
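flag = {
    name = x509cafile;
    // A string rather than a file, because a PKCS #11 URL is also accepted.
    arg-type = string;
    descrip = "Certificate file or PKCS #11 URL to use";
    doc = "";
};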
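flag = {
    name = x509crlfile;
    arg-type = file;
    // The generated parser rejects a path that does not exist.
    file-exists = yes;
    descrip = "CRL file to use";
    doc = "";
};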
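flag = {
    name = pgpkeyfile;
    arg-type = file;
    file-exists = yes;
    descrip = "PGP Key file to use";
    doc = "";
};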
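flag = {
    name = pgpkeyring;
    arg-type = file;
    file-exists = yes;
    descrip = "PGP Key ring file to use";
    doc = "";
};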
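flag = {
    name = pgpcertfile;
    arg-type = file;
    file-exists = yes;
    descrip = "PGP Public Key (certificate) file to use";
    doc = "";
};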
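flag = {
    name = x509keyfile;
    // String, not file: a PKCS #11 URL is also accepted.
    arg-type = string;
    descrip = "X.509 key file or PKCS #11 URL to use";
    doc = "";
};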
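flag = {
    name = x509certfile;
    // String, not file: a PKCS #11 URL is also accepted.
    arg-type = string;
    descrip = "X.509 Certificate file or PKCS #11 URL to use";
    doc = "";
};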
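flag = {
    name = pgpsubkey;
    arg-type = string;
    descrip = "PGP subkey to use (hex or auto)";
    doc = "";
};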
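flag = {
    name = srpusername;
    arg-type = string;
    descrip = "SRP username to use";
    doc = "";
};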
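flag = {
    name = srppasswd;
    arg-type = string;
    // A password given here is visible to other local users through the
    // process list and may land in shell history.
    descrip = "SRP password to use";
    doc = "";
};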
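flag = {
    name = pskusername;
    arg-type = string;
    descrip = "PSK username to use";
    doc = "";
};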
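flag = {
    name = pskkey;
    arg-type = string;
    // A key given here is visible to other local users through the process
    // list; the EXAMPLES section below notes that omitting --pskkey makes
    // the client ask for it during the handshake instead.
    descrip = "PSK key (in hex) to use";
    doc = "";
};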
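flag = {
    name = port;
    value = p;
    // String rather than number so that a service name is accepted too.
    arg-type = string;
    descrip = "The port or service to connect to";
    doc = "";
};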
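flag = {
    name = insecure;
    // Lets the connection proceed even when the server certificate fails
    // validation, i.e. the peer is no longer authenticated by its certificate.
    descrip = "Don't abort program if server certificate can't be validated";
    doc = "";
};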
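flag = {
    name = benchmark-ciphers;
    descrip = "Benchmark individual ciphers";
    doc = "";
};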
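flag = {
    name = benchmark-soft-ciphers;
    descrip = "Benchmark individual software ciphers (no hw acceleration)";
    doc = "";
};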
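flag = {
    name = benchmark-tls-kx;
    descrip = "Benchmark TLS key exchange methods";
    doc = "";
};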
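flag = {
    name = benchmark-tls-ciphers;
    descrip = "Benchmark TLS ciphers";
    doc = "";
};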
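flag = {
    name = list;
    value = l;
    descrip = "Print a list of the supported algorithms and modes";
    doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
};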
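doc-section = {
    ds-type = 'SEE ALSO'; // or anything else
    ds-format = 'texi'; // or texi or mdoc format
    ds-text = <<-_EOF_
gnutls-cli-debug(1), gnutls-serv(1)
_EOF_;
};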
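doc-section = {
    ds-type = 'EXAMPLES';
    ds-format = 'texi';
    // Blank lines inside the here-document are texinfo paragraph breaks.
    // The PSK example passes the key on the command line; the paragraph
    // after it explains that leaving out --pskkey makes the client prompt
    // for it during the handshake instead.
    ds-text = <<-_EOF_
@subheading Connecting using PSK authentication
To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
@example
$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
--pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
--priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- PSK authentication.
- Version: TLS1.1
- Key Exchange: PSK
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
@end example
By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.

@subheading Listing ciphersuites in a priority string
To list the ciphersuites in a priority string:
@example
$ ./gnutls-cli --priority SECURE192 -l
Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
@end example
_EOF_;
};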