@node gnutls-cli-debug Invocation

@section Invoking gnutls-cli-debug

@pindex gnutls-cli-debug

@ignore

#  -*- buffer-read-only: t -*- vi: set ro:

#

# DO NOT EDIT THIS FILE   (invoke-gnutls-cli-debug.texi)

#

# It has been AutoGen-ed

# From the definitions    ../src/cli-debug-args.def

# and the template file   agtexi-cmd.tpl

@end ignore

TLS debug client. It sets up multiple TLS connections to 

a server and queries its capabilities. It was created to assist in debugging 

GnuTLS, but it might be useful to extract a TLS server's capabilities.

It connects to a TLS server, performs tests and print the server's 

capabilities. If called with the `-V' parameter more checks will be performed.

Can be used to check for servers with special needs or bugs.

This section was generated by @strong{AutoGen},

using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-cli-debug} program.

This software is released under the GNU General Public License, version 3 or later.

@anchor{gnutls-cli-debug usage}

@subheading gnutls-cli-debug help/usage (@option{--help})

@cindex gnutls-cli-debug help

This is the automatically generated usage text for gnutls-cli-debug.

The text printed is the same whether selected with the @code{help} option

(@option{--help}) or the @code{more-help} option (@option{--more-help}).  @code{more-help} will print

the usage text by passing it through a pager program.

@code{more-help} is disabled on platforms without a working

@code{fork(2)} function.  The @code{PAGER} environment variable is

used to select the program, defaulting to @file{more}.  Both will exit

with a status code of 0.

@exampleindent 0

@example

gnutls-cli-debug - GnuTLS debug client

Usage:  gnutls-cli-debug [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... 

   -d, --debug=num            Enable debugging

                                - it must be in the range:

                                  0 to 9999

   -V, --verbose              More verbose output

                                - may appear multiple times

   -p, --port=num             The port to connect to

                                - it must be in the range:

                                  0 to 65536

       --app-proto=str        an alias for the 'starttls-proto' option

       --starttls-proto=str   The application protocol to be used to obtain the server's certificate

(https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)

   -v, --version[=arg]        output version information and exit

   -h, --help                 display extended usage information and exit

   -!, --more-help            extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single

hyphen and the flag character.

Operands and options may be intermixed.  They will be reordered.

TLS debug client.  It sets up multiple TLS connections to a server and

queries its capabilities.  It was created to assist in debugging GnuTLS,

but it might be useful to extract a TLS server's capabilities.  It connects

to a TLS server, performs tests and print the server's capabilities.  If

called with the `-V' parameter more checks will be performed.  Can be used

to check for servers with special needs or bugs.

@end example

@exampleindent 4

@anchor{gnutls-cli-debug debug}

@subheading debug option (-d)

This is the ``enable debugging'' option.

This option takes a number argument.

Specifies the debug level.

@anchor{gnutls-cli-debug app-proto}

@subheading app-proto option

This is an alias for the @code{starttls-proto} option,

@pxref{gnutls-cli-debug starttls-proto, the starttls-proto option documentation}.

@anchor{gnutls-cli-debug starttls-proto}

@subheading starttls-proto option

This is the ``the application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)'' option.

This option takes a string argument.

Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.

@anchor{gnutls-cli-debug exit status}

@subheading gnutls-cli-debug exit status

One of the following exit values will be returned:

@table @samp

@item 0 (EXIT_SUCCESS)

Successful program execution.

@item 1 (EXIT_FAILURE)

The operation failed or the command syntax was not valid.

@end table

@anchor{gnutls-cli-debug See Also}

@subheading gnutls-cli-debug See Also

gnutls-cli(1), gnutls-serv(1)

@anchor{gnutls-cli-debug Examples}

@subheading gnutls-cli-debug Examples

@example

$ gnutls-cli-debug localhost

GnuTLS debug client 3.5.0

Checking localhost:443

                             for SSL 3.0 (RFC6101) support... yes

                        whether we need to disable TLS 1.2... no

                        whether we need to disable TLS 1.1... no

                        whether we need to disable TLS 1.0... no

                        whether %NO_EXTENSIONS is required... no

                               whether %COMPAT is required... no

                             for TLS 1.0 (RFC2246) support... yes

                             for TLS 1.1 (RFC4346) support... yes

                             for TLS 1.2 (RFC5246) support... yes

                                  fallback from TLS 1.6 to... TLS1.2

                        for RFC7507 inappropriate fallback... yes

                                     for HTTPS server name... Local

                               for certificate chain order... sorted

                  for safe renegotiation (RFC5746) support... yes

                     for Safe renegotiation support (SCSV)... no

                    for encrypt-then-MAC (RFC7366) support... no

                   for ext master secret (RFC7627) support... no

                           for heartbeat (RFC6520) support... no

                       for version rollback bug in RSA PMS... dunno

                  for version rollback bug in Client Hello... no

            whether the server ignores the RSA PMS version... yes

whether small records (512 bytes) are tolerated on handshake... yes

    whether cipher suites not in SSL 3.0 spec are accepted... yes

whether a bogus TLS record version in the client hello is accepted... yes

         whether the server understands TLS closure alerts... partially

            whether the server supports session resumption... yes

                      for anonymous authentication support... no

                      for ephemeral Diffie-Hellman support... no

                   for ephemeral EC Diffie-Hellman support... yes

                    ephemeral EC Diffie-Hellman group info... SECP256R1

                  for AES-128-GCM cipher (RFC5288) support... yes

                  for AES-128-CCM cipher (RFC6655) support... no

                for AES-128-CCM-8 cipher (RFC6655) support... no

                  for AES-128-CBC cipher (RFC3268) support... yes

             for CAMELLIA-128-GCM cipher (RFC6367) support... no

             for CAMELLIA-128-CBC cipher (RFC5932) support... no

                     for 3DES-CBC cipher (RFC2246) support... yes

                  for ARCFOUR 128 cipher (RFC2246) support... yes

                                       for MD5 MAC support... yes

                                      for SHA1 MAC support... yes

                                    for SHA256 MAC support... yes

                              for ZLIB compression support... no

                     for max record size (RFC6066) support... no

                for OCSP status response (RFC6066) support... no

              for OpenPGP authentication (RFC6091) support... no

@end example

You could also use the client to debug services with starttls capability.

@example

$ gnutls-cli-debug --starttls-proto smtp --port 25 localhost

@end example