@node gnutls-cli Invocation
@section Invoking gnutls-cli
@pindex gnutls-cli
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-gnutls-cli.texi)
#
# It has been AutoGen-ed
# From the definitions ../src/cli-args.def
# and the template file agtexi-cmd.tpl
@end ignore


Simple client program to set up a TLS connection to some other computer.
It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.

This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-cli} program.
This software is released under the GNU General Public License, version 3 or later.


@anchor{gnutls-cli usage}
@subheading gnutls-cli help/usage (@option{--help})
@cindex gnutls-cli help

This is the automatically generated usage text for gnutls-cli.

The text printed is the same whether selected with the @code{help} option
(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
the usage text by passing it through a pager program.
@code{more-help} is disabled on platforms without a working
@code{fork(2)} function. The @code{PAGER} environment variable is
used to select the program, defaulting to @file{more}. Both will exit
with a status code of 0.

@exampleindent 0
@example
gnutls-cli - GnuTLS client
Usage:  gnutls-cli [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [hostname]

   -d, --debug=num            Enable debugging
                                - it must be in the range:
                                  0 to 9999
   -V, --verbose              More verbose output
                                - may appear multiple times
       --tofu                 Enable trust on first use authentication
                                - disabled as '--no-tofu'
       --strict-tofu          Fail to connect if a certificate is unknown or a known certificate has
                              changed
                                - disabled as '--no-strict-tofu'
       --dane                 Enable DANE certificate verification (DNSSEC)
                                - disabled as '--no-dane'
       --local-dns            Use the local DNS server for DNSSEC resolving
                                - disabled as '--no-local-dns'
       --ca-verification      Enable CA certificate verification
                                - disabled as '--no-ca-verification'
                                - enabled by default
       --ocsp                 Enable OCSP certificate verification
                                - disabled as '--no-ocsp'
   -r, --resume               Establish a session and resume
       --earlydata=str        Send early data on resumption from the specified file
   -e, --rehandshake          Establish a session and rehandshake
       --sni-hostname=str     Server's hostname for server name indication extension
       --verify-hostname=str  Server's hostname to use for validation
   -s, --starttls             Connect, establish a plain session and start TLS
       --app-proto=str        an alias for the 'starttls-proto' option
       --starttls-proto=str   The application protocol to be used to obtain the server's certificate
                              (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)
                                - prohibits the option 'starttls'
   -u, --udp                  Use DTLS (datagram TLS) over UDP
       --mtu=num              Set MTU for datagram TLS
                                - it must be in the range:
                                  0 to 17000
       --crlf                 Send CR LF instead of LF
       --fastopen             Enable TCP Fast Open
       --x509fmtder           Use DER format for certificates to read from
       --print-cert           Print peer's certificate in PEM format
       --save-cert=str        Save the peer's certificate chain in the specified file in PEM format
       --save-ocsp=str        Save the peer's OCSP status response in the provided file
                                - prohibits the option 'save-ocsp-multi'
       --save-ocsp-multi=str  Save all OCSP responses provided by the peer in this file
                                - prohibits the option 'save-ocsp'
       --save-server-trace=str Save the server-side TLS message trace in the provided file
       --save-client-trace=str Save the client-side TLS message trace in the provided file
       --dh-bits=num          The minimum number of bits allowed for DH
       --priority=str         Priorities string
       --x509cafile=str       Certificate file or PKCS #11 URL to use
       --x509crlfile=file     CRL file to use
                                - file must pre-exist
       --x509keyfile=str      X.509 key file or PKCS #11 URL to use
       --x509certfile=str     X.509 Certificate file or PKCS #11 URL to use
                                - requires the option 'x509keyfile'
       --rawpkkeyfile=str     Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use
       --rawpkfile=str        Raw public-key file to use
                                - requires the option 'rawpkkeyfile'
       --srpusername=str      SRP username to use
       --srppasswd=str        SRP password to use
       --pskusername=str      PSK username to use
       --pskkey=str           PSK key (in hex) to use
   -p, --port=str             The port or service to connect to
       --insecure             Don't abort program if server certificate can't be validated
       --verify-allow-broken  Allow broken algorithms, such as MD5 for certificate verification
       --benchmark-ciphers    Benchmark individual ciphers
       --benchmark-tls-kx     Benchmark TLS key exchange methods
       --benchmark-tls-ciphers Benchmark TLS ciphers
   -l, --list                 Print a list of the supported algorithms and modes
                                - prohibits the option 'port'
       --priority-list        Print a list of the supported priority strings
       --noticket             Don't allow session tickets
       --srtp-profiles=str    Offer SRTP profiles
       --alpn=str             Application layer protocol
                                - may appear multiple times
   -b, --heartbeat            Activate heartbeat support
       --recordsize=num       The maximum record size to advertize
                                - it must be in the range:
                                  0 to 4096
       --disable-sni          Do not send a Server Name Indication (SNI)
       --single-key-share     Send a single key share under TLS1.3
       --post-handshake-auth  Enable post-handshake authentication under TLS1.3
       --inline-commands      Inline commands of the form ^<cmd>^
       --inline-commands-prefix=str Change the default delimiter for inline commands.
       --provider=file        Specify the PKCS #11 provider library
                                - file must pre-exist
       --fips140-mode         Reports the status of the FIPS140-2 mode in gnutls library
       --logfile=str          Redirect informational messages to a specific file.
       --keymatexport=str     Label used for exporting keying material
       --keymatexportsize=num Size of the exported keying material
       --waitresumption       Block waiting for the resumption data under TLS1.3
   -v, --version[=arg]        output version information and exit
   -h, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
Operands and options may be intermixed.  They will be reordered.

Simple client program to set up a TLS connection to some other computer.  It
sets up a TLS connection and forwards data from the standard input to the
secured socket and vice versa.

@end example
@exampleindent 4

@anchor{gnutls-cli debug}
@subheading debug option (-d)

This is the ``enable debugging'' option.
This option takes a number argument.
Specifies the debug level.
@anchor{gnutls-cli tofu}
@subheading tofu option

This is the ``enable trust on first use authentication'' option.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
can be disabled with --no-tofu.
@end itemize

This option will, in addition to certificate authentication, perform authentication
based on previously seen public keys, a model similar to SSH authentication. Note that when tofu
is specified, PKI and DANE authentication become advisory: their result only assists the
decision whether to accept an unknown or changed public key.
@anchor{gnutls-cli strict-tofu}
@subheading strict-tofu option

This is the ``fail to connect if a certificate is unknown or a known certificate has changed'' option.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
can be disabled with --no-strict-tofu.
@end itemize

This option will perform authentication as with option --tofu; however, no questions are asked at all: an unknown certificate or a changed one makes the connection fail instead of prompting.
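
The following is an added example, not GnuTLS code, that models the decision --tofu and --strict-tofu make: the peer is identified by the SHA-256 of its DER-encoded SubjectPublicKeyInfo, so a renewed certificate carrying the same key stays "known" while a new key is a change regardless of what the CA says. The class and function names, the in-memory store and the `host:port fingerprint` dump format are this example's own assumptions and are not gnutls-cli's known-hosts database; the key bytes used in the usage are constructed stand-ins.

```python
"""Trust-on-first-use key store, modelling what --tofu and --strict-tofu decide.

Added example, not GnuTLS code: the on-disk format, class and function
names are this example's own, not gnutls-cli's known-hosts database.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    KNOWN = "known"          # same key as on an earlier connection
    FIRST_USE = "first-use"  # host never seen before
    CHANGED = "changed"      # host seen before, but with a different key


def spki_fingerprint(spki_der: bytes) -> str:
    """Fingerprint of a DER SubjectPublicKeyInfo (any bytes will do for the demo)."""
    return "sha256:" + hashlib.sha256(spki_der).hexdigest()


class TofuStore:
    """In-memory stand-in for the known-hosts file; pins are per host and port."""

    def __init__(self):
        self._pins = {}  # (host, port) -> fingerprint

    def check(self, host, port, spki_der, strict=False, prompt=None):
        """Return (verdict, accepted).

        strict=True is --strict-tofu: never ask, reject anything but a
        known key. strict=False is --tofu: an unknown or changed key is
        put to the operator via prompt(host, port, new_fp, old_fp), which
        is where the advisory PKI/DANE result would be shown; accepting
        updates the pin, refusing leaves the old pin untouched.
        """
        key = (host.lower().rstrip("."), int(port))
        fp = spki_fingerprint(spki_der)
        pinned = self._pins.get(key)
        if pinned == fp:
            return Verdict.KNOWN, True
        verdict = Verdict.FIRST_USE if pinned is None else Verdict.CHANGED
        if strict or prompt is None:
            return verdict, False
        if prompt(host, port, fp, pinned):
            self._pins[key] = fp
            return verdict, True
        return verdict, False

    def export_lines(self):
        """Known-hosts style dump, 'host:port fingerprint' (constructed format)."""
        return [f"{h}:{p} {fp}" for (h, p), fp in sorted(self._pins.items())]

    @classmethod
    def from_lines(cls, lines):
        store = cls()
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            hostport, fp = line.split(None, 1)
            host, port = hostport.rsplit(":", 1)
            store._pins[(host.lower(), int(port))] = fp.strip()
        return store


if __name__ == "__main__":
    # Constructed stand-ins for two different DER-encoded public keys.
    key_a = bytes.fromhex("305930130607") + b"\x01" * 64
    key_b = bytes.fromhex("305930130607") + b"\x02" * 64
    store = TofuStore()
    print(store.check("mail.example.test", 993, key_a, strict=True))            # first use, refused
    print(store.check("mail.example.test", 993, key_a, prompt=lambda *a: True))  # first use, accepted
    print(store.check("mail.example.test", 993, key_b, strict=True))            # changed, refused
    print(store.export_lines())
```

The strict path never consults the operator, which is what makes it usable in scripts: a changed key yields a failed connection and a non-zero exit, not a prompt that a wrapper might answer blindly.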
@anchor{gnutls-cli dane}
@subheading dane option

This is the ``enable dane certificate verification (dnssec)'' option.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
can be disabled with --no-dane.
@end itemize

This option will, in addition to certificate authentication using
the trusted CAs, verify the server certificates using the DANE information
available via DNSSEC.
@anchor{gnutls-cli local-dns}
@subheading local-dns option

This is the ``use the local dns server for dnssec resolving'' option.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
can be disabled with --no-local-dns.
@end itemize

This option will use the local DNS server for DNSSEC.
This is disabled by default because many local DNS servers do not support DNSSEC.
@anchor{gnutls-cli ca-verification}
@subheading ca-verification option

This is the ``enable ca certificate verification'' option.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
can be disabled with --no-ca-verification.
@item
It is enabled by default.
@end itemize

This option can be used to enable or disable CA certificate verification. Disabling it is meant to be combined with the --dane or --tofu options, which then authenticate the peer.
@anchor{gnutls-cli ocsp}
@subheading ocsp option

This is the ``enable ocsp certificate verification'' option.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
can be disabled with --no-ocsp.
@end itemize

This option will enable verification of the peer's certificate using OCSP.
@anchor{gnutls-cli resume}
@subheading resume option (-r)

This is the ``establish a session and resume'' option.
Connect, establish a session, reconnect and resume.
@anchor{gnutls-cli rehandshake}
@subheading rehandshake option (-e)

This is the ``establish a session and rehandshake'' option.
Connect, establish a session and rehandshake immediately.
@anchor{gnutls-cli sni-hostname}
@subheading sni-hostname option

This is the ``server's hostname for server name indication extension'' option.
This option takes a string argument.
Set explicitly the server name used in the TLS server name indication extension. That is useful when testing with servers set up on a different DNS name than the intended one. If not specified, the provided hostname is used. Even with this option, server certificate verification still uses the hostname passed on the main command line. Use --verify-hostname to change this.
@anchor{gnutls-cli verify-hostname}
@subheading verify-hostname option

This is the ``server's hostname to use for validation'' option.
This option takes a string argument.
Set explicitly the server name to be used when validating the server's certificate.
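
The two options above are independent inputs, and the added example below (not GnuTLS code) makes the split concrete: the SNI name decides which certificate a name-based virtual host returns, the verified name decides whether that certificate is acceptable. The `Cert` class is a constructed stand-in holding only the dNSName entries of a SubjectAltName, `select_and_verify` simulates the server side, and the wildcard rules are RFC 6125 section 6.4.3 as commonly hardened (whole left-most label only, one label, not directly under a public suffix); none of this is gnutls-cli's own verifier.

```python
"""What --sni-hostname and --verify-hostname each control.

Added example, not GnuTLS code. Cert is a constructed stand-in for the
dNSName entries of a certificate's SubjectAltName.
"""
from dataclasses import dataclass


@dataclass
class Cert:
    dns_names: list  # SubjectAltName dNSName values, as the CA issued them


def _normalise(name: str) -> str:
    return name.lower().rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName (possibly a wildcard) against a host name."""
    pattern, host = _normalise(pattern), _normalise(host)
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # partial or non-leftmost wildcards are not accepted
    if len(p_labels) < 3:
        return False  # *.test, *.com: wildcard too high in the tree
    if len(h_labels) != len(p_labels):
        return False  # the wildcard stands for exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert: Cert, verify_name: str) -> bool:
    return any(host_matches(n, verify_name) for n in cert.dns_names)


def plan_connection(cli_hostname, sni_hostname=None, verify_hostname=None):
    """Mirror of the option semantics: SNI and the verified name both
    default to the command-line host, and each is overridden on its own."""
    return {"sni": sni_hostname or cli_hostname,
            "verify": verify_hostname or cli_hostname}


def select_and_verify(vhosts, cli_hostname, sni_hostname=None, verify_hostname=None):
    """Simulate the server picking its certificate by SNI (vhosts maps SNI
    name -> Cert, '' is the default vhost) and the client then verifying it
    against the name it was told to verify. Returns (plan, cert, verified)."""
    plan = plan_connection(cli_hostname, sni_hostname, verify_hostname)
    cert = vhosts.get(_normalise(plan["sni"]), vhosts.get(""))
    return plan, cert, cert is not None and cert_matches(cert, plan["verify"])


if __name__ == "__main__":
    # Constructed virtual hosts: the name-based one and the default certificate.
    www = Cert(dns_names=["www.example.test", "*.example.test"])
    vhosts = {"www.example.test": www, "": Cert(dns_names=["default.hosting.test"])}
    # Testing the vhost by IP: SNI selects the right certificate but verification
    # still runs against "10.0.0.5" and fails, exactly as the text warns.
    print(select_and_verify(vhosts, "10.0.0.5", sni_hostname="www.example.test"))
    # With --verify-hostname as well, the check is meaningful again.
    print(select_and_verify(vhosts, "10.0.0.5", sni_hostname="www.example.test",
                            verify_hostname="www.example.test"))
```

Reaching for --insecure to get past the first case is the wrong fix; it disables verification entirely, whereas --verify-hostname keeps it and only corrects the name.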
@anchor{gnutls-cli starttls}
@subheading starttls option (-s)

This is the ``connect, establish a plain session and start tls'' option.
The TLS session will be initiated when EOF or a SIGALRM is received.
@anchor{gnutls-cli app-proto}
@subheading app-proto option

This is an alias for the @code{starttls-proto} option,
@pxref{gnutls-cli starttls-proto, the starttls-proto option documentation}.

@anchor{gnutls-cli starttls-proto}
@subheading starttls-proto option

This is the ``the application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)'' option.
This option takes a string argument.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
starttls.
@end itemize

Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.
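
What "proceed to the TLS negotiation" involves is a short plaintext dialogue first. The added example below, which is not gnutls-cli's own STARTTLS code, implements that dialogue for three of the protocols the option accepts (smtp, imap, pop3) against a scripted in-memory server so that it runs offline; the server replies and the client name `client.example.test` are constructed. The point it makes is the failure mode: the client hands the socket to TLS only after the server explicitly agreed, and a server that does not advertise STARTTLS, or whose advertisement was stripped on the path, ends the session rather than continuing in cleartext.

```python
"""The plaintext exchange that precedes the handshake for --starttls-proto.

Added example, not gnutls-cli's own implementation. The transport is a
constructed, scripted server so the dialogue can be run without a network.
"""


class Transport:
    """Constructed line transport: server replies come from a list."""

    def __init__(self, server_lines):
        self._pending = list(server_lines)
        self.sent = []  # commands the client wrote, in order

    def readline(self):
        if not self._pending:
            raise ConnectionError("server closed the connection")
        return self._pending.pop(0)

    def sendline(self, line):
        self.sent.append(line)


def _smtp(t, client_name):
    if not t.readline().startswith("220"):
        return False
    t.sendline(f"EHLO {client_name}")
    caps = []
    while True:  # "250-" lines continue the reply, "250 " (space) ends it
        line = t.readline()
        if not line.startswith("250"):
            return False
        caps.append(line[4:].strip().upper())
        if line[3:4] == " ":
            break
    if "STARTTLS" not in caps:
        return False  # not offered (or stripped): refuse to go on in the clear
    t.sendline("STARTTLS")
    return t.readline().startswith("220")


def _imap(t, client_name):
    if not t.readline().startswith("* OK"):
        return False
    t.sendline("a001 CAPABILITY")
    caps = []
    while True:
        line = t.readline()
        if line.upper().startswith("* CAPABILITY"):
            caps = line.upper().split()
        elif line.startswith("a001 "):
            if not line.startswith("a001 OK"):
                return False
            break
    if "STARTTLS" not in caps:
        return False
    t.sendline("a002 STARTTLS")
    return t.readline().startswith("a002 OK")


def _pop3(t, client_name):
    if not t.readline().startswith("+OK"):
        return False
    t.sendline("STLS")
    return t.readline().startswith("+OK")


PROTOCOLS = {"smtp": _smtp, "imap": _imap, "pop3": _pop3}


def starttls_prelude(proto, server_lines, client_name="client.example.test"):
    """Run the pre-TLS dialogue for proto; return (commands_sent, ready_for_tls).

    ready_for_tls is True only if the server consented to start TLS; that is
    the point at which the caller would start the TLS handshake on the socket.
    """
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported STARTTLS protocol: {proto}")
    t = Transport(server_lines)
    try:
        ready = PROTOCOLS[proto](t, client_name)
    except ConnectionError:
        ready = False
    return t.sent, ready


if __name__ == "__main__":
    # Constructed transcript of a server that offers STARTTLS, then one where
    # the capability has been removed.
    offered = ["220 mail.example.test ESMTP", "250-mail.example.test Hello",
               "250-STARTTLS", "250 8BITMIME", "220 Ready to start TLS"]
    stripped = ["220 mail.example.test ESMTP", "250-mail.example.test Hello", "250 8BITMIME"]
    print(starttls_prelude("smtp", offered))   # (['EHLO ...', 'STARTTLS'], True)
    print(starttls_prelude("smtp", stripped))  # (['EHLO ...'], False)
```

When such a prelude returns False the only safe action is to close the socket; anything already written to it was sent in the clear.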
@anchor{gnutls-cli save-ocsp-multi}
@subheading save-ocsp-multi option

This is the ``save all ocsp responses provided by the peer in this file'' option.
This option takes a string argument.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
save-ocsp.
@end itemize

The file will contain a list of PEM encoded OCSP status responses if any were provided by the peer, starting with the one for the peer's server certificate.
@anchor{gnutls-cli dh-bits}
@subheading dh-bits option

This is the ``the minimum number of bits allowed for dh'' option.
This option takes a number argument.
This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get a connection error about an unacceptable prime. Lowering the minimum accepts that weaker group for the connection; it is a diagnostic aid, not a substitute for fixing the peer.
@anchor{gnutls-cli priority}
@subheading priority option

This is the ``priorities string'' option.
This option takes a string argument.
TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, PFS, SECURE128, SECURE256. The default is NORMAL.

Check the GnuTLS manual on section ``Priority strings'' for more
information on the allowed keywords.
@anchor{gnutls-cli rawpkkeyfile}
@subheading rawpkkeyfile option

This is the ``private key file (pkcs #8 or pkcs #12) or pkcs #11 url to use'' option.
This option takes a string argument.
In order to instruct the application to negotiate raw public keys one
must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
and CTYPE-SRV-* flags).

Check the GnuTLS manual on section ``Priority strings'' for more
information on how to set certificate types.
@anchor{gnutls-cli rawpkfile}
@subheading rawpkfile option

This is the ``raw public-key file to use'' option.
This option takes a string argument.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
must appear in combination with the following options:
rawpkkeyfile.
@end itemize

In order to instruct the application to negotiate raw public keys one
must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
and CTYPE-SRV-* flags).

Check the GnuTLS manual on section ``Priority strings'' for more
information on how to set certificate types.
@anchor{gnutls-cli ranges}
@subheading ranges option

This is the ``use length-hiding padding to prevent traffic analysis'' option.
When possible (e.g., when using CBC ciphersuites), use length-hiding padding to prevent traffic analysis.

@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@anchor{gnutls-cli benchmark-ciphers}
@subheading benchmark-ciphers option

This is the ``benchmark individual ciphers'' option.
By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1.
@anchor{gnutls-cli benchmark-tls-ciphers}
@subheading benchmark-tls-ciphers option

This is the ``benchmark tls ciphers'' option.
By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1.
@anchor{gnutls-cli list}
@subheading list option (-l)

This is the ``print a list of the supported algorithms and modes'' option.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
port.
@end itemize

Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
@anchor{gnutls-cli priority-list}
@subheading priority-list option

This is the ``print a list of the supported priority strings'' option.
Print a list of the supported priority strings. The ciphersuites corresponding to each priority string can be examined using -l --priority (the -l option cannot be combined with -p, which is --port).
@anchor{gnutls-cli noticket}
@subheading noticket option

This is the ``don't allow session tickets'' option.
Disable requesting session tickets under TLS 1.2 or earlier.
@anchor{gnutls-cli alpn}
@subheading alpn option

This is the ``application layer protocol'' option.
This option takes a string argument.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
may appear an unlimited number of times.
@end itemize

This option will set and enable the Application Layer Protocol Negotiation (ALPN) in the TLS protocol.
@anchor{gnutls-cli disable-extensions}
@subheading disable-extensions option

This is the ``disable all the tls extensions'' option.
This option disables all TLS extensions. Deprecated option. Use the priority string.

@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@anchor{gnutls-cli single-key-share}
@subheading single-key-share option

This is the ``send a single key share under tls1.3'' option.
This option switches the default mode of sending multiple
key shares, to send a single one (the top one).
@anchor{gnutls-cli post-handshake-auth}
@subheading post-handshake-auth option

This is the ``enable post-handshake authentication under tls1.3'' option.
This option enables post-handshake authentication when under TLS1.3.
@anchor{gnutls-cli inline-commands}
@subheading inline-commands option

This is the ``inline commands of the form ^<cmd>^'' option.
Enable inline commands of the form ^<cmd>^. The inline commands are expected to be in a line by themselves. The available commands are: resume, rekey1 (local rekey), rekey (rekey on both peers) and renegotiate.
@anchor{gnutls-cli inline-commands-prefix}
@subheading inline-commands-prefix option

This is the ``change the default delimiter for inline commands.'' option.
This option takes a string argument.
Change the default delimiter (^) used for inline commands. The delimiter is expected to be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands are enabled via the inline-commands option.
@anchor{gnutls-cli provider}
@subheading provider option

This is the ``specify the pkcs #11 provider library'' option.
This option takes a file argument.
This will override the default options in /etc/gnutls/pkcs11.conf.
@anchor{gnutls-cli logfile}
@subheading logfile option

This is the ``redirect informational messages to a specific file.'' option.
This option takes a string argument.
Redirect informational messages to a specific file. The file may also be /dev/null, which keeps the client quiet so that it can be used in piped server connections where only the server's output should appear on stdout.
@anchor{gnutls-cli waitresumption}
@subheading waitresumption option

This is the ``block waiting for the resumption data under tls1.3'' option.
This option makes the client block while waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided.
@anchor{gnutls-cli exit status}
@subheading gnutls-cli exit status

One of the following exit values will be returned:
@table @samp
@item 0 (EXIT_SUCCESS)
Successful program execution.
@item 1 (EXIT_FAILURE)
The operation failed or the command syntax was not valid.
@end table
|
|
Packit Service |
4684c1 |
@anchor{gnutls-cli See Also}
|
|
Packit Service |
4684c1 |
@subheading gnutls-cli See Also
|
|
Packit Service |
4684c1 |
gnutls-cli-debug(1), gnutls-serv(1)
|
|
Packit Service |
4684c1 |
@anchor{gnutls-cli Examples}
@subheading gnutls-cli Examples
@subheading Connecting using PSK authentication
To connect to a server using PSK authentication, you need to enable the PSK key exchanges in the priority string, as in the example below.
@example
$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
    --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
    --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- PSK authentication.
- Version: TLS1.1
- Key Exchange: PSK
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
@end example
By keeping the --pskusername parameter and removing the --pskkey parameter, the client will instead prompt for the key during the handshake. Prefer that on a shared machine: a key passed with --pskkey is visible to other local users in the process list. The negotiated parameters shown above reflect the release the example was recorded with, not necessarily what a current client and server will agree on.

@subheading Connecting using raw public-key authentication
To connect to a server using raw public-key authentication, you need to enable negotiation of raw public keys in the priority string, as in the example below.
@example
$ ./gnutls-cli -p 5556 localhost --priority NORMAL:-CTYPE-CLI-ALL:+CTYPE-CLI-RAWPK \
    --rawpkkeyfile cli.key.pem \
    --rawpkfile cli.rawpk.pem
Processed 1 client raw public key pair...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- Successfully sent 1 certificate(s) to server.
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - skipped
- Description: (TLS1.3-Raw Public Key-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:
@end example
Note that this priority string only changes the certificate type the client offers (CTYPE-CLI-*); the server in this example still authenticates with an X.509 certificate, as the ``Certificate type: X.509'' line and the ``Raw Public Key-X.509'' pair in the description show.

@subheading Connecting to STARTTLS services

You can also use the client to connect to services with STARTTLS capability.
@example
$ gnutls-cli --starttls-proto smtp --port 25 localhost
@end example

@subheading Listing ciphersuites in a priority string
To list the ciphersuites in a priority string:
@example
$ ./gnutls-cli --priority SECURE192 -l
Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384                      0xc0, 0x24      TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                      0xc0, 0x2c      TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384                        0xc0, 0x30      TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256                          0x00, 0x6b      TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256                          0x00, 0x6a      TLS1.2
TLS_RSA_AES_256_CBC_SHA256                              0x00, 0x3d      TLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
@end example
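The listing above is the raw material for a priority-string review: it shows which suites lack forward secrecy (the TLS_RSA_* key-transport suite), which still use CBC rather than an AEAD mode, and which obsolete protocol versions the string leaves enabled. The following script is an added example and not part of gnutls-cli; it parses the output format of @code{gnutls-cli -l} and reports those findings. SAMPLE_LISTING is a constructed copy of the SECURE192 listing shown above; feed it the output of your own priority string instead.

```python
"""Parse the output of `gnutls-cli --priority <string> -l` and flag what a
reviewer of a priority string would question: suites without forward
secrecy, CBC (non-AEAD) suites and obsolete protocol versions.
Added example, not part of gnutls-cli. SAMPLE_LISTING is a constructed
copy of the SECURE192 listing shown in this manual."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LISTING = """\
Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384                      0xc0, 0x24      TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                      0xc0, 0x2c      TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384                        0xc0, 0x30      TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256                          0x00, 0x6b      TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256                          0x00, 0x6a      TLS1.2
TLS_RSA_AES_256_CBC_SHA256                              0x00, 0x3d      TLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
"""

# One suite line: name, the two-byte IANA code and the minimum protocol version.
SUITE_RE = re.compile(r"^(TLS_\S+)\s+0x([0-9a-fA-F]{2}),\s*0x([0-9a-fA-F]{2})\s+(\S+)\s*$")

# Versions a current deployment should not offer at all.
OBSOLETE_VERSIONS = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1", "VERS-DTLS1.0"}


@dataclass(frozen=True)
class Suite:
    name: str
    code: bytes        # two-byte IANA ciphersuite code, e.g. b"\xc0\x24"
    min_version: str   # first protocol version the suite is usable with

    @property
    def forward_secret(self) -> bool:
        # Only ephemeral (EC)DHE key exchange gives forward secrecy; RSA key
        # transport (TLS_RSA_*) and static (EC)DH do not.
        return self.name.startswith(("TLS_ECDHE_", "TLS_DHE_"))

    @property
    def aead(self) -> bool:
        return any(tag in self.name for tag in ("_GCM_", "_CCM", "CHACHA20"))


def parse_listing(text: str) -> tuple[list[Suite], dict[str, list[str]]]:
    """Return the suites and the 'Name: a, b, c' parameter lines as a dict."""
    suites: list[Suite] = []
    params: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = SUITE_RE.match(line)
        if m:
            code = bytes.fromhex(m.group(2) + m.group(3))
            suites.append(Suite(m.group(1), code, m.group(4)))
        elif ":" in line:
            key, _, value = line.partition(":")
            params[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return suites, params


def review(text: str) -> list[str]:
    """Findings a practitioner would raise about the listed configuration."""
    suites, params = parse_listing(text)
    findings: list[str] = []
    for s in suites:
        if not s.forward_secret:
            findings.append(f"{s.name}: no forward secrecy")
        if not s.aead:
            findings.append(f"{s.name}: CBC (non-AEAD) suite")
    for version in params.get("Protocols", []):
        if version in OBSOLETE_VERSIONS:
            findings.append(f"{version}: obsolete protocol version enabled")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LISTING):
        print(finding)
```

Run it against `gnutls-cli --priority '<your string>' -l` piped into the script to see, before deploying a priority string, exactly which suites and versions it still admits.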

@subheading Connecting using a PKCS #11 token
To connect to a server using a certificate and a private key present in a PKCS #11 token you
need to pass the PKCS #11 URLs of those objects as the x509certfile and x509keyfile parameters.

Those can be found using "p11tool --list-tokens" and then listing the objects in the
needed token, and using the URLs of the appropriate certificate and private key.
@example
$ p11tool --list-tokens

Token 0:
        URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test
        Label: Test
        Manufacturer: MyMan
        Model: PKCS15
        Serial: 1234

$ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test"

Object 0:
        URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert
        Type: X.509 Certificate
        Label: client
        ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a

$ MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert"
$ MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=private"
$ export MYCERT MYKEY

$ gnutls-cli www.example.com --x509keyfile "$MYKEY" --x509certfile "$MYCERT"
@end example
Notice that the private key URL only differs from the certificate URL in the type attribute. The URLs contain semicolons, so quote them whenever you type them literally on a command line, as in the p11tool invocation above.
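The MYCERT/MYKEY pair above is built by hand: copy the certificate URL and change type=cert to type=private. The following script is an added example, not gnutls or p11tool code; it parses PKCS #11 URLs according to RFC 7512 (percent-decoding attribute values, rejecting duplicate attributes) and derives the private-key URL from a certificate URL programmatically. CERT_URL is the constructed URL from the example above; query attributes such as pin-value are deliberately discarded.

```python
"""Parse PKCS #11 URLs (RFC 7512) and derive the private-key URL that pairs
with a certificate URL, which the MYCERT/MYKEY example above does by hand.
Added example, not gnutls or p11tool code; CERT_URL is the constructed URL
from the example above."""
from __future__ import annotations

from urllib.parse import quote, unquote

CERT_URL = ("pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;"
            "token=Test;object=client;type=cert")

# Characters RFC 7512 allows unencoded inside a path-attribute value
# (pk11-path-res-avail); everything else, ';' and '?' included, must be
# percent-encoded so it cannot be confused with a delimiter.
_PATH_SAFE = ":[]@!$'()*+,=&"


def parse_pkcs11_url(url: str) -> dict[str, str]:
    """Split 'pkcs11:k1=v1;k2=v2[?q1=v1&...]' into its path attributes.

    Query attributes (pin-value, module-path, ...) are deliberately dropped:
    a PIN belongs in a PIN source or a prompt, not in an exported variable."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError(f"not a PKCS #11 URL: {url!r}")
    path, _, _query = rest.partition("?")
    attrs: dict[str, str] = {}
    for part in path.split(";"):
        if not part:
            continue
        key, eq, value = part.partition("=")
        if not eq or not key:
            raise ValueError(f"malformed attribute {part!r}")
        if key in attrs:
            # RFC 7512: a path attribute may appear at most once.
            raise ValueError(f"duplicate attribute {key!r}")
        attrs[key] = unquote(value)
    return attrs


def build_pkcs11_url(attrs: dict[str, str]) -> str:
    """Serialise path attributes back into a URL, percent-encoding values."""
    return "pkcs11:" + ";".join(
        f"{key}={quote(value, safe=_PATH_SAFE)}" for key, value in attrs.items()
    )


def private_key_url(cert_url: str) -> str:
    """Return the URL of the private key matching a type=cert URL: same token
    and object label (or id), only the type attribute changes."""
    attrs = parse_pkcs11_url(cert_url)
    if attrs.get("type") != "cert":
        raise ValueError("expected a certificate URL (type=cert)")
    if "object" not in attrs and "id" not in attrs:
        raise ValueError("URL names no object; a bare token URL cannot be paired")
    attrs["type"] = "private"
    return build_pkcs11_url(attrs)


if __name__ == "__main__":
    print(private_key_url(CERT_URL))
```

Deriving the key URL this way rather than by string replacement matters when labels contain a percent-encoded ';' or '=': the parser decodes them, and the builder re-encodes them, so the object label is matched exactly rather than being split at the wrong delimiter.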