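AutoGen Definitions options;
/* Option definitions for gnutls-cli.  The descrip/doc strings below end up in
   the generated --help text, man page and manual, so they are the place where
   users learn which options weaken or bypass server verification; keep the
   caveats on those options accurate. */
prog-name   = gnutls-cli;
prog-title  = "GnuTLS client";
prog-desc   = "Simple client program to set up a TLS connection.";
short-usage = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
explain     = "";
detail      = "Simple client program to set up a TLS connection to some other computer.
It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
reorder-args;
argument    = "[hostname]";

/* VERBOSE_OPT is consumed by the shared args-std.def include (presumably to
   pull in the common --verbose option; see that file). */
#define VERBOSE_OPT 1
#include args-std.def
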
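flag = {
    name = tofu;
    descrip = "Enable trust on first use authentication";
    disabled;
    disable = "no";
    doc = "This option will, in addition to certificate authentication, perform authentication
based on previously seen public keys, a model similar to SSH authentication. Note that when tofu
is specified, PKI (certificate) and DANE authentication become advisory and only assist the public
key acceptance process: an unknown key, or a key that differs from the one seen before, is put to
the user for an interactive decision unless --strict-tofu is also given.";
};
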
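flag = {
    name = strict-tofu;
    descrip = "Fail to connect if a certificate is unknown or a known certificate has changed";
    disabled;
    disable = "no";
    doc = "This option will perform authentication as with option --tofu; however, no questions
shall be asked whatsoever: an unknown public key, or a key that differs from the one previously
stored for the host, makes the connection fail instead of prompting. This is the mode to use in
scripts and other non-interactive settings, where a prompt cannot be answered.";
};
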
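flag = {
    name = dane;
    descrip = "Enable DANE certificate verification (DNSSEC)";
    disabled;
    disable = "no";
    doc = "This option will, in addition to certificate authentication using
the trusted CAs, verify the server certificates using the DANE information
published in DNS and validated via DNSSEC. Which resolver is consulted for the
DNSSEC lookups is controlled by --local-dns. Note that when --tofu is also given,
DANE authentication becomes advisory only (see --tofu).";
};
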
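flag = {
    name = local-dns;
    descrip = "Use the local DNS server for DNSSEC resolving";
    disabled;
    disable = "no";
    doc = "This option will use the local DNS server for the DNSSEC resolution needed by --dane.
This is disabled by default because many local resolvers do not provide DNSSEC, in which case
the DANE lookups cannot be validated; enable it only when the local resolver is known to be
DNSSEC-capable.";
};
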
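flag = {
    name = ca-verification;
    descrip = "Enable CA certificate verification";
    enabled;
    disable = "no";
    doc = "This option can be used to enable or disable CA certificate verification. It is
enabled by default, so the useful form is --no-ca-verification. It is intended to be used together
with the --dane or --tofu options, so that the server is still authenticated by one of those
mechanisms. Since --dane, --tofu and --ocsp are all off by default, giving --no-ca-verification
on its own leaves no verification mechanism enabled for the server's certificate.";
};
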
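flag = {
    name = ocsp;
    descrip = "Enable OCSP certificate verification";
    disabled;
    disable = "no";
    doc = "This option will enable checking the revocation status of the peer's certificate
using OCSP. It is disabled by default; see also --x509crlfile for CRL-based revocation checking.";
};
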
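flag = {
    name = resume;
    value = r;
    descrip = "Establish a session and resume";
    doc = "Connect, establish a session, then reconnect and resume it. This exercises the server's
session resumption support; under TLS1.3 see also --waitresumption and --earlydata.";
};
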
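flag = {
    name = earlydata;
    arg-type = string;
    descrip = "Send early data on resumption from the specified file";
    doc = "Send the contents of the given file as early data (0-RTT) when a session is resumed
under TLS1.3, i.e. before the handshake has completed. Early data lacks the replay protection
and forward secrecy of data sent after the handshake, so only use it for data that is harmless
if replayed. It is only sent when a session is actually resumed (see --resume).";
};
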
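flag = {
    name = rehandshake;
    value = e;
    descrip = "Establish a session and rehandshake";
    doc = "Connect, establish a session and immediately perform a rehandshake (renegotiation)
on it. This is mainly useful for testing how a server handles renegotiation requests.";
};
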
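flag = {
    name = sni-hostname;
    descrip = "Server's hostname for server name indication extension";
    arg-type = string;
    doc = "Set explicitly the server name sent in the TLS server name indication (SNI) extension.
That is useful when testing servers set up under a different DNS name than the intended one.
If not specified, the hostname given on the command line is used. Even with this option, server
certificate verification still uses the hostname passed on the main command line; use
--verify-hostname to change that.";
};
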
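flag = {
    name = verify-hostname;
    descrip = "Server's hostname to use for validation";
    arg-type = string;
    doc = "Set explicitly the server name to be used when validating the server's certificate.
By default the hostname given on the command line is used, regardless of --sni-hostname.
Use this with care: naming a host other than the one actually connected to means a certificate
issued for that other name is accepted for this connection, which is a deliberate bypass of
hostname verification and should be limited to testing.";
};
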
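flag = {
    name = starttls;
    value = s;
    descrip = "Connect, establish a plain session and start TLS";
    doc = "Connect and exchange data in the clear first; the TLS handshake is initiated only when
EOF or a SIGALRM is received. This lets the user drive an application-protocol STARTTLS exchange
by hand, but everything typed before that point is sent unencrypted. For the protocols listed
under --starttls-proto, prefer that option, which performs the exchange automatically.";
};
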
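flag = {
    name = app-proto;
    /* Alias for --starttls-proto, which carries the definition and documentation. */
    aliases = starttls-proto;
};
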
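flag = {
    name = starttls-proto;
    descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)";
    arg-type = string;
    doc = "Specify the application layer protocol for STARTTLS. gnutls-cli connects in the clear,
performs the STARTTLS exchange of the named protocol and, if the protocol is supported, proceeds
to the TLS negotiation. The pre-TLS part of the exchange is neither encrypted nor authenticated;
the connection is protected only once the handshake has completed. Also available as --app-proto.
This option cannot be combined with --starttls.";
    flags-cant = starttls;
};
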
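flag = {
    name = udp;
    value = u;
    descrip = "Use DTLS (datagram TLS) over UDP";
    doc = "Use DTLS over UDP instead of TLS over TCP. The datagram size can be tuned with --mtu.";
};
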
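flag = {
    name = mtu;
    arg-type = number;
    arg-range = "0->17000";
    descrip = "Set MTU for datagram TLS";
    doc = "Set the maximum transmission unit used for DTLS (range 0-17000). Only meaningful
together with --udp.";
};
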
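flag = {
    name = crlf;
    descrip = "Send CR LF instead of LF";
    doc = "Send CR LF instead of LF as the line terminator for the data forwarded from standard
input to the peer. Useful with text-based protocols that require CR LF line endings.";
};
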
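flag = {
    name = fastopen;
    descrip = "Enable TCP Fast Open";
    doc = "Enable TCP Fast Open for the connection, where supported by the local system.";
};
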
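flag = {
    name = x509fmtder;
    descrip = "Use DER format for certificates to read from";
    doc = "Read the certificate files given on the command line in DER format instead of PEM.";
};
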
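flag = {
    name = print-cert;
    descrip = "Print peer's certificate in PEM format";
    doc = "Print the certificate presented by the peer in PEM format so it can be inspected;
see also --save-cert for writing the whole chain to a file.";
};
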
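flag = {
    name = save-cert;
    arg-type = string;
    descrip = "Save the peer's certificate chain in the specified file in PEM format";
    doc = "Save the certificate chain presented by the peer to the given file in PEM format, for
example to inspect it offline. Note that saving a chain does not make it trusted; it is written
as presented by the peer.";
};
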
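flag = {
    name = save-ocsp;
    arg-type = string;
    descrip = "Save the peer's OCSP status response in the provided file";
    doc = "Save the OCSP status response provided by the peer during the handshake to the given
file. Only the response for the peer's certificate is saved; use --save-ocsp-multi to keep every
response provided. The two options cannot be combined.";
    flags-cant = save-ocsp-multi;
};
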
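flag = {
    name = save-ocsp-multi;
    arg-type = string;
    descrip = "Save all OCSP responses provided by the peer in this file";
    doc = "The file will contain a list of PEM encoded OCSP status responses, if any were provided
by the peer, starting with the one for the peer's server certificate. This option cannot be
combined with --save-ocsp.";
    flags-cant = save-ocsp;
};
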
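flag = {
    name = save-server-trace;
    arg-type = string;
    descrip = "Save the server-side TLS message trace in the provided file";
    doc = "Save a trace of the TLS messages received from the server to the given file. The trace
is intended for debugging handshake problems; treat the file as sensitive, since it may contain
data from the session.";
};
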
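flag = {
    name = save-client-trace;
    arg-type = string;
    descrip = "Save the client-side TLS message trace in the provided file";
    doc = "Save a trace of the TLS messages sent by the client to the given file. The trace is
intended for debugging handshake problems; treat the file as sensitive, since it may contain
data from the session.";
};
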
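flag = {
    name = dh-bits;
    arg-type = number;
    descrip = "The minimum number of bits allowed for DH";
    doc = "This option sets the minimum number of bits allowed for the prime of a Diffie-Hellman
key exchange. You may want to lower the default value if the peer sends a weak prime and you get
a connection error about an unacceptable prime; be aware that doing so accepts a weaker key
exchange, so lower it only when testing against such a server.";
};
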
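flag = {
    name = priority;
    arg-type = string;
    descrip = "Priorities string";
    doc = "TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, PFS, SECURE128, SECURE256. The default is NORMAL.
A priority string can also add algorithms that are not part of the chosen set
(as the PSK example below does with +PSK), so review additions made with a plus
sign deliberately.

Check the GnuTLS manual on section ``Priority strings'' for more
information on the allowed keywords.";
};
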
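flag = {
    name = x509cafile;
    arg-type = string;
    descrip = "Certificate file or PKCS #11 URL to use";
    doc = "File or PKCS #11 URL holding the CA certificates used as trust anchors when verifying
the peer's certificate (see --ca-verification).";
};
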
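flag = {
    name = x509crlfile;
    arg-type = file;
    file-exists = yes;
    descrip = "CRL file to use";
    doc = "File holding certificate revocation lists (CRLs) to consult when verifying the peer's
certificate chain. The file must exist.";
};
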
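flag = {
    name = x509keyfile;
    arg-type = string;
    descrip = "X.509 key file or PKCS #11 URL to use";
    doc = "Private key used for client certificate authentication, given as a file or as a
PKCS #11 URL; used together with --x509certfile. With a PKCS #11 URL the key can stay on the
token instead of being kept in a file (see the examples).";
};
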
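flag = {
    name = x509certfile;
    arg-type = string;
    descrip = "X.509 Certificate file or PKCS #11 URL to use";
    doc = "Certificate to present to the server when it requests client authentication, given as
a file or as a PKCS #11 URL. Requires --x509keyfile with the matching private key.";
    flags-must = x509keyfile;
};
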
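flag = {
    name = rawpkkeyfile;
    arg-type = string;
    descrip = "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use";
    doc = "Private key for raw public-key authentication; used together with --rawpkfile, which
carries the matching public key. In order to instruct the application to negotiate raw public
keys one must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
and CTYPE-SRV-* flags).

Check the GnuTLS manual on section ``Priority strings'' for more
information on how to set certificate types.";
};
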
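flag = {
    name = rawpkfile;
    arg-type = string;
    descrip = "Raw public-key file to use";
    doc = "Raw public key to present for raw public-key authentication; requires --rawpkkeyfile
with the matching private key. In order to instruct the application to negotiate raw public keys
one must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
and CTYPE-SRV-* flags).

Check the GnuTLS manual on section ``Priority strings'' for more
information on how to set certificate types.";
    flags-must = rawpkkeyfile;
};
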
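flag = {
    name = srpusername;
    arg-type = string;
    descrip = "SRP username to use";
    doc = "Username used for SRP (Secure Remote Password) authentication; used together with
--srppasswd.";
};
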
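flag = {
    name = srppasswd;
    arg-type = string;
    descrip = "SRP password to use";
    doc = "Password used for SRP authentication together with --srpusername. Note that a password
given on the command line is visible to other local users through the process list and may end
up in the shell history; avoid this option on shared systems.";
};
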
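flag = {
    name = pskusername;
    arg-type = string;
    descrip = "PSK username to use";
    doc = "PSK identity (username) to send to the server. Used together with --pskkey; if --pskkey
is omitted, the key is requested interactively during the handshake (see the examples). PSK
ciphersuites have to be enabled through --priority.";
};
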
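flag = {
    name = pskkey;
    arg-type = string;
    descrip = "PSK key (in hex) to use";
    doc = "The pre-shared key, hex encoded, used together with --pskusername. A key given on the
command line is visible to other local users through the process list and may end up in the shell
history; omit this option to be prompted for the key during the handshake instead.";
};
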
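flag = {
    name = port;
    value = p;
    arg-type = string;
    descrip = "The port or service to connect to";
    doc = "The port number or service name to connect to. Cannot be combined with --list.";
};
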
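flag = {
    name = insecure;
    descrip = "Don't abort program if server certificate can't be validated";
    doc = "Do not abort if the server certificate cannot be validated; the connection is continued
anyway. With this option nothing authenticates the server, so the session can be intercepted by
anyone able to redirect the connection. Use it only for testing and diagnosis, never for sending
data that must stay confidential.";
};
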
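flag = {
    name = verify-allow-broken;
    descrip = "Allow broken algorithms, such as MD5 for certificate verification";
    doc = "Allow certificate verification to succeed even when the chain relies on algorithms that
are considered broken, such as MD5 signatures. Signatures made with such algorithms no longer
provide reliable assurance, so use this only to diagnose a misconfigured server, not for a
connection whose authenticity matters.";
};
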
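flag = {
    name = ranges;
    descrip = "Use length-hiding padding to prevent traffic analysis";
    doc = "When possible (e.g., when using CBC ciphersuites), use length-hiding padding to prevent
traffic analysis. This option is deprecated.";
    deprecated;
};
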
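flag = {
    name = benchmark-ciphers;
    descrip = "Benchmark individual ciphers";
    doc = "By default the benchmarked ciphers will utilize any capabilities of the local CPU to
improve performance. To test against the raw software implementation, set the environment variable
GNUTLS_CPUID_OVERRIDE to 0x1 before running the benchmark.";
};
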
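flag = {
    name = benchmark-tls-kx;
    descrip = "Benchmark TLS key exchange methods";
    doc = "Benchmark the TLS key exchange methods supported by the library.";
};
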
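flag = {
    name = benchmark-tls-ciphers;
    descrip = "Benchmark TLS ciphers";
    doc = "Benchmark the ciphers as used by the TLS record layer. By default the benchmarked ciphers
will utilize any capabilities of the local CPU to improve performance. To test against the raw
software implementation, set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1 before running
the benchmark.";
};
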
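flag = {
    name = list;
    value = l;
    descrip = "Print a list of the supported algorithms and modes";
    doc = "Print a list of the supported algorithms and modes. If a priority string is given with
--priority, only the ciphersuites, protocols and other parameters enabled by it are shown (see the
examples). Cannot be combined with --port.";
    flags-cant = port;
};
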
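flag = {
    name = priority-list;
    descrip = "Print a list of the supported priority strings";
    doc = "Print a list of the supported priority strings. The ciphersuites corresponding to each
priority string can be examined using -l --priority STRING (note that -p is the port option and
cannot be combined with -l).";
};
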
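flag = {
    name = noticket;
    descrip = "Don't allow session tickets";
    doc = "Do not request session tickets from the server under TLS1.2 or earlier. This option
applies to TLS1.2 and earlier only.";
};
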
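flag = {
    name = srtp_profiles;
    arg-type = string;
    descrip = "Offer SRTP profiles";
    doc = "Offer the given SRTP protection profiles to the server.";
};
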
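flag = {
    name = alpn;
    arg-type = string;
    descrip = "Application layer protocol";
    max = NOLIMIT; /* occurrence limit (none) */
    stack-arg; /* save opt args in a stack */
    doc = "This option will set and enable the Application Layer Protocol Negotiation (ALPN)
extension in the TLS protocol, offering the given protocol name. It may be given more than once
to offer several protocols.";
};
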
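flag = {
    name = heartbeat;
    value = b;
    descrip = "Activate heartbeat support";
    doc = "Activate support for the TLS heartbeat extension.";
};
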
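flag = {
    name = recordsize;
    arg-type = number;
    arg-range = "0->4096";
    descrip = "The maximum record size to advertize";
    doc = "The maximum record size (0-4096) to advertise to the server.";
};
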
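flag = {
    name = disable-sni;
    descrip = "Do not send a Server Name Indication (SNI)";
    doc = "Do not send the server name indication (SNI) extension. A server hosting several names
on one address may then present a different (default) certificate, which can make verification
against the intended hostname fail.";
};
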
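flag = {
    name = disable-extensions;
    descrip = "Disable all the TLS extensions";
    doc = "This option disables all TLS extensions. It is deprecated; use the priority string
instead.";
    deprecated;
};
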
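flag = {
    name = single-key-share;
    descrip = "Send a single key share under TLS1.3";
    doc = "This option switches the default mode of sending multiple key shares under TLS1.3 to
sending a single one (the top one in the priority order).";
};
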
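flag = {
    name = post-handshake-auth;
    descrip = "Enable post-handshake authentication under TLS1.3";
    doc = "This option enables post-handshake authentication when under TLS1.3, i.e. the client
indicates that it is willing to authenticate with a certificate after the handshake, should the
server request it.";
};
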
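flag = {
    name = inline-commands;
    descrip = "Inline commands of the form ^<cmd>^";
    doc = "Enable inline commands of the form ^<cmd>^. The inline commands are expected to be in a
line by themselves, and such a line is interpreted by gnutls-cli rather than forwarded as data.
The available commands are: resume, rekey1 (local rekey), rekey (rekey on both peers) and
renegotiate. See --inline-commands-prefix to change the delimiter.";
};
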
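flag = {
    name = inline-commands-prefix;
    arg-type = string;
    descrip = "Change the default delimiter for inline commands.";
    doc = "Change the default delimiter (^) used for inline commands. The delimiter is expected to
be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands
are enabled via the --inline-commands option.";
};
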
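flag = {
    name = provider;
    arg-type = file;
    file-exists = yes;
    descrip = "Specify the PKCS #11 provider library";
    doc = "Specify the PKCS #11 provider library to load; this will override the default options in
/etc/gnutls/pkcs11.conf. The provider is a shared library loaded into the gnutls-cli process, so
only name modules you trust. The file must exist.";
};
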
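flag = {
    name = fips140-mode;
    descrip = "Reports the status of the FIPS140-2 mode in gnutls library";
    doc = "Report the status of the FIPS140-2 mode in the gnutls library.";
};
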
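flag = {
    name = logfile;
    arg-type = string;
    descrip = "Redirect informational messages to a specific file.";
    doc = "Redirect informational messages to the specified file. The file may be /dev/null, which
makes gnutls-cli quiet so it can be used in piped server connections where only the server
communication may appear on stdout.";
};
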
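flag = {
    name = keymatexport;
    arg-type = string;
    descrip = "Label used for exporting keying material";
    doc = "Label used when exporting keying material from the established TLS session; see
--keymatexportsize for the amount to export.";
};
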
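flag = {
    name = keymatexportsize;
    arg-type = number;
    descrip = "Size of the exported keying material";
    doc = "Size of the keying material to export; used together with --keymatexport.";
};
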
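flag = {
    name = waitresumption;
    descrip = "Block waiting for the resumption data under TLS1.3";
    doc = "This option makes the client block waiting for the resumption data under TLS1.3. The
option has effect only when --resume is provided.";
};
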
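doc-section = {
    ds-type = 'SEE ALSO';
    ds-format = 'texi';
    ds-text = <<-_EOF_
gnutls-cli-debug(1), gnutls-serv(1)
_EOF_;
};
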
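doc-section = {
    ds-type = 'EXAMPLES';
    ds-format = 'texi';
    ds-text = <<-_EOF_
@subheading Connecting using PSK authentication
To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
@example
$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
    --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
    --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- PSK authentication.
- Version: TLS1.1
- Key Exchange: PSK
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
@end example
By keeping the --pskusername parameter and removing the --pskkey parameter, gnutls-cli will prompt for the key during the handshake instead. This also avoids exposing the key on the command line, where it is visible in the process list and may be recorded in the shell history. The protocol version and ciphersuite shown above are illustrative; the values negotiated depend on the GnuTLS version and the server.

@subheading Connecting using raw public-key authentication
To connect to a server using raw public-key authentication, you need to enable the option to negotiate raw public-keys via the priority strings such as in the example below.
@example
$ ./gnutls-cli -p 5556 localhost --priority NORMAL:-CTYPE-CLI-ALL:+CTYPE-CLI-RAWPK \
    --rawpkkeyfile cli.key.pem \
    --rawpkfile cli.rawpk.pem
Processed 1 client raw public key pair...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- Successfully sent 1 certificate(s) to server.
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - skipped
- Description: (TLS1.3-Raw Public Key-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:
@end example

@subheading Connecting to STARTTLS services

You could also use the client to connect to services with STARTTLS capability. The connection starts in the clear and is upgraded to TLS by the protocol-specific STARTTLS exchange; the server certificate is then verified as for a direct TLS connection.
@example
$ gnutls-cli --starttls-proto smtp --port 25 localhost
@end example

@subheading Listing ciphersuites in a priority string
To list the ciphersuites in a priority string:
@example
$ ./gnutls-cli --priority SECURE192 -l
Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384                      0xc0, 0x24      TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                      0xc0, 0x2e      TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384                        0xc0, 0x30      TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256                          0x00, 0x6b      TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256                          0x00, 0x6a      TLS1.2
TLS_RSA_AES_256_CBC_SHA256                              0x00, 0x3d      TLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
@end example
The exact ciphersuites and protocol versions listed depend on the GnuTLS version and its configured defaults; the output above is illustrative and should not be taken as the current contents of SECURE192.

@subheading Connecting using a PKCS #11 token
To connect to a server using a certificate and a private key present in a PKCS #11 token you
need to substitute the PKCS #11 URLs in the x509certfile and x509keyfile parameters. The private
key then never leaves the token.

Those can be found using "p11tool --list-tokens" and then listing all the objects in the
needed token, and using the URL of the appropriate object.
@example
$ p11tool --list-tokens

Token 0:
        URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test
        Label: Test
        Manufacturer: EnterSafe
        Model: PKCS15
        Serial: 1234

$ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test"

Object 0:
        URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert
        Type: X.509 Certificate
        Label: client
        ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a

$ MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert"
$ MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=private"
$ export MYCERT MYKEY

$ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile $MYCERT
@end example
Notice that the private key URL only differs from the certificate URL in the type.
_EOF_;
};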