Blame src/cli-args.def

AutoGen Definitions options;

/* Program identity and the texts shown in usage and help output. */
prog-name = gnutls-cli;
prog-title = "GnuTLS client";
prog-desc = "Simple client program to set up a TLS connection.";
short-usage = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
explain = "";
detail = "Simple client program to set up a TLS connection to some other computer. 
It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";

/* The single operand is the host to connect to. */
reorder-args;
argument = "[hostname]";

/* VERBOSE_OPT is defined before the shared option definitions are included. */
#define  VERBOSE_OPT 1
#include args-std.def
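/*
 * Trust on first use. Per the doc text, PKI and DANE results become advisory
 * once --tofu is given; --strict-tofu fails on a changed key instead of asking.
 */
flag = {
    name = tofu;
    descrip = "Enable trust on first use authentication";
    disabled;
    disable = "no";
    doc = "This option will, in addition to certificate authentication, perform authentication
based on previously seen public keys, a model similar to SSH authentication. Note that when tofu
is specified, PKI and DANE authentication become advisory and only assist the public key acceptance
process.";
};

flag = {
    name = strict-tofu;
    descrip = "Fail to connect if a known certificate has changed";
    disabled;
    disable = "no";
    doc = "This option will perform authentication as with option --tofu; however, while --tofu asks whether to trust a changed public key, this option will fail in case of public key changes.";
};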
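/* DANE verification over DNSSEC, and the choice of resolver used for it. */
flag = {
    name = dane;
    descrip = "Enable DANE certificate verification (DNSSEC)";
    disabled;
    disable = "no";
    doc = "This option will, in addition to certificate authentication using 
the trusted CAs, verify the server certificates using the DANE information
available via DNSSEC.";
};

flag = {
    name = local-dns;
    descrip = "Use the local DNS server for DNSSEC resolving";
    disabled;
    disable = "no";
    doc = "This option will use the local DNS server for DNSSEC.
This is disabled by default due to many servers not allowing DNSSEC.";
};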
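/*
 * CA verification is the only option in this group that is on by default
 * ("enabled"); turning it off is meant to be paired with --dane or --tofu.
 */
flag = {
    name = ca-verification;
    descrip = "Enable CA certificate verification";
    enabled;
    disable = "no";
    doc = "This option can be used to enable or disable CA certificate verification. It is to be used with the --dane or --tofu options. When CA verification is disabled, the server certificate is checked only by the --dane or --tofu mechanisms in use.";
};

flag = {
    name = ocsp;
    descrip = "Enable OCSP certificate verification";
    disabled;
    disable = "no";
    doc = "This option will enable verification of the peer's certificate using ocsp";
};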
/* Session tests: resumption and an immediate rehandshake. */
flag = {
    name = resume;
    value = r;
    descrip = "Establish a session and resume";
    doc = "Connect, establish a session, reconnect and resume.";
};

flag = {
    name = rehandshake;
    value = e;
    descrip = "Establish a session and rehandshake";
    doc = "Connect, establish a session and rehandshake immediately.";
};

/* Overrides the name sent in SNI; per the doc text the provided hostname is used otherwise. */
flag = {
    name = sni-hostname;
    arg-type = string;
    descrip = "Server's hostname for server name indication extension";
    doc = "Set explicitly the server name used in the TLS server name indication extension. That is useful when testing with servers setup on different DNS name than the intended. If not specified, the provided hostname is used.";
};
/* STARTTLS handling: manual trigger (--starttls) or a named application protocol. */
flag = {
    name = starttls;
    value = s;
    descrip = "Connect, establish a plain session and start TLS";
    doc = "The TLS session will be initiated when EOF or a SIGALRM is received.";
};

/* app-proto is declared as an alias of starttls-proto. */
flag = {
    name = app-proto;
    aliases = starttls-proto;
};

flag = {
    name = starttls-proto;
    arg-type = string;
    descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)";
    doc = "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.";
    /* may not be combined with --starttls */
    flags-cant = starttls;
};
/* Transport options: DTLS over UDP, datagram MTU, line endings, TCP Fast Open. */
flag = {
    name = udp;
    value = u;
    descrip = "Use DTLS (datagram TLS) over UDP";
    doc = "";
};

flag = {
    name = mtu;
    descrip = "Set MTU for datagram TLS";
    arg-type = number;
    /* accepted values: 0 through 17000 */
    arg-range = "0->17000";
    doc = "";
};

flag = {
    name = crlf;
    descrip = "Send CR LF instead of LF";
    doc = "";
};

flag = {
    name = fastopen;
    descrip = "Enable TCP Fast Open";
    doc = "";
};
/* Certificate input format, and options that print or save what the peer sent. */
flag = {
    name = x509fmtder;
    descrip = "Use DER format for certificates to read from";
    doc = "";
};

flag = {
    name = print-cert;
    descrip = "Print peer's certificate in PEM format";
    doc = "";
};

/* The four save-* options each take the output file name as a string argument. */
flag = {
    name = save-cert;
    descrip = "Save the peer's certificate chain in the specified file in PEM format";
    arg-type = string;
    doc = "";
};

flag = {
    name = save-ocsp;
    descrip = "Save the peer's OCSP status response in the provided file";
    arg-type = string;
    doc = "";
};

flag = {
    name = save-server-trace;
    descrip = "Save the server-side TLS message trace in the provided file";
    arg-type = string;
    doc = "";
};

flag = {
    name = save-client-trace;
    descrip = "Save the client-side TLS message trace in the provided file";
    arg-type = string;
    doc = "";
};
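/* Lower bound on the Diffie-Hellman prime size the client accepts. */
flag = {
    name = dh-bits;
    arg-type = number;
    descrip = "The minimum number of bits allowed for DH";
    doc = "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get a connection error with unacceptable prime. Note that accepting a smaller prime weakens the key exchange.";
};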
/* Priority string selecting the TLS algorithms and protocol versions to enable. */
flag = {
    name = priority;
    descrip = "Priorities string";
    arg-type = string;
    doc = "TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, PFS, SECURE128, SECURE256. The default is NORMAL.

Check  the  GnuTLS  manual  on  section  ``Priority strings'' for more
information on the allowed keywords";
};
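/*
 * X.509 material. The x509cafile descrip reads the same as a client certificate
 * option, so its doc text spells out that it names the trusted CA certificates.
 */
flag = {
    name = x509cafile;
    arg-type = string;
    descrip = "Certificate file or PKCS #11 URL to use";
    doc = "The CA certificates found in this file or PKCS #11 URL are used as trusted when verifying the server certificate.";
};

/* arg-type file with file-exists: the CRL file has to exist. */
flag = {
    name = x509crlfile;
    arg-type = file;
    file-exists = yes;
    descrip = "CRL file to use";
    doc = "";
};

flag = {
    name = x509keyfile;
    arg-type = string;
    descrip = "X.509 key file or PKCS #11 URL to use";
    doc = "";
};

flag = {
    name = x509certfile;
    arg-type = string;
    descrip = "X.509 Certificate file or PKCS #11 URL to use";
    doc = "";
    /* a client certificate is only accepted together with its key */
    flags-must = x509keyfile;
};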
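/*
 * SRP and PSK credentials. srppasswd and pskkey carry secrets as plain
 * command line arguments, so their doc text warns about that exposure.
 */
flag = {
    name = srpusername;
    arg-type = string;
    descrip = "SRP username to use";
    doc = "";
};

flag = {
    name = srppasswd;
    arg-type = string;
    descrip = "SRP password to use";
    doc = "A password given on the command line may be visible to other local users in the process list and may be kept in the shell history.";
};

flag = {
    name = pskusername;
    arg-type = string;
    descrip = "PSK username to use";
    doc = "";
};

flag = {
    name = pskkey;
    arg-type = string;
    descrip = "PSK key (in hex) to use";
    doc = "A key given on the command line may be visible to other local users in the process list and may be kept in the shell history. If --pskusername is given without this option, gnutls-cli will query for the password during the handshake.";
};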
/* Destination port; a string argument, so a service name is accepted as well as a number. */
flag = {
    name = port;
    value = p;
    descrip = "The port or service to connect to";
    arg-type = string;
    doc = "";
};
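/*
 * Options that relax certificate verification. Both had an empty doc text;
 * the text now states what protection is given up.
 */
flag = {
    name = insecure;
    descrip = "Don't abort program if server certificate can't be validated";
    doc = "With this option the connection continues even when the server certificate fails validation, so the identity of the server is not assured. Use it only for testing or debugging.";
};

flag = {
    name = verify-allow-broken;
    descrip = "Allow broken algorithms, such as MD5 for certificate verification";
    doc = "Signatures made with such algorithms no longer give reliable assurance about a certificate, so this option weakens verification. Use it only when testing against legacy peers.";
};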
/* Length-hiding padding, applied when the negotiated ciphersuite allows it. */
flag = {
    name = ranges;
    doc = "When possible (e.g., when using CBC ciphersuites), use length-hiding padding to prevent traffic analysis.";
    descrip = "Use length-hiding padding to prevent traffic analysis";
};
/* Benchmark modes: raw ciphers, TLS key exchange methods, TLS ciphers. */
flag = {
    name = benchmark-ciphers;
    doc = "By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1.";
    descrip = "Benchmark individual ciphers";
};

flag = {
    name = benchmark-tls-kx;
    doc = "";
    descrip = "Benchmark TLS key exchange methods";
};

flag = {
    name = benchmark-tls-ciphers;
    doc = "By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1.";
    descrip = "Benchmark TLS ciphers";
};
/* Listing modes: supported algorithms, and supported priority strings. */
flag = {
    name = list;
    value = l;
    descrip = "Print a list of the supported algorithms and modes";
    /* may not be combined with --port */
    flags-cant = port;
    doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
};

flag = {
    name = priority-list;
    descrip = "Print a list of the supported priority strings";
    doc = "Print a list of the supported priority strings. The ciphersuites corresponding to each priority string can be examined using -l -p.";
};
/* TLS extension switches: session tickets, SRTP, ALPN, heartbeat, record size, SNI. */
flag = {
    name = noticket;
    descrip = "Don't allow session tickets";
    doc = "";
};

flag = {
    name = srtp_profiles;
    descrip = "Offer SRTP profiles";
    arg-type = string;
    doc = "";
};

/* --alpn may be repeated; every argument is kept. */
flag = {
    name = alpn;
    descrip = "Application layer protocol";
    arg-type = string;
    max = NOLIMIT; /* no limit on the number of occurrences */
    stack-arg; /* option arguments are saved in a stack */
    doc = "This option will set and enable the Application Layer Protocol Negotiation  (ALPN) in the TLS protocol.";
};

flag = {
    name = heartbeat;
    value = b;
    descrip = "Activate heartbeat support";
    doc = "";
};

flag = {
    name = recordsize;
    descrip = "The maximum record size to advertize";
    arg-type = number;
    /* accepted values: 0 through 4096 */
    arg-range = "0->4096";
    doc = "";
};

flag = {
    name = disable-sni;
    descrip = "Do not send a Server Name Indication (SNI)";
    doc = "";
};

/* Marked deprecated in its own doc text, which points to the priority string instead. */
flag = {
    name = disable-extensions;
    descrip = "Disable all the TLS extensions";
    doc = "This option disables all TLS extensions. Deprecated option. Use the priority string.";
};
/* Inline commands read from the input stream, and the delimiter that marks them. */
flag = {
    name = inline-commands;
    doc = "Enable inline commands of the form ^<cmd>^. The inline commands are expected to be in a line by themselves. The available commands are: resume and renegotiate.";
    descrip = "Inline commands of the form ^<cmd>^";
};

flag = {
    name = inline-commands-prefix;
    doc = "Change the default delimiter (^) used for inline commands. The delimiter is expected to be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands are enabled via the inline-commands option";
    descrip = "Change the default delimiter for inline commands.";
    arg-type = string;
};
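/*
 * PKCS #11 provider library chosen on the command line; the file has to exist
 * (arg-type file with file-exists). The doc text adds a trust caveat because
 * the named library replaces the configured defaults.
 */
flag = {
    name = provider;
    arg-type = file;
    file-exists = yes;
    descrip = "Specify the PKCS #11 provider library";
    doc = "This will override the default options in /etc/gnutls/pkcs11.conf. The library is loaded into the gnutls-cli process, so specify only a library you trust.";
};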
/* Reporting only: prints the FIPS140-2 mode status of the library. */
flag = {
    name = fips140-mode;
    doc = "";
    descrip = "Reports the status of the FIPS140-2 mode in gnutls library";
};
/* Extra manual section with cross references to the related GnuTLS tools. */
doc-section = {
  ds-type = 'SEE ALSO'; /* title of the section */
  ds-format = 'texi'; /* markup in which ds-text is written */
  ds-text = <<-_EOF_
gnutls-cli-debug(1), gnutls-serv(1)
_EOF_;
};
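/*
 * EXAMPLES section of the manual, written in texinfo. The transcripts inside
 * the @example blocks are kept as they were; only the surrounding prose is
 * corrected (PKCS #11 spelling, an unfinished sentence, and a note on why
 * leaving --pskkey off the command line is preferable).
 */
doc-section = {
  ds-type = 'EXAMPLES';
  ds-format = 'texi';
  ds-text = <<-_EOF_
@subheading Connecting using PSK authentication
To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
@example
$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
    --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
    --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- PSK authentication.
- Version: TLS1.1
- Key Exchange: PSK
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
    
- Simple Client Mode:
@end example
By keeping the --pskusername parameter and removing the --pskkey parameter, gnutls-cli will query only for the password during the handshake, which also keeps the key off the command line.

@subheading Connecting to STARTTLS services

You could also use the client to connect to services with starttls capability.
@example
$ gnutls-cli --starttls-proto smtp --port 25 localhost
@end example

@subheading Listing ciphersuites in a priority string
To list the ciphersuites in a priority string:
@example
$ ./gnutls-cli --priority SECURE192 -l
Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384         0xc0, 0x24	TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384         0xc0, 0x2e	TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384           0xc0, 0x30	TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256             0x00, 0x6b	TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256             0x00, 0x6a	TLS1.2
TLS_RSA_AES_256_CBC_SHA256                 0x00, 0x3d	TLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
@end example

@subheading Connecting using a PKCS #11 token
To connect to a server using a certificate and a private key present in a PKCS #11 token you
need to substitute the PKCS #11 URLs in the x509certfile and x509keyfile parameters.

Those can be found using "p11tool --list-tokens" and then listing all the objects in the
needed token, and using the appropriate URLs.
@example
$ p11tool --list-tokens

Token 0:
	URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test
	Label: Test
	Manufacturer: EnterSafe
	Model: PKCS15
	Serial: 1234

$ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test"

Object 0:
	URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert
	Type: X.509 Certificate
	Label: client
	ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a

$ MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert"
$ MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=private"
$ export MYCERT MYKEY

$ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile $MYCERT
@end example
Notice that the private key only differs from the certificate in the type.
_EOF_;
};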