1 AutoGen Definitions options;
2 prog-name = gnutls-cli;
3 prog-title = "GnuTLS client";
4 prog-desc = "Simple client program to set up a TLS connection.";
5 short-usage = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
7 detail = "Simple client program to set up a TLS connection to some other computer.
8 It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
10 argument = "[hostname]";
17 descrip = "Enable trust on first use authentication";
20 doc = "This option will, in addition to certificate authentication, perform authentication
21 based on previously seen public keys, a model similar to SSH authentication. Note that when tofu
22 is specified, (PKI) and DANE authentication will become advisory to assist the public key acceptance
28 descrip = "Fail to connect if a known certificate has changed";
31 doc = "This option will perform authentication as with option --tofu; however, while --tofu asks whether to trust a changed public key, this option will fail in case of public key changes.";
36 descrip = "Enable DANE certificate verification (DNSSEC)";
39 doc = "This option will, in addition to certificate authentication using
40 the trusted CAs, verify the server certificates using the DANE information
41 available via DNSSEC.";
46 descrip = "Use the local DNS server for DNSSEC resolving";
49 doc = "This option will use the local DNS server for DNSSEC.
50 This is disabled by default due to many servers not allowing DNSSEC.";
54 name = ca-verification;
55 descrip = "Disable CA certificate verification";
58 doc = "This option will disable CA certificate verification. It is to be used with the --dane or --tofu options.";
63 descrip = "Enable OCSP certificate verification";
66 doc = "This option will enable verification of the peer's certificate using OCSP";
72 descrip = "Establish a session and resume";
73 doc = "Connect, establish a session, reconnect and resume.";
79 descrip = "Establish a session and rehandshake";
80 doc = "Connect, establish a session and rehandshake immediately.";
86 descrip = "Connect, establish a plain session and start TLS";
87 doc = "The TLS session will be initiated when EOF or a SIGALRM is received.";
92 aliases = starttls-proto;
96 name = starttls-proto;
97 descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap)";
99 doc = "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.";
100 flags-cant = starttls;
106 descrip = "Use DTLS (datagram TLS) over UDP";
113 arg-range = "0->17000";
114 descrip = "Set MTU for datagram TLS";
120 descrip = "Send CR LF instead of LF";
126 descrip = "Use DER format for certificates to read from";
133 descrip = "Send the openpgp fingerprint, instead of the key";
139 descrip = "Print peer's certificate in PEM format";
146 descrip = "The minimum number of bits allowed for DH";
147 doc = "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get a connection error due to an unacceptable prime.";
153 descrip = "Priorities string";
154 doc = "TLS algorithms and protocols to enable. You can
155 use predefined sets of ciphersuites such as PERFORMANCE,
156 NORMAL, PFS, SECURE128, SECURE256. The default is NORMAL.
158 Check the GnuTLS manual, section ``Priority strings'', for more
159 information on the allowed keywords.";
165 descrip = "Certificate file or PKCS #11 URL to use";
173 descrip = "CRL file to use";
181 descrip = "PGP Key file to use";
189 descrip = "PGP Key ring file to use";
197 descrip = "PGP Public Key (certificate) file to use";
204 descrip = "X.509 key file or PKCS #11 URL to use";
211 descrip = "X.509 Certificate file or PKCS #11 URL to use";
218 descrip = "PGP subkey to use (hex or auto)";
225 descrip = "SRP username to use";
232 descrip = "SRP password to use";
239 descrip = "PSK username to use";
246 descrip = "PSK key (in hex) to use";
255 descrip = "The port or service to connect to";
261 descrip = "Don't abort program if server certificate can't be validated";
267 descrip = "Use length-hiding padding to prevent traffic analysis";
268 doc = "When possible (e.g., when using CBC ciphersuites), use length-hiding padding to prevent traffic analysis.";
272 name = benchmark-ciphers;
273 descrip = "Benchmark individual ciphers";
278 name = benchmark-tls-kx;
279 descrip = "Benchmark TLS key exchange methods";
284 name = benchmark-tls-ciphers;
285 descrip = "Benchmark TLS ciphers";
292 descrip = "Print a list of the supported algorithms and modes";
293 doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
299 descrip = "Don't allow session tickets";
304 name = srtp_profiles;
306 descrip = "Offer SRTP profiles";
313 descrip = "Application layer protocol";
314 max = NOLIMIT; /* occurrence limit (none) */
315 stack-arg; /* save opt args in a stack */
316 doc = "This option will set and enable the Application Layer Protocol Negotiation (ALPN) in the TLS protocol.";
322 descrip = "Activate heartbeat support";
329 arg-range = "0->4096";
330 descrip = "The maximum record size to advertize";
336 descrip = "Do not send a Server Name Indication (SNI)";
341 name = disable-extensions;
342 descrip = "Disable all the TLS extensions";
343 doc = "This option disables all TLS extensions. Deprecated option. Use the priority string.";
347 name = inline-commands;
348 descrip = "Inline commands of the form ^<cmd>^";
349 doc = "Enable inline commands of the form ^<cmd>^. The inline commands are expected to be on a line by themselves. The available commands are: resume and renegotiate.";
353 name = inline-commands-prefix;
355 descrip = "Change the default delimiter for inline commands.";
356 doc = "Change the default delimiter (^) used for inline commands. The delimiter is expected to be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands are enabled via the --inline-commands option.";
363 descrip = "Specify the PKCS #11 provider library";
364 doc = "This will override the default options in /etc/gnutls/pkcs11.conf";
369 descrip = "Reports the status of the FIPS140-2 mode in the GnuTLS library";
374 ds-type = 'SEE ALSO'; // or anything else
375 ds-format = 'texi'; // 'texi' or 'mdoc' format
377 gnutls-cli-debug(1), gnutls-serv(1)
382 ds-type = 'EXAMPLES';
385 @subheading Connecting using PSK authentication
386 To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as the one in the example below.
388 $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
389 --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
390 --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
391 Resolving 'localhost'...
392 Connecting to '127.0.0.1:5556'...
393 - PSK authentication.
396 - Cipher: AES-128-CBC
399 - Handshake was completed
401 - Simple Client Mode:
403 By keeping the --pskusername parameter and removing the --pskkey parameter, gnutls-cli will prompt only for the password during the handshake.
405 @subheading Listing ciphersuites in a priority string
406 To list the ciphersuites in a priority string:
408 $ ./gnutls-cli --priority SECURE192 -l
409 Cipher suites for SECURE192
410 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
411 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
412 TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
413 TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
414 TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
415 TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
417 Certificate types: CTYPE-X.509
418 Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
419 Compression: COMP-NULL
420 Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
421 PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
424 @subheading Connecting using a PKCS #11 token
425 To connect to a server using a certificate and a private key present in a PKCS #11 token you
426 need to substitute the PKCS #11 URLs in the x509certfile and x509keyfile parameters.
428 Those can be found using "p11tool --list-tokens" and then listing all the objects in the
429 needed token, and using the appropriate ones.
431 $ p11tool --list-tokens
434 URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test
436 Manufacturer: EnterSafe
440 $ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test"
443 URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert
444 Type: X.509 Certificate
446 ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a
448 $ export MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert"
449 $ export MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=private"
451 $ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile $MYCERT
453 Notice that the private key URL differs from the certificate URL only in the object-type.