1 AutoGen Definitions options;
2 prog-name = gnutls-cli;
3 prog-title = "GnuTLS client";
4 prog-desc = "Simple client program to set up a TLS connection.";
5 short-usage = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
7 detail = "Simple client program to set up a TLS connection to some other computer.
8 It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
10 argument = "[hostname]";
17 descrip = "Enable trust on first use authentication";
20 doc = "This option will, in addition to certificate authentication, perform authentication
21 based on previously seen public keys, a model similar to SSH authentication. Note that when tofu
22 is specified, PKI and DANE authentication become advisory to assist the public key acceptance
28 descrip = "Fail to connect if a known certificate has changed";
31 doc = "This option will perform authentication as with option --tofu; however, while --tofu asks whether to trust a changed public key, this option will fail in case of public key changes.";
36 descrip = "Enable DANE certificate verification (DNSSEC)";
39 doc = "This option will, in addition to certificate authentication using
40 the trusted CAs, verify the server certificates using the DANE information
41 available via DNSSEC.";
46 descrip = "Use the local DNS server for DNSSEC resolving";
49 doc = "This option will use the local DNS server for DNSSEC.
50 This is disabled by default because many DNS servers do not support DNSSEC.";
54 name = ca-verification;
55 descrip = "Disable CA certificate verification";
58 doc = "This option will disable CA certificate verification. It is to be used with the --dane or --tofu options; without one of them, the server's certificate is not verified at all.";
63 descrip = "Enable OCSP certificate verification";
66 doc = "This option will enable verification of the peer's certificate using OCSP.";
72 descrip = "Establish a session and resume";
73 doc = "Connect, establish a session, reconnect and resume.";
79 descrip = "Establish a session and rehandshake";
80 doc = "Connect, establish a session and rehandshake immediately.";
86 descrip = "Connect, establish a plain session and start TLS";
87 doc = "The TLS session will be initiated when EOF or a SIGALRM is received.";
93 descrip = "Use DTLS (datagram TLS) over UDP";
100 arg-range = "0->17000";
101 descrip = "Set MTU for datagram TLS";
107 descrip = "Send CR LF instead of LF";
113 descrip = "Use DER format for certificates to read from";
120 descrip = "Send the openpgp fingerprint, instead of the key";
126 descrip = "Print peer's certificate in PEM format";
133 descrip = "The minimum number of bits allowed for DH";
134 doc = "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get a connection error with an unacceptable prime; note that lowering it also lowers the protection against weak DH parameters.";
140 descrip = "Priorities string";
141 doc = "TLS algorithms and protocols to enable. You can
142 use predefined sets of ciphersuites such as PERFORMANCE,
143 NORMAL, PFS, SECURE128, SECURE256. The default is NORMAL.
145 Check the GnuTLS manual, section ``Priority strings'', for more
146 information on the allowed keywords.";
152 descrip = "Certificate file or PKCS #11 URL to use";
160 descrip = "CRL file to use";
168 descrip = "PGP Key file to use";
176 descrip = "PGP Key ring file to use";
184 descrip = "PGP Public Key (certificate) file to use";
191 descrip = "X.509 key file or PKCS #11 URL to use";
198 descrip = "X.509 Certificate file or PKCS #11 URL to use";
205 descrip = "PGP subkey to use (hex or auto)";
212 descrip = "SRP username to use";
219 descrip = "SRP password to use";
226 descrip = "PSK username to use";
233 descrip = "PSK key (in hex) to use";
242 descrip = "The port or service to connect to";
248 descrip = "Don't abort program if server certificate can't be validated";
254 descrip = "Use length-hiding padding to prevent traffic analysis";
255 doc = "When possible (e.g., when using CBC ciphersuites), use length-hiding padding to prevent traffic analysis.";
259 name = benchmark-ciphers;
260 descrip = "Benchmark individual ciphers";
265 name = benchmark-tls-kx;
266 descrip = "Benchmark TLS key exchange methods";
271 name = benchmark-tls-ciphers;
272 descrip = "Benchmark TLS ciphers";
279 descrip = "Print a list of the supported algorithms and modes";
280 doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
285 descrip = "Don't allow session tickets";
290 name = srtp_profiles;
292 descrip = "Offer SRTP profiles";
299 descrip = "Application layer protocol";
300 max = NOLIMIT; /* occurrence limit (none) */
301 stack-arg; /* save opt args in a stack */
302 doc = "This option will set and enable the Application Layer Protocol Negotiation (ALPN) in the TLS protocol.";
308 descrip = "Activate heartbeat support";
315 arg-range = "0->4096";
316 descrip = "The maximum record size to advertize";
322 descrip = "Do not send a Server Name Indication (SNI)";
327 name = disable-extensions;
328 descrip = "Disable all the TLS extensions";
329 doc = "This option disables all TLS extensions. It is deprecated; use the priority string instead.";
333 name = inline-commands;
334 descrip = "Inline commands of the form ^<cmd>^";
335 doc = "Enable inline commands of the form ^<cmd>^. The inline commands are expected to be in a line by themselves. The available commands are: resume and renegotiate.";
339 name = inline-commands-prefix;
341 descrip = "Change the default (^) used as a delimiter for inline commands.
342 \t\t\t\tThe value is a single US-ASCII character (octets 0 - 127).";
343 doc = "Change the default (^) delimiter used for inline commands. The delimiter is expected to be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands are enabled via the inline-commands option.";
351 descrip = "Specify the PKCS #11 provider library";
352 doc = "This will override the default options in /etc/gnutls/pkcs11.conf";
356 ds-type = 'SEE ALSO'; // or anything else
357 ds-format = 'texi'; // or texi or mdoc format
359 gnutls-cli-debug(1), gnutls-serv(1)
364 ds-type = 'EXAMPLES';
367 @subheading Connecting using PSK authentication
368 To connect to a server using PSK authentication, you need to enable PSK key exchange through the priority string, as in the example below.
370 $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
371 --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
372 --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
373 Resolving 'localhost'...
374 Connecting to '127.0.0.1:5556'...
375 - PSK authentication.
378 - Cipher: AES-128-CBC
381 - Handshake was completed
383 - Simple Client Mode:
385 If you keep the --pskusername parameter and omit the --pskkey parameter, the client will prompt for the password during the handshake, so the key does not have to appear on the command line.
387 @subheading Listing ciphersuites in a priority string
388 To list the ciphersuites in a priority string:
390 $ ./gnutls-cli --priority SECURE192 -l
391 Cipher suites for SECURE192
392 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
393 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
394 TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
395 TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
396 TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
397 TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
399 Certificate types: CTYPE-X.509
400 Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
401 Compression: COMP-NULL
402 Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
403 PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
406 @subheading Connecting using a PKCS #11 token
407 To connect to a server using a certificate and a private key present in a PKCS #11 token you
408 need to substitute the PKCS #11 URLs in the x509certfile and x509keyfile parameters.
410 Those can be found using "p11tool --list-tokens" and then listing all the objects in the
411 needed token and using the appropriate ones.
413 $ p11tool --list-tokens
416 URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test
418 Manufacturer: EnterSafe
422 $ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test"
425 URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert
426 Type: X.509 Certificate
428 ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a
430 $ export MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert"
431 $ export MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=private"
433 $ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile $MYCERT
435 Notice that the private key URL differs from the certificate URL only in the object-type.