flag = {
name = app-proto;
- aliases = starttls-proto;
-};
-
-flag = {
- name = starttls-proto;
arg-type = string;
- descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp)";
- doc = "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.";
+ descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap)";
+ doc = "";
};
-
doc-section = {
ds-type = 'SEE ALSO'; // or anything else
ds-format = 'texi'; // or texi or mdoc format
ds-text = <<-_EOF_
@example
$ ../src/gnutls-cli-debug localhost
-GnuTLS debug client 3.5.0
-Checking localhost:443
- for SSL 3.0 (RFC6101) support... yes
- whether we need to disable TLS 1.2... no
- whether we need to disable TLS 1.1... no
- whether we need to disable TLS 1.0... no
- whether %NO_EXTENSIONS is required... no
- whether %COMPAT is required... no
- for TLS 1.0 (RFC2246) support... yes
- for TLS 1.1 (RFC4346) support... yes
- for TLS 1.2 (RFC5246) support... yes
- fallback from TLS 1.6 to... TLS1.2
- for RFC7507 inappropriate fallback... yes
- for HTTPS server name... Local
- for certificate chain order... sorted
- for safe renegotiation (RFC5746) support... yes
- for Safe renegotiation support (SCSV)... no
- for encrypt-then-MAC (RFC7366) support... no
- for ext master secret (RFC7627) support... no
- for heartbeat (RFC6520) support... no
- for version rollback bug in RSA PMS... dunno
- for version rollback bug in Client Hello... no
- whether the server ignores the RSA PMS version... yes
-whether small records (512 bytes) are tolerated on handshake... yes
- whether cipher suites not in SSL 3.0 spec are accepted... yes
-whether a bogus TLS record version in the client hello is accepted... yes
- whether the server understands TLS closure alerts... partially
- whether the server supports session resumption... yes
- for anonymous authentication support... no
- for ephemeral Diffie-Hellman support... no
- for ephemeral EC Diffie-Hellman support... yes
- ephemeral EC Diffie-Hellman group info... SECP256R1
- for AES-128-GCM cipher (RFC5288) support... yes
- for AES-128-CCM cipher (RFC6655) support... no
- for AES-128-CCM-8 cipher (RFC6655) support... no
- for AES-128-CBC cipher (RFC3268) support... yes
- for CAMELLIA-128-GCM cipher (RFC6367) support... no
- for CAMELLIA-128-CBC cipher (RFC5932) support... no
- for 3DES-CBC cipher (RFC2246) support... yes
- for ARCFOUR 128 cipher (RFC2246) support... yes
- for MD5 MAC support... yes
- for SHA1 MAC support... yes
- for SHA256 MAC support... yes
- for ZLIB compression support... no
- for max record size (RFC6066) support... no
- for OCSP status response (RFC6066) support... no
- for OpenPGP authentication (RFC6091) support... no
+Resolving 'localhost'...
+Connecting to '127.0.0.1:443'...
+Checking for SSL 3.0 support... yes
+Checking whether %COMPAT is required... no
+Checking for TLS 1.0 support... yes
+Checking for TLS 1.1 support... no
+Checking fallback from TLS 1.1 to... TLS 1.0
+Checking for TLS 1.2 support... no
+Checking whether we need to disable TLS 1.0... N/A
+Checking for Safe renegotiation support... yes
+Checking for Safe renegotiation support (SCSV)... yes
+Checking for HTTPS server name... not checked
+Checking for version rollback bug in RSA PMS... no
+Checking for version rollback bug in Client Hello... no
+Checking whether the server ignores the RSA PMS version... no
+Checking whether the server can accept Hello Extensions... yes
+Checking whether the server can accept small records (512 bytes)... yes
+Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
+Checking whether the server can accept a bogus TLS record version in the client hello... yes
+Checking for certificate information... N/A
+Checking for trusted CAs... N/A
+Checking whether the server understands TLS closure alerts... partially
+Checking whether the server supports session resumption... yes
+Checking for export-grade ciphersuite support... no
+Checking RSA-export ciphersuite info... N/A
+Checking for anonymous authentication support... no
+Checking anonymous Diffie-Hellman group info... N/A
+Checking for ephemeral Diffie-Hellman support... no
+Checking ephemeral Diffie-Hellman group info... N/A
+Checking for ephemeral EC Diffie-Hellman support... yes
+Checking ephemeral EC Diffie-Hellman group info...
+ Curve SECP256R1
+Checking for AES-GCM cipher support... no
+Checking for AES-CBC cipher support... yes
+Checking for CAMELLIA cipher support... no
+Checking for 3DES-CBC cipher support... yes
+Checking for ARCFOUR 128 cipher support... yes
+Checking for ARCFOUR 40 cipher support... no
+Checking for MD5 MAC support... yes
+Checking for SHA1 MAC support... yes
+Checking for SHA256 MAC support... no
+Checking for ZLIB compression support... no
+Checking for max record size... no
+Checking for OpenPGP authentication support... no
@end example
_EOF_;
};
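Review bot: `doc = "";` on the new side leaves the `app-proto` flag with no long description, and the shortened `descrip` no longer tells the reader that the named protocol is used for a STARTTLS upgrade before the TLS checks run. I would keep a one-line doc such as `doc = "Specify the application layer protocol for STARTTLS. If the protocol is supported, the client proceeds to the TLS negotiation.";`, limited to the protocols the new `descrip` lists. The new side also defines only `app-proto` with no `aliases` entry, so an invocation written with `starttls-proto` will presumably be rejected; if that is intended it deserves a line in the release notes. In the `@example` text, a sentence after `@end example` would help: it should say that `yes` for SSL 3.0, ARCFOUR 128, 3DES-CBC and MD5 MAC reports what the probed server accepts, not what is recommended, so readers do not take the sample as a healthy baseline.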