1 AutoGen Definitions options
;
2 prog
-name
= gnutls
-cli
;
3 prog
-title
= "GnuTLS client";
4 prog
-desc
= "Simple client program to set up a TLS connection.";
5 short
-usage
= "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
7 detail
= "Simple client program to set up a TLS connection to some other computer.
8 It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
10 argument
= "[hostname]";
17 descrip
= "Enable trust on first use authentication";
20 doc
= "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.";
25 descrip
= "Enable OCSP certificate verification";
28 doc
= "This option will enable verification of the peer's certificate using ocsp";
34 descrip
= "Establish a session and resume";
35 doc
= "Connect, establish a session, reconnect and resume.";
41 descrip
= "Establish a session and rehandshake";
42 doc
= "Connect, establish a session and rehandshake immediately.";
47 descrip
= "Don't accept session tickets";
54 descrip
= "Connect, establish a plain session and start TLS.";
55 doc
= "The TLS session will be initiated when EOF or a SIGALRM is received.";
61 descrip
= "Use DTLS (datagram TLS) over UDP";
68 arg
-range
= "0->17000";
69 descrip
= "Set MTU for datagram TLS";
75 descrip
= "Send CR LF instead of LF";
81 descrip
= "Use DER format for certificates to read from";
88 descrip
= "Send the openpgp fingerprint, instead of the key";
93 name
= disable
-extensions
;
94 descrip
= "Disable all the TLS extensions";
100 descrip
= "Print peer's certificate in PEM format";
107 arg
-range
= "0->4096";
108 descrip
= "The maximum record size to advertize";
115 descrip
= "Priorities string";
116 doc
= "TLS algorithms and protocols to enable. You can
117 use predefined sets of ciphersuites such as PERFORMANCE,
118 NORMAL, SECURE128, SECURE256.
120 Check the GnuTLS manual on section ``Priority strings'' for more
121 information on allowed keywords";
127 descrip
= "Certificate file or PKCS #11 URL to use";
135 descrip
= "CRL file to use";
143 descrip
= "PGP Key file to use";
151 descrip
= "PGP Key ring file to use";
159 descrip
= "PGP Public Key (certificate) file to use";
166 descrip
= "X.509 key file or PKCS #11 URL to use";
173 descrip
= "X.509 Certificate file or PKCS #11 URL to use";
180 descrip
= "PGP subkey to use (hex or auto)";
187 descrip
= "SRP username to use";
194 descrip
= "SRP password to use";
201 descrip
= "PSK username to use";
208 descrip
= "PSK key (in hex) to use";
216 descrip
= "The port or service to connect to";
222 descrip
= "Don't abort program if server certificate can't be validated";
227 name
= benchmark
-ciphers
;
228 descrip
= "Benchmark individual ciphers";
233 name
= benchmark
-soft
-ciphers
;
234 descrip
= "Benchmark individual software ciphers (no hw acceleration)";
239 name
= benchmark
-tls
;
240 descrip
= "Benchmark ciphers and key exchange methods in TLS";
247 descrip
= "Print a list of the supported algorithms and modes";
248 doc
= "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
254 ds
-type
= 'SEE ALSO'; // or anything else
255 ds
-format
= 'texi'; // or texi or mdoc format
257 gnutls
-cli
-debug(1), gnutls
-serv(1)
262 ds
-type
= 'EXAMPLES';
265 @subheading Connecting using PSK authentication
266 To connect to a server using PSK authentication
, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
268 $ .
/gnutls
-cli
-p
5556 localhost
--pskusername psk_identity \
269 --pskkey
88f3824b3e5659f52d00e959bacab954b6540344 \
270 --priority NORMAL
:-KX
-ALL
:+ECDHE
-PSK
:+DHE
-PSK
:+PSK
271 Resolving
'localhost'...
272 Connecting to
'127.0.0.1:5556'...
273 - PSK authentication.
276 - Cipher
: AES
-128-CBC
279 - Handshake was completed
281 - Simple Client Mode
:
283 By keeping the
--pskusername parameter and removing the
--pskkey parameter
, it will query only for the password during the handshake.
285 @subheading Listing ciphersuites in a priority string
286 To list the ciphersuites in a priority string
:
288 $ .
/gnutls
-cli
--priority SECURE192
-l
289 Cipher suites for SECURE192
290 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384
0xc0, 0x24 TLS1.2
291 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384
0xc0, 0x2e TLS1.2
292 TLS_ECDHE_RSA_AES_256_GCM_SHA384
0xc0, 0x30 TLS1.2
293 TLS_DHE_RSA_AES_256_CBC_SHA256
0x00, 0x6b TLS1.2
294 TLS_DHE_DSS_AES_256_CBC_SHA256
0x00, 0x6a TLS1.2
295 TLS_RSA_AES_256_CBC_SHA256
0x00, 0x3d TLS1.2
297 Certificate types
: CTYPE
-X
.509
298 Protocols
: VERS
-TLS1.2
, VERS
-TLS1.1
, VERS
-TLS1.0
, VERS
-SSL3.0
, VERS
-DTLS1.0
299 Compression
: COMP
-NULL
300 Elliptic curves
: CURVE
-SECP384R1
, CURVE
-SECP521R1
301 PK
-signatures
: SIGN
-RSA
-SHA384
, SIGN
-ECDSA
-SHA384
, SIGN
-RSA
-SHA512
, SIGN
-ECDSA
-SHA512