1 AutoGen Definitions options
;
2 prog
-name
= gnutls
-cli
;
3 prog
-title
= "GnuTLS client";
4 prog
-desc
= "Simple client program to set up a TLS connection.";
5 short
-usage
= "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
7 detail
= "Simple client program to set up a TLS connection to some other computer.
8 It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
10 argument
= "[hostname]";
17 descrip
= "Enable trust on first use authentication";
20 doc
= "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.";
25 descrip
= "Enable OCSP certificate verification";
28 doc
= "This option will enable verification of the peer's certificate using ocsp";
34 descrip
= "Establish a session and resume";
35 doc
= "Connect, establish a session, reconnect and resume.";
41 descrip
= "Activate heartbeat support";
48 descrip
= "Establish a session and rehandshake";
49 doc
= "Connect, establish a session and rehandshake immediately.";
54 descrip
= "Don't accept session tickets";
59 name
= ocsp
-status
-request
;
60 descrip
= "Enable OCSP status request";
63 doc
= "The client will indicate to the server in a TLS extension that it wants a OCSP status request.";
69 descrip
= "Connect, establish a plain session and start TLS.";
70 doc
= "The TLS session will be initiated when EOF or a SIGALRM is received.";
76 descrip
= "Use DTLS (datagram TLS) over UDP";
83 arg
-range
= "0->17000";
84 descrip
= "Set MTU for datagram TLS";
90 descrip
= "Send CR LF instead of LF";
96 descrip
= "Use DER format for certificates to read from";
103 descrip
= "Send the openpgp fingerprint, instead of the key";
108 name
= disable
-extensions
;
109 descrip
= "Disable all the TLS extensions";
115 descrip
= "Print peer's certificate in PEM format";
122 arg
-range
= "0->4096";
123 descrip
= "The maximum record size to advertize";
130 descrip
= "The minimum number of bits allowed for DH";
131 doc
= "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.";
137 descrip
= "Priorities string";
138 doc
= "TLS algorithms and protocols to enable. You can
139 use predefined sets of ciphersuites such as PERFORMANCE,
140 NORMAL, SECURE128, SECURE256.
142 Check the GnuTLS manual on section ``Priority strings'' for more
143 information on allowed keywords";
149 descrip
= "Certificate file or PKCS #11 URL to use";
157 descrip
= "CRL file to use";
165 descrip
= "PGP Key file to use";
173 descrip
= "PGP Key ring file to use";
181 descrip
= "PGP Public Key (certificate) file to use";
188 descrip
= "X.509 key file or PKCS #11 URL to use";
195 descrip
= "X.509 Certificate file or PKCS #11 URL to use";
202 descrip
= "PGP subkey to use (hex or auto)";
209 descrip
= "SRP username to use";
216 descrip
= "SRP password to use";
223 descrip
= "PSK username to use";
230 descrip
= "PSK key (in hex) to use";
238 descrip
= "The port or service to connect to";
244 descrip
= "Don't abort program if server certificate can't be validated";
249 name
= benchmark
-ciphers
;
250 descrip
= "Benchmark individual ciphers";
255 name
= benchmark
-soft
-ciphers
;
256 descrip
= "Benchmark individual software ciphers (no hw acceleration)";
261 name
= benchmark
-tls
-kx
;
262 descrip
= "Benchmark TLS key exchange methods";
267 name
= benchmark
-tls
-ciphers
;
268 descrip
= "Benchmark TLS ciphers";
275 descrip
= "Print a list of the supported algorithms and modes";
276 doc
= "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
282 ds
-type
= 'SEE ALSO'; // or anything else
283 ds
-format
= 'texi'; // or texi or mdoc format
285 gnutls
-cli
-debug(1), gnutls
-serv(1)
290 ds
-type
= 'EXAMPLES';
293 @subheading Connecting using PSK authentication
294 To connect to a server using PSK authentication
, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
296 $ .
/gnutls
-cli
-p
5556 localhost
--pskusername psk_identity \
297 --pskkey
88f3824b3e5659f52d00e959bacab954b6540344 \
298 --priority NORMAL
:-KX
-ALL
:+ECDHE
-PSK
:+DHE
-PSK
:+PSK
299 Resolving
'localhost'...
300 Connecting to
'127.0.0.1:5556'...
301 - PSK authentication.
304 - Cipher
: AES
-128-CBC
307 - Handshake was completed
309 - Simple Client Mode
:
311 By keeping the
--pskusername parameter and removing the
--pskkey parameter
, it will query only for the password during the handshake.
313 @subheading Listing ciphersuites in a priority string
314 To list the ciphersuites in a priority string
:
316 $ .
/gnutls
-cli
--priority SECURE192
-l
317 Cipher suites for SECURE192
318 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384
0xc0, 0x24 TLS1.2
319 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384
0xc0, 0x2e TLS1.2
320 TLS_ECDHE_RSA_AES_256_GCM_SHA384
0xc0, 0x30 TLS1.2
321 TLS_DHE_RSA_AES_256_CBC_SHA256
0x00, 0x6b TLS1.2
322 TLS_DHE_DSS_AES_256_CBC_SHA256
0x00, 0x6a TLS1.2
323 TLS_RSA_AES_256_CBC_SHA256
0x00, 0x3d TLS1.2
325 Certificate types
: CTYPE
-X
.509
326 Protocols
: VERS
-TLS1.2
, VERS
-TLS1.1
, VERS
-TLS1.0
, VERS
-SSL3.0
, VERS
-DTLS1.0
327 Compression
: COMP
-NULL
328 Elliptic curves
: CURVE
-SECP384R1
, CURVE
-SECP521R1
329 PK
-signatures
: SIGN
-RSA
-SHA384
, SIGN
-ECDSA
-SHA384
, SIGN
-RSA
-SHA512
, SIGN
-ECDSA
-SHA512