1 AutoGen Definitions options;
2 prog-name = gnutls-cli;
3 prog-title = "GnuTLS client";
4 prog-desc = "Simple client program to set up a TLS connection.";
5 short-usage = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
6 explain = "";
7 detail = "Simple client program to set up a TLS connection to some other computer.
8 It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
9 reorder-args;
10 argument = "[hostname]";
12 #define VERBOSE_OPT 1
13 #include args-std.def
15 flag = {
16 name = tofu;
17 descrip = "Enable trust on first use authentication";
18 disabled;
19 disable = "no";
20 doc = "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication. The first connection to a host has no stored key to compare against and is trusted as-is; later connections are checked against the key recorded on that first use.";
23 flag = {
24 name = ocsp;
25 descrip = "Enable OCSP certificate verification";
26 disabled;
27 disable = "no";
28 doc = "This option will enable verification of the peer's certificate using OCSP. Whether an OCSP status is also requested from the server during the handshake is controlled separately by --ocsp-status-request.";
31 flag = {
32 name = resume;
33 value = r;
34 descrip = "Establish a session and resume";
35 doc = "Connect, establish a session, reconnect and resume.";
38 flag = {
39 name = heartbeat;
40 value = b;
41 descrip = "Activate heartbeat support";
42 doc = "";
45 flag = {
46 name = rehandshake;
47 value = e;
48 descrip = "Establish a session and rehandshake";
49 doc = "Connect, establish a session and rehandshake immediately.";
52 flag = {
53 name = noticket;
54 descrip = "Don't accept session tickets";
55 doc = "";
58 flag = {
59 name = ocsp-status-request;
60 descrip = "Enable OCSP status request";
61 enabled;
62 disable = "no";
63 doc = "The client will indicate to the server in a TLS extension that it wants an OCSP status response for the server's certificate. The server is not obliged to send one.";
66 flag = {
67 name = starttls;
68 value = s;
69 descrip = "Connect, establish a plain session and start TLS.";
70 doc = "The TLS session will be initiated when EOF or a SIGALRM is received.";
73 flag = {
74 name = udp;
75 value = u;
76 descrip = "Use DTLS (datagram TLS) over UDP";
77 doc = "";
80 flag = {
81 name = mtu;
82 arg-type = number;
83 arg-range = "0->17000";
84 descrip = "Set MTU for datagram TLS";
85 doc = "";
88 flag = {
89 name = crlf;
90 descrip = "Send CR LF instead of LF";
91 doc = "";
94 flag = {
95 name = x509fmtder;
96 descrip = "Use DER format for the certificate files that are read";
97 doc = "";
100 flag = {
101 name = fingerprint;
102 value = f;
103 descrip = "Send the openpgp fingerprint, instead of the key";
104 doc = "";
107 flag = {
108 name = disable-extensions;
109 descrip = "Disable all the TLS extensions";
110 doc = "This also disables extension-based features such as the OCSP status request (see --ocsp-status-request).";
113 flag = {
114 name = print-cert;
115 descrip = "Print peer's certificate in PEM format";
116 doc = "";
119 flag = {
120 name = recordsize;
121 arg-type = number;
122 arg-range = "0->4096";
123 descrip = "The maximum record size to advertize";
124 doc = "";
127 flag = {
128 name = dh-bits;
129 arg-type = number;
130 descrip = "The minimum number of bits allowed for DH";
131 doc = "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get a connection error with unacceptable prime. Note that lowering this value accepts a weaker key exchange with that peer.";
134 flag = {
135 name = priority;
136 arg-type = string;
137 descrip = "Priorities string";
138 doc = "TLS algorithms and protocols to enable. You can
139 use predefined sets of ciphersuites such as PERFORMANCE,
140 NORMAL, SECURE128, SECURE256.
142 Check the GnuTLS manual, section ``Priority strings'', for more
143 information on the allowed keywords.";
146 flag = {
147 name = x509cafile;
148 arg-type = string;
149 descrip = "Certificate file or PKCS #11 URL to use";
150 doc = "";
153 flag = {
154 name = x509crlfile;
155 arg-type = file;
156 file-exists = yes;
157 descrip = "CRL file to use";
158 doc = "";
161 flag = {
162 name = pgpkeyfile;
163 arg-type = file;
164 file-exists = yes;
165 descrip = "PGP Key file to use";
166 doc = "";
169 flag = {
170 name = pgpkeyring;
171 arg-type = file;
172 file-exists = yes;
173 descrip = "PGP Key ring file to use";
174 doc = "";
177 flag = {
178 name = pgpcertfile;
179 arg-type = file;
180 file-exists = yes;
181 descrip = "PGP Public Key (certificate) file to use";
182 doc = "";
185 flag = {
186 name = x509keyfile;
187 arg-type = string;
188 descrip = "X.509 key file or PKCS #11 URL to use";
189 doc = "";
192 flag = {
193 name = x509certfile;
194 arg-type = string;
195 descrip = "X.509 Certificate file or PKCS #11 URL to use";
196 doc = "";
199 flag = {
200 name = pgpsubkey;
201 arg-type = string;
202 descrip = "PGP subkey to use (hex or auto)";
203 doc = "";
206 flag = {
207 name = srpusername;
208 arg-type = string;
209 descrip = "SRP username to use";
210 doc = "";
213 flag = {
214 name = srppasswd;
215 arg-type = string;
216 descrip = "SRP password to use";
217 doc = "Note that a password given on the command line may be visible to other users of the system.";
220 flag = {
221 name = pskusername;
222 arg-type = string;
223 descrip = "PSK username to use";
224 doc = "";
227 flag = {
228 name = pskkey;
229 arg-type = string;
230 descrip = "PSK key (in hex) to use";
231 doc = "Note that a key given on the command line may be visible to other users of the system; if this option is omitted, gnutls-cli will prompt for the key during the handshake.";
234 flag = {
235 name = port;
236 value = p;
237 arg-type = string;
238 descrip = "The port or service to connect to";
239 doc = "";
242 flag = {
243 name = insecure;
244 descrip = "Don't abort program if server certificate can't be validated";
245 doc = "Normally the connection is aborted when the server certificate cannot be validated. With this option the session continues even though the server's identity has not been verified, so it should only be used for debugging.";
248 flag = {
249 name = benchmark-ciphers;
250 descrip = "Benchmark individual ciphers";
251 doc = "";
254 flag = {
255 name = benchmark-soft-ciphers;
256 descrip = "Benchmark individual software ciphers (no hw acceleration)";
257 doc = "";
260 flag = {
261 name = benchmark-tls-kx;
262 descrip = "Benchmark TLS key exchange methods";
263 doc = "";
266 flag = {
267 name = benchmark-tls-ciphers;
268 descrip = "Benchmark TLS ciphers";
269 doc = "";
272 flag = {
273 name = list;
274 value = l;
275 descrip = "Print a list of the supported algorithms and modes";
276 doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
281 doc-section = {
282 ds-type = 'SEE ALSO'; // or anything else
283 ds-format = 'texi'; // or texi or mdoc format
284 ds-text = <<-_EOF_
285 gnutls-cli-debug(1), gnutls-serv(1)
286 _EOF_;
289 doc-section = {
290 ds-type = 'EXAMPLES';
291 ds-format = 'texi';
292 ds-text = <<-_EOF_
293 @subheading Connecting using PSK authentication
294 To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter, as in the example below.
295 @example
296 $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
297 --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
298 --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
299 Resolving 'localhost'...
300 Connecting to '127.0.0.1:5556'...
301 - PSK authentication.
302 - Version: TLS1.1
303 - Key Exchange: PSK
304 - Cipher: AES-128-CBC
305 - MAC: SHA1
306 - Compression: NULL
307 - Handshake was completed
309 - Simple Client Mode:
310 @end example
311 If the --pskusername parameter is kept and the --pskkey parameter is omitted, gnutls-cli will prompt only for the key (password) during the handshake.
313 @subheading Listing ciphersuites in a priority string
314 To list the ciphersuites in a priority string:
315 @example
316 $ ./gnutls-cli --priority SECURE192 -l
317 Cipher suites for SECURE192
318 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
319 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
320 TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
321 TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
322 TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
323 TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
325 Certificate types: CTYPE-X.509
326 Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
327 Compression: COMP-NULL
328 Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
329 PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
330 @end example
331 _EOF_;