search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Support SRTP profile negotiation in the client and server tools
[gnutls.git] / src / cli-args.def
blob8fafbf4f6419bd5bcafc832f289b602e9921aef4
1 AutoGen Definitions options;
2 prog-name = gnutls-cli;
3 prog-title = "GnuTLS client";
4 prog-desc = "Simple client program to set up a TLS connection.";
5 short-usage = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
6 explain = "";
7 detail = "Simple client program to set up a TLS connection to some other computer.
8 It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
9 reorder-args;
10 argument = "[hostname]";
11
12 #define VERBOSE_OPT 1
13 #include args-std.def
14
15 flag = {
16 name = tofu;
17 descrip = "Enable trust on first use authentication";
18 disabled;
19 disable = "no";
20 doc = "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.";
21 };
22
23 flag = {
24 name = dane;
25 descrip = "Enable DANE certificate verification (DNSSEC)";
26 disabled;
27 disable = "no";
28 doc = "This option will, in addition to certificate authentication using
29 the trusted CAs, verify the server certificates using on the DANE information
30 available via DNSSEC.";
31 };
32
33 flag = {
34 name = local-dns;
35 descrip = "Use the local DNS server for DNSSEC resolving.";
36 disabled;
37 disable = "no";
38 doc = "This option will use the local DNS server for DNSSEC.
39 This is disabled by default due to many servers not allowing DNSSEC.";
40 };
41
42 flag = {
43 name = ca-verification;
44 descrip = "Disable CA certificate verification";
45 enabled;
46 disable = "no";
47 doc = "This option will disable CA certificate verification. It is to be used with the --dane or --tofu options.";
48 };
49
50 flag = {
51 name = ocsp;
52 descrip = "Enable OCSP certificate verification";
53 disabled;
54 disable = "no";
55 doc = "This option will enable verification of the peer's certificate using ocsp";
56 };
57
58 flag = {
59 name = resume;
60 value = r;
61 descrip = "Establish a session and resume";
62 doc = "Connect, establish a session, reconnect and resume.";
63 };
64
65 flag = {
66 name = heartbeat;
67 value = b;
68 descrip = "Activate heartbeat support";
69 doc = "";
70 };
71
72 flag = {
73 name = rehandshake;
74 value = e;
75 descrip = "Establish a session and rehandshake";
76 doc = "Connect, establish a session and rehandshake immediately.";
77 };
78
79 flag = {
80 name = noticket;
81 descrip = "Don't accept session tickets";
82 doc = "";
83 };
84
85 flag = {
86 name = ocsp-status-request;
87 descrip = "Enable OCSP status request";
88 enabled;
89 disable = "no";
90 doc = "The client will indicate to the server in a TLS extension that it wants a OCSP status request.";
91 };
92
93 flag = {
94 name = starttls;
95 value = s;
96 descrip = "Connect, establish a plain session and start TLS.";
97 doc = "The TLS session will be initiated when EOF or a SIGALRM is received.";
98 };
99
100 flag = {
101 name = udp;
102 value = u;
103 descrip = "Use DTLS (datagram TLS) over UDP";
104 doc = "";
105 };
106
107 flag = {
108 name = mtu;
109 arg-type = number;
110 arg-range = "0->17000";
111 descrip = "Set MTU for datagram TLS";
112 doc = "";
113 };
114
115 flag = {
116 name = srtp_profiles;
117 arg-type = string;
118 descrip = "Offer SRTP profiles";
119 doc = "";
120 };
121
122 flag = {
123 name = crlf;
124 descrip = "Send CR LF instead of LF";
125 doc = "";
126 };
127
128 flag = {
129 name = x509fmtder;
130 descrip = "Use DER format for certificates to read from";
131 doc = "";
132 };
133
134 flag = {
135 name = fingerprint;
136 value = f;
137 descrip = "Send the openpgp fingerprint, instead of the key";
138 doc = "";
139 };
140
141 flag = {
142 name = disable-extensions;
143 descrip = "Disable all the TLS extensions";
144 doc = "This option disables all TLS extensions. Deprecated option. Use the priority string.";
145 };
146
147 flag = {
148 name = print-cert;
149 descrip = "Print peer's certificate in PEM format";
150 doc = "";
151 };
152
153 flag = {
154 name = recordsize;
155 arg-type = number;
156 arg-range = "0->4096";
157 descrip = "The maximum record size to advertize";
158 doc = "";
159 };
160
161 flag = {
162 name = dh-bits;
163 arg-type = number;
164 descrip = "The minimum number of bits allowed for DH";
165 doc = "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.";
166 };
167
168 flag = {
169 name = priority;
170 arg-type = string;
171 descrip = "Priorities string";
172 doc = "TLS algorithms and protocols to enable. You can
173 use predefined sets of ciphersuites such as PERFORMANCE,
174 NORMAL, SECURE128, SECURE256.
175
176 Check the GnuTLS manual on section ``Priority strings'' for more
177 information on allowed keywords";
178 };
179
180 flag = {
181 name = x509cafile;
182 arg-type = string;
183 descrip = "Certificate file or PKCS #11 URL to use";
184 doc = "";
185 };
186
187 flag = {
188 name = x509crlfile;
189 arg-type = file;
190 file-exists = yes;
191 descrip = "CRL file to use";
192 doc = "";
193 };
194
195 flag = {
196 name = pgpkeyfile;
197 arg-type = file;
198 file-exists = yes;
199 descrip = "PGP Key file to use";
200 doc = "";
201 };
202
203 flag = {
204 name = pgpkeyring;
205 arg-type = file;
206 file-exists = yes;
207 descrip = "PGP Key ring file to use";
208 doc = "";
209 };
210
211 flag = {
212 name = pgpcertfile;
213 arg-type = file;
214 file-exists = yes;
215 descrip = "PGP Public Key (certificate) file to use";
216 doc = "";
217 };
218
219 flag = {
220 name = x509keyfile;
221 arg-type = string;
222 descrip = "X.509 key file or PKCS #11 URL to use";
223 doc = "";
224 };
225
226 flag = {
227 name = x509certfile;
228 arg-type = string;
229 descrip = "X.509 Certificate file or PKCS #11 URL to use";
230 doc = "";
231 };
232
233 flag = {
234 name = pgpsubkey;
235 arg-type = string;
236 descrip = "PGP subkey to use (hex or auto)";
237 doc = "";
238 };
239
240 flag = {
241 name = srpusername;
242 arg-type = string;
243 descrip = "SRP username to use";
244 doc = "";
245 };
246
247 flag = {
248 name = srppasswd;
249 arg-type = string;
250 descrip = "SRP password to use";
251 doc = "";
252 };
253
254 flag = {
255 name = pskusername;
256 arg-type = string;
257 descrip = "PSK username to use";
258 doc = "";
259 };
260
261 flag = {
262 name = pskkey;
263 arg-type = string;
264 descrip = "PSK key (in hex) to use";
265 doc = "";
266 };
267
268 flag = {
269 name = port;
270 value = p;
271 arg-type = string;
272 descrip = "The port or service to connect to";
273 doc = "";
274 };
275
276 flag = {
277 name = insecure;
278 descrip = "Don't abort program if server certificate can't be validated";
279 doc = "";
280 };
281
282 flag = {
283 name = benchmark-ciphers;
284 descrip = "Benchmark individual ciphers";
285 doc = "";
286 };
287
288 flag = {
289 name = benchmark-soft-ciphers;
290 descrip = "Benchmark individual software ciphers (no hw acceleration)";
291 doc = "";
292 };
293
294 flag = {
295 name = benchmark-tls-kx;
296 descrip = "Benchmark TLS key exchange methods";
297 doc = "";
298 };
299
300 flag = {
301 name = benchmark-tls-ciphers;
302 descrip = "Benchmark TLS ciphers";
303 doc = "";
304 };
305
306 flag = {
307 name = list;
308 value = l;
309 descrip = "Print a list of the supported algorithms and modes";
310 doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
311 };
312
313
314
315 doc-section = {
316 ds-type = 'SEE ALSO'; // or anything else
317 ds-format = 'texi'; // or texi or mdoc format
318 ds-text = <<-_EOF_
319 gnutls-cli-debug(1), gnutls-serv(1)
320 _EOF_;
321 };
322
323 doc-section = {
324 ds-type = 'EXAMPLES';
325 ds-format = 'texi';
326 ds-text = <<-_EOF_
327 @subheading Connecting using PSK authentication
328 To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
329 @example
330 $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
331 --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
332 --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
333 Resolving 'localhost'...
334 Connecting to '127.0.0.1:5556'...
335 - PSK authentication.
336 - Version: TLS1.1
337 - Key Exchange: PSK
338 - Cipher: AES-128-CBC
339 - MAC: SHA1
340 - Compression: NULL
341 - Handshake was completed
342
343 - Simple Client Mode:
344 @end example
345 By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.
346
347 @subheading Listing ciphersuites in a priority string
348 To list the ciphersuites in a priority string:
349 @example
350 $ ./gnutls-cli --priority SECURE192 -l
351 Cipher suites for SECURE192
352 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
353 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
354 TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
355 TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
356 TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
357 TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
358
359 Certificate types: CTYPE-X.509
360 Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
361 Compression: COMP-NULL
362 Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
363 PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
364 @end example
365 _EOF_;
366 };
367
Implementation of the SSL/TLS protocol