src/cli-args.def

   1 AutoGen Definitions options;
   2 prog-name     = gnutls-cli;
   3 prog-title    = "GnuTLS client";
   4 prog-desc     = "Simple client program to set up a TLS connection.";
   5 short-usage   = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
   6 explain       = "";
   7 detail        = "Simple client program to set up a TLS connection to some other computer.
   8 It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
   9 reorder-args;
  10 argument = "[hostname]";
  11
  12 #define  VERBOSE_OPT 1
  13 #include args-std.def
  14
  15 flag = {
  16     name      = tofu;
  17     descrip   = "Enable trust on first use authentication";
  18     disabled;
  19     disable   = "no";
  20     doc       = "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.";
  21 };
  22
  23 flag = {
  24     name      = ocsp;
  25     descrip   = "Enable OCSP certificate verification";
  26     disabled;
  27     disable   = "no";
  28     doc       = "This option will enable verification of the peer's certificate using ocsp";
  29 };
  30
  31 flag = {
  32     name      = resume;
  33     value     = r;
  34     descrip   = "Establish a session and resume";
  35     doc       = "Connect, establish a session, reconnect and resume.";
  36 };
  37
  38 flag = {
  39     name      = rehandshake;
  40     value     = e;
  41     descrip   = "Establish a session and rehandshake";
  42     doc       = "Connect, establish a session and rehandshake immediately.";
  43 };
  44
  45 flag = {
  46     name      = noticket;
  47     descrip   = "Don't accept session tickets";
  48     doc      = "";
  49 };
  50
  51 flag = {
  52     name      = starttls;
  53     value     = s;
  54     descrip   = "Connect, establish a plain session and start TLS.";
  55     doc       = "The TLS session will be initiated when EOF or a SIGALRM is received.";
  56 };
  57
  58 flag = {
  59     name      = udp;
  60     value     = u;
  61     descrip   = "Use DTLS (datagram TLS) over UDP";
  62     doc      = "";
  63 };
  64
  65 flag = {
  66     name      = mtu;
  67     arg-type  = number;
  68     arg-range = "0->17000";
  69     descrip   = "Set MTU for datagram TLS";
  70     doc      = "";
  71 };
  72
  73 flag = {
  74     name      = crlf;
  75     descrip   = "Send CR LF instead of LF";
  76     doc      = "";
  77 };
  78
  79 flag = {
  80     name      = x509fmtder;
  81     descrip   = "Use DER format for certificates to read from";
  82     doc      = "";
  83 };
  84
  85 flag = {
  86     name      = fingerprint;
  87     value     = f;
  88     descrip   = "Send the openpgp fingerprint, instead of the key";
  89     doc      = "";
  90 };
  91
  92 flag = {
  93     name      = disable-extensions;
  94     descrip   = "Disable all the TLS extensions";
  95     doc      = "";
  96 };
  97
  98 flag = {
  99     name      = print-cert;
 100     descrip   = "Print peer's certificate in PEM format";
 101     doc      = "";
 102 };
 103
 104 flag = {
 105     name      = recordsize;
 106     arg-type  = number;
 107     arg-range = "0->4096";
 108     descrip   = "The maximum record size to advertize";
 109     doc      = "";
 110 };
 111
 112 flag = {
 113     name      = dh-bits;
 114     arg-type  = number;
 115     descrip   = "The minimum number of bits allowed for DH";
 116     doc      = "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.";
 117 };
 118
 119 flag = {
 120     name      = priority;
 121     arg-type  = string;
 122     descrip   = "Priorities string";
 123     doc      = "TLS algorithms and protocols to enable. You can
 124 use predefined sets of ciphersuites such as PERFORMANCE,
 125 NORMAL, SECURE128, SECURE256.
 126
 127 Check  the  GnuTLS  manual  on  section  ``Priority strings'' for more
 128 information on allowed keywords";
 129 };
 130
 131 flag = {
 132     name      = x509cafile;
 133     arg-type  = string;
 134     descrip   = "Certificate file or PKCS #11 URL to use";
 135     doc      = "";
 136 };
 137
 138 flag = {
 139     name      = x509crlfile;
 140     arg-type  = file;
 141     file-exists = yes;
 142     descrip   = "CRL file to use";
 143     doc      = "";
 144 };
 145
 146 flag = {
 147     name      = pgpkeyfile;
 148     arg-type  = file;
 149     file-exists = yes;
 150     descrip   = "PGP Key file to use";
 151     doc      = "";
 152 };
 153
 154 flag = {
 155     name      = pgpkeyring;
 156     arg-type  = file;
 157     file-exists = yes;
 158     descrip   = "PGP Key ring file to use";
 159     doc      = "";
 160 };
 161
 162 flag = {
 163     name      = pgpcertfile;
 164     arg-type  = file;
 165     file-exists = yes;
 166     descrip   = "PGP Public Key (certificate) file to use";
 167     doc      = "";
 168 };
 169
 170 flag = {
 171     name      = x509keyfile;
 172     arg-type  = string;
 173     descrip   = "X.509 key file or PKCS #11 URL to use";
 174     doc      = "";
 175 };
 176
 177 flag = {
 178     name      = x509certfile;
 179     arg-type  = string;
 180     descrip   = "X.509 Certificate file or PKCS #11 URL to use";
 181     doc      = "";
 182 };
 183
 184 flag = {
 185     name      = pgpsubkey;
 186     arg-type  = string;
 187     descrip   = "PGP subkey to use (hex or auto)";
 188     doc      = "";
 189 };
 190
 191 flag = {
 192     name      = srpusername;
 193     arg-type  = string;
 194     descrip   = "SRP username to use";
 195     doc      = "";
 196 };
 197
 198 flag = {
 199     name      = srppasswd;
 200     arg-type  = string;
 201     descrip   = "SRP password to use";
 202     doc      = "";
 203 };
 204
 205 flag = {
 206     name      = pskusername;
 207     arg-type  = string;
 208     descrip   = "PSK username to use";
 209     doc      = "";
 210 };
 211
 212 flag = {
 213     name      = pskkey;
 214     arg-type  = string;
 215     descrip   = "PSK key (in hex) to use";
 216     doc      = "";
 217 };
 218
 219 flag = {
 220     name      = port;
 221     value     = p;
 222     arg-type  = string;
 223     descrip   = "The port or service to connect to";
 224     doc      = "";
 225 };
 226
 227 flag = {
 228     name      = insecure;
 229     descrip   = "Don't abort program if server certificate can't be validated";
 230     doc      = "";
 231 };
 232
 233 flag = {
 234     name      = benchmark-ciphers;
 235     descrip   = "Benchmark individual ciphers";
 236     doc      = "";
 237 };
 238
 239 flag = {
 240     name      = benchmark-soft-ciphers;
 241     descrip   = "Benchmark individual software ciphers (no hw acceleration)";
 242     doc      = "";
 243 };
 244
 245 flag = {
 246     name      = benchmark-tls-kx;
 247     descrip   = "Benchmark TLS key exchange methods";
 248     doc      = "";
 249 };
 250
 251 flag = {
 252     name      = benchmark-tls-ciphers;
 253     descrip   = "Benchmark TLS ciphers";
 254     doc      = "";
 255 };
 256
 257 flag = {
 258     name      = list;
 259     value     = l;
 260     descrip   = "Print a list of the supported algorithms and modes";
 261     doc      = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
 262 };
 263
 264
 265
 266 doc-section = {
 267   ds-type   = 'SEE ALSO'; // or anything else
 268   ds-format = 'texi';      // or texi or mdoc format
 269   ds-text   = <<-_EOF_
 270 gnutls-cli-debug(1), gnutls-serv(1)
 271 _EOF_;
 272 };
 273
 274 doc-section = {
 275   ds-type = 'EXAMPLES';
 276   ds-format = 'texi';
 277   ds-text   = <<-_EOF_
 278 @subheading Connecting using PSK authentication
 279 To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
 280 @example
 281 $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
 282     --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
 283     --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
 284 Resolving 'localhost'...
 285 Connecting to '127.0.0.1:5556'...
 286 - PSK authentication.
 287 - Version: TLS1.1
 288 - Key Exchange: PSK
 289 - Cipher: AES-128-CBC
 290 - MAC: SHA1
 291 - Compression: NULL
 292 - Handshake was completed
 293
 294 - Simple Client Mode:
 295 @end example
 296 By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.
 297
 298 @subheading Listing ciphersuites in a priority string
 299 To list the ciphersuites in a priority string:
 300 @example
 301 $ ./gnutls-cli --priority SECURE192 -l
 302 Cipher suites for SECURE192
 303 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384         0xc0, 0x24   TLS1.2
 304 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384         0xc0, 0x2e   TLS1.2
 305 TLS_ECDHE_RSA_AES_256_GCM_SHA384           0xc0, 0x30   TLS1.2
 306 TLS_DHE_RSA_AES_256_CBC_SHA256             0x00, 0x6b   TLS1.2
 307 TLS_DHE_DSS_AES_256_CBC_SHA256             0x00, 0x6a   TLS1.2
 308 TLS_RSA_AES_256_CBC_SHA256                 0x00, 0x3d   TLS1.2
 309
 310 Certificate types: CTYPE-X.509
 311 Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
 312 Compression: COMP-NULL
 313 Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
 314 PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
 315 @end example
 316 _EOF_;
 317 };
 318