src/cli-args.def

   1 AutoGen Definitions options;
   2 prog-name     = gnutls-cli;
   3 prog-title    = "GnuTLS client";
   4 prog-desc     = "Simple client program to set up a TLS connection.";
   5 short-usage   = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
   6 explain       = "";
   7 detail        = "Simple client program to set up a TLS connection to some other computer.
   8 It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
   9 reorder-args;
  10 argument = "[hostname]";
  11
  12 #define  VERBOSE_OPT 1
  13 #include args-std.def
  14
  15 flag = {
  16     name      = tofu;
  17     descrip   = "Enable trust on first use authentication";
  18     disabled;
  19     disable   = "no";
  20     doc       = "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.";
  21 };
  22
  23 flag = {
  24     name      = ocsp;
  25     descrip   = "Enable OCSP certificate verification";
  26     disabled;
  27     disable   = "no";
  28     doc       = "This option will enable verification of the peer's certificate using ocsp";
  29 };
  30
  31 flag = {
  32     name      = resume;
  33     value     = r;
  34     descrip   = "Establish a session and resume";
  35     doc       = "Connect, establish a session, reconnect and resume.";
  36 };
  37
  38 flag = {
  39     name      = heartbeat;
  40     value     = b;
  41     descrip   = "Activate heartbeat support";
  42     doc      = "";
  43 };
  44
  45 flag = {
  46     name      = rehandshake;
  47     value     = e;
  48     descrip   = "Establish a session and rehandshake";
  49     doc       = "Connect, establish a session and rehandshake immediately.";
  50 };
  51
  52 flag = {
  53     name      = noticket;
  54     descrip   = "Don't accept session tickets";
  55     doc      = "";
  56 };
  57
  58 flag = {
  59     name      = starttls;
  60     value     = s;
  61     descrip   = "Connect, establish a plain session and start TLS.";
  62     doc       = "The TLS session will be initiated when EOF or a SIGALRM is received.";
  63 };
  64
  65 flag = {
  66     name      = udp;
  67     value     = u;
  68     descrip   = "Use DTLS (datagram TLS) over UDP";
  69     doc      = "";
  70 };
  71
  72 flag = {
  73     name      = mtu;
  74     arg-type  = number;
  75     arg-range = "0->17000";
  76     descrip   = "Set MTU for datagram TLS";
  77     doc      = "";
  78 };
  79
  80 flag = {
  81     name      = crlf;
  82     descrip   = "Send CR LF instead of LF";
  83     doc      = "";
  84 };
  85
  86 flag = {
  87     name      = x509fmtder;
  88     descrip   = "Use DER format for certificates to read from";
  89     doc      = "";
  90 };
  91
  92 flag = {
  93     name      = fingerprint;
  94     value     = f;
  95     descrip   = "Send the openpgp fingerprint, instead of the key";
  96     doc      = "";
  97 };
  98
  99 flag = {
 100     name      = disable-extensions;
 101     descrip   = "Disable all the TLS extensions";
 102     doc      = "";
 103 };
 104
 105 flag = {
 106     name      = print-cert;
 107     descrip   = "Print peer's certificate in PEM format";
 108     doc      = "";
 109 };
 110
 111 flag = {
 112     name      = recordsize;
 113     arg-type  = number;
 114     arg-range = "0->4096";
 115     descrip   = "The maximum record size to advertize";
 116     doc      = "";
 117 };
 118
 119 flag = {
 120     name      = dh-bits;
 121     arg-type  = number;
 122     descrip   = "The minimum number of bits allowed for DH";
 123     doc      = "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.";
 124 };
 125
 126 flag = {
 127     name      = priority;
 128     arg-type  = string;
 129     descrip   = "Priorities string";
 130     doc      = "TLS algorithms and protocols to enable. You can
 131 use predefined sets of ciphersuites such as PERFORMANCE,
 132 NORMAL, SECURE128, SECURE256.
 133
 134 Check  the  GnuTLS  manual  on  section  ``Priority strings'' for more
 135 information on allowed keywords";
 136 };
 137
 138 flag = {
 139     name      = x509cafile;
 140     arg-type  = string;
 141     descrip   = "Certificate file or PKCS #11 URL to use";
 142     doc      = "";
 143 };
 144
 145 flag = {
 146     name      = x509crlfile;
 147     arg-type  = file;
 148     file-exists = yes;
 149     descrip   = "CRL file to use";
 150     doc      = "";
 151 };
 152
 153 flag = {
 154     name      = pgpkeyfile;
 155     arg-type  = file;
 156     file-exists = yes;
 157     descrip   = "PGP Key file to use";
 158     doc      = "";
 159 };
 160
 161 flag = {
 162     name      = pgpkeyring;
 163     arg-type  = file;
 164     file-exists = yes;
 165     descrip   = "PGP Key ring file to use";
 166     doc      = "";
 167 };
 168
 169 flag = {
 170     name      = pgpcertfile;
 171     arg-type  = file;
 172     file-exists = yes;
 173     descrip   = "PGP Public Key (certificate) file to use";
 174     doc      = "";
 175 };
 176
 177 flag = {
 178     name      = x509keyfile;
 179     arg-type  = string;
 180     descrip   = "X.509 key file or PKCS #11 URL to use";
 181     doc      = "";
 182 };
 183
 184 flag = {
 185     name      = x509certfile;
 186     arg-type  = string;
 187     descrip   = "X.509 Certificate file or PKCS #11 URL to use";
 188     doc      = "";
 189 };
 190
 191 flag = {
 192     name      = pgpsubkey;
 193     arg-type  = string;
 194     descrip   = "PGP subkey to use (hex or auto)";
 195     doc      = "";
 196 };
 197
 198 flag = {
 199     name      = srpusername;
 200     arg-type  = string;
 201     descrip   = "SRP username to use";
 202     doc      = "";
 203 };
 204
 205 flag = {
 206     name      = srppasswd;
 207     arg-type  = string;
 208     descrip   = "SRP password to use";
 209     doc      = "";
 210 };
 211
 212 flag = {
 213     name      = pskusername;
 214     arg-type  = string;
 215     descrip   = "PSK username to use";
 216     doc      = "";
 217 };
 218
 219 flag = {
 220     name      = pskkey;
 221     arg-type  = string;
 222     descrip   = "PSK key (in hex) to use";
 223     doc      = "";
 224 };
 225
 226 flag = {
 227     name      = port;
 228     value     = p;
 229     arg-type  = string;
 230     descrip   = "The port or service to connect to";
 231     doc      = "";
 232 };
 233
 234 flag = {
 235     name      = insecure;
 236     descrip   = "Don't abort program if server certificate can't be validated";
 237     doc      = "";
 238 };
 239
 240 flag = {
 241     name      = benchmark-ciphers;
 242     descrip   = "Benchmark individual ciphers";
 243     doc      = "";
 244 };
 245
 246 flag = {
 247     name      = benchmark-soft-ciphers;
 248     descrip   = "Benchmark individual software ciphers (no hw acceleration)";
 249     doc      = "";
 250 };
 251
 252 flag = {
 253     name      = benchmark-tls-kx;
 254     descrip   = "Benchmark TLS key exchange methods";
 255     doc      = "";
 256 };
 257
 258 flag = {
 259     name      = benchmark-tls-ciphers;
 260     descrip   = "Benchmark TLS ciphers";
 261     doc      = "";
 262 };
 263
 264 flag = {
 265     name      = list;
 266     value     = l;
 267     descrip   = "Print a list of the supported algorithms and modes";
 268     doc      = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
 269 };
 270
 271
 272
 273 doc-section = {
 274   ds-type   = 'SEE ALSO'; // or anything else
 275   ds-format = 'texi';      // or texi or mdoc format
 276   ds-text   = <<-_EOF_
 277 gnutls-cli-debug(1), gnutls-serv(1)
 278 _EOF_;
 279 };
 280
 281 doc-section = {
 282   ds-type = 'EXAMPLES';
 283   ds-format = 'texi';
 284   ds-text   = <<-_EOF_
 285 @subheading Connecting using PSK authentication
 286 To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
 287 @example
 288 $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
 289     --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
 290     --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
 291 Resolving 'localhost'...
 292 Connecting to '127.0.0.1:5556'...
 293 - PSK authentication.
 294 - Version: TLS1.1
 295 - Key Exchange: PSK
 296 - Cipher: AES-128-CBC
 297 - MAC: SHA1
 298 - Compression: NULL
 299 - Handshake was completed
 300
 301 - Simple Client Mode:
 302 @end example
 303 By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.
 304
 305 @subheading Listing ciphersuites in a priority string
 306 To list the ciphersuites in a priority string:
 307 @example
 308 $ ./gnutls-cli --priority SECURE192 -l
 309 Cipher suites for SECURE192
 310 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384         0xc0, 0x24   TLS1.2
 311 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384         0xc0, 0x2e   TLS1.2
 312 TLS_ECDHE_RSA_AES_256_GCM_SHA384           0xc0, 0x30   TLS1.2
 313 TLS_DHE_RSA_AES_256_CBC_SHA256             0x00, 0x6b   TLS1.2
 314 TLS_DHE_DSS_AES_256_CBC_SHA256             0x00, 0x6a   TLS1.2
 315 TLS_RSA_AES_256_CBC_SHA256                 0x00, 0x3d   TLS1.2
 316
 317 Certificate types: CTYPE-X.509
 318 Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
 319 Compression: COMP-NULL
 320 Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
 321 PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
 322 @end example
 323 _EOF_;
 324 };
 325