path: root/doc/manpages/gnutls-cli.1
blob: f69eff39baf091b892ada7636b9355d186534d27 (plain)
.TH gnutls\-cli 1 "December 1st 2003"
.SH NAME
gnutls\-cli \- GNU TLS test client
.SH SYNOPSIS
gnutls\-cli [\fIoptions\fR] \fIhostname\fR
.SH DESCRIPTION
Simple client program to set up a TLS connection to some other
computer.  It sets up a TLS connection and forwards data from the
standard input to the secured socket and vice versa.
.SH OPTIONS
.SS Program control options
.IP "\-d, \-\-debug LEVEL"
Specify the debug level. Default is 1.
.IP "\-h, \-\-help"
Prints a short reminder of the command line options.
.IP "\-l, \-\-list"
Print a list of the supported algorithms and modes.
.IP "\-r, \-\-resume"
Connect, establish a session.  Connect again and resume this session.
.IP "\-s, \-\-starttls"
Connect, establish a plain session and start TLS when EOF or a SIGALRM
is received.
.IP "\-v, \-\-version"
Prints the program's version number.
.IP "\-V, \-\-verbose"
More verbose output.

.SS TLS/SSL control options
.IP "\-\-priority \fIPRIORITY STRING\fR"
TLS algorithms and protocols to enable.
Unless the first keyword is "NONE" the defaults are:
.IP 
Protocols: TLS1.1, TLS1.0, and SSL3.0.
.IP 
Compression: NULL.
.IP 
Certificate types: X.509, OpenPGP.
.IP
Signature algorithms: RSA-SHA1, RSA-MD2, RSA-MD5, RSA-SHA256, RSA-SHA512,
DSA-SHA1.
.IP
You can also use predefined sets of ciphersuites such as: 
.IP
.B "PERFORMANCE"
all the "secure" ciphersuites are enabled, limited to 128 bit
ciphers and sorted in terms of speed performance.
.IP 
.B "NORMAL" 
option enables all "secure" ciphersuites. The 256-bit ciphers
are included as a fallback only. The ciphers are sorted by security
margin.
.IP 
.B "SECURE128" 
flag enables all "secure" ciphersuites with ciphers up to
128 bits, sorted by security margin.
.IP 
.B "SECURE256" 
flag enables all "secure" ciphersuites including the 256 bit
ciphers, sorted by security margin.
.IP 
.B "EXPORT" 
all the ciphersuites are enabled, including the
low-security 40 bit ciphers.
.IP 
.B "NONE" 
nothing is enabled. This disables even protocols and
compression methods.
.IP
.IP 
Special keywords:
.IP
"!" or "-" followed by an algorithm name will remove this algorithm.
.IP
"+" followed by an algorithm name will add this algorithm.
.IP
"%COMPAT" will enable compatibility features for a server.
.IP
"%SSL3_RECORD_VERSION" will force the SSL3.0 record version in the first
client hello. This prevents buggy servers from terminating the connection.
.IP
"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default).
.IP
"%SAFE_RENEGOTIATION" will enable safe renegotiation.
.IP
To avoid collisions, a compression algorithm in this string must be
prefixed with "COMP-", a protocol version with "VERS-" and a
certificate type with "CTYPE-". All other algorithms don't need a
prefix.
.IP 
.B Examples:
.IP 
"NORMAL"
.IP 
"NORMAL:%COMPAT"
.IP 
"NORMAL:!AES-128-CBC"
.IP 
"NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"
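.PP
An audit of a priority string against the rules stated above, as an added Python example that is not part of the GnuTLS documentation or code. The names parse_priority and audit are hypothetical, and only the protocol defaults are modelled, not the ciphersuite sets behind each keyword.

```python
# Added example: audit a gnutls-cli --priority string using only the rules
# stated on this man page. Function names are hypothetical.
KEYWORDS = {"PERFORMANCE", "NORMAL", "SECURE128", "SECURE256", "EXPORT", "NONE"}
DEFAULT_PROTOCOLS = ("TLS1.1", "TLS1.0", "SSL3.0")  # unless first keyword is NONE
PREFIXES = {"VERS-": "protocols", "COMP-": "compression", "CTYPE-": "ctypes"}


def parse_priority(priority):
    """Return the keyword, the algorithm sets per class and the % flags."""
    tokens = [t for t in priority.split(":") if t]
    state = {"keyword": None, "protocols": set(), "compression": set(),
             "ctypes": set(), "other": set(), "flags": []}
    if tokens and tokens[0] in KEYWORDS:
        state["keyword"] = tokens.pop(0)
    if state["keyword"] != "NONE":
        state["protocols"].update(DEFAULT_PROTOCOLS)
    for tok in tokens:
        if tok.startswith("%"):
            state["flags"].append(tok[1:])
            continue
        if tok[0] not in "+!-":
            raise ValueError(f"{tok!r} lacks a '+', '!' or '-' prefix")
        cls, alg = "other", tok[1:]
        for prefix, target in PREFIXES.items():
            if alg.startswith(prefix):
                cls, alg = target, alg[len(prefix):]
                break
        if tok[0] == "+":
            state[cls].add(alg)
        else:  # "!" and "-" both remove
            state[cls].discard(alg)
    return state


def audit(priority):
    """List the weak settings this page documents for a priority string."""
    s = parse_priority(priority)
    findings = []
    if s["keyword"] == "EXPORT":
        findings.append("EXPORT enables the low-security 40 bit ciphers")
    if "SSL3.0" in s["protocols"]:
        findings.append("SSL3.0 is enabled; remove it with -VERS-SSL3.0")
    if not s["protocols"]:
        findings.append("no protocol version is enabled")
    if ("UNSAFE_RENEGOTIATION" in s["flags"]
            or "SAFE_RENEGOTIATION" not in s["flags"]):
        findings.append("unsafe renegotiation applies; use %SAFE_RENEGOTIATION")
    return findings
```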

.IP "\-\-crlf"
Send CR LF instead of LF.
.IP "\-f, \-\-fingerprint"
Send the openpgp fingerprint, instead of the key.
.IP "\-p, \-\-port \fIinteger\fR"
The port to connect to.
.IP "\-\-ciphers \fIcipher1 cipher2...\fR"
Ciphers to enable (use \fBgnutls\-cli \-\-list\fR to show the
supported ciphers).
.IP "\-\-protocols \fIprotocol1 protocol2...\fR"
Protocols to enable (use \fBgnutls\-cli \-\-list\fR to show the
supported protocols).
.IP "\-\-comp \fIcomp1 comp2...\fR"
Compression methods to enable (use \fBgnutls\-cli \-\-list\fR to
show the supported methods).
.IP "\-\-macs \fImac1 mac2...\fR"
MACs to enable (use \fBgnutls\-cli \-\-list\fR to show the
supported MACs).
.IP "\-\-kx \fIkx1 kx2...\fR"
Key exchange methods to enable (use \fBgnutls\-cli \-\-list\fR to
show the supported methods).
.IP "\-\-ctypes \fIcertType1 certType2...\fR"
Certificate types to enable (use \fBgnutls\-cli \-\-list\fR to show
the supported types).
.IP "\-\-recordsize \fIinteger\fR"
The maximum record size to advertise.
.IP "\-\-disable-extensions"
Disable all the TLS extensions.
.IP "\-\-print-cert"
Print the certificate in PEM format.
.IP "\-\-insecure"
Don't abort program if server certificates can't be validated.

.SS Certificate options
.IP "\-\-pgpcertfile \fIFILE\fR"
PGP Public Key (certificate) file to use.
.IP "\-\-pgpkeyfile \fIFILE\fR"
PGP Key file to use.
.IP "\-\-pgpkeyring \fIFILE\fR"
PGP Key ring file to use.
.IP "\-\-pgptrustdb \fIFILE\fR"
PGP trustdb file to use.
.IP "\-\-pgpsubkey \fIHEX|auto\fR"
PGP subkey to use.
.IP "\-\-srppasswd \fIPASSWD\fR"
SRP password to use.
.IP "\-\-srpusername \fINAME\fR"
SRP username to use.
.IP "\-\-x509cafile \fIFILE\fR"
Certificate file to use. This option accepts PKCS \#11 URLs such as
pkcs11:token=Root%20CA%20Certificates;serial=1%3AROOTS%3ADEFAULT;model=1%2E0;manufacturer=Gnome%20Keyring
.IP "\-\-x509certfile \fIFILE\fR"
X.509 Certificate file to use, or a PKCS \#11 URL.
.IP "\-\-x509fmtder"
Use DER format for certificates.
.IP "\-\-x509keyfile \fIFILE\fR"
X.509 key file or PKCS \#11 URL to use.
.IP "\-\-x509crlfile \fIFILE\fR"
X.509 CRL file to use.
.IP "\-\-pskusername \fINAME\fR"
PSK username to use.
.IP "\-\-pskkey \fIKEY\fR"
PSK key (in hex) to use.
.IP "\-\-opaque-prf-input \fIDATA\fR"
Use Opaque PRF Input DATA.

.SH "SEE ALSO"
.BR gnutls\-cli\-debug (1),
.BR gnutls\-serv (1)
.SH AUTHOR
.PP
Nikos Mavroyanopoulos <nmav@gnutls.org> and others; see
/usr/share/doc/gnutls\-bin/AUTHORS for a complete list.
.PP
This manual page was written by Ivo Timmermans <ivo@debian.org>, for
the Debian GNU/Linux system (but may be used by others).