NAME

gnutls-cli — GNU TLS test client

DESCRIPTION

Simple client program to set up a TLS connection to some other computer. It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.

OPTIONS

Program control options

-d, --debug LEVEL

Specify the debug level. Default is 1.

-h, --help

Prints a short reminder of the command-line options.

-l, --list

Print a list of the supported algorithms and modes.

-r, --resume

Connect, establish a session. Connect again and resume this session.

-s, --starttls

Connect, establish a plain session and start TLS when EOF or a SIGALRM is received.

-v, --version

Prints the program's version number.

-V, --verbose

More verbose output.

TLS/SSL control options

--priority PRIORITY STRING

TLS algorithms and protocols to enable. Unless the first keyword is "NONE", the defaults are:

Protocols: TLS1.1, TLS1.0, and SSL3.0.

Compression: NULL.

Certificate types: X.509, OpenPGP.

Signature algorithms: RSA-SHA1, RSA-MD2, RSA-MD5, RSA-SHA256, RSA-SHA512, DSA-SHA1.

You can also use predefined sets of ciphersuites such as:

PERFORMANCE

All the "secure" ciphersuites are enabled, limited to 128-bit ciphers and sorted by speed.

NORMAL

All "secure" ciphersuites are enabled. The 256-bit ciphers are included as a fallback only. The ciphers are sorted by security margin.

SECURE128

All "secure" ciphersuites with ciphers up to 128 bits are enabled, sorted by security margin.

SECURE256

All "secure" ciphersuites are enabled, including the 256-bit ciphers, sorted by security margin.

EXPORT

All ciphersuites are enabled, including the low-security 40-bit ciphers.

NONE

Nothing is enabled. This disables even protocols and compression methods.

Special keywords:

"!" or "-" prefixed to an algorithm name removes that algorithm.

"+" prefixed to an algorithm name adds that algorithm.

"%COMPAT" enables compatibility features for a server.

"%SSL3_RECORD_VERSION" forces the SSL3.0 record version in the first client hello, so that buggy servers do not terminate the connection.

To avoid name collisions, a compression algorithm in this string must be prefixed with "COMP-", a protocol version with "VERS-" and a certificate type with "CTYPE-". All other algorithms need no prefix.

Examples:

"NORMAL"

"NORMAL:%COMPAT"

"NORMAL:!AES-128-CBC"

"NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"

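The prefix and "+"/"!" rules above are easy to get wrong by hand. The script below is an added example, not part of the gnutls-cli manual or the GnuTLS sources: it assembles a priority string from tagged components (applying the VERS-, COMP- and CTYPE- prefixes exactly where the manual requires them), appends "!" removals, and, when a host is supplied, runs one handshake per string so an administrator can confirm that their own server refuses configurations it is supposed to refuse. The function names build_priority, drop_algorithm and probe_priority and the PROBE_* environment variables are this example's own; the keywords and command-line flags come from the manual.

```shell
#!/bin/sh
# Added example (not from the gnutls-cli manual): assemble a priority string
# by the manual's rules and probe a server with it.  build_priority,
# drop_algorithm and probe_priority are names invented here; the keywords
# (NONE, VERS-, COMP-, CTYPE-, "!", "+") and the flags are from the manual.

# build_priority BASE CATEGORY:NAME...
# Emits BASE followed by one "+" entry per argument.  The category tag
# selects the collision-avoiding prefix the manual requires:
#   vers:NAME  -> +VERS-NAME   (protocol version)
#   comp:NAME  -> +COMP-NAME   (compression method)
#   ctype:NAME -> +CTYPE-NAME  (certificate type)
# Any other tag (cipher:, kx:, mac:, sign:) is stripped, because those
# algorithms are written bare.
build_priority() {
    prio=$1
    shift
    for spec in "$@"; do
        name=${spec#*:}
        case $spec in
            vers:*)  prio="$prio:+VERS-$name" ;;
            comp:*)  prio="$prio:+COMP-$name" ;;
            ctype:*) prio="$prio:+CTYPE-$name" ;;
            *)       prio="$prio:+$name" ;;
        esac
    done
    printf '%s\n' "$prio"
}

# drop_algorithm PRIORITY NAME...
# Appends one "!NAME" entry per argument, removing those algorithms from an
# otherwise enabled set (for example NORMAL minus AES-128-CBC).
drop_algorithm() {
    prio=$1
    shift
    for name in "$@"; do
        prio="$prio:!$name"
    done
    printf '%s\n' "$prio"
}

# probe_priority HOST PORT PRIORITY CAFILE
# Runs gnutls-cli once with the given priority string; stdin is /dev/null so
# the client exits as soon as the handshake is over.  A non-zero exit covers
# both a rejected handshake and a certificate that failed validation against
# CAFILE, so keep the CA file correct instead of reaching for --insecure,
# which would make a wrong certificate indistinguishable from a right one.
probe_priority() {
    host=$1 port=$2 prio=$3 cafile=$4
    if gnutls-cli --x509cafile "$cafile" --priority "$prio" -p "$port" "$host" \
            </dev/null >/dev/null 2>&1; then
        printf '%s accepted %s\n' "$host" "$prio"
        return 0
    fi
    printf '%s rejected %s\n' "$host" "$prio"
    return 1
}

# Stand-alone usage: the manual's last example, rebuilt from its parts.
build_priority NONE vers:TLS1.0 cipher:AES-128-CBC kx:RSA mac:SHA1 comp:NULL
# -> NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL
drop_algorithm NORMAL AES-128-CBC
# -> NORMAL:!AES-128-CBC

# Defender's check: a server that is meant to be TLS-only should reject a
# handshake limited to SSL3.0, and should reject the EXPORT set.  This part
# runs only when PROBE_HOST is set and gnutls-cli is installed.
if [ -n "${PROBE_HOST:-}" ] && command -v gnutls-cli >/dev/null 2>&1; then
    ssl3_only=$(build_priority NONE vers:SSL3.0 cipher:AES-128-CBC kx:RSA mac:SHA1 comp:NULL)
    for prio in "$ssl3_only" EXPORT; do
        probe_priority "$PROBE_HOST" "${PROBE_PORT:-443}" "$prio" \
            "${PROBE_CAFILE:?set PROBE_CAFILE to the CA bundle for this host}" || :
    done
fi
```

The tagged form (vers:, comp:, ctype:) is the example's own convention, chosen because a bare name such as NULL is ambiguous between a cipher and a compression method, which is precisely the collision the manual's prefixes exist to avoid.
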
--crlf

Send CR LF instead of LF.

-f, --fingerprint

Send the OpenPGP fingerprint instead of the key.

-p, --port integer

The port to connect to.

--ciphers cipher1 cipher2...

Ciphers to enable (use gnutls-cli --list to show the supported ciphers).

--protocols protocol1 protocol2...

Protocols to enable (use gnutls-cli --list to show the supported protocols).

--comp comp1 comp2...

Compression methods to enable (use gnutls-cli --list to show the supported methods).

--macs mac1 mac2...

MACs to enable (use gnutls-cli --list to show the supported MACs).

--kx kx1 kx2...

Key exchange methods to enable (use gnutls-cli --list to show the supported methods).

--ctypes certType1 certType2...

Certificate types to enable (use gnutls-cli --list to show the supported types).

--recordsize integer

The maximum record size to advertise.

--disable-extensions

Disable all the TLS extensions.

--print-cert

Print the certificate in PEM format.

--insecure

Don't abort the program if the server certificate can't be validated.
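--print-cert writes the server's certificate chain in PEM form among the rest of the connection output. The script below is an added example, not from the gnutls-cli manual or the GnuTLS project: it pulls the PEM blocks out of that output, counts them, and compares a fresh capture against a stored baseline so that an unexpected change of certificate is noticed. The function names extract_certs, count_certs, fetch_chain and chain_changed, the CHECK_* variables and the sample output are this example's own; the flags come from the manual, and the sample is constructed (its PEM bodies are placeholders, not real certificates).

```shell
#!/bin/sh
# Added example (not from the gnutls-cli manual): capture the chain a server
# presents via --print-cert and compare it with a stored baseline.  Function
# names are invented here; --print-cert, --x509cafile and -p are the manual's.

# extract_certs: read gnutls-cli --print-cert output on stdin and write only
# the PEM certificate blocks (leaf first, as the server sent them).
extract_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/'
}

# count_certs: number of PEM certificate blocks on stdin (prints 0, not an
# error, when there are none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# fetch_chain HOST PORT CAFILE
# Connects once, validating the server against CAFILE, and prints the chain.
# Needs gnutls-cli and network access; stdin is /dev/null so the client exits
# right after the handshake.  Validation is deliberately left on: with
# --insecure a forged certificate would be captured as readily as a real one.
fetch_chain() {
    gnutls-cli --print-cert --x509cafile "$3" -p "$2" "$1" </dev/null |
        extract_certs
}

# chain_changed BASELINE_FILE
# Reads a chain on stdin; succeeds (0) if it differs from BASELINE_FILE and
# fails (1) if it is byte-for-byte identical.
chain_changed() {
    ! cmp -s - "$1"
}

# Constructed sample of --print-cert output (shape only; the certificate
# bodies are placeholders, not real DER).
SAMPLE_OUTPUT=$(cat <<'EOF'
Resolving 'www.example.test'...
Connecting to '192.0.2.10:443'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXItbGVhZi1jZXJ0aWZpY2F0ZS1ub3QtcmVhbA==
-----END CERTIFICATE-----
 - Certificate[1] info:
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXItaXNzdWVyLWNlcnRpZmljYXRlLW5vdC1yZWFs
-----END CERTIFICATE-----
- Peer's certificate is trusted
- Version: TLS1.1
EOF
)

# Stand-alone usage on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | extract_certs | count_certs
# -> 2

# Live usage, inert unless CHECK_HOST and CHECK_CAFILE are set and gnutls-cli
# is installed: keep a baseline, then alert when the served chain changes.
if [ -n "${CHECK_HOST:-}" ] && command -v gnutls-cli >/dev/null 2>&1; then
    baseline="${CHECK_BASELINE:-$HOME/.tls-baseline-$CHECK_HOST.pem}"
    current=$(fetch_chain "$CHECK_HOST" "${CHECK_PORT:-443}" \
        "${CHECK_CAFILE:?set CHECK_CAFILE to the CA bundle for this host}")
    if [ ! -f "$baseline" ]; then
        printf '%s\n' "$current" > "$baseline"
        echo "baseline stored in $baseline"
    elif printf '%s\n' "$current" | chain_changed "$baseline"; then
        echo "WARNING: $CHECK_HOST now serves a different certificate chain"
    else
        echo "$CHECK_HOST chain unchanged"
    fi
fi
```

A changed chain is not necessarily an incident (certificates are renewed), but it is the event worth a human look, which is why the comparison is exact rather than fuzzy.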

Certificate options

--pgpcertfile FILE

PGP Public Key (certificate) file to use.

--pgpkeyfile FILE

PGP Key file to use.

--pgpkeyring FILE

PGP Key ring file to use.

--pgptrustdb FILE

PGP trustdb file to use.

--pgpsubkey HEX|auto2

PGP subkey to use.

--srppasswd PASSWD

SRP password to use.

--srpusername NAME

SRP username to use.

--x509cafile FILE

Certificate file to use.

--x509certfile FILE

X.509 Certificate file to use.

--x509fmtder

Use DER format for certificates.

--x509keyfile FILE

X.509 key file to use.

--x509crlfile FILE

X.509 CRL file to use.

--pskusername NAME

PSK username to use.

--pskkey KEY

PSK key (in hex) to use.

--opaque-prf-input DATA

Use Opaque PRF Input DATA.

SEE ALSO

gnutls-cli-debug(1), gnutls-serv(1)

AUTHOR

Nikos Mavroyanopoulos <[email protected]> and others; see /usr/share/doc/gnutls-bin/AUTHORS for a complete list.

This manual page was written by Ivo Timmermans <[email protected]>, for the Debian GNU/Linux system (but may be used by others).