gnutls-cli(1)                     User Commands                    gnutls-cli(1)

NAME
       gnutls-cli - GnuTLS client

SYNOPSIS
       gnutls-cli [-flags] [-flag [value]] [--option-name[[=| ]value]] [hostname]

       Operands and options may be intermixed. They will be reordered.

DESCRIPTION
       Simple client program to set up a TLS connection to some other computer.
       It sets up a TLS connection and forwards data from the standard input to
       the secured socket and vice versa.

OPTIONS
       -d number, --debug=number
              Enable debugging. This option takes an integer number as its
              argument. The value of number is constrained to being:
                  in the range 0 through 9999

              Specifies the debug level.

       -V, --verbose
              More verbose output. This option may appear an unlimited number
              of times.

       --tofu, --no-tofu
              Enable trust on first use authentication. The no-tofu form will
              disable the option.

              This option will, in addition to certificate authentication,
              perform authentication based on previously seen public keys, a
              model similar to SSH authentication. Note that when tofu is
              specified, PKI and DANE authentication become advisory, to
              assist the public key acceptance process.

       --strict-tofu, --no-strict-tofu
              Fail to connect if a known certificate has changed. The
              no-strict-tofu form will disable the option.

              This option will perform authentication as with option --tofu;
              however, while --tofu asks whether to trust a changed public
              key, this option will fail in case of public key changes.

       --dane, --no-dane
              Enable DANE certificate verification (DNSSEC). The no-dane form
              will disable the option.

              This option will, in addition to certificate authentication
              using the trusted CAs, verify the server certificates using the
              DANE information available via DNSSEC.

       --local-dns, --no-local-dns
              Use the local DNS server for DNSSEC resolving. The no-local-dns
              form will disable the option.

              This option will use the local DNS server for DNSSEC. This is
              disabled by default because many servers do not allow DNSSEC.

       --ca-verification, --no-ca-verification
              Enable CA certificate verification. The no-ca-verification form
              will disable the option. This option is enabled by default.

              The no-ca-verification form disables CA certificate
              verification. It is to be used with the --dane or --tofu
              options.

       --ocsp, --no-ocsp
              Enable OCSP certificate verification. The no-ocsp form will
              disable the option.

              This option will enable verification of the peer's certificate
              using OCSP.

       -r, --resume
              Establish a session and resume.

              Connect, establish a session, reconnect and resume.

       -e, --rehandshake
              Establish a session and rehandshake.

              Connect, establish a session and rehandshake immediately.

       -s, --starttls
              Connect, establish a plain session and start TLS.

              The TLS session will be initiated when EOF or a SIGALRM is
              received.

       --app-proto
              This is an alias for the --starttls-proto option.

       --starttls-proto=string
              The application protocol to be used to obtain the server's
              certificate (https, ftp, smtp, imap). This option must not
              appear in combination with any of the following options:
              starttls.

              Specify the application layer protocol for STARTTLS. If the
              protocol is supported, gnutls-cli will proceed to the TLS
              negotiation.

       -u, --udp
              Use DTLS (datagram TLS) over UDP.

       --mtu=number
              Set MTU for datagram TLS. This option takes an integer number
              as its argument. The value of number is constrained to being:
                  in the range 0 through 17000

       --crlf Send CR LF instead of LF.

       --x509fmtder
              Use DER format for certificates to read from.

       -f, --fingerprint
              Send the OpenPGP fingerprint, instead of the key.

       --print-cert
              Print peer's certificate in PEM format.

       --dh-bits=number
              The minimum number of bits allowed for DH. This option takes an
              integer number as its argument.

              This option sets the minimum number of bits allowed for a
              Diffie-Hellman key exchange. You may want to lower the default
              value if the peer sends a weak prime and you get a connection
              error with unacceptable prime.

       --priority=string
              Priorities string.

              TLS algorithms and protocols to enable. You can use predefined
              sets of ciphersuites such as PERFORMANCE, NORMAL, PFS,
              SECURE128, SECURE256. The default is NORMAL.

              Check the GnuTLS manual on section “Priority strings” for
              more information on the allowed keywords.

       --x509cafile=string
              Certificate file or PKCS #11 URL to use.

       --x509crlfile=file
              CRL file to use.

       --pgpkeyfile=file
              PGP Key file to use.

       --pgpkeyring=file
              PGP Key ring file to use.

       --pgpcertfile=file
              PGP Public Key (certificate) file to use.

       --x509keyfile=string
              X.509 key file or PKCS #11 URL to use.

       --x509certfile=string
              X.509 Certificate file or PKCS #11 URL to use.

       --pgpsubkey=string
              PGP subkey to use (hex or auto).

       --srpusername=string
              SRP username to use.

       --srppasswd=string
              SRP password to use.

       --pskusername=string
              PSK username to use.

       --pskkey=string
              PSK key (in hex) to use.

       -p string, --port=string
              The port or service to connect to.

       --insecure
              Don't abort program if server certificate can't be validated.

       --ranges
              Use length-hiding padding to prevent traffic analysis.

              When possible (e.g., when using CBC ciphersuites), use
              length-hiding padding to prevent traffic analysis.

       --benchmark-ciphers
              Benchmark individual ciphers.

       --benchmark-tls-kx
              Benchmark TLS key exchange methods.

       --benchmark-tls-ciphers
              Benchmark TLS ciphers.

       -l, --list
              Print a list of the supported algorithms and modes. This option
              must not appear in combination with any of the following
              options: port.

              Print a list of the supported algorithms and modes. If a
              priority string is given then only the enabled ciphersuites are
              shown.

       --noticket
              Don't allow session tickets.

       --srtp-profiles=string
              Offer SRTP profiles.

       --alpn=string
              Application layer protocol. This option may appear an unlimited
              number of times.

              This option will set and enable the Application Layer Protocol
              Negotiation (ALPN) in the TLS protocol.

       -b, --heartbeat
              Activate heartbeat support.

       --recordsize=number
              The maximum record size to advertise. This option takes an
              integer number as its argument. The value of number is
              constrained to being:
                  in the range 0 through 4096

       --disable-sni
              Do not send a Server Name Indication (SNI).

       --disable-extensions
              Disable all the TLS extensions.

              This option disables all TLS extensions. Deprecated option. Use
              the priority string.

       --inline-commands
              Inline commands of the form ^<cmd>^.

              Enable inline commands of the form ^<cmd>^. The inline commands
              are expected to be in a line by themselves. The available
              commands are: resume and renegotiate.

       --inline-commands-prefix=string
              Change the default delimiter for inline commands.

              Change the default delimiter (^) used for inline commands. The
              delimiter is expected to be a single US-ASCII character (octets
              0 - 127). This option is only relevant if inline commands are
              enabled via the --inline-commands option.

       --provider=file
              Specify the PKCS #11 provider library.

              This will override the default options in
              /etc/gnutls/pkcs11.conf

       --fips140-mode
              Reports the status of the FIPS140-2 mode in the gnutls library.

       -h, --help
              Display usage information and exit.

       -!, --more-help
              Pass the extended usage information through a pager.

       -v [{v|c|n}], --version [{v|c|n}]
              Output version of program and exit. The default mode is `v', a
              simple version. The `c' mode will print copyright information
              and `n' will print the full copyright notice.

EXAMPLES
   Connecting using PSK authentication
       To connect to a server using PSK authentication, you need to enable the
       choice of PSK by using a cipher priority parameter such as in the
       example below.

           $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
               --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
               --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
           Resolving 'localhost'...
           Connecting to '127.0.0.1:5556'...
           - PSK authentication.
           - Version: TLS1.1
           - Key Exchange: PSK
           - Cipher: AES-128-CBC
           - MAC: SHA1
           - Compression: NULL
           - Handshake was completed
           - Simple Client Mode:

       By keeping the --pskusername parameter and removing the --pskkey
       parameter, it will query only for the password during the handshake.

   Listing ciphersuites in a priority string
       To list the ciphersuites in a priority string:

           $ ./gnutls-cli --priority SECURE192 -l
           Cipher suites for SECURE192
           TLS_ECDHE_ECDSA_AES_256_CBC_SHA384                  0xc0, 0x24  TLS1.2
           TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                  0xc0, 0x2e  TLS1.2
           TLS_ECDHE_RSA_AES_256_GCM_SHA384                    0xc0, 0x30  TLS1.2
           TLS_DHE_RSA_AES_256_CBC_SHA256                      0x00, 0x6b  TLS1.2
           TLS_DHE_DSS_AES_256_CBC_SHA256                      0x00, 0x6a  TLS1.2
           TLS_RSA_AES_256_CBC_SHA256                          0x00, 0x3d  TLS1.2

           Certificate types: CTYPE-X.509
           Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
           Compression: COMP-NULL
           Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
           PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512

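       An added check, not part of GnuTLS or this manual, that reads a listing
       like the one above and reports what the priority string still enables
       that a reviewer would want to know about: ciphersuites with static RSA
       key exchange (no forward secrecy), CBC-mode suites, and protocol
       versions older than TLS 1.2. The listing it runs on is a constructed
       copy of the SECURE192 output shown above; the function reads any such
       listing from standard input.

```shell
#!/bin/sh
# Constructed copy of the "gnutls-cli --priority SECURE192 -l" output shown
# in the manual, embedded so the check runs offline.
SECURE192_LISTING='Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384                  0xc0, 0x24  TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                  0xc0, 0x2e  TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384                    0xc0, 0x30  TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256                      0x00, 0x6b  TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256                      0x00, 0x6a  TLS1.2
TLS_RSA_AES_256_CBC_SHA256                          0x00, 0x3d  TLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512'

# audit_listing: read a "gnutls-cli --priority ... -l" listing on stdin and
# print one finding per line. Suite names follow the GnuTLS naming used in
# the listing: TLS_<key exchange>_<cipher>_<mode>_<mac>.
audit_listing() {
    awk '
        /^TLS_/ {
            # Static RSA key exchange gives no forward secrecy: a recorded
            # session can be decrypted later if the server key leaks.
            if ($1 ~ /^TLS_RSA_/) print "non-PFS suite: " $1
            # CBC suites are MAC-then-encrypt and have needed padding
            # oracle fixes; prefer GCM where the peer supports it.
            if ($1 ~ /_CBC_/) print "CBC suite: " $1
        }
        /^Protocols:/ {
            for (i = 2; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v ~ /^VERS-(SSL3\.0|TLS1\.[01])$/) print "legacy protocol: " v
            }
        }
    '
}

# Usage with a live listing: gnutls-cli --priority SECURE192 -l | audit_listing
printf '%s\n' "$SECURE192_LISTING" | audit_listing
```

       The same findings follow from the printed suite names by eye; the
       value of the function is that it can be run against every priority
       string a deployment uses before that string is committed to a config.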
   Connecting using a PKCS #11 token
       To connect to a server using a certificate and a private key present in
       a PKCS #11 token you need to substitute the PKCS #11 URLs in the
       x509certfile and x509keyfile parameters.

       Those can be found using "p11tool --list-tokens" and then listing all
       the objects in the needed token, and using the appropriate URLs.

           $ p11tool --list-tokens

           Token 0:
                   URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test
                   Label: Test
                   Manufacturer: EnterSafe
                   Model: PKCS15
                   Serial: 1234

           $ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test"

           Object 0:
                   URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert
                   Type: X.509 Certificate
                   Label: client
                   ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a

           $ export MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert"
           $ export MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=private"

           $ gnutls-cli www.example.com --x509keyfile "$MYKEY" --x509certfile "$MYCERT"

       Notice that the private key only differs from the certificate in the
       object-type.

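       The procedure above (list the token's certificates, pick one, derive
       the private key URL, call gnutls-cli) as an added shell helper that is
       not part of GnuTLS or this manual. It parses p11tool --list-certs
       output, selects the certificate by label, derives the key URL by
       changing only object-type as described above, and refuses to guess
       when the URL does not end in object-type=cert. The p11tool output it
       parses is a constructed copy of the listing shown above.

```shell
#!/bin/sh
# Constructed copy of the "p11tool --login --list-certs <token-url>" output
# shown in the manual; a real run would replace it.
P11_LIST_CERTS='Object 0:
        URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert
        Type: X.509 Certificate
        Label: client
        ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a
'

# cert_url_for_label LABEL: read a p11tool object listing on stdin and print
# the URL of the X.509 certificate whose Label is LABEL (nothing if absent).
cert_url_for_label() {
    awk -v want="$1" '
        /^Object [0-9]+:/ { url = ""; type = ""; label = "" }
        /^[ \t]*URL:/     { url = $2 }
        /^[ \t]*Type:/    { type = $0;  sub(/^[ \t]*Type:[ \t]*/, "", type) }
        /^[ \t]*Label:/   { label = $0; sub(/^[ \t]*Label:[ \t]*/, "", label)
                            if (type == "X.509 Certificate" && label == want) { print url; exit } }
    '
}

# key_url_from_cert_url CERT_URL: the private key object differs from the
# certificate only in object-type, so rewrite that attribute and nothing else.
# Fails instead of guessing when the URL is not a certificate URL.
key_url_from_cert_url() {
    case "$1" in
        *";object-type=cert")
            printf '%s\n' "$1" | sed 's/;object-type=cert$/;object-type=private/' ;;
        *)
            echo "not a PKCS #11 certificate URL: $1" >&2; return 1 ;;
    esac
}

# gnutls_cli_command HOST CERT_URL KEY_URL: print the gnutls-cli invocation,
# single-quoting the URLs because ";" would otherwise end the command.
gnutls_cli_command() {
    printf "gnutls-cli %s --x509keyfile '%s' --x509certfile '%s'\n" "$1" "$3" "$2"
}

MYCERT=$(printf '%s' "$P11_LIST_CERTS" | cert_url_for_label client)
MYKEY=$(key_url_from_cert_url "$MYCERT")
gnutls_cli_command www.example.com "$MYCERT" "$MYKEY"
```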
EXIT STATUS
       One of the following exit values will be returned:

       0 (EXIT_SUCCESS)
              Successful program execution.

       1 (EXIT_FAILURE)
              The operation failed or the command syntax was not valid.

       70 (EX_SOFTWARE)
              libopts had an internal operational error. Please report it to
              autogen-users@lists.sourceforge.net. Thank you.

SEE ALSO
       gnutls-cli-debug(1), gnutls-serv(1)

AUTHORS
       Nikos Mavrogiannopoulos, Simon Josefsson and others; see
       /usr/share/doc/gnutls/AUTHORS for a complete list.

COPYRIGHT
       Copyright (C) 2000-2018 Free Software Foundation, and others; all
       rights reserved. This program is released under the terms of the GNU
       General Public License, version 3 or later.

BUGS
       Please send bug reports to: bugs@gnutls.org

NOTES
       This manual page was AutoGen-erated from the gnutls-cli option
       definitions.

3.3.29                            16 Feb 2018                      gnutls-cli(1)