gnutls-cli(1)               General Commands Manual              gnutls-cli(1)

NAME

       gnutls-cli - GNU TLS test client

SYNOPSIS

       gnutls-cli [options] hostname

DESCRIPTION

       Simple client program to set up a TLS connection to some other
       computer. It sets up a TLS connection and forwards data from the
       standard input to the secured socket and vice versa.

OPTIONS

   Program control options
       -d, --debug LEVEL
              Specify the debug level. Default is 1.

       -h, --help
              Prints a short reminder of the command line options.

       -l, --list
              Print a list of the supported algorithms and modes.

       -r, --resume
              Connect, establish a session. Connect again and resume this
              session.

       -s, --starttls
              Connect, establish a plain session and start TLS when EOF or a
              SIGALRM is received.

       -v, --version
              Prints the program's version number.

       -V, --verbose
              More verbose output.

   TLS/SSL control options
       --priority PRIORITY STRING
              TLS algorithms and protocols to enable. Unless the first
              keyword is "NONE" the defaults are:

              Protocols: TLS1.1, TLS1.0, and SSL3.0.

              Compression: NULL.

              Certificate types: X.509, OpenPGP.

              You can also use predefined sets of ciphersuites such as:

              PERFORMANCE: all the "secure" ciphersuites are enabled, limited
              to 128 bit ciphers and sorted by speed.

              NORMAL: enables all "secure" ciphersuites. The 256-bit ciphers
              are included as a fallback only. The ciphers are sorted by
              security margin.

              SECURE128: enables all "secure" ciphersuites with ciphers up to
              128 bits, sorted by security margin.

              SECURE256: enables all "secure" ciphersuites including the 256
              bit ciphers, sorted by security margin.

              EXPORT: all the ciphersuites are enabled, including the
              low-security 40 bit ciphers.

              NONE: nothing is enabled. This disables even protocols and
              compression methods.

              Special keywords:

              "!" or "-" prefixed to an algorithm removes that algorithm.

              "+" prefixed to an algorithm adds that algorithm.

              "%COMPAT" will enable compatibility features for a server.

              "%SSL3_RECORD_VERSION" forces the SSL3.0 record version in the
              first client hello. This prevents buggy servers from
              terminating the connection.

              "%UNSAFE_RENEGOTIATION" permits (re-)handshakes, even unsafe
              ones.

              "%PARTIAL_RENEGOTIATION" prevents renegotiation with clients and
              servers not supporting the safe renegotiation extension.
              (default)

              "%SAFE_RENEGOTIATION" will enable safe renegotiation. This is
              the most secure and recommended option for clients. However,
              it will prevent connecting to legacy servers.

              To avoid collisions, a compression algorithm in this string
              must be prefixed with "COMP-", protocol versions with "VERS-"
              and certificate types with "CTYPE-". All other algorithms don't
              need a prefix.

              Examples:

              "NORMAL"

              "NORMAL:%COMPAT"

              "NORMAL:!AES-128-CBC"

              "NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"

       --crlf
              Send CR LF instead of LF.

       -f, --fingerprint
              Send the openpgp fingerprint, instead of the key.

       -p, --port integer
              The port to connect to.

       --ciphers cipher1 cipher2...
              Ciphers to enable (use gnutls-cli --list to show the supported
              ciphers).

       --protocols protocol1 protocol2...
              Protocols to enable (use gnutls-cli --list to show the supported
              protocols).

       --comp comp1 comp2...
              Compression methods to enable (use gnutls-cli --list to show the
              supported methods).

       --macs mac1 mac2...
              MACs to enable (use gnutls-cli --list to show the supported
              MACs).

       --kx kx1 kx2...
              Key exchange methods to enable (use gnutls-cli --list to show
              the supported methods).

       --ctypes certType1 certType2...
              Certificate types to enable (use gnutls-cli --list to show the
              supported types).

       --recordsize integer
              The maximum record size to advertise.

       --disable-extensions
              Disable all the TLS extensions.

       --print-cert
              Print the certificate in PEM format.

       --insecure
              Don't abort program if server certificates can't be validated.

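The --priority keywords and the --insecure flag described above can be checked mechanically before a command line goes into a script. The following shell sketch is an added example, not part of the original manual page or the GnuTLS project; the function names and finding labels are made up here, and the SSL3.0 and renegotiation defaults it assumes are the ones this page documents.

```sh
#!/bin/sh
# Added example, not part of the man page. Finding labels are invented here.

# audit_priority STRING: print findings for one --priority string.
audit_priority() {
    prio=$1 out="" ssl3=default reneg=partial   # partial is the documented default
    # The protocol defaults (SSL3.0 among them) apply unless the first keyword is NONE.
    case $prio in NONE|NONE:*) ssl3=off ;; esac
    old_ifs=$IFS; IFS=:; set -f                 # split on ':' without globbing
    for tok in $prio; do
        case $tok in
            EXPORT)                        out="$out export-40bit" ;;
            %UNSAFE_RENEGOTIATION)         reneg=unsafe ;;
            %PARTIAL_RENEGOTIATION)        reneg=partial ;;
            %SAFE_RENEGOTIATION)           reneg=safe ;;
            +VERS-SSL3.0)                  ssl3=on ;;
            "-VERS-SSL3.0"|"!VERS-SSL3.0") ssl3=off ;;
        esac
    done
    set +f; IFS=$old_ifs
    if [ "$ssl3" != off ]; then out="$out ssl3-enabled"; fi
    if [ "$reneg" = unsafe ]; then out="$out unsafe-renegotiation"; fi
    if [ "$reneg" = partial ]; then out="$out partial-renegotiation"; fi
    echo "${out# }"
}

# audit_args ARGS...: audit a gnutls-cli argument list (--insecure and --priority only).
audit_args() {
    res=""
    while [ $# -gt 0 ]; do
        case $1 in
            --insecure) res="$res cert-validation-not-enforced" ;;
            --priority)
                if [ $# -ge 2 ]; then
                    f=$(audit_priority "$2"); shift
                    if [ -n "$f" ]; then res="$res $f"; fi
                fi ;;
        esac
        shift
    done
    echo "${res# }"
}

# Constructed sample run; the priority strings are the man page's own examples.
for p in "NORMAL" "NORMAL:%COMPAT" "NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"; do
    printf '%-55s %s\n' "$p" "$(audit_priority "$p")"
done
```

An empty result means none of the documented weak settings were found in the string; it says nothing about the individual ciphers the string selects.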
   Certificate options
       --pgpcertfile FILE
              PGP Public Key (certificate) file to use.

       --pgpkeyfile FILE
              PGP Key file to use.

       --pgpkeyring FILE
              PGP Key ring file to use.

       --pgptrustdb FILE
              PGP trustdb file to use.

       --pgpsubkey HEX|auto2
              PGP subkey to use.

       --srppasswd PASSWD
              SRP password to use.

       --srpusername NAME
              SRP username to use.

       --x509cafile FILE
              Certificate file to use.

       --x509certfile FILE
              X.509 Certificate file to use.

       --x509fmtder
              Use DER format for certificates.

       --x509keyfile FILE
              X.509 key file to use.

       --x509crlfile FILE
              X.509 CRL file to use.

       --pskusername NAME
              PSK username to use.

       --pskkey KEY
              PSK key (in hex) to use.

       --opaque-prf-input DATA
              Use Opaque PRF Input DATA.

SEE ALSO

       gnutls-cli-debug(1), gnutls-serv(1)

AUTHOR

       Nikos Mavroyanopoulos <nmav@gnutls.org> and others; see
       /usr/share/doc/gnutls-bin/AUTHORS for a complete list.

       This manual page was written by Ivo Timmermans <ivo@debian.org>, for
       the Debian GNU/Linux system (but may be used by others).

                               December 1st 2003                 gnutls-cli(1)