1gnutls-cli-debug(1) User Commands gnutls-cli-debug(1)
2
6 gnutls-cli-debug - GnuTLS debug client
7
9 gnutls-cli-debug [-flags] [-flag [value]] [--option-name[[=| ]value]]
10 [hostname]
11 Operands and options may be intermixed. They will be reordered.
13
15 TLS debug client. It sets up multiple TLS connections to a server and
16 queries its capabilities. It was created to assist in debugging GnuTLS,
17 but it might be useful to extract a TLS server's capabilities. It con‐
18 nects to a TLS server, performs tests and print the server's capabili‐
19 ties. If called with the `-V' parameter more checks will be performed.
20 Can be used to check for servers with special needs or bugs.
21
24 -d num, --debug=num
25 Enable debugging. This option takes an integer number as its
26 argument. The value of num is constrained to being:
27 in the range 0 through 9999
28 Specifies the debug level.
30 -V, --verbose
32 More verbose output.
33 -p num, --port=num
36 The port to connect to. This option takes an integer number as
37 its argument. The value of num is constrained to being:
38 in the range 0 through 65536
39 --app-proto
42 This is an alias for the --starttls-proto option.
43 --starttls-proto=str
45 The application protocol to be used to obtain the server's cer‐
46 tificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp,
47 sieve, postgres).
48 Specify the application layer protocol for STARTTLS. If the pro‐
50 tocol is supported, gnutls-cli will proceed to the TLS negotia‐
51 tion.
52 -v arg, --version=arg
54 Output version of program and exit. The default mode is `v', a
55 simple version. The `c' mode will print copyright information
56 and `n' will print the full copyright notice.
57 -h, --help
59 Display usage information and exit.
60 -!, --more-help
62 Pass the extended usage information through a pager.
63
67 $ gnutls-cli-debug localhost
68 GnuTLS debug client 3.5.0
69 Checking localhost:443
70 for SSL 3.0 (RFC6101) support... yes
71 whether we need to disable TLS 1.2... no
72 whether we need to disable TLS 1.1... no
73 whether we need to disable TLS 1.0... no
74 whether %NO_EXTENSIONS is required... no
75 whether %COMPAT is required... no
76 for TLS 1.0 (RFC2246) support... yes
77 for TLS 1.1 (RFC4346) support... yes
78 for TLS 1.2 (RFC5246) support... yes
79 fallback from TLS 1.6 to... TLS1.2
80 for RFC7507 inappropriate fallback... yes
81 for HTTPS server name... Local
82 for certificate chain order... sorted
83 for safe renegotiation (RFC5746) support... yes
84 for Safe renegotiation support (SCSV)... no
85 for encrypt-then-MAC (RFC7366) support... no
86 for ext master secret (RFC7627) support... no
87 for heartbeat (RFC6520) support... no
88 for version rollback bug in RSA PMS... dunno
89 for version rollback bug in Client Hello... no
90 whether the server ignores the RSA PMS version... yes
91 whether small records (512 bytes) are tolerated on handshake... yes
92 whether cipher suites not in SSL 3.0 spec are accepted... yes
93 whether a bogus TLS record version in the client hello is accepted... yes
94 whether the server understands TLS closure alerts... partially
95 whether the server supports session resumption... yes
96 for anonymous authentication support... no
97 for ephemeral Diffie-Hellman support... no
98 for ephemeral EC Diffie-Hellman support... yes
99 ephemeral EC Diffie-Hellman group info... SECP256R1
100 for AES-128-GCM cipher (RFC5288) support... yes
101 for AES-128-CCM cipher (RFC6655) support... no
102 for AES-128-CCM-8 cipher (RFC6655) support... no
103 for AES-128-CBC cipher (RFC3268) support... yes
104 for CAMELLIA-128-GCM cipher (RFC6367) support... no
105 for CAMELLIA-128-CBC cipher (RFC5932) support... no
106 for 3DES-CBC cipher (RFC2246) support... yes
107 for ARCFOUR 128 cipher (RFC2246) support... yes
108 for MD5 MAC support... yes
109 for SHA1 MAC support... yes
110 for SHA256 MAC support... yes
111 for ZLIB compression support... no
112 for max record size (RFC6066) support... no
113 for OCSP status response (RFC6066) support... no
114 for OpenPGP authentication (RFC6091) support... no
115 You could also use the client to debug services with starttls capabil‐
117 ity.
118 $ gnutls-cli-debug --starttls-proto smtp --port 25 localhost
119
121 One of the following exit values will be returned:
122 0 (EXIT_SUCCESS)
124 Successful program execution.
125 1 (EXIT_FAILURE)
127 The operation failed or the command syntax was not valid.
128
130 gnutls-cli(1), gnutls-serv(1)
131
134 Copyright (C) 2020-2021 Free Software Foundation, and others all rights
135 reserved. This program is released under the terms of the GNU General
136 Public License, version 3 or later
137
139 Please send bug reports to: bugs@gnutls.org
1403.7.8 27 Sep 2022 gnutls-cli-debug(1)