1gnutls-cli-debug(1) User Commands gnutls-cli-debug(1)
2
6 gnutls-cli-debug - GnuTLS debug client
7
9 gnutls-cli-debug [-flags] [-flag [value]] [--option-name[[=| ]value]]
10 [hostname]
11 Operands and options may be intermixed. They will be reordered.
13
15 TLS debug client. It sets up multiple TLS connections to a server and
16 queries its capabilities. It was created to assist in debugging GnuTLS,
17 but it might be useful to extract a TLS server's capabilities. It con‐
18 nects to a TLS server, performs tests and print the server's capabili‐
19 ties. If called with the `-V' parameter more checks will be performed.
20 Can be used to check for servers with special needs or bugs.
21
24 -d num, --debug=num
25 Enable debugging. This option takes an integer number as its
26 argument. The value of num is constrained to being:
27 in the range 0 through 9999
28 Specifies the debug level.
30 -V, --verbose
32 More verbose output.
33 -p num, --port=num
36 The port to connect to. This option takes an integer number as
37 its argument. The value of num is constrained to being:
38 in the range 0 through 65536
39 --app-proto
42 This is an alias for the --starttls-proto option.
43 --starttls-proto=str
45 The application protocol to be used to obtain the server's cer‐
46 tificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp,
47 sieve, postgres).
48 Specify the application layer protocol for STARTTLS. If the pro‐
50 tocol is supported, gnutls-cli will proceed to the TLS negotia‐
51 tion.
52 --attime=timestamp
54 Perform validation at the timestamp instead of the system time.
55 timestamp is an instance in time encoded as Unix time or in a
57 human
58 readable timestring such as "29 Feb 2004", "2004-02-29". Full
59 documentation available at <https://www.gnu.org/software/core‐
60 utils/manual/html_node/Date-input-formats.html> or locally via
61 info '(coreutils) date invocation'.
62 -v arg, --version=arg
64 Output version of program and exit. The default mode is `v', a
65 simple version. The `c' mode will print copyright information
66 and `n' will print the full copyright notice.
67 -h, --help
69 Display usage information and exit.
70 -!, --more-help
72 Pass the extended usage information through a pager.
73
77 $ gnutls-cli-debug localhost
78 GnuTLS debug client 3.5.0
79 Checking localhost:443
80 for SSL 3.0 (RFC6101) support... yes
81 whether we need to disable TLS 1.2... no
82 whether we need to disable TLS 1.1... no
83 whether we need to disable TLS 1.0... no
84 whether %NO_EXTENSIONS is required... no
85 whether %COMPAT is required... no
86 for TLS 1.0 (RFC2246) support... yes
87 for TLS 1.1 (RFC4346) support... yes
88 for TLS 1.2 (RFC5246) support... yes
89 fallback from TLS 1.6 to... TLS1.2
90 for RFC7507 inappropriate fallback... yes
91 for HTTPS server name... Local
92 for certificate chain order... sorted
93 for safe renegotiation (RFC5746) support... yes
94 for Safe renegotiation support (SCSV)... no
95 for encrypt-then-MAC (RFC7366) support... no
96 for ext master secret (RFC7627) support... no
97 for heartbeat (RFC6520) support... no
98 for version rollback bug in RSA PMS... dunno
99 for version rollback bug in Client Hello... no
100 whether the server ignores the RSA PMS version... yes
101 whether small records (512 bytes) are tolerated on handshake... yes
102 whether cipher suites not in SSL 3.0 spec are accepted... yes
103 whether a bogus TLS record version in the client hello is accepted... yes
104 whether the server understands TLS closure alerts... partially
105 whether the server supports session resumption... yes
106 for anonymous authentication support... no
107 for ephemeral Diffie-Hellman support... no
108 for ephemeral EC Diffie-Hellman support... yes
109 ephemeral EC Diffie-Hellman group info... SECP256R1
110 for AES-128-GCM cipher (RFC5288) support... yes
111 for AES-128-CCM cipher (RFC6655) support... no
112 for AES-128-CCM-8 cipher (RFC6655) support... no
113 for AES-128-CBC cipher (RFC3268) support... yes
114 for CAMELLIA-128-GCM cipher (RFC6367) support... no
115 for CAMELLIA-128-CBC cipher (RFC5932) support... no
116 for 3DES-CBC cipher (RFC2246) support... yes
117 for ARCFOUR 128 cipher (RFC2246) support... yes
118 for MD5 MAC support... yes
119 for SHA1 MAC support... yes
120 for SHA256 MAC support... yes
121 for ZLIB compression support... no
122 for max record size (RFC6066) support... no
123 for OCSP status response (RFC6066) support... no
124 for OpenPGP authentication (RFC6091) support... no
125 You could also use the client to debug services with starttls capabil‐
127 ity.
128 $ gnutls-cli-debug --starttls-proto smtp --port 25 localhost
129
131 One of the following exit values will be returned:
132 0 (EXIT_SUCCESS)
134 Successful program execution.
135 1 (EXIT_FAILURE)
137 The operation failed or the command syntax was not valid.
138
140 gnutls-cli(1), gnutls-serv(1)
141
144 Copyright (C) 2020-2023 Free Software Foundation, and others all rights
145 reserved. This program is released under the terms of the GNU General
146 Public License, version 3 or later
147
149 Please send bug reports to: bugs@gnutls.org
1503.8.2 15 Nov 2023 gnutls-cli-debug(1)