Unix/Linux Go Back    


CentOS 7.0 - man page for gnutls-cli (centos section 1)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


gnutls-cli(1)				  User Commands 			    gnutls-cli(1)

NAME
       gnutls-cli - GnuTLS client

SYNOPSIS
       gnutls-cli [-flag [value]]... [--opt-name[[=| ]value]]... [hostname]

       Operands and options may be intermixed.	They will be reordered.

DESCRIPTION
       Simple client program to set up a TLS connection to some other computer.  It sets up a TLS
       connection and forwards data from the standard input to the secured socket and vice versa.

OPTIONS
       -d number, --debug=number
	      Enable debugging..  This option takes an integer number as its argument.	The value
	      of number is constrained to being:
		  in the range	0 through 9999

	      Specifies the debug level.

       -V, --verbose
	      More verbose output.  This option may appear an unlimited number of times.

       --tofu, --no-tofu
	      Enable trust on first use authentication.  The no-tofu form will disable the
	      option.

	      This option will, in addition to certificate authentication, perform authentication
	      based on previously seen public keys, a model similar to SSH authentication.

       --dane, --no-dane
	      Enable DANE certificate verification (DNSSEC).  The no-dane form will disable the
	      option.

	      This option will, in addition to certificate authentication using the trusted CAs,
	      verify the server certificates using on the DANE information available via DNSSEC.

       --local-dns, --no-local-dns
	      Use the local DNS server for DNSSEC resolving..  The no-local-dns form will disable
	      the option.

	      This option will use the local DNS server for DNSSEC.  This is disabled by default
	      due to many servers not allowing DNSSEC.

       --ca-verification, --no-ca-verification
	      Disable CA certificate verification.  The no-ca-verification form will disable the
	      option.  This option is enabled by default.

	      This option will disable CA certificate verification. It is to be used with the
	      --dane or --tofu options.

       --ocsp, --no-ocsp
	      Enable OCSP certificate verification.  The no-ocsp form will disable the option.

	      This option will enable verification of the peer's certificate using ocsp

       -r, --resume
	      Establish a session and resume.

	      Connect, establish a session, reconnect and resume.

       -b, --heartbeat
	      Activate heartbeat support.

       -e, --rehandshake
	      Establish a session and rehandshake.

	      Connect, establish a session and rehandshake immediately.

       --noticket
	      Don't accept session tickets.

       -s, --starttls
	      Connect, establish a plain session and start TLS..

	      The TLS session will be initiated when EOF or a SIGALRM is received.

       -u, --udp
	      Use DTLS (datagram TLS) over UDP.

       --mtu=number
	      Set MTU for datagram TLS.  This option takes an integer number as its argument.
	      The value of number is constrained to being:
		  in the range	0 through 17000

       --srtp-profiles=string
	      Offer SRTP profiles.

       --crlf Send CR LF instead of LF.

       --x509fmtder
	      Use DER format for certificates to read from.

       -f, --fingerprint
	      Send the openpgp fingerprint, instead of the key.

       --disable-extensions
	      Disable all the TLS extensions.

	      This option disables all TLS extensions. Deprecated option. Use the priority
	      string.

       --print-cert
	      Print peer's certificate in PEM format.

       --recordsize=number
	      The maximum record size to advertize.  This option takes an integer number as its
	      argument.  The value of number is constrained to being:
		  in the range	0 through 4096

       --dh-bits=number
	      The minimum number of bits allowed for DH.  This option takes an integer number as
	      its argument.

	      This option sets the minimum number of bits allowed for a Diffie-Hellman key
	      exchange. You may want to lower the default value if the peer sends a weak prime
	      and you get an connection error with unacceptable prime.

       --priority=string
	      Priorities string.

	      TLS algorithms and protocols to enable. You can use predefined sets of ciphersuites
	      such as PERFORMANCE, NORMAL, SECURE128, SECURE256.

	      Check  the  GnuTLS  manual  on  section  "Priority strings" for more information on
	      allowed keywords

       --x509cafile=string
	      Certificate file or PKCS #11 URL to use.

       --x509crlfile=file
	      CRL file to use.

       --pgpkeyfile=file
	      PGP Key file to use.

       --pgpkeyring=file
	      PGP Key ring file to use.

       --pgpcertfile=file
	      PGP Public Key (certificate) file to use.

       --x509keyfile=string
	      X.509 key file or PKCS #11 URL to use.

       --x509certfile=string
	      X.509 Certificate file or PKCS #11 URL to use.

       --pgpsubkey=string
	      PGP subkey to use (hex or auto).

       --srpusername=string
	      SRP username to use.

       --srppasswd=string
	      SRP password to use.

       --pskusername=string
	      PSK username to use.

       --pskkey=string
	      PSK key (in hex) to use.

       -p string, --port=string
	      The port or service to connect to.

       --insecure
	      Don't abort program if server certificate can't be validated.

       --ranges
	      Use length-hiding padding to prevent traffic analysis.

	      When possible (e.g., when %NEW_PADDING is specified), use length-hiding padding to
	      prevent traffic analysis.

       --benchmark-ciphers
	      Benchmark individual ciphers.

       --benchmark-soft-ciphers
	      Benchmark individual software ciphers (no hw acceleration).

       --benchmark-tls-kx
	      Benchmark TLS key exchange methods.

       --benchmark-tls-ciphers
	      Benchmark TLS ciphers.

       -l, --list
	      Print a list of the supported algorithms and modes.

	      Print a list of the supported algorithms and modes. If a priority string is given
	      then only the enabled ciphersuites are shown.

       --disable-sni
	      Do not send a Server Name Indication (SNI).

       -h, --help
	      Display usage information and exit.

       -!, --more-help
	      Pass the extended usage information through a pager.

       -v [{v|c|n}], --version[={v|c|n}]
	      Output version of program and exit.  The default mode is `v', a simple version.
	      The `c' mode will print copyright information and `n' will print the full copyright
	      notice.

EXAMPLES
       Connecting using PSK authentication
       To connect to a server using PSK authentication, you need to enable the choice of PSK by
       using a cipher priority parameter such as in the example below.
	   $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity	   --pskkey 88f3824b3e5659f52d00e959bacab954b6540344	 --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
	   Resolving 'localhost'...
	   Connecting to '127.0.0.1:5556'...
	   - PSK authentication.
	   - Version: TLS1.1
	   - Key Exchange: PSK
	   - Cipher: AES-128-CBC
	   - MAC: SHA1
	   - Compression: NULL
	   - Handshake was completed
	   - Simple Client Mode:
       By keeping the --pskusername parameter and removing the --pskkey parameter, it will query
       only for the password during the handshake.

       Listing ciphersuites in a priority string
       To list the ciphersuites in a priority string:
	   $ ./gnutls-cli --priority SECURE192 -l
	   Cipher suites for SECURE192
	   TLS_ECDHE_ECDSA_AES_256_CBC_SHA384	      0xc0, 0x24  TLS1.2
	   TLS_ECDHE_ECDSA_AES_256_GCM_SHA384	      0xc0, 0x2e  TLS1.2
	   TLS_ECDHE_RSA_AES_256_GCM_SHA384	      0xc0, 0x30  TLS1.2
	   TLS_DHE_RSA_AES_256_CBC_SHA256	      0x00, 0x6b  TLS1.2
	   TLS_DHE_DSS_AES_256_CBC_SHA256	      0x00, 0x6a  TLS1.2
	   TLS_RSA_AES_256_CBC_SHA256		      0x00, 0x3d  TLS1.2

	   Certificate types: CTYPE-X.509
	   Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
	   Compression: COMP-NULL
	   Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
	   PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512

EXIT STATUS
       One of the following exit values will be returned:

       0 (EXIT_SUCCESS)
	      Successful program execution.

       1 (EXIT_FAILURE)
	      The operation failed or the command syntax was not valid.

       70 (EX_SOFTWARE)
	      libopts had an internal operational error.  Please report it to autogen-
	      users@lists.sourceforge.net.  Thank you.

SEE ALSO
       gnutls-cli-debug(1), gnutls-serv(1)

AUTHORS
       Nikos Mavrogiannopoulos, Simon Josefsson and others; see /usr/share/doc/gnutls-bin/AUTHORS
       for a complete list.

COPYRIGHT
       Copyright (C) 2000-2012 Free Software Foundation all rights reserved.  This program is
       released under the terms of the GNU General Public License, version 3 or later.

BUGS
       Please send bug reports to: bugs@gnutls.org

NOTES
       This manual page was AutoGen-erated from the gnutls-cli option definitions.

3.1.18					   20 Dec 2013				    gnutls-cli(1)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 04:38 AM.