gnutls-cli — GnuTLS client

Synopsis

gnutls-cli [-flag [value]]... [--opt-name[[=| ]value]]... [hostname]

Description

Simple client program to set up a TLS connection to some other computer. It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.

Options
-d number, --debug=number
    Enable debugging. This option takes an integer number as its argument. The value of number is constrained to being in the range 0 through 9999.

--tofu, --no-tofu
    Enable trust on first use (SSH-style) authentication. The no-tofu form will disable the option.
    This option will, in addition to certificate authentication, perform authentication based on previously seen public keys.

--ocsp, --no-ocsp
    Enable OCSP certificate verification. The no-ocsp form will disable the option.
    This option will enable verification of the peer's certificate using OCSP.
-r, --resume
    Connect, establish a session, reconnect and resume.

-e, --rehandshake
    Connect, establish a session and rehandshake immediately.

--noticket
    Don't accept session tickets.

-s, --starttls
    Connect, establish a plain session and start TLS. The TLS session will be initiated when EOF or a SIGALRM is received.

-u, --udp
    Use DTLS (datagram TLS) over UDP.

--mtu=number
    Set MTU for datagram TLS. This option takes an integer number as its argument. The value of number is constrained to being in the range 0 through 17000.

--crlf
    Send CR LF instead of LF.

--x509fmtder
    Use DER format for certificates to read from.

-f, --fingerprint
    Send the OpenPGP fingerprint, instead of the key.

--disable-extensions
    Disable all the TLS extensions.

--print-cert
    Print peer's certificate in PEM format.

--recordsize=number
    The maximum record size to advertise. This option takes an integer number as its argument. The value of number is constrained to being in the range 0 through 4096.

-V, --verbose
    More verbose output. This option may appear an unlimited number of times.
--priority=string
    Priorities string. TLS algorithms and protocols to enable. You can use predefined sets of ciphersuites such as PERFORMANCE, NORMAL, SECURE128, SECURE256. Check the GnuTLS manual, section "Priority strings", for more information on allowed keywords.

--x509cafile=string
    Certificate file or PKCS #11 URL to use.

--x509crlfile=file
    CRL file to use.

--pgpkeyfile=file
    PGP key file to use.

--pgpkeyring=file
    PGP key ring file to use.

--pgpcertfile=file
    PGP public key (certificate) file to use.

--x509keyfile=string
    X.509 key file or PKCS #11 URL to use.

--x509certfile=string
    X.509 certificate file or PKCS #11 URL to use.

--pgpsubkey=string
    PGP subkey to use (hex or auto).

--srpusername=string
    SRP username to use.

--srppasswd=string
    SRP password to use.

--pskusername=string
    PSK username to use.

--pskkey=string
    PSK key (in hex) to use.

-p string, --port=string
    The port or service to connect to.
--insecure
    Don't abort program if server certificate can't be validated.

--benchmark-ciphers
    Benchmark individual ciphers.

--benchmark-soft-ciphers
    Benchmark individual software ciphers (no hardware acceleration).

--benchmark-tls
    Benchmark ciphers and key exchange methods in TLS.

-l, --list
    Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.

-h, --help
    Display usage information and exit.

-!, --more-help
    Pass the extended usage information through a pager.

-v [{v|c|n}], --version[={v|c|n}]
    Output version of program and exit. The default mode is 'v', a simple version. The 'c' mode will print copyright information and 'n' will print the full copyright notice.
Examples

Connecting using PSK authentication

To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.

    $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
    Resolving 'localhost'...
    Connecting to '127.0.0.1:5556'...
    - PSK authentication.
    - Version: TLS1.1
    - Key Exchange: PSK
    - Cipher: AES-128-CBC
    - MAC: SHA1
    - Compression: NULL
    - Handshake was completed

    - Simple Client Mode:

By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.
Listing ciphersuites in a priority string

To list the ciphersuites in a priority string:

    $ ./gnutls-cli --priority SECURE192 -l
    Cipher suites for SECURE192
    TLS_ECDHE_ECDSA_AES_256_CBC_SHA384    0xc0, 0x24    TLS1.2
    TLS_ECDHE_ECDSA_AES_256_GCM_SHA384    0xc0, 0x2e    TLS1.2
    TLS_ECDHE_RSA_AES_256_GCM_SHA384      0xc0, 0x30    TLS1.2
    TLS_DHE_RSA_AES_256_CBC_SHA256        0x00, 0x6b    TLS1.2
    TLS_DHE_DSS_AES_256_CBC_SHA256        0x00, 0x6a    TLS1.2
    TLS_RSA_AES_256_CBC_SHA256            0x00, 0x3d    TLS1.2

    Certificate types: CTYPE-X.509
    Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
    Compression: COMP-NULL
    Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
    PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
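As an added example that is not part of the gnutls-cli manual or the GnuTLS project, the following Python script parses the -l listing format shown above and reports which enabled suites lack forward secrecy and which deprecated protocol versions the priority string still allows; that check matters because the SECURE192 listing above still includes VERS-SSL3.0. The sample input is the listing from this page, re-typed with tab-separated fields as gnutls-cli prints them; the function and constant names are assumptions of this example.

```python
import re

# Constructed sample: the "gnutls-cli --priority SECURE192 -l" listing shown
# on this page, one entry per line (real output separates fields with tabs).
SAMPLE = """\
Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384\t0xc0, 0x24\tTLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384\t0xc0, 0x2e\tTLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384\t0xc0, 0x30\tTLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256\t0x00, 0x6b\tTLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256\t0x00, 0x6a\tTLS1.2
TLS_RSA_AES_256_CBC_SHA256\t0x00, 0x3d\tTLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
"""

# One ciphersuite line: name, two-byte IANA id, minimum protocol version.
SUITE_RE = re.compile(r"^(TLS_\S+)\s+(0x[0-9a-fA-F]{2}),\s*(0x[0-9a-fA-F]{2})\s+(\S+)$")
# Versions deprecated by RFC 7568 (SSL 3.0) and RFC 8996 (TLS 1.0 and 1.1).
LEGACY_VERSIONS = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1"}

def parse_listing(text):
    """Split -l output into (name, (id0, id1), min_version) tuples and the
    'Label: a, b' parameter lines, keyed by their label."""
    suites, params = [], {}
    for line in text.splitlines():
        m = SUITE_RE.match(line.strip())
        if m:
            suites.append((m.group(1), (int(m.group(2), 16), int(m.group(3), 16)), m.group(4)))
        elif ":" in line:
            key, _, rest = line.partition(":")
            params[key.strip()] = [v.strip() for v in rest.split(",") if v.strip()]
    return suites, params

def forward_secret(suite_name):
    # Only (EC)DHE key exchange gives forward secrecy; TLS_RSA_* suites do not.
    return "_ECDHE_" in suite_name or "_DHE_" in suite_name

def audit(text):
    """List what a defender would want to know before adopting this priority string."""
    suites, params = parse_listing(text)
    findings = [f"no forward secrecy: {name}" for name, _, _ in suites if not forward_secret(name)]
    findings += [f"legacy protocol enabled: {v}" for v in params.get("Protocols", []) if v in LEGACY_VERSIONS]
    return findings
```

In practice the input would come from a pipe such as `gnutls-cli --priority SECURE192 -l`, and the listing for a candidate priority string can be audited the same way before it is deployed.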
Exit status

One of the following exit values will be returned:

0   Successful program execution.
1   The operation failed or the command syntax was not valid.