NAME

gnutls-cli — GnuTLS client

SYNOPSIS

gnutls-cli [ -flag [value] ...] [ --opt-name [[=| ]value] ...] [hostname]

DESCRIPTION

Simple client program to set up a TLS connection to some other computer. It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.

OPTIONS

-d number, --debug=number

Enable debugging. This option takes an integer number as its argument. The value of number is constrained to being:

in the range 0 through 9999

--tofu, --no-tofu

Enable trust on first use (SSH-style) authentication. The no-tofu form will disable the option.

This option will, in addition to certificate authentication, perform authentication based on previously seen public keys.

--ocsp, --no-ocsp

Enable OCSP certificate verification. The no-ocsp form will disable the option.

This option will enable verification of the peer's certificate using OCSP.

-r, --resume

Connect, establish a session, reconnect and resume.

-e, --rehandshake

Connect, establish a session and rehandshake immediately.

--noticket

Don't accept session tickets.

-s, --starttls

Connect, establish a plain session and start TLS.

The TLS session will be initiated when EOF or a SIGALRM is received.

-u, --udp

Use DTLS (datagram TLS) over UDP.

--mtu=number

Set MTU for datagram TLS. This option takes an integer number as its argument. The value of number is constrained to being:

in the range 0 through 17000

--crlf

Send CR LF instead of LF.

--x509fmtder

Use DER format for certificates to read from.

-f, --fingerprint

Send the OpenPGP fingerprint, instead of the key.

--disable-extensions

Disable all the TLS extensions.

--print-cert

Print peer's certificate in PEM format.

--recordsize=number

The maximum record size to advertise. This option takes an integer number as its argument. The value of number is constrained to being:

in the range 0 through 4096

-V, --verbose

More verbose output. This option may appear an unlimited number of times.

--priority=string

Priorities string.

TLS algorithms and protocols to enable. You can use predefined sets of ciphersuites such as PERFORMANCE, NORMAL, SECURE128, SECURE256. Check the GnuTLS manual on section "Priority strings" for more information on allowed keywords.

--x509cafile=string

Certificate file or PKCS #11 URL to use.

--x509crlfile=file

CRL file to use.

--pgpkeyfile=file

PGP Key file to use.

--pgpkeyring=file

PGP Key ring file to use.

--pgpcertfile=file

PGP Public Key (certificate) file to use.

--x509keyfile=string

X.509 key file or PKCS #11 URL to use.

--x509certfile=string

X.509 Certificate file or PKCS #11 URL to use.

--pgpsubkey=string

PGP subkey to use (hex or auto).

--srpusername=string

SRP username to use.

--srppasswd=string

SRP password to use.

--pskusername=string

PSK username to use.

--pskkey=string

PSK key (in hex) to use.

-p string, --port=string

The port or service to connect to.

--insecure

Don't abort program if server certificate can't be validated.

--benchmark-ciphers

Benchmark individual ciphers.

--benchmark-soft-ciphers

Benchmark individual software ciphers (no hw acceleration).

--benchmark-tls

Benchmark ciphers and key exchange methods in TLS.

-l, --list

Print a list of the supported algorithms and modes.

Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.

-h, --help

Display usage information and exit.

-!, --more-help

Pass the extended usage information through a pager.

-v [{v|c|n}], --version[={v|c|n}]

Output version of program and exit. The default mode is 'v', a simple version. The 'c' mode will print copyright information and 'n' will print the full copyright notice.

EXAMPLES

Connecting using PSK authentication

To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.

$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
    --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
    --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- PSK authentication.
- Version: TLS1.1
- Key Exchange: PSK
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:

By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.
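The PSK invocation above, as an added shell example that is not part of the man page or of GnuTLS itself: psk_cmdline assembles the same argument list (the priority string is the one from the page; the hostname, port, identity and key are placeholders the caller supplies), and audit_handshake reads the summary lines gnutls-cli prints after the handshake and flags a negotiated protocol below TLS 1.2, a CBC cipher or a SHA1/MD5 MAC, which is exactly what the page's sample session negotiated. The two summaries embedded below are constructed to mirror that output and are not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the gnutls-cli man page. Builds a PSK
# invocation and audits the handshake summary gnutls-cli prints.
# Hostnames, ports, identities and keys are caller-supplied placeholders.

# Priority string taken from the page: keep NORMAL, drop every key
# exchange, then re-enable only the PSK-based ones.
PSK_PRIORITY='NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK'

# Print the gnutls-cli argument list, one word per line, so the caller can
# inspect it before running it. Arguments: host port identity [key].
# Without a key gnutls-cli prompts for it during the handshake (as the
# page notes), so the secret need not appear on the command line at all.
psk_cmdline() {
    printf '%s\n' gnutls-cli -p "$2" "$1" --pskusername "$3"
    if [ -n "${4:-}" ]; then
        printf '%s\n' --pskkey "$4"
    fi
    printf '%s\n' --priority "$PSK_PRIORITY"
}

# Audit the "- Version:", "- Cipher:" and "- MAC:" lines of a handshake
# summary read from stdin. Prints each finding and returns 1 if any
# finding was made, 0 if the session meets the policy encoded below.
audit_handshake() {
    awk '
        /^- Version:/  { version = $3 }
        /^- Cipher:/   { cipher  = $3 }
        /^- MAC:/      { mac     = $3 }
        /^- Handshake was completed/ { completed = 1 }
        END {
            bad = 0
            if (!completed) { print "no completed handshake in output"; bad = 1 }
            if (version != "TLS1.2" && version != "TLS1.3") {
                print "legacy protocol negotiated: " version; bad = 1
            }
            if (cipher ~ /CBC/) { print "CBC cipher negotiated: " cipher; bad = 1 }
            if (mac == "SHA1" || mac == "MD5") { print "weak MAC negotiated: " mac; bad = 1 }
            exit bad
        }'
}

# Constructed sample: the parameters the page's example session reports.
LEGACY_SUMMARY='- PSK authentication.
- Version: TLS1.1
- Key Exchange: PSK
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed'

# Constructed sample of a session that would pass the audit.
MODERN_SUMMARY='- PSK authentication.
- Version: TLS1.2
- Key Exchange: ECDHE-PSK
- Cipher: AES-256-GCM
- MAC: AEAD
- Handshake was completed'

# Demo when run directly: show the command line and audit the legacy sample.
psk_cmdline localhost 5556 psk_identity | tr '\n' ' '; echo
printf '%s\n' "$LEGACY_SUMMARY" | audit_handshake || echo "legacy sample: policy violations found"
```

In practice the summary is fed from a real run, e.g. `gnutls-cli ... </dev/null | audit_handshake`, and the non-zero return value makes the check usable from a monitoring job; the policy in audit_handshake is a deliberately simple one and should be tightened to whatever the deployment requires.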

Listing ciphersuites in a priority string

To list the ciphersuites in a priority string:

$ ./gnutls-cli --priority SECURE192 -l
Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384         0xc0, 0x24   TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384         0xc0, 0x2e   TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384           0xc0, 0x30   TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256             0x00, 0x6b   TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256             0x00, 0x6a   TLS1.2
TLS_RSA_AES_256_CBC_SHA256                 0x00, 0x3d   TLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
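The listing above, as an added shell example that is not part of the man page or of GnuTLS: a practitioner auditing a priority string would want to notice that, in this version, SECURE192 still leaves VERS-SSL3.0, VERS-TLS1.0 and VERS-TLS1.1 enabled and that four of the six suites are CBC. legacy_protocols pulls those protocols out of the Protocols: line, count_cbc_suites counts the CBC suites, and harden_priority appends the -VERS-... keywords with which GnuTLS priority strings remove individual protocols (the same "-" keyword form the page's PSK example uses with -KX-ALL). The listing embedded below is constructed to mirror the page's output.

```shell
#!/bin/sh
# Added example, not part of the gnutls-cli man page. Audits the output of
# "gnutls-cli --priority <string> -l" read from stdin.

# Print each protocol from the "Protocols:" line that predates TLS 1.2,
# one per line, in the order gnutls-cli listed them.
legacy_protocols() {
    awk -F': ' '/^Protocols:/ {
        n = split($2, proto, /, */)
        for (i = 1; i <= n; i++) {
            if (proto[i] == "VERS-SSL3.0" || proto[i] == "VERS-TLS1.0" || proto[i] == "VERS-TLS1.1")
                print proto[i]
        }
    }'
}

# Count the listed ciphersuites that use CBC mode.
count_cbc_suites() {
    awk '/^TLS_.*_CBC_/ { n++ } END { print n + 0 }'
}

# Given a base priority string as $1 and the listing on stdin, print the
# base string with a "-VERS-..." keyword appended for each legacy protocol
# found, which is how GnuTLS priority strings disable individual protocols.
harden_priority() {
    extra=$(legacy_protocols | awk '{ printf ":-%s", $1 }')
    printf '%s%s\n' "$1" "$extra"
}

# Constructed listing mirroring the page's SECURE192 output.
SECURE192_LISTING='Cipher suites for SECURE192
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384         0xc0, 0x24   TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384         0xc0, 0x2e   TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384           0xc0, 0x30   TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256             0x00, 0x6b   TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256             0x00, 0x6a   TLS1.2
TLS_RSA_AES_256_CBC_SHA256                 0x00, 0x3d   TLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512'

# Demo when run directly: print the hardened priority string.
printf '%s\n' "$SECURE192_LISTING" | harden_priority SECURE192
```

The hardened string can be checked the same way it was derived: run `gnutls-cli --priority "$(...)" -l` again and confirm the Protocols: line no longer lists the removed versions.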

EXIT STATUS

One of the following exit values will be returned:

0

Successful program execution.

1

The operation failed or the command syntax was not valid.

SEE ALSO

gnutls-cli-debug(1), gnutls-serv(1)

AUTHORS

Nikos Mavrogiannopoulos, Simon Josefsson and others; see /usr/share/doc/gnutls-bin/AUTHORS for a complete list.

BUGS

Please send bug reports to: bug-gnutls@gnu.org

NOTES

This manual page was AutoGen-erated from the gnutls-cli option definitions.

COPYRIGHT

Copyright (C) 2000-2012 Free Software Foundation, all rights reserved. This program is released under the terms of the GNU General Public License, version 3 or later.