gnutls-cli — GnuTLS test client
Simple client program to set up a TLS connection to some other computer. It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.
-d, --debug LEVEL
            Specify the debug level. Default is 1.
-h, --help
            Prints a short reminder of the command line options.
-l, --list
            Print a list of the supported algorithms and modes.
-r, --resume
            Connect, establish a session. Connect again and resume this session.
-s, --starttls
            Connect, establish a plain session and start TLS when EOF or a SIGALRM is received.
-v, --version
            Prints the program's version number.
-V, --verbose
            More verbose output.
--priority PRIORITY STRING
            TLS algorithms and protocols to enable. Unless the first keyword is "NONE" the defaults are:
Protocols: TLS1.1, TLS1.0, and SSL3.0.
Compression: NULL.
Certificate types: X.509, OpenPGP.
Signature algorithms: RSA-SHA1, RSA-MD2, RSA-MD5, RSA-SHA256, RSA-SHA512, DSA-SHA1.
You can also use predefined sets of ciphersuites such as:
PERFORMANCE
            All the "secure" ciphersuites are enabled, limited to 128-bit ciphers and sorted by speed.
NORMAL
            Enables all "secure" ciphersuites. The 256-bit ciphers are included as a fallback only. The ciphers are sorted by security margin.
SECURE128
            Enables all "secure" ciphersuites with ciphers up to 128 bits, sorted by security margin.
SECURE256
            Enables all "secure" ciphersuites including the 256-bit ciphers, sorted by security margin.
EXPORT
            All the ciphersuites are enabled, including the low-security 40-bit ciphers.
NONE
            Nothing is enabled. This disables even protocols and compression methods.
Special keywords:
"!" or "-" prepended to an algorithm will remove this algorithm.
"+" prepended to an algorithm will add this algorithm.
"%COMPAT" will enable compatibility features for a server.
"%SSL3_RECORD_VERSION" forces the SSL3.0 record version in the first client hello, to keep buggy servers from terminating the connection.
"%UNSAFE_RENEGOTIATION" permits (re-)handshakes, even unsafe ones.
"%PARTIAL_RENEGOTIATION" prevents renegotiation with clients and servers not supporting the safe renegotiation extension. (default)
"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most secure and recommended option for clients. However, it will prevent connecting to legacy servers.
To avoid name collisions, a compression algorithm in this string must be prefixed with "COMP-", protocol versions with "VERS-" and certificate types with "CTYPE-". All other algorithms need no prefix.
Examples:
"NORMAL"
"NORMAL:%COMPAT"
"NORMAL:!AES-128-CBC"
"NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"
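The priority-string syntax above, as an added example that is not GnuTLS code: a small Python parser that splits a string into its base keyword, the algorithms added or removed (classified by the VERS-, COMP- and CTYPE- prefixes) and the %-keywords, plus a lint that flags EXPORT, %UNSAFE_RENEGOTIATION, and SSL3.0 being left enabled by the defaults described above. It assumes that a bare name with no operator counts as an addition, which the text does not state.

```python
# Added example (not GnuTLS code): parse and lint a gnutls-cli --priority string.
BASE_SETS = {"PERFORMANCE", "NORMAL", "SECURE128", "SECURE256", "EXPORT", "NONE"}
PREFIXES = {"VERS-": "protocol", "COMP-": "compression", "CTYPE-": "ctype"}


def parse_priority(spec):
    """Split a priority string into its base keyword, the algorithms added
    or removed per category, and the %-keywords, in order of appearance."""
    parts = [p for p in spec.split(":") if p]
    result = {"base": None, "add": {}, "remove": {}, "special": []}
    if parts and parts[0] in BASE_SETS:
        result["base"] = parts.pop(0)
    for item in parts:
        if item.startswith("%"):
            result["special"].append(item)
            continue
        # "!" or "-" removes an algorithm, "+" adds it.  A bare name is treated
        # as an addition here; that is an assumption, not documented above.
        if item[0] in "!-":
            bucket, name = result["remove"], item[1:]
        elif item[0] == "+":
            bucket, name = result["add"], item[1:]
        else:
            bucket, name = result["add"], item
        # Only compression, protocol versions and certificate types carry a prefix.
        category = "algorithm"
        for prefix, cat in PREFIXES.items():
            if name.startswith(prefix):
                category, name = cat, name[len(prefix):]
                break
        bucket.setdefault(category, []).append(name)
    return result


def lint_priority(spec):
    """Return warnings about settings a client should normally avoid."""
    p = parse_priority(spec)
    warnings = []
    if p["base"] == "EXPORT":
        warnings.append("EXPORT enables the low-security 40-bit ciphers")
    if "%UNSAFE_RENEGOTIATION" in p["special"]:
        warnings.append("%UNSAFE_RENEGOTIATION permits unsafe re-handshakes")
    # Every base keyword except NONE pulls in the default protocol list,
    # which includes SSL3.0, unless it is removed explicitly.
    ssl3_added = "SSL3.0" in p["add"].get("protocol", [])
    ssl3_removed = "SSL3.0" in p["remove"].get("protocol", [])
    if ssl3_added or (p["base"] not in (None, "NONE") and not ssl3_removed):
        warnings.append("SSL3.0 is enabled; append :!VERS-SSL3.0 to disable it")
    return warnings
```

For example, lint_priority("NORMAL:!VERS-SSL3.0") returns no warnings, while lint_priority("NORMAL") reports that SSL3.0 is still enabled.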
--crlf
            Send CR LF instead of LF.
-f, --fingerprint
            Send the OpenPGP fingerprint, instead of the key.
-p, --port integer
            The port to connect to.
--ciphers cipher1 cipher2...
            Ciphers to enable (use gnutls-cli --list to show the supported ciphers).
--protocols protocol1 protocol2...
            Protocols to enable (use gnutls-cli --list to show the supported protocols).
--comp comp1 comp2...
            Compression methods to enable (use gnutls-cli --list to show the supported methods).
--macs mac1 mac2...
            MACs to enable (use gnutls-cli --list to show the supported MACs).
--kx kx1 kx2...
            Key exchange methods to enable (use gnutls-cli --list to show the supported methods).
--ctypes certType1 certType2...
            Certificate types to enable (use gnutls-cli --list to show the supported types).
--recordsize integer
            The maximum record size to advertise.
--disable-extensions
            Disable all the TLS extensions.
--print-cert
            Print the certificate in PEM format.
--insecure
            Don't abort the program if server certificates can't be validated.
--pgpcertfile FILE
            PGP public key (certificate) file to use.
--pgpkeyfile FILE
            PGP key file to use.
--pgpkeyring FILE
            PGP key ring file to use.
--pgptrustdb FILE
            PGP trustdb file to use.
--pgpsubkey HEX|auto
            PGP subkey to use.
--srppasswd PASSWD
            SRP password to use.
--srpusername NAME
            SRP username to use.
--x509cafile FILE
            Certificate file to use. This option accepts PKCS #11 URLs such as pkcs11:token=Root%20CA%20Certificates;serial=1%3AROOTS%3ADEFAULT;model=1%2E0;manufacturer=Gnome%20Keyring
--x509certfile FILE
            X.509 certificate file to use, or a PKCS #11 URL.
--x509fmtder
            Use DER format for certificates.
--x509keyfile FILE
            X.509 key file or PKCS #11 URL to use.
--x509crlfile FILE
            X.509 CRL file to use.
--pskusername NAME
            PSK username to use.
--pskkey KEY
            PSK key (in hex) to use.
--opaque-prf-input DATA
            Use Opaque PRF Input DATA.