-d number, --debug=number
Enable debugging. This option takes an integer number as
its argument. The value of number is constrained to
being:
in the range 0 through 9999
Specifies the debug level.
-V, --verbose
More verbose output. This option may appear an unlimited
number of times.
--tofu, --no-tofu
Enable trust on first use authentication. The no-tofu
form will disable the option.
This option will, in addition to certificate
authentication, perform authentication based on previously
seen public keys, a model similar to SSH authentication.
Note that when tofu is specified, PKI and DANE
authentication become advisory, assisting the public
key acceptance process.
--strict-tofu, --no-strict-tofu
Fail to connect if a certificate is unknown or a known
certificate has changed. The no-strict-tofu form will
disable the option.
This option will perform authentication as with option
--tofu; however, no questions shall be asked whatsoever,
neither to accept an unknown certificate nor a changed
one.
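The difference between --tofu and --strict-tofu described above, as an added illustration (not gnutls-cli's own code): a known-hosts style store keyed by host and port, holding the SHA-256 of each server's DER-encoded public key. Unknown or changed keys are rejected outright in strict mode; otherwise a caller-supplied prompt decides, with the PKI result passed along as advisory information. The sample keys are constructed bytes, not real SubjectPublicKeyInfo structures.

```python
import hashlib
from typing import Callable, Dict, Optional

# Prompt callback: (status, "host:port", fingerprint, pki_verified) -> accept?
AskFn = Callable[[str, str, str, Optional[bool]], bool]


def key_fingerprint(der_spki: bytes) -> str:
    """Fingerprint of the server's public key (constructed DER bytes in the tests)."""
    return hashlib.sha256(der_spki).hexdigest()


class TofuStore:
    """Trust-on-first-use store: remembers one public-key fingerprint per host:port."""

    def __init__(self) -> None:
        self.known: Dict[str, str] = {}

    def check(self, host: str, port: int, der_spki: bytes, *,
              strict: bool = False, pki_verified: Optional[bool] = None,
              ask: Optional[AskFn] = None) -> str:
        """Return 'match', 'accepted-new', 'accepted-changed' or 'rejected'.

        strict=True models --strict-tofu: no prompt, fail on unknown or changed keys.
        strict=False models --tofu: the prompt decides; pki_verified is advisory only.
        """
        key = f"{host}:{port}"
        fp = key_fingerprint(der_spki)
        seen = self.known.get(key)
        if seen == fp:
            return "match"
        status = "unknown" if seen is None else "changed"
        if strict or ask is None:
            return "rejected"  # no questions asked whatsoever
        if not ask(status, key, fp, pki_verified):
            return "rejected"
        self.known[key] = fp  # remember the accepted key for later connections
        return "accepted-new" if status == "unknown" else "accepted-changed"
```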
--dane, --no-dane
Enable DANE certificate verification (DNSSEC). The
no-dane form will disable the option.
This option will, in addition to certificate
authentication using the trusted CAs, verify the server
certificates using the DANE information available via
DNSSEC.
--local-dns, --no-local-dns
Use the local DNS server for DNSSEC resolving. The
no-local-dns form will disable the option.
This option will use the local DNS server for DNSSEC.
This is disabled by default because many DNS servers do
not allow DNSSEC.
--ca-verification, --no-ca-verification
Enable CA certificate verification. The
no-ca-verification form will disable the option. This
option is enabled by default.
This option can be used to enable or disable CA
certificate verification. It is to be used with the --dane
or --tofu options.
--ocsp, --no-ocsp
Enable OCSP certificate verification. The no-ocsp form
will disable the option.
This option will enable verification of the peer's
certificate using OCSP.
-r, --resume
Establish a session and resume.
Connect, establish a session, reconnect and resume.
--earlydata=string
Send early data on resumption from the specified file.
-e, --rehandshake
Establish a session and rehandshake.
Connect, establish a session and rehandshake immediately.
--sni-hostname=string
Server's hostname for server name indication extension.
Set explicitly the server name used in the TLS server name
indication extension. That is useful when testing with
servers set up under a different DNS name than the
intended one. If not specified, the provided hostname is
used. Even with this option, server certificate
verification still uses the hostname passed on the main
command line. Use --verify-hostname to change this.
--verify-hostname=string
Server's hostname to use for validation.
Set explicitly the server name to be used when validating
the server's certificate.
-s, --starttls
Connect, establish a plain session and start TLS.
The TLS session will be initiated when EOF or a SIGALRM is
received.
--app-proto
This is an alias for the --starttls-proto option.
--starttls-proto=string
The application protocol to be used to obtain the server's
certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp,
pop3, nntp, sieve, postgres). This option must not appear
in combination with any of the following options:
starttls.
Specify the application layer protocol for STARTTLS. If
the protocol is supported, gnutls-cli will proceed to the
TLS negotiation.
-u, --udp
Use DTLS (datagram TLS) over UDP.
--mtu=number
Set MTU for datagram TLS. This option takes an integer
number as its argument. The value of number is
constrained to being:
in the range 0 through 17000
--crlf
Send CR LF instead of LF.
--fastopen
Enable TCP Fast Open.
--x509fmtder
Use DER format for certificates to read from.
--print-cert
Print peer's certificate in PEM format.
--save-cert=string
Save the peer's certificate chain in the specified file in
PEM format.
--save-ocsp=string
Save the peer's OCSP status response in the provided file.
This option must not appear in combination with any of the
following options: save-ocsp-multi.
--save-ocsp-multi=string
Save all OCSP responses provided by the peer in this file.
This option must not appear in combination with any of the
following options: save-ocsp.
The file will contain a list of PEM encoded OCSP status
responses if any were provided by the peer, starting with
the one for the peer's server certificate.
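A small reader for the file --save-ocsp-multi writes, added here as an example and not part of gnutls-cli: it splits a PEM bundle into (label, DER) blocks in file order, so the first OCSP block is the response for the server certificate as described above and each block can be fed to a separate decoder. The label "OCSP RESPONSE" is the one GnuTLS uses for PEM-exported OCSP responses; the sample bundle is constructed from placeholder bytes, not real responses.

```python
import base64
from typing import List, Tuple

PEM_LABEL = "OCSP RESPONSE"  # label used by GnuTLS for PEM-encoded OCSP responses


def parse_pem_bundle(text: str) -> List[Tuple[str, bytes]]:
    """Split a PEM bundle into (label, DER bytes), preserving file order."""
    blocks: List[Tuple[str, bytes]] = []
    label = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, body = line[len("-----BEGIN "):-5], []
        elif line.startswith("-----END ") and label is not None:
            if line[len("-----END "):-5] != label:
                raise ValueError(f"END label does not match BEGIN {label!r}")
            blocks.append((label, base64.b64decode("".join(body), validate=True)))
            label = None
        elif label is not None and line:
            body.append(line)
    if label is not None:
        raise ValueError("truncated PEM block")
    return blocks


def ocsp_responses(text: str) -> List[bytes]:
    """DER OCSP responses from a --save-ocsp-multi file; index 0 is the server cert's."""
    return [der for lbl, der in parse_pem_bundle(text) if lbl == PEM_LABEL]


def make_bundle(payloads: List[bytes]) -> str:
    """Build a constructed bundle in the same layout (64-column base64 lines)."""
    out = []
    for der in payloads:
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append(f"-----BEGIN {PEM_LABEL}-----\n" + "\n".join(lines) + f"\n-----END {PEM_LABEL}-----")
    return "\n".join(out) + "\n"


# Constructed sample: two placeholder "responses", server certificate first.
SAMPLE = make_bundle([b"placeholder-ocsp-for-server-cert" * 4, b"placeholder-ocsp-for-intermediate"])
```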
--save-server-trace=string
Save the server-side TLS message trace in the provided
file.
--save-client-trace=string
Save the client-side TLS message trace in the provided
file.
--dh-bits=number
The minimum number of bits allowed for DH. This option
takes an integer number as its argument.
This option sets the minimum number of bits allowed for a
Diffie-Hellman key exchange. You may want to lower the
default value if the peer sends a weak prime and you get
a connection error about an unacceptable prime.
--priority=string
Priorities string.
TLS algorithms and protocols to enable. You can use
predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, PFS, SECURE128, SECURE256. The default is NORMAL.
Check the GnuTLS manual, section 'Priority strings', for
more information on the allowed keywords.
--x509cafile=string
Certificate file or PKCS #11 URL to use.
--x509crlfile=file
CRL file to use.
--x509keyfile=string
X.509 key file or PKCS #11 URL to use.
--x509certfile=string
X.509 Certificate file or PKCS #11 URL to use. This
option must appear in combination with the following
options: x509keyfile.
--rawpkkeyfile=string
Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to
use.
In order to instruct the application to negotiate raw
public keys one must enable the respective certificate
types via the priority strings (i.e. CTYPE-CLI-* and
CTYPE-SRV-* flags).
Check the GnuTLS manual on section 'Priority
strings' for more information on how to set certificate
types.
--rawpkfile=string
Raw public-key file to use. This option must appear in
combination with the following options: rawpkkeyfile.
In order to instruct the application to negotiate raw
public keys one must enable the respective certificate
types via the priority strings (i.e. CTYPE-CLI-* and
CTYPE-SRV-* flags).
Check the GnuTLS manual on section 'Priority
strings' for more information on how to set certificate
types.
--srpusername=string
SRP username to use.
--srppasswd=string
SRP password to use.
--pskusername=string
PSK username to use.
--pskkey=string
PSK key (in hex) to use.
-p string, --port=string
The port or service to connect to.
--insecure
Don't abort program if server certificate can't be
validated.
--verify-allow-broken
Allow broken algorithms, such as MD5 for certificate
verification.
--ranges
Use length-hiding padding to prevent traffic analysis.
When possible (e.g., when using CBC ciphersuites), use
length-hiding padding to prevent traffic analysis.
NOTE: THIS OPTION IS DEPRECATED
--benchmark-ciphers
Benchmark individual ciphers.
By default the benchmarked ciphers will utilize any
capabilities of the local CPU to improve performance. To
test against the raw software implementation set the
environment variable GNUTLS_CPUID_OVERRIDE to 0x1.
--benchmark-tls-kx
Benchmark TLS key exchange methods.
--benchmark-tls-ciphers
Benchmark TLS ciphers.
By default the benchmarked ciphers will utilize any
capabilities of the local CPU to improve performance. To
test against the raw software implementation set the
environment variable GNUTLS_CPUID_OVERRIDE to 0x1.
-l, --list
Print a list of the supported algorithms and modes. This
option must not appear in combination with any of the
following options: port.
Print a list of the supported algorithms and modes. If a
priority string is given then only the enabled
ciphersuites are shown.
--priority-list
Print a list of the supported priority strings.
Print a list of the supported priority strings. The
ciphersuites corresponding to each priority string can be
examined using -l -p.
--noticket
Don't allow session tickets.
Disable requesting session tickets under TLS 1.2 or
earlier.
--srtp-profiles=string
Offer SRTP profiles.
--alpn=string
Application layer protocol. This option may appear an
unlimited number of times.
This option will set and enable the Application Layer
Protocol Negotiation (ALPN) in the TLS protocol.
-b, --heartbeat
Activate heartbeat support.
--recordsize=number
The maximum record size to advertise. This option takes
an integer number as its argument. The value of number is
constrained to being:
in the range 0 through 4096
--disable-sni
Do not send a Server Name Indication (SNI).
--disable-extensions
Disable all the TLS extensions.
This option disables all TLS extensions. Deprecated
option. Use the priority string.
NOTE: THIS OPTION IS DEPRECATED
--single-key-share
Send a single key share under TLS1.3.
This option switches from the default mode of sending
multiple key shares to sending a single one (the top one).
--post-handshake-auth
Enable post-handshake authentication under TLS1.3.
This option enables post-handshake authentication under
TLS1.3.
--inline-commands
Inline commands of the form ^<cmd>^.
Enable inline commands of the form ^<cmd>^. The inline
commands are expected to be in a line by themselves. The
available commands are: resume, rekey1 (local rekey),
rekey (rekey on both peers) and renegotiate.
--inline-commands-prefix=string
Change the default delimiter for inline commands.
Change the default delimiter (^) used for inline commands.
The delimiter is expected to be a single US-ASCII
character (octets 0 - 127). This option is only relevant
if inline commands are enabled via the inline-commands
option.
--provider=file
Specify the PKCS #11 provider library.
This will override the default options in
/etc/gnutls/pkcs11.conf.
--fips140-mode
Reports the status of the FIPS140-2 mode in the gnutls
library.
--logfile=string
Redirect informational messages to a specific file.
Redirect informational messages to a specific file. The
file may also be /dev/null, which keeps the gnutls client
quiet when it is used in piped server connections where
only the server communication may appear on stdout.
--keymatexport=string
Label used for exporting keying material.
--keymatexportsize=number
Size of the exported keying material. This option takes
an integer number as its argument.
--waitresumption
Block waiting for the resumption data under TLS1.3.
This option makes the client block waiting for the
resumption data under TLS1.3. The option has effect only
when --resume is provided.
--ca-auto-retrieve, --no-ca-auto-retrieve
Enable automatic retrieval of missing CA certificates.
The no-ca-auto-retrieve form will disable the option.
This option enables the client to automatically retrieve
the missing intermediate CA certificates in the
certificate chain, based on the Authority Information
Access (AIA) extension.
-h, --help
Display usage information and exit.
-!, --more-help
Pass the extended usage information through a pager.
-v [{v|c|n}], --version[={v|c|n}]
Output version of program and exit. The default mode is
`v', a simple version. The `c' mode will print copyright
information and `n' will print the full copyright notice.