NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Program control options

-d, --debug LEVEL

Specify the debug level. Default is 1.

-h, --help

prints this help

-l, --list

Print a list of the supported algorithms and modes.

-q, --quiet

Suppress some messages.

-v, --version

prints the program's version number

Server options

-p, --port integer

The port to listen on.

--nodb

Does not use the resume database.

--http

Act as an HTTP Server.

--echo

Act as an Echo Server.

TLS/SSL control options

--priority PRIORITY STRING

TLS algorithms and protocols to enable. Unless the first keyword is "NONE" the defaults are:

Protocols: TLS1.1, TLS1.0, and SSL3.0.

Compression: NULL.

Certificate types: X.509, OpenPGP.

You can also use predefined sets of ciphersuites such as:

PERFORMANCE all the "secure" ciphersuites are enabled, limited to 128 bit ciphers and sorted by terms of speed performance.

NORMAL option enables all "secure" ciphersuites. The 256-bit ciphers are included as a fallback only. The ciphers are sorted by security margin.

SECURE128 flag enables all "secure" ciphersuites with ciphers up to 128 bits, sorted by security margin.

SECURE256 flag enables all "secure" ciphersuites including the 256 bit ciphers, sorted by security margin.

EXPORT all the ciphersuites are enabled, including the low-security 40 bit ciphers.

NONE nothing is enabled. This disables even protocols and compression methods.

Special keywords:

"!" or "-" appended with an algorithm will remove this algorithm.

"+" appended with an algorithm will add this algorithm.

"%COMPAT" will enable compatibility features for a server.

"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones.

"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not supporting the safe renegotiation extension. (default)

"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most secure and recommended option for clients. However this will prevent from connecting to legacy servers.

To avoid collisions in order to specify a compression algorithm in this string you have to prefix it with "COMP-", protocol versions with "VERS-" and certificate types with "CTYPE-". All other algorithms don't need a prefix.

Examples:

"NORMAL"

"NORMAL:%COMPAT"

"NORMAL:!AES-128-CBC"

"NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"

-g, --generate

Generate Diffie-Hellman Parameters.

--kx kx1 kx2...

Key exchange methods to enable (use gnutls-cli --list to show the supported key exchange methods).

-p, --port integer

The port to connect to.

Certificate options

--pgpcertfile FILE

PGP Public Key (certificate) file to use.

--pgpkeyfile FILE

PGP Key file to use.

--pgpkeyring FILE

PGP Key ring file to use.

--pgptrustdb FILE

PGP trustdb file to use.

--srppasswd FILE

SRP password file to use.

--srppasswdconf FILE

SRP password configuration file to use.

--x509cafile FILE

Certificate file to use.

--x509certfile FILE

X.509 Certificate file to use.

--x509fmtder

Use DER format for certificates

--x509keyfile FILE

X.509 key file to use.

SEE ALSO

AUTHOR

Nikos Mavroyanopoulos <nmav@gnutls.org> and others; see /usr/share/doc/gnutls-bin/AUTHORS for a complete list.

This manual page was written by Ivo Timmermans <ivo@debian.org>, for the Debian GNU/Linux system (but may be used by others).

Index

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Program control options

Server options

TLS/SSL control options

Certificate options

SEE ALSO

AUTHOR