|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
|
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | EXIT STATUS | SEE ALSO | AUTHORS | COPYRIGHT | BUGS | COLOPHON |
|
|
|
gnutls-cli-debug(1) User Commands gnutls-cli-debug(1)
gnutls-cli-debug - GnuTLS debug client
gnutls-cli-debug [-flags] [-flag [value]] [--option-name[[=|
]value]] [hostname]
Operands and options may be intermixed. They will be reordered.
TLS debug client. It sets up multiple TLS connections to a server
and queries its capabilities. It was created to assist in
debugging GnuTLS, but it might be useful to extract a TLS server's
capabilities. It connects to a TLS server, performs tests and
print the server's capabilities. If called with the `-V' parameter
more checks will be performed. Can be used to check for servers
with special needs or bugs.
-d num, --debug=num Enable debugging. This option takes an
integer number as its argument. The value of num is constrained
to being:
in the range 0 through 9999
Specifies the debug level.
-V, --verbose More verbose output.
-p num, --port=num The port to connect to. This option takes an
integer number as its argument. The value of num is constrained
to being:
in the range 0 through 65536
--app-proto This is an alias for the --starttls-proto option.
--starttls-proto=str The application protocol to be used to obtain
the server's certificate (https, ftp, smtp, imap, ldap, xmpp,
lmtp, pop3, nntp, sieve, postgres).
Specify the application layer protocol for STARTTLS. If the
protocol is supported, gnutls-cli will proceed to the TLS
negotiation.
--attime=timestamp Perform validation at the timestamp instead of
the system time.
timestamp is an instance in time encoded as Unix time or in a
human
readable timestring such as "29 Feb 2004", "2004-02-29". Full
documentation available at
<https://www.gnu.org/software/coreutils/manual/html_node/Date-input-formats.html>
or locally via info '(coreutils) date invocation'.
-v arg, --version=arg Output version of program and exit. The
default mode is `v', a simple version. The `c' mode will print
copyright information and `n' will print the full copyright
notice.
-h, --help Display usage information and exit.
-!, --more-help Pass the extended usage information through a
pager.
$ gnutls-cli-debug localhost
GnuTLS debug client 3.5.0
Checking localhost:443
for SSL 3.0 (RFC6101) support... yes
whether we need to disable TLS 1.2... no
whether we need to disable TLS 1.1... no
whether we need to disable TLS 1.0... no
whether %NO_EXTENSIONS is required... no
whether %COMPAT is required... no
for TLS 1.0 (RFC2246) support... yes
for TLS 1.1 (RFC4346) support... yes
for TLS 1.2 (RFC5246) support... yes
fallback from TLS 1.6 to... TLS1.2
for RFC7507 inappropriate fallback... yes
for HTTPS server name... Local
for certificate chain order... sorted
for safe renegotiation (RFC5746) support... yes
for Safe renegotiation support (SCSV)... no
for encrypt-then-MAC (RFC7366) support... no
for ext master secret (RFC7627) support... no
for heartbeat (RFC6520) support... no
for version rollback bug in RSA PMS... dunno
for version rollback bug in Client Hello... no
whether the server ignores the RSA PMS version... yes
whether small records (512 bytes) are tolerated on handshake... yes
whether cipher suites not in SSL 3.0 spec are accepted... yes
whether a bogus TLS record version in the client hello is accepted... yes
whether the server understands TLS closure alerts... partially
whether the server supports session resumption... yes
for anonymous authentication support... no
for ephemeral Diffie-Hellman support... no
for ephemeral EC Diffie-Hellman support... yes
ephemeral EC Diffie-Hellman group info... SECP256R1
for AES-128-GCM cipher (RFC5288) support... yes
for AES-128-CCM cipher (RFC6655) support... no
for AES-128-CCM-8 cipher (RFC6655) support... no
for AES-128-CBC cipher (RFC3268) support... yes
for CAMELLIA-128-GCM cipher (RFC6367) support... no
for CAMELLIA-128-CBC cipher (RFC5932) support... no
for 3DES-CBC cipher (RFC2246) support... yes
for ARCFOUR 128 cipher (RFC2246) support... yes
for MD5 MAC support... yes
for SHA1 MAC support... yes
for SHA256 MAC support... yes
for ZLIB compression support... no
for max record size (RFC6066) support... no
for OCSP status response (RFC6066) support... no
for OpenPGP authentication (RFC6091) support... no
You could also use the client to debug services with
starttls capability.
$ gnutls-cli-debug --starttls-proto smtp --port 25 localhost
One of the following exit values will be returned:
0 (EXIT_SUCCESS) Successful program execution.
1 (EXIT_FAILURE) The operation failed or the command syntax was
not valid.
gnutls-cli(1), gnutls-serv(1)
Copyright (C) 2020-2023 Free Software Foundation, and others all
rights reserved. This program is released under the terms of the
GNU General Public License, version 3 or later
Please send bug reports to: bugs@gnutls.org
This page is part of the GnuTLS (GnuTLS Transport Layer Security
Library) project. Information about the project can be found at
⟨http://www.gnutls.org/⟩. If you have a bug report for this
manual page, send it to bugs@gnutls.org. This page was obtained
from the tarball fetched from
⟨https://www.gnupg.org/ftp/gcrypt/gnutls/⟩ on 2025-08-11. If you
discover any rendering problems in this HTML version of the page,
or you believe there is a better or more up-to-date source for the
page, or you have corrections or improvements to the information
in this COLOPHON (which is not part of the original manual page),
send a mail to man-pages@man7.org
3.8.10 09 Jul 2025 gnutls-cli-debug(1)
Pages that refer to this page: gnutls-cli(1), gnutls-serv(1), psktool(1), srptool(1)
|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|