1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
|
@node gnutls-cli-debug Invocation
@heading Invoking gnutls-cli-debug
@pindex gnutls-cli-debug
TLS debug client. It sets up multiple TLS connections to
a server and queries its capabilities. It was created to assist in debugging
GnuTLS, but it might be useful to extract a TLS server's capabilities.
It connects to a TLS server, performs tests and print the server's
capabilities. If called with the `-V' parameter more checks will be performed.
Can be used to check for servers with special needs or bugs.
@anchor{gnutls-cli-debug usage}
@subheading gnutls-cli-debug help/usage (@option{-?})
@cindex gnutls-cli-debug help
The text printed is the same whether selected with the @code{help} option
(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
the usage text by passing it through a pager program.
@code{more-help} is disabled on platforms without a working
@code{fork(2)} function. The @code{PAGER} environment variable is
used to select the program, defaulting to @file{more}. Both will exit
with a status code of 0.
@exampleindent 0
@example
gnutls-cli-debug - GnuTLS debug client
Usage: gnutls-cli-debug [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [hostname]
None:
-d, --debug=num Enable debugging
- it must be in the range:
0 to 9999
-V, --verbose More verbose output
-p, --port=num The port to connect to
- it must be in the range:
0 to 65536
--app-proto an alias for the 'starttls-proto' option
--starttls-proto=str The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)
--attime=str Perform validation at the timestamp instead of the system time
Version, usage and configuration options:
-v, --version[=arg] output version information and exit
-h, --help display extended usage information and exit
-!, --more-help extended usage information passed thru pager
Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
Operands and options may be intermixed. They will be reordered.
TLS debug client. It sets up multiple TLS connections to
a server and queries its capabilities. It was created to assist in debugging
GnuTLS, but it might be useful to extract a TLS server's capabilities.
It connects to a TLS server, performs tests and print the server's
capabilities. If called with the `-V' parameter more checks will be performed.
Can be used to check for servers with special needs or bugs.
Please send bug reports to: <bugs@@gnutls.org>
@end example
@exampleindent 4
@subheading debug option (-d).
@anchor{gnutls-cli-debug debug}
This is the ``enable debugging'' option.
This option takes a ArgumentType.NUMBER argument.
Specifies the debug level.
@subheading app-proto option.
@anchor{gnutls-cli-debug app-proto}
This is an alias for the @code{starttls-proto} option,
@pxref{gnutls-cli-debug starttls-proto, the starttls-proto option documentation}.
@subheading starttls-proto option.
@anchor{gnutls-cli-debug starttls-proto}
This is the ``the application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)'' option.
This option takes a ArgumentType.STRING argument.
Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.
@subheading attime option.
@anchor{gnutls-cli-debug attime}
This is the ``perform validation at the timestamp instead of the system time'' option.
This option takes a ArgumentType.STRING argument @file{timestamp}.
timestamp is an instance in time encoded as Unix time or in a human
readable timestring such as "29 Feb 2004", "2004-02-29".
Full documentation available at
<https://www.gnu.org/software/coreutils/manual/html_node/Date-input-formats.html>
or locally via info '(coreutils) date invocation'.
@subheading version option (-v).
@anchor{gnutls-cli-debug version}
This is the ``output version information and exit'' option.
This option takes a ArgumentType.KEYWORD argument.
Output version of program and exit. The default mode is `v', a simple
version. The `c' mode will print copyright information and `n' will
print the full copyright notice.
@subheading help option (-h).
@anchor{gnutls-cli-debug help}
This is the ``display extended usage information and exit'' option.
Display usage information and exit.
@subheading more-help option (-!).
@anchor{gnutls-cli-debug more-help}
This is the ``extended usage information passed thru pager'' option.
Pass the extended usage information through a pager.
@anchor{gnutls-cli-debug exit status}
@subheading gnutls-cli-debug exit status
One of the following exit values will be returned:
@table @samp
@item 0 (EXIT_SUCCESS)
Successful program execution.
@item 1 (EXIT_FAILURE)
The operation failed or the command syntax was not valid.
@end table
@anchor{gnutls-cli-debug See Also}
@subsubheading gnutls-cli-debug See Also
gnutls-cli(1), gnutls-serv(1)
@anchor{gnutls-cli-debug Examples}
@subsubheading gnutls-cli-debug Examples
@example
$ gnutls-cli-debug localhost
GnuTLS debug client 3.5.0
Checking localhost:443
for SSL 3.0 (RFC6101) support... yes
whether we need to disable TLS 1.2... no
whether we need to disable TLS 1.1... no
whether we need to disable TLS 1.0... no
whether %NO_EXTENSIONS is required... no
whether %COMPAT is required... no
for TLS 1.0 (RFC2246) support... yes
for TLS 1.1 (RFC4346) support... yes
for TLS 1.2 (RFC5246) support... yes
fallback from TLS 1.6 to... TLS1.2
for RFC7507 inappropriate fallback... yes
for HTTPS server name... Local
for certificate chain order... sorted
for safe renegotiation (RFC5746) support... yes
for Safe renegotiation support (SCSV)... no
for encrypt-then-MAC (RFC7366) support... no
for ext master secret (RFC7627) support... no
for heartbeat (RFC6520) support... no
for version rollback bug in RSA PMS... dunno
for version rollback bug in Client Hello... no
whether the server ignores the RSA PMS version... yes
whether small records (512 bytes) are tolerated on handshake... yes
whether cipher suites not in SSL 3.0 spec are accepted... yes
whether a bogus TLS record version in the client hello is accepted... yes
whether the server understands TLS closure alerts... partially
whether the server supports session resumption... yes
for anonymous authentication support... no
for ephemeral Diffie-Hellman support... no
for ephemeral EC Diffie-Hellman support... yes
ephemeral EC Diffie-Hellman group info... SECP256R1
for AES-128-GCM cipher (RFC5288) support... yes
for AES-128-CCM cipher (RFC6655) support... no
for AES-128-CCM-8 cipher (RFC6655) support... no
for AES-128-CBC cipher (RFC3268) support... yes
for CAMELLIA-128-GCM cipher (RFC6367) support... no
for CAMELLIA-128-CBC cipher (RFC5932) support... no
for 3DES-CBC cipher (RFC2246) support... yes
for ARCFOUR 128 cipher (RFC2246) support... yes
for MD5 MAC support... yes
for SHA1 MAC support... yes
for SHA256 MAC support... yes
for ZLIB compression support... no
for max record size (RFC6066) support... no
for OCSP status response (RFC6066) support... no
for OpenPGP authentication (RFC6091) support... no
@end example
You could also use the client to debug services with starttls capability.
@example
$ gnutls-cli-debug --starttls-proto smtp --port 25 localhost
@end example
|
