.SS TLS/SSL control options
.IP "\-\-priority \fIPRIORITY STRING\fR"
TLS algorithms and protocols to enable.
Unless the first keyword is "NONE" the defaults are:
Protocols: TLS1.1, TLS1.0, and SSL3.0.
Certificate types: X.509, OpenPGP.
Signature algorithms: RSA-SHA1, RSA-MD2, RSA-MD5, RSA-SHA256, RSA-SHA512,
You can use predefined sets of ciphersuites such as:
all the "secure" ciphersuites are enabled, limited to 128 bit
nothing is enabled. This disables even protocols and
compression methods.
"!" or "-" prefixed to an algorithm removes that algorithm.
"+" prefixed to an algorithm adds that algorithm.
"%COMPAT" will enable compatibility features for a server.
"%SSL3_RECORD_VERSION" forces the SSL3.0 record version in the first client
hello. This avoids buggy servers terminating the connection.
"%UNSAFE_RENEGOTIATION" permits (re-)handshakes, even unsafe ones.
"%PARTIAL_RENEGOTIATION" prevents renegotiation with clients and servers that
do not support the safe renegotiation extension. (default)
"%SAFE_RENEGOTIATION" enables safe renegotiation. This is the most
secure and recommended option for clients. However, it will prevent
connecting to legacy servers.
To avoid name collisions, a compression algorithm in this string must be
prefixed with "COMP-", a protocol version with "VERS-" and a certificate
type with "CTYPE-". All other algorithms need no prefix.
Check the GnuTLS manual, section "Priority strings", for
more information on the allowed keywords.
"NORMAL:!AES-128-CBC"
"NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"
"NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
"NORMAL:-ARCFOUR-128" means normal ciphers except for ARCFOUR-128.
"SECURE:-VERS-SSL3.0:+COMP-DEFLATE" means that only secure ciphers are
enabled, SSL3.0 is disabled, and libz compression is enabled.
"NONE:+VERS-TLS-ALL:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1"
"NORMAL:%COMPAT" is the most compatible mode.
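As an added illustration of the keyword rules described above, and not code from this manual page or from GnuTLS itself, the following Python model resolves the example strings with the first-keyword, "+", "-"/"!" and "%" semantics and then checks whether SSL3.0 survives. The contents of NONE/NORMAL/SECURE and the expansions of the "-ALL" keywords are assumed stand-ins; the real sets differ.

```python
# Toy resolver for the priority-string syntax documented above. The preset
# contents and the "-ALL" group expansions are ASSUMED stand-ins for
# illustration: this is not GnuTLS's own code and the real sets differ.
PRESETS = {
    "NONE": frozenset(),
    "NORMAL": frozenset({"VERS-TLS1.1", "VERS-TLS1.0", "VERS-SSL3.0",
                         "AES-128-CBC", "ARCFOUR-128", "RSA", "SHA1",
                         "COMP-NULL"}),
    "SECURE": frozenset({"VERS-TLS1.1", "VERS-TLS1.0", "VERS-SSL3.0",
                         "AES-128-CBC", "RSA", "SHA1", "COMP-NULL"}),
}
GROUPS = {  # assumed expansions of the "-ALL" keywords used in the examples
    "VERS-TLS-ALL": {"VERS-TLS1.1", "VERS-TLS1.0"},
    "MAC-ALL": {"SHA1", "SHA256"},
    "SIGN-ALL": {"SIGN-RSA-SHA1", "SIGN-RSA-SHA256"},
}
WEAK_VERSIONS = {"VERS-SSL3.0"}  # protocol keywords a defender wants disabled

def expand(keyword):
    """Map one keyword to the concrete algorithm names it stands for."""
    return set(GROUPS.get(keyword, {keyword}))

def resolve(priority):
    """Apply the documented rules to a priority string.
    The first keyword selects a predefined set (modelled here as required);
    "+X" adds X, "-X" or "!X" removes X, "%X" records a behaviour option.
    Returns (enabled algorithm names, option names)."""
    keywords = priority.split(":")
    if keywords[0] not in PRESETS:
        raise ValueError(f"first keyword must be a predefined set: {keywords[0]!r}")
    enabled, options = set(PRESETS[keywords[0]]), set()
    for kw in keywords[1:]:
        if kw.startswith("%"):
            options.add(kw[1:])
        elif kw.startswith("+"):
            enabled |= expand(kw[1:])
        elif kw and kw[0] in "-!":
            enabled -= expand(kw[1:])
        else:
            raise ValueError(f"keyword needs a +, -, ! or % prefix: {kw!r}")
    return enabled, options

def weak_protocols(priority):
    """Configuration check: weak protocol versions still enabled by the string."""
    enabled, _ = resolve(priority)
    return sorted(enabled & WEAK_VERSIONS)
```

Under the assumed sets, "NORMAL" alone still reports VERS-SSL3.0, while "SECURE:-VERS-SSL3.0:+COMP-DEFLATE" reports nothing weak.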
Send CR LF instead of LF.
.IP "\-\-srpusername \fINAME\fR"
SRP username to use.
.IP "\-\-x509cafile \fIFILE\fR"
Certificate file to use. This option accepts PKCS #11 URLs such as
.IP "\-\-x509certfile \fIFILE\fR"
X.509 Certificate file to use, or a PKCS #11 URL.
.IP "\-\-x509fmtder"
Use DER format for certificates.
.IP "\-\-x509keyfile \fIFILE\fR"
X.509 key file or PKCS #11 URL to use.
.IP "\-\-x509crlfile \fIFILE\fR"
X.509 CRL file to use.
.IP "\-\-pskusername \fINAME\fR"
.BR gnutls\-serv (1)
Nikos Mavrogiannopoulos <nmav@gnutls.org> and others; see
/usr/share/doc/gnutls\-bin/AUTHORS for a complete list.
This manual page was written by Ivo Timmermans <ivo@debian.org>, for