1 files changed, 9 insertions, 7 deletions

diff --git a/Completion/Unix/Command/_gnutls b/Completion/Unix/Command/_gnutls
index 2cd559843..1c14de791 100644
--- a/Completion/Unix/Command/_gnutls
+++ b/Completion/Unix/Command/_gnutls
@@ -54,13 +54,14 @@ case "$service" in
   gnutls-cli)
     args+=(
       '--tofu[enable trust on first use authentication]' '!--no-tofu'
-      '--strict-tofu[fail to connect if a known certificate has changed]' '!--no-strict-tofu'
+      '--strict-tofu[fail to connect if a certificate is unknown or has changed]' '!--no-strict-tofu'
       '--dane[enable DANE certificate verification (DNSSEC)]' '!--no-dane'
       '--local-dns[use the local DNS server for DNSSEC resolving]' '!--no-local-dna'
       '--no-ca-verification[disable CA certificate verification]' '!--ca-verification'
       '--ocsp[enable OCSP certificate verification]' '!--no-oscp'
       '(-r --resume)'{-r,--resume}'[establish a session and resume]'
       '(-e --rehandshake)'{-e,--rehandshake}'[connect, establish a session and rehandshake immediately]'
+      "--verify-hostname-str=[specify server's hostname to use for validation]:hostname"
       '(-s --starttls)'{-s,--starttls}'[start TLS on EOF or SIGALRM]'
       '--crlf[send CR LF instead of LF]'
       '--fastopen[enable TCP Fast Open]'
@@ -75,7 +76,6 @@ case "$service" in
       '--pskusername[specify PSK username to use]:username'
       '--pskkey[specify PSK key to use]:key'
       "--insecure[don't require server cert validation]"
-      '--ranges[use length-hiding padding to prevent traffic analysis]'
       '--benchmark-ciphers[benchmark individual ciphers]'
       '--benchmark-soft-ciphers[benchmark individual software ciphers]'
       '--benchmark-tls-kx[benchmark TLS key exchange methods]'
@@ -84,7 +84,8 @@ case "$service" in
       '*--alpn=[enable application layer protocol]:string'
       '--recordsize=[specify maximum record size to advertize]:record size'
       "--disable-sni[don't send a Server Name]"
-      '--disable-extensions[disable all the TLS extensions]'
+      '--single-key-share[send a single key share under TLS1.3]'
+      '--post-handshake-auth[enable post-handshake authentication under TLS1.3]'
       '--inline-commands[inline commands of the form ^<cmd>^]'
       '--inline-commands-prefix=[change delimiter used for inline commands]:delimiter [^]'
       '--fips140-mode[report status of FIPS140-2 mode in gnutls library]'
@@ -96,20 +97,22 @@ case "$service" in
       '--sni-hostname-fatal[send fatal alert on sni-hostname mismatch]'
       '*--alpn=[specify ALPN protocol to be enabled by the server]:protocol'
       '--alpn-fatal[send fatal alert on non-matching ALPN name]'
+      "--nocookie[don't require cookie on DTLS sessions]"
       '(-g --generate)'{-g,--generate}'[generate Diffie-Hellman parameters]'
       '(-q --quiet)'{-q,--quiet}'[suppress some messages]'
       "--nodb[don't use a resumption database]"
       '--http[act as an HTTP server]'
       '--echo[act as an Echo server]'
-      '(-a --disable-client-cert)'{-a,--disable-client-cert}"[don't request a client certificate]"
-      '(-r --require-client-cert)'{-r,--require-client-cert}'[require a client certificate]'
+      '(-a --disable-client-cert -r --require-client-cert)'{-a,--disable-client-cert}"[don't request a client certificate]"
+      '(-a --disable-client-cert -r --require-client-cert)'{-r,--require-client-cert}'[require a client certificate]'
       '--verify-client-cert[if a client certificate is sent then verify it]'
       '--dhparams=[specify DH params file to use]:file:_files'
       '--srppasswd=[specify SRP password file to use]:file:_files'
       '--srppasswdconf=[specify SRP password configuration file to use]:file:_files'
       '--pskpasswd=[specify PSK password file to use]:file:_files'
       '--pskhint=[specify PSK identity hint to use]:string'
-      '--ocsp-response=[specify OCSP response to send to client]:file:_files'
+      '*--ocsp-response=[specify OCSP response to send to client]:string:_files'
+      '--ignore-ocsp-response-errors[ignore any errors when setting the OCSP response]'
     )
   ;;
 
@@ -158,7 +161,6 @@ case "$service" in
       '--empty-password[enforce an empty password]'
       '--key-type=[specify the key type to use on key generation]:key type'
       '(-i --certificate-info)'{-i,--certificate-info}'[print information on a certificate]'
-      '--certificate-pubkey[print certificate public key]'
       '(-l --crl-info)'{-l,--crl-info}'[print information on a CRL]'
       '--crq-info[print information on a certificate request]'
       "--no-crq-extensions[don't use extensions in certificate requests]"