
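AutoGen Definitions options;
prog-name     = gnutls-serv;
prog-title    = "GnuTLS server";
prog-desc     = "Simple server program to act as an HTTPS or TLS echo service.";
short-usage   = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
explain       = "";
detail        = "Server program that listens to incoming TLS connections.";

#include args-std.def

// gnutls-serv is a test and debugging server (see the EXAMPLES section).
// Several options below deliberately weaken the security properties of the
// TLS connection (--earlydata, --nocookie, --disable-client-cert, anonymous
// priority strings); their documentation says so explicitly.

flag = {
    name      = sni-hostname;
    descrip   = "Server's hostname for server name extension";
    arg-type  = string;
    doc      = "Server name of type host_name that the server will recognise as its own. If the server receives a client hello with a different name, it will send a warning-level unrecognized_name alert (see --sni-hostname-fatal to make the mismatch fatal).";
};

flag = {
    name      = sni-hostname-fatal;
    descrip   = "Send fatal alert on sni-hostname mismatch";
    doc      = "When the server name sent by the client does not match --sni-hostname, send a fatal unrecognized_name alert instead of a warning-level one.";
};

flag = {
    name      = alpn;
    arg-type  = string;
    descrip   = "Specify ALPN protocol to be enabled by the server";
    doc      = "Specify the (textual) ALPN protocol for the server to use. The option may be given more than once to enable several protocols.";
    stack-arg;
    max       = NOLIMIT;
};

flag = {
    name      = alpn-fatal;
    descrip   = "Send fatal alert on non-matching ALPN name";
    doc      = "Send a fatal alert when none of the ALPN protocols offered by the client matches a protocol given with --alpn.";
};

flag = {
    name      = noticket;
    descrip   = "Don't accept session tickets";
    doc      = "Do not accept session tickets for session resumption.";
};

flag = {
    name      = earlydata;
    descrip   = "Accept early data";
    doc      = "Accept TLS 1.3 early data (0-RTT). Early data is not protected against replay by the protocol, so only enable this for testing or when the application data carried as early data is idempotent. See --maxearlydata.";
};

flag = {
    name      = maxearlydata;
    arg-type  = number;
    arg-range = "1->4294967295";
    descrip   = "The maximum early data size to accept";
    doc      = "The maximum amount of early data (in bytes) the server will accept. Only meaningful together with --earlydata.";
};

flag = {
    name      = nocookie;
    descrip   = "Don't require cookie on DTLS sessions";
    doc      = "Skip the DTLS cookie exchange. The cookie exchange lets the server verify the client's source address before allocating session state; without it the server can be abused for denial-of-service and amplification from spoofed addresses. Use only for testing.";
};

flag = {
    name      = generate;
    value     = g;
    descrip   = "Generate Diffie-Hellman parameters";
    doc      = "Generate new Diffie-Hellman parameters at startup; see also --dhparams.";
};

flag = {
    name      = quiet;
    value     = q;
    descrip   = "Suppress some messages";
    doc      = "Suppress some informational messages.";
};

flag = {
    name      = nodb;
    descrip   = "Do not use a resumption database";
    doc      = "Do not keep a session resumption database.";
};

flag = {
    name      = http;
    descrip   = "Act as an HTTP server";
    doc      = "Act as an HTTPS server, i.e. answer HTTP requests over the TLS connection.";
};

flag = {
    name      = echo;
    descrip   = "Act as an Echo server";
    doc      = "Act as an echo server: data received over the TLS connection is sent back to the client.";
};

flag = {
    name      = udp;
    value     = u;
    descrip   = "Use DTLS (datagram TLS) over UDP";
    doc      = "Use DTLS (datagram TLS) over UDP instead of TLS over TCP.";
};

flag = {
    name      = mtu;
    arg-type  = number;
    arg-range = "0->17000";
    descrip   = "Set MTU for datagram TLS";
    doc      = "Set the MTU to assume for datagram TLS (only meaningful with --udp).";
};

flag = {
    name      = srtp_profiles;
    arg-type  = string;
    descrip   = "Offer SRTP profiles";
    doc       = "Offer the listed SRTP profiles to the client (DTLS-SRTP).";
};

flag = {
    name      = disable-client-cert;
    value     = a;
    descrip   = "Do not request a client certificate";
    doc      = "Do not request a client certificate during the handshake. Cannot be combined with --require-client-cert.";
    flags-cant = require-client-cert;
};

flag = {
    name      = require-client-cert;
    value     = r;
    descrip   = "Require a client certificate";
    doc      = "This option before 3.6.0 used to imply --verify-client-cert.
Since 3.6.0 it will no longer verify the certificate by default; combine it
with --verify-client-cert to reject clients whose certificate does not verify.";
};

flag = {
    name      = verify-client-cert;
    disabled;
    descrip   = "If a client certificate is sent then verify it.";
    doc      = "Do not require, but if a client certificate is sent then verify it and close the connection if invalid.";
};

flag = {
    name      = heartbeat;
    value     = b;
    descrip   = "Activate heartbeat support";
    doc      = "Regularly ping client via heartbeat extension messages";
};

flag = {
    name      = x509fmtder;
    descrip   = "Use DER format for certificates to read from";
    doc      = "Read certificates in DER format instead of PEM.";
};

flag = {
    name      = priority;
    arg-type  = string;
    descrip   = "Priorities string";
    doc      = "TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, SECURE128, SECURE256. The default is NORMAL.

Check the GnuTLS manual on section ``Priority strings'' for more
information on allowed keywords";
};

flag = {
    name      = dhparams;
    arg-type  = file;
    file-exists = yes;
    descrip   = "DH params file to use";
    doc      = "File containing the Diffie-Hellman parameters to use for DHE ciphersuites.";
};

flag = {
    name      = x509cafile;
    arg-type  = string;
    descrip   = "CA certificate file or PKCS #11 URL to use";
    doc      = "Certificate authority file or URI used as the trust store when client certificates are verified (see --verify-client-cert).";
};

flag = {
    name      = x509crlfile;
    arg-type  = file;
    file-exists = yes;
    descrip   = "CRL file to use";
    doc      = "Certificate revocation list consulted when client certificates are verified.";
};

flag = {
    name      = pgpkeyfile;
    arg-type  = file;
    file-exists = yes;
    descrip   = "PGP Key file to use";
    doc      = "This option is deprecated.";
    deprecated;
};


flag = {
    name      = x509keyfile;
    arg-type  = string;
    descrip   = "X.509 key file or PKCS #11 URL to use";
    doc      = "Specify the private key file or URI to use; it must correspond to
the certificate specified in --x509certfile. Multiple keys and certificates
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding x509certfile or vice-versa.";
    stack-arg;
    max       = NOLIMIT;
};

flag = {
    name      = x509certfile;
    arg-type  = string;
    descrip   = "X.509 Certificate file or PKCS #11 URL to use";
    doc      = "Specify the certificate file or URI to use; it must correspond to
the key specified in --x509keyfile. Multiple keys and certificates
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding x509certfile or vice-versa.";
    stack-arg;
    max       = NOLIMIT;
};

flag = {
    name      = x509dsakeyfile;
    aliases   = x509keyfile;
    descrip   = "Alternative X.509 key file or PKCS #11 URL to use";
    deprecated;
};

flag = {
    name      = x509dsacertfile;
    aliases   = x509certfile;
    descrip   = "Alternative X.509 Certificate file or PKCS #11 URL to use";
    deprecated;
};

flag = {
    name      = x509ecckeyfile;
    aliases   = x509keyfile;
    descrip   = "Alternative X.509 key file or PKCS #11 URL to use";
    deprecated;
};

flag = {
    name      = x509ecccertfile;
    aliases   = x509certfile;
    descrip   = "Alternative X.509 Certificate file or PKCS #11 URL to use";
    deprecated;
};

flag = {
    name      = srppasswd;
    arg-type  = file;
    file-exists = yes;
    descrip   = "SRP password file to use";
    doc      = "SRP password file to use (created with srptool).";
};

flag = {
    name      = srppasswdconf;
    arg-type  = file;
    file-exists = yes;
    descrip   = "SRP password configuration file to use";
    doc      = "SRP password configuration file to use together with --srppasswd.";
};

flag = {
    name      = pskpasswd;
    arg-type  = file;
    file-exists = yes;
    descrip   = "PSK password file to use";
    doc      = "PSK password file to use (created with psktool).";
};

flag = {
    name      = pskhint;
    arg-type  = string;
    descrip   = "PSK identity hint to use";
    doc      = "PSK identity hint to send to the client.";
};

flag = {
    name      = ocsp-response;
    arg-type  = string;
    descrip   = "The OCSP response to send to client";
    doc      = "If the client requested an OCSP response, return data from this file to the client. May be given once per certificate.";
    stack-arg;
    max       = NOLIMIT;
};

flag = {
    name      = ignore-ocsp-response-errors;
    descrip   = "Ignore any errors when setting the OCSP response";
    doc      = "This option instructs gnutls not to attempt to match the provided OCSP responses with the certificates.";
};

flag = {
    name      = port;
    value     = p;
    arg-type  = number;
    descrip   = "The port to listen on";
    doc      = "The TCP (or, with --udp, UDP) port to listen on. The default is 5556.";
};

flag = {
    name      = list;
    value     = l;
    descrip   = "Print a list of the supported algorithms and modes";
    doc      = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
};

flag = {
    name      = provider;
    arg-type  = file;
    file-exists = yes;
    descrip   = "Specify the PKCS #11 provider library";
    doc      = "This will override the default options in /etc/gnutls/pkcs11.conf";
};

flag = {
    name      = keymatexport;
    arg-type  = string;
    descrip   = "Label used for exporting keying material";
    doc      = "Label used for exporting keying material.";
};

flag = {
    name      = keymatexportsize;
    arg-type  = number;
    descrip   = "Size of the exported keying material";
    doc      = "Size of the exported keying material.";
};

doc-section = {
  ds-type   = 'SEE ALSO'; // or anything else
  ds-format = 'texi';      // or texi or mdoc format
  ds-text   = <<-_EOText_
gnutls-cli-debug(1), gnutls-cli(1)
_EOText_;
};

doc-section = {
  ds-type = 'EXAMPLES';
  ds-format = 'texi';
  ds-text   = <<-_EOF_
Running your own TLS server based on GnuTLS can be useful when
debugging clients and/or GnuTLS itself.  This section describes how to
use @code{gnutls-serv} as a simple HTTPS server.

The most basic server can be started as:

@example
gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"
@end example

It will only support anonymous ciphersuites, which many TLS clients
refuse to use.  Anonymous key exchange provides no server
authentication and therefore no protection against an active attacker;
use it only for local testing.

The next step is to add support for X.509.  First we generate a CA:

@example
$ certtool --generate-privkey > x509-ca-key.pem
$ echo 'cn = GnuTLS test CA' > ca.tmpl
$ echo 'ca' >> ca.tmpl
$ echo 'cert_signing_key' >> ca.tmpl
$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
  --template ca.tmpl --outfile x509-ca.pem
@end example

Then generate a server certificate.  Remember to change the dns_name
value to the name of your server host, or skip that command to avoid
the field.

@example
$ certtool --generate-privkey > x509-server-key.pem
$ echo 'organization = GnuTLS test server' > server.tmpl
$ echo 'cn = test.gnutls.org' >> server.tmpl
$ echo 'tls_www_server' >> server.tmpl
$ echo 'encryption_key' >> server.tmpl
$ echo 'signing_key' >> server.tmpl
$ echo 'dns_name = test.gnutls.org' >> server.tmpl
$ certtool --generate-certificate --load-privkey x509-server-key.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template server.tmpl --outfile x509-server.pem
@end example

For use in the client, you may want to generate a client certificate
as well.

@example
$ certtool --generate-privkey > x509-client-key.pem
$ echo 'cn = GnuTLS test client' > client.tmpl
$ echo 'tls_www_client' >> client.tmpl
$ echo 'encryption_key' >> client.tmpl
$ echo 'signing_key' >> client.tmpl
$ certtool --generate-certificate --load-privkey x509-client-key.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template client.tmpl --outfile x509-client.pem
@end example

To be able to import the client key/certificate into some
applications, you will need to convert them into a PKCS#12 structure.
This also encrypts the security-sensitive private key with a password.

@example
$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
  --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
  --outder --outfile x509-client.p12
@end example

As an extra step, we'll create a proxy certificate for the client too.

@example
$ certtool --generate-privkey > x509-proxy-key.pem
$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
  --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
  --load-certificate x509-client.pem --template proxy.tmpl \
  --outfile x509-proxy.pem
@end example

Then start the server again:

@example
$ gnutls-serv --http \
            --x509cafile x509-ca.pem \
            --x509keyfile x509-server-key.pem \
            --x509certfile x509-server.pem
@end example

Try connecting to the server using your web browser.  Note that the
server listens on port 5556 by default.

While you are at it, to allow connections using ECDSA, you can also
create an ECDSA key and certificate for the server.  These credentials
will be used in the final example below.

@example
$ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem
$ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template server.tmpl --outfile x509-server-ecc.pem
@end example


The next step is to add support for SRP authentication. This requires
an SRP password file created with @code{srptool}.
To start the server with SRP support:

@example
gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \
            --srppasswdconf srp-tpasswd.conf \
            --srppasswd srp-passwd.txt
@end example

Let's also start a server with support for PSK. This requires
a password file created with @code{psktool}.

@example
gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \
            --pskpasswd psk-passwd.txt
@end example

Finally, we start the server with all the earlier parameters and you
get this command:

@example
gnutls-serv --http --priority NORMAL:+PSK:+SRP \
            --x509cafile x509-ca.pem \
            --x509keyfile x509-server-key.pem \
            --x509certfile x509-server.pem \
            --x509keyfile x509-server-key-ecc.pem \
            --x509certfile x509-server-ecc.pem \
            --srppasswdconf srp-tpasswd.conf \
            --srppasswd srp-passwd.txt \
            --pskpasswd psk-passwd.txt
@end example
_EOF_;
};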