
AutoGen Definitions options;
prog-name     = gnutls-serv;
prog-title    = "GnuTLS server";
prog-desc     = "Simple server program to act as an HTTPS or TLS echo service.";
short-usage   = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
explain       = "";
detail        = "Server program that listens to incoming TLS connections.";
#include args-std.def
flag = {
    name      = sni-hostname;
    descrip   = "Server's hostname for server name extension";
    arg-type  = string;
    doc      = "Server name of type host_name that the server will recognise as its own. If the server receives a client hello with a different name, it will send a warning-level unrecognized_name alert.";
};
flag = {
    name      = sni-hostname-fatal;
    descrip   = "Send fatal alert on sni-hostname mismatch";
    doc      = "";
};
flag = {
    name      = alpn;
    arg-type  = string;
    descrip   = "Specify ALPN protocol to be enabled by the server";
    doc      = "Specify the (textual) ALPN protocol for the server to use.";
    stack-arg;
    max       = NOLIMIT;
};
flag = {
    name      = alpn-fatal;
    descrip   = "Send fatal alert on non-matching ALPN name";
    doc      = "";
};
flag = {
    name      = noticket;
    descrip   = "Don't accept session tickets";
    doc      = "";
};
flag = {
    name      = earlydata;
    descrip   = "Accept early data";
    doc      = "";
};
flag = {
    name      = maxearlydata;
    arg-type  = number;
    arg-range = "1->";
    descrip   = "The maximum early data size to accept";
    doc      = "";
};
flag = {
    name      = nocookie;
    descrip   = "Don't require cookie on DTLS sessions";
    doc      = "";
};
flag = {
    name      = generate;
    value     = g;
    descrip   = "Generate Diffie-Hellman parameters";
    doc      = "";
};
flag = {
    name      = quiet;
    value     = q;
    descrip   = "Suppress some messages";
    doc      = "";
};
flag = {
    name      = nodb;
    descrip   = "Do not use a resumption database";
    doc      = "";
};
flag = {
    name      = http;
    descrip   = "Act as an HTTP server";
    doc      = "";
};
flag = {
    name      = echo;
    descrip   = "Act as an Echo server";
    doc      = "";
};
flag = {
    name      = udp;
    value     = u;
    descrip   = "Use DTLS (datagram TLS) over UDP";
    doc      = "";
};
flag = {
    name      = mtu;
    arg-type  = number;
    arg-range = "0->17000";
    descrip   = "Set MTU for datagram TLS";
    doc      = "";
};
flag = {
    name      = srtp_profiles;
    arg-type  = string;
    descrip   = "Offer SRTP profiles";
    doc       = "";
};
flag = {
    name      = disable-client-cert;
    value     = a;
    descrip   = "Do not request a client certificate";
    doc      = "";
    flags-cant = require-client-cert;
};
flag = {
    name      = require-client-cert;
    value     = r;
    descrip   = "Require a client certificate";
    doc      = "Before 3.6.0 this option used to imply --verify-client-cert.
Since 3.6.0 it will no longer verify the certificate by default.";
};
flag = {
    name      = verify-client-cert;
    disabled;
    descrip   = "If a client certificate is sent then verify it.";
    doc      = "Do not require a client certificate, but if one is sent then verify it and close the connection if it is invalid.";
};
flag = {
    name      = heartbeat;
    value     = b;
    descrip   = "Activate heartbeat support";
    doc      = "Regularly ping client via heartbeat extension messages";
};
flag = {
    name      = x509fmtder;
    descrip   = "Use DER format for certificates to read from";
    doc      = "";
};
flag = {
    name      = priority;
    arg-type  = string;
    descrip   = "Priorities string";
    doc      = "TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, SECURE128, SECURE256. The default is NORMAL.
Check the GnuTLS manual, section ``Priority strings'', for more
information on allowed keywords";
};
flag = {
    name      = dhparams;
    arg-type  = file;
    file-exists = yes;
    descrip   = "DH params file to use";
    doc      = "";
};
flag = {
    name      = x509cafile;
    arg-type  = string;
    descrip   = "Certificate file or PKCS #11 URL to use";
    doc      = "";
};
flag = {
    name      = x509crlfile;
    arg-type  = file;
    file-exists = yes;
    descrip   = "CRL file to use";
    doc      = "";
};
flag = {
    name      = pgpkeyfile;
    arg-type  = file;
    file-exists = yes;
    descrip   = "PGP Key file to use";
    doc      = "";
    deprecated;
};
flag = {
    name      = x509keyfile;
    arg-type  = string;
    descrip   = "X.509 key file or PKCS #11 URL to use";
    doc      = "Specify the private key file or URI to use; it must correspond to
the certificate specified in --x509certfile. Multiple keys and certificates
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding x509certfile or vice-versa.";
    stack-arg;
    max       = NOLIMIT;
};
flag = {
    name      = x509certfile;
    arg-type  = string;
    descrip   = "X.509 Certificate file or PKCS #11 URL to use";
    doc      = "Specify the certificate file or URI to use; it must correspond to
the key specified in --x509keyfile. Multiple keys and certificates
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding x509certfile or vice-versa.";
    stack-arg;
    max       = NOLIMIT;
};
flag = {
    name      = x509dsakeyfile;
    aliases   = x509keyfile;
    descrip   = "Alternative X.509 key file or PKCS #11 URL to use";
    deprecated;
};
flag = {
    name      = x509dsacertfile;
    aliases   = x509certfile;
    descrip   = "Alternative X.509 Certificate file or PKCS #11 URL to use";
    deprecated;
};
flag = {
    name      = x509ecckeyfile;
    aliases   = x509keyfile;
    descrip   = "Alternative X.509 key file or PKCS #11 URL to use";
    deprecated;
};
flag = {
    name      = x509ecccertfile;
    aliases   = x509certfile;
    descrip   = "Alternative X.509 Certificate file or PKCS #11 URL to use";
    deprecated;
};
flag = {
    name      = rawpkkeyfile;
    arg-type  = string;
    descrip   = "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use";
    doc       = "Specify the private key file or URI to use; it must correspond to
the raw public-key specified in --rawpkfile. Multiple key pairs
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding rawpkfile or vice-versa.
In order to instruct the application to negotiate raw public keys one
must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
and CTYPE-SRV-* flags).
Check the GnuTLS manual, section ``Priority strings'', for more
information on how to set certificate types.";
    stack-arg;
    max       = NOLIMIT;
};
flag = {
    name      = rawpkfile;
    arg-type  = string;
    descrip   = "Raw public-key file to use";
    doc       = "Specify the raw public-key file to use; it must correspond to
the private key specified in --rawpkkeyfile. Multiple key pairs
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding rawpkfile or vice-versa.
In order to instruct the application to negotiate raw public keys one
must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
and CTYPE-SRV-* flags).
Check the GnuTLS manual, section ``Priority strings'', for more
information on how to set certificate types.";
    stack-arg;
    max       = NOLIMIT;
    flags-must = rawpkkeyfile;
};
flag = {
    name      = srppasswd;
    arg-type  = file;
    file-exists = yes;
    descrip   = "SRP password file to use";
    doc      = "";
};
flag = {
    name      = srppasswdconf;
    arg-type  = file;
    file-exists = yes;
    descrip   = "SRP password configuration file to use";
    doc      = "";
};
flag = {
    name      = pskpasswd;
    arg-type  = file;
    file-exists = yes;
    descrip   = "PSK password file to use";
    doc      = "";
};
flag = {
    name      = pskhint;
    arg-type  = string;
    descrip   = "PSK identity hint to use";
    doc      = "";
};
flag = {
    name      = ocsp-response;
    arg-type  = string;
    descrip   = "The OCSP response to send to client";
    doc      = "If the client requested an OCSP response, return data from this file to the client.";
    stack-arg;
    max       = NOLIMIT;
};
flag = {
    name      = ignore-ocsp-response-errors;
    descrip   = "Ignore any errors when setting the OCSP response";
    doc      = "This option instructs gnutls not to attempt to match the provided OCSP responses with the certificates.";
};
flag = {
    name      = port;
    value     = p;
    arg-type  = number;
    descrip   = "The port to listen on";
    doc      = "";
};
flag = {
    name      = list;
    value     = l;
    descrip   = "Print a list of the supported algorithms and modes";
    doc      = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
};
flag = {
    name      = provider;
    arg-type  = file;
    file-exists = yes;
    descrip   = "Specify the PKCS #11 provider library";
    doc      = "This will override the default options in /etc/gnutls/pkcs11.conf";
};
flag = {
    name      = keymatexport;
    arg-type  = string;
    descrip   = "Label used for exporting keying material";
    doc      = "";
};
flag = {
    name      = keymatexportsize;
    arg-type  = number;
    descrip   = "Size of the exported keying material";
    doc      = "";
};
flag = {
    name      = recordsize;
    arg-type  = number;
    arg-range = "0->16384";
    descrip   = "The maximum record size to advertise";
    doc      = "";
};
flag = {
    name      = httpdata;
    arg-type  = file;
    file-exists = yes;
    descrip   = "The data used as HTTP response";
    doc      = "";
};
doc-section = {
  ds-type   = 'SEE ALSO'; // or anything else
  ds-format = 'texi';      // or texi or mdoc format
  ds-text   = <<-_EOText_
gnutls-cli-debug(1), gnutls-cli(1)
_EOText_;
};
doc-section = {
  ds-type = 'EXAMPLES';
  ds-format = 'texi';
  ds-text   = <<-_EOF_
Running your own TLS server based on GnuTLS can be useful when
debugging clients and/or GnuTLS itself.  This section describes how to
use @code{gnutls-serv} as a simple HTTPS server.
The most basic server can be started as:
@example
gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"
@end example
It will only support anonymous ciphersuites, which many TLS clients
refuse to use.
The next step is to add support for X.509.  First we generate a CA:
@example
$ certtool --generate-privkey > x509-ca-key.pem
$ echo 'cn = GnuTLS test CA' > ca.tmpl
$ echo 'ca' >> ca.tmpl
$ echo 'cert_signing_key' >> ca.tmpl
$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
  --template ca.tmpl --outfile x509-ca.pem
@end example
Then generate a server certificate.  Remember to change the dns_name
value to the name of your server host, or skip that command to avoid
the field.
@example
$ certtool --generate-privkey > x509-server-key.pem
$ echo 'organization = GnuTLS test server' > server.tmpl
$ echo 'cn = test.gnutls.org' >> server.tmpl
$ echo 'tls_www_server' >> server.tmpl
$ echo 'encryption_key' >> server.tmpl
$ echo 'signing_key' >> server.tmpl
$ echo 'dns_name = test.gnutls.org' >> server.tmpl
$ certtool --generate-certificate --load-privkey x509-server-key.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template server.tmpl --outfile x509-server.pem
@end example
For use in the client, you may want to generate a client certificate
as well.
@example
$ certtool --generate-privkey > x509-client-key.pem
$ echo 'cn = GnuTLS test client' > client.tmpl
$ echo 'tls_www_client' >> client.tmpl
$ echo 'encryption_key' >> client.tmpl
$ echo 'signing_key' >> client.tmpl
$ certtool --generate-certificate --load-privkey x509-client-key.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template client.tmpl --outfile x509-client.pem
@end example
To be able to import the client key/certificate into some
applications, you will need to convert them into a PKCS#12 structure.
This also encrypts the security-sensitive key with a password.
@example
$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
  --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
  --outder --outfile x509-client.p12
@end example
For icing, we'll create a proxy certificate for the client too.
@example
$ certtool --generate-privkey > x509-proxy-key.pem
$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
  --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
  --load-certificate x509-client.pem --template proxy.tmpl \
  --outfile x509-proxy.pem
@end example
Then start the server again:
@example
$ gnutls-serv --http \
            --x509cafile x509-ca.pem \
            --x509keyfile x509-server-key.pem \
            --x509certfile x509-server.pem
@end example
Try connecting to the server using your web browser.  Note that the
server listens to port 5556 by default.
While you are at it, to allow connections using ECDSA, you can also
create an ECDSA key and certificate for the server.  These credentials
will be used in the final example below.
@example
$ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem
$ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template server.tmpl --outfile x509-server-ecc.pem
@end example
The next step is to add support for SRP authentication. This requires
an SRP password file created with @code{srptool}.
To start the server with SRP support:
@example
gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \
            --srppasswdconf srp-tpasswd.conf \
            --srppasswd srp-passwd.txt
@end example
Let's also start a server with support for PSK. This requires
a password file created with @code{psktool}.
@example
gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \
            --pskpasswd psk-passwd.txt
@end example
If you want a server with support for raw public keys, you can also add these
credentials. Note, however, that there is no identity information linked to these
keys, as is the case with regular X.509 certificates. Authentication must be done
by other means. We also need to explicitly enable raw public-key certificates
via the priority strings.
@example
gnutls-serv --http --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
            --rawpkfile srv.rawpk.pem \
            --rawpkkeyfile srv.key.pem
@end example
Finally, we start the server with all the earlier parameters and you
get this command:
@example
gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
            --x509cafile x509-ca.pem \
            --x509keyfile x509-server-key.pem \
            --x509certfile x509-server.pem \
            --x509keyfile x509-server-key-ecc.pem \
            --x509certfile x509-server-ecc.pem \
            --srppasswdconf srp-tpasswd.conf \
            --srppasswd srp-passwd.txt \
            --pskpasswd psk-passwd.txt \
            --rawpkfile srv.rawpk.pem \
            --rawpkkeyfile srv.key.pem
@end example
_EOF_;
};