// AutoOpts definitions for the gnutls-serv command-line options.
// The descrip/doc strings below are the user-facing documentation of each
// option (help output and manual); keep them accurate for a server.
AutoGen Definitions options;
prog-name = gnutls-serv;
prog-title = "GnuTLS server";
prog-desc = "Simple server program to act as an HTTPS or TLS echo service.";
short-usage = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
explain = "";
detail = "Server program that listens to incoming TLS connections.";
#include args-std.def
// Host name the server answers to in the SNI extension. A mismatch only
// produces a warning-level alert unless --sni-hostname-fatal is also given.
flag = {
name = sni-hostname;
descrip = "Server's hostname for server name extension";
arg-type = string;
doc = "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.";
};
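// Escalates the --sni-hostname mismatch alert from warning level to fatal.
flag = {
name = sni-hostname-fatal;
descrip = "Send fatal alert on sni-hostname mismatch";
doc = "By default a client hello carrying a server name other than the one given with --sni-hostname only triggers a warning-level unrecognized_name alert. With this option the alert is sent at fatal level, which terminates the handshake.";
};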
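// Repeatable (stack-arg, no upper limit): one protocol name per occurrence.
flag = {
name = alpn;
arg-type = string;
descrip = "Specify ALPN protocol to be enabled by the server";
doc = "Specify the (textual) ALPN protocol for the server to use. The option may be given more than once to enable several protocols.";
stack-arg;
max = NOLIMIT;
};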
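// Escalates an ALPN mismatch to a fatal alert.
flag = {
name = alpn-fatal;
descrip = "Send fatal alert on non-matching ALPN name";
doc = "If the client's ALPN list contains none of the protocols enabled with --alpn, send a fatal alert, which terminates the handshake.";
};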
// Flag, no argument. The other resumption control is --nodb (server-side
// resumption database).
flag = {
name = noticket;
descrip = "Don't accept session tickets";
doc = "";
};
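// Enables TLS 1.3 early (0-RTT) data. Early data is replayable by design,
// so the doc string carries the caveat; --maxearlydata bounds the amount.
flag = {
name = earlydata;
descrip = "Accept early data";
doc = "Accept TLS 1.3 early (0-RTT) data sent by clients. The protocol does not protect early data against replay, so enable this only for testing or when the application data sent early is safe to replay. The amount accepted can be bounded with --maxearlydata.";
};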
// Range is 1 and upwards (arg-range "1->"); intended to bound --earlydata.
flag = {
name = maxearlydata;
arg-type = number;
arg-range = "1->";
descrip = "The maximum early data size to accept";
doc = "";
};
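// Disables the DTLS cookie exchange (address-validation step); testing only.
flag = {
name = nocookie;
descrip = "Don't require cookie on DTLS sessions";
doc = "Do not require the DTLS cookie exchange before accepting a client hello. The cookie exchange is how a DTLS server checks that a client really receives traffic at its claimed source address, so disabling it exposes the server to handshakes from spoofed addresses and should only be used for testing. Only meaningful together with --udp.";
};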
// Short form -g. Generates DH parameters rather than loading them with
// --dhparams.
flag = {
name = generate;
value = g;
descrip = "Generate Diffie-Hellman parameters";
doc = "";
};
// Short form -q.
flag = {
name = quiet;
value = q;
descrip = "Suppress some messages";
doc = "";
};
// Flag, no argument. Disables the server-side resumption database; the
// other resumption control is --noticket.
flag = {
name = nodb;
descrip = "Do not use a resumption database";
doc = "";
};
// HTTP mode; the response can be supplied from a file with --httpdata.
flag = {
name = http;
descrip = "Act as an HTTP server";
doc = "";
};
// Echo mode; see also --http.
flag = {
name = echo;
descrip = "Act as an Echo server";
doc = "";
};
// Short form -u. Selects DTLS; related DTLS-only options are --mtu and
// --nocookie.
flag = {
name = udp;
value = u;
descrip = "Use DTLS (datagram TLS) over UDP";
doc = "";
};
// Accepted range 0..17000; only applies to DTLS (--udp).
flag = {
name = mtu;
arg-type = number;
arg-range = "0->17000";
descrip = "Set MTU for datagram TLS";
doc = "";
};
// NOTE: this option name uses an underscore (srtp_profiles) unlike every
// other option here; it is kept as-is because renaming would change the CLI.
flag = {
name = srtp_profiles;
arg-type = string;
descrip = "Offer SRTP profiles";
doc = "";
};
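// Short form -a. Mutually exclusive with --require-client-cert (flags-cant).
flag = {
name = disable-client-cert;
value = a;
descrip = "Do not request a client certificate";
doc = "Do not ask the client for a certificate at all. This option cannot be combined with --require-client-cert.";
flags-cant = require-client-cert;
};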
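// Short form -r. Requiring a certificate does NOT validate it since 3.6.0;
// the doc string now says explicitly which option adds validation.
flag = {
name = require-client-cert;
value = r;
descrip = "Require a client certificate";
doc = "Refuse clients that do not present a certificate. This option before 3.6.0 used to imply --verify-client-cert.
Since 3.6.0 it will no longer verify the certificate by default; pass --verify-client-cert as well if the presented certificate must be validated.";
};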
// Off by default. On its own a client without a certificate is still
// accepted; combine with --require-client-cert to both demand and validate
// one (--require-client-cert alone does not validate since 3.6.0).
flag = {
name = verify-client-cert;
disabled;
descrip = "If a client certificate is sent then verify it.";
doc = "Do not require, but if a client certificate is sent then verify it and close the connection if invalid.";
};
// Short form -b, no argument.
flag = {
name = heartbeat;
value = b;
descrip = "Activate heartbeat support";
doc = "Regularly ping client via heartbeat extension messages";
};
// Flag, no argument: certificate files are read as DER.
flag = {
name = x509fmtder;
descrip = "Use DER format for certificates to read from";
doc = "";
};
// Selects the enabled protocols, ciphersuites and certificate types. The
// EXAMPLES section enables +ANON-*, +SRP, +PSK and +CTYPE-*-RAWPK this way.
flag = {
name = priority;
arg-type = string;
descrip = "Priorities string";
doc = "TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, SECURE128, SECURE256. The default is NORMAL.

Check the GnuTLS manual on section ``Priority strings'' for more
information on allowed keywords";
};
// File must exist. The alternative to loading parameters is --generate.
flag = {
name = dhparams;
arg-type = file;
file-exists = yes;
descrip = "DH params file to use";
doc = "";
};
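// Trust anchors. The old descrip read like a server certificate option;
// it is the CA file (the EXAMPLES pass x509-ca.pem here).
flag = {
name = x509cafile;
arg-type = string;
descrip = "CA certificate file or PKCS #11 URL to use";
doc = "Specify the file or PKCS #11 URL holding the CA certificates to trust. These are the trust anchors used when a client certificate is verified (see --verify-client-cert; --require-client-cert alone does not validate the certificate).";
};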
// File must exist. Certificate revocation list; the companion to --x509cafile.
flag = {
name = x509crlfile;
arg-type = file;
file-exists = yes;
descrip = "CRL file to use";
doc = "";
};
// Deprecated option (OpenPGP keys); file must exist.
flag = {
name = pgpkeyfile;
arg-type = file;
file-exists = yes;
descrip = "PGP Key file to use";
doc = "";
deprecated;
};
// Repeatable; each occurrence must be paired with the matching --x509certfile
// (see doc). Accepts a file path or a PKCS #11 URL.
flag = {
name = x509keyfile;
arg-type = string;
descrip = "X.509 key file or PKCS #11 URL to use";
doc = "Specify the private key file or URI to use; it must correspond to
the certificate specified in --x509certfile. Multiple keys and certificates
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding x509certfile or vice-versa.";
stack-arg;
max = NOLIMIT;
};
// Repeatable; each occurrence must be paired with the matching --x509keyfile
// (see doc). Accepts a file path or a PKCS #11 URL.
flag = {
name = x509certfile;
arg-type = string;
descrip = "X.509 Certificate file or PKCS #11 URL to use";
doc = "Specify the certificate file or URI to use; it must correspond to
the key specified in --x509keyfile. Multiple keys and certificates
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding x509certfile or vice-versa.";
stack-arg;
max = NOLIMIT;
};
// Deprecated alias of --x509keyfile.
flag = {
name = x509dsakeyfile;
aliases = x509keyfile;
descrip = "Alternative X.509 key file or PKCS #11 URL to use";
deprecated;
};
// Deprecated alias of --x509certfile.
flag = {
name = x509dsacertfile;
aliases = x509certfile;
descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
deprecated;
};
// Deprecated alias of --x509keyfile.
flag = {
name = x509ecckeyfile;
aliases = x509keyfile;
descrip = "Alternative X.509 key file or PKCS #11 URL to use";
deprecated;
};
// Deprecated alias of --x509certfile.
flag = {
name = x509ecccertfile;
aliases = x509certfile;
descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
deprecated;
};
// Repeatable; paired with --rawpkfile. Raw public keys carry no identity
// information (see the EXAMPLES note), so the peer must authenticate them
// by other means.
flag = {
name = rawpkkeyfile;
arg-type = string;
descrip = "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use";
doc = "Specify the private key file or URI to use; it must correspond to
the raw public-key specified in --rawpkfile. Multiple key pairs
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding rawpkfile or vice-versa.

In order to instruct the application to negotiate raw public keys one
must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
and CTYPE-SRV-* flags).

Check the GnuTLS manual on section ``Priority strings'' for more
information on how to set certificate types.";
stack-arg;
max = NOLIMIT;
};
// Repeatable; requires --rawpkkeyfile (flags-must). Raw public keys carry
// no identity information (see the EXAMPLES note).
flag = {
name = rawpkfile;
arg-type = string;
descrip = "Raw public-key file to use";
doc = "Specify the raw public-key file to use; it must correspond to
the private key specified in --rawpkkeyfile. Multiple key pairs
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding rawpkfile or vice-versa.

In order to instruct the application to negotiate raw public keys one
must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
and CTYPE-SRV-* flags).

Check the GnuTLS manual on section ``Priority strings'' for more
information on how to set certificate types.";
stack-arg;
max = NOLIMIT;
flags-must = rawpkkeyfile;
};
// File must exist. SRP credential file (created with srptool, see EXAMPLES);
// keep its permissions restricted to the server user.
flag = {
name = srppasswd;
arg-type = file;
file-exists = yes;
descrip = "SRP password file to use";
doc = "";
};
// File must exist. Used together with --srppasswd (see EXAMPLES).
flag = {
name = srppasswdconf;
arg-type = file;
file-exists = yes;
descrip = "SRP password configuration file to use";
doc = "";
};
// File must exist. PSK credential file (created with psktool, see EXAMPLES);
// keep its permissions restricted to the server user.
flag = {
name = pskpasswd;
arg-type = file;
file-exists = yes;
descrip = "PSK password file to use";
doc = "";
};
// Identity hint offered to PSK clients; pairs with --pskpasswd.
flag = {
name = pskhint;
arg-type = string;
descrip = "PSK identity hint to use";
doc = "";
};
// Repeatable. Responses are matched against the configured certificates
// unless --ignore-ocsp-response-errors is given.
flag = {
name = ocsp-response;
arg-type = string;
descrip = "The OCSP response to send to client";
doc = "If the client requested an OCSP response, return data from this file to the client.";
stack-arg;
max = NOLIMIT;
};
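// Skips the check that each --ocsp-response matches a configured
// certificate; a stale or unrelated response is then served unchecked.
flag = {
name = ignore-ocsp-response-errors;
descrip = "Ignore any errors when setting the OCSP response";
doc = "This option instructs gnutls-serv not to check that the provided OCSP responses match the configured certificates. Use it only when deliberately serving a response that would otherwise be rejected, e.g. for testing.";
};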
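// Short form -p. This is a server: the port is listened on, not connected
// to (the old descrip said "connect"). The EXAMPLES section documents the
// default of 5556.
flag = {
name = port;
value = p;
arg-type = number;
descrip = "The port to listen on";
doc = "The port to listen on for incoming TLS connections (or DTLS connections with --udp). If not given, port 5556 is used.";
};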
// Short form -l. Combine with --priority to list only the enabled suites.
flag = {
name = list;
value = l;
descrip = "Print a list of the supported algorithms and modes";
doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
};
// File must exist; overrides /etc/gnutls/pkcs11.conf. A PKCS #11 module is a
// shared library loaded into the server process, so only point this at a
// trusted library.
flag = {
name = provider;
arg-type = file;
file-exists = yes;
descrip = "Specify the PKCS #11 provider library";
doc = "This will override the default options in /etc/gnutls/pkcs11.conf";
};
// Label for keying-material export; the amount is set by --keymatexportsize.
flag = {
name = keymatexport;
arg-type = string;
descrip = "Label used for exporting keying material";
doc = "";
};
// Size of the keying material exported under the --keymatexport label.
flag = {
name = keymatexportsize;
arg-type = number;
descrip = "Size of the exported keying material";
doc = "";
};
// Accepted range 0..16384 (16384 is the TLS maximum plaintext record size).
flag = {
name = recordsize;
arg-type = number;
arg-range = "0->16384";
descrip = "The maximum record size to advertise";
doc = "";
};
// File must exist; its contents are sent as the HTTP response in --http mode.
flag = {
name = httpdata;
arg-type = file;
file-exists = yes;
descrip = "The data used as HTTP response";
doc = "";
};
// Cross references for the manual page.
doc-section = {
ds-type = 'SEE ALSO'; // man page section name
ds-format = 'texi'; // texinfo markup, like the EXAMPLES section below
ds-text = <<-_EOText_
gnutls-cli-debug(1), gnutls-cli(1)
_EOText_;
};
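// EXAMPLES section of the manual page (texinfo markup). The walkthrough now
// states why anonymous ciphersuites are test-only, that the server does not
// verify client certificates unless --verify-client-cert is given, and what
// "authentication by different means" means for raw public keys.
doc-section = {
ds-type = 'EXAMPLES';
ds-format = 'texi';
ds-text = <<-_EOF_
Running your own TLS server based on GnuTLS can be useful when
debugging clients and/or GnuTLS itself. This section describes how to
use @code{gnutls-serv} as a simple HTTPS server.

The most basic server can be started as:

@example
gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"
@end example

It will only support anonymous ciphersuites, which provide encryption
but no server authentication. Many TLS clients therefore refuse to use
them, and such a server is only suitable for testing.

The next step is to add support for X.509. First we generate a CA:

@example
$ certtool --generate-privkey > x509-ca-key.pem
$ echo 'cn = GnuTLS test CA' > ca.tmpl
$ echo 'ca' >> ca.tmpl
$ echo 'cert_signing_key' >> ca.tmpl
$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
--template ca.tmpl --outfile x509-ca.pem
@end example

Then generate a server certificate. Remember to change the dns_name
value to the name of your server host, or skip that command to avoid
the field.

@example
$ certtool --generate-privkey > x509-server-key.pem
$ echo 'organization = GnuTLS test server' > server.tmpl
$ echo 'cn = test.gnutls.org' >> server.tmpl
$ echo 'tls_www_server' >> server.tmpl
$ echo 'encryption_key' >> server.tmpl
$ echo 'signing_key' >> server.tmpl
$ echo 'dns_name = test.gnutls.org' >> server.tmpl
$ certtool --generate-certificate --load-privkey x509-server-key.pem \
--load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
--template server.tmpl --outfile x509-server.pem
@end example

For use in the client, you may want to generate a client certificate
as well.

@example
$ certtool --generate-privkey > x509-client-key.pem
$ echo 'cn = GnuTLS test client' > client.tmpl
$ echo 'tls_www_client' >> client.tmpl
$ echo 'encryption_key' >> client.tmpl
$ echo 'signing_key' >> client.tmpl
$ certtool --generate-certificate --load-privkey x509-client-key.pem \
--load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
--template client.tmpl --outfile x509-client.pem
@end example

To be able to import the client key/certificate into some
applications, you will need to convert them into a PKCS#12 structure.
This also encrypts the security-sensitive private key with a password.

@example
$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
--load-privkey x509-client-key.pem --load-certificate x509-client.pem \
--outder --outfile x509-client.p12
@end example

For icing, we'll create a proxy certificate for the client too.

@example
$ certtool --generate-privkey > x509-proxy-key.pem
$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
--load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
--load-certificate x509-client.pem --template proxy.tmpl \
--outfile x509-proxy.pem
@end example

Then start the server again:

@example
$ gnutls-serv --http \
--x509cafile x509-ca.pem \
--x509keyfile x509-server-key.pem \
--x509certfile x509-server.pem
@end example

Try connecting to the server using your web browser. Note that the
server listens on port 5556 by default (see @code{--port}). Note also
that the server requests but does not verify client certificates
unless @code{--verify-client-cert} is given; @code{--require-client-cert}
on its own only demands that a certificate be presented.

While you are at it, to allow connections using ECDSA, you can also
create a ECDSA key and certificate for the server. These credentials
will be used in the final example below.

@example
$ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem
$ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \
--load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
--template server.tmpl --outfile x509-server-ecc.pem
@end example


The next step is to add support for SRP authentication. This requires
an SRP password file created with @code{srptool}.
To start the server with SRP support:

@example
gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \
--srppasswdconf srp-tpasswd.conf \
--srppasswd srp-passwd.txt
@end example

Let's also start a server with support for PSK. This would require
a password file created with @code{psktool}.

@example
gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \
--pskpasswd psk-passwd.txt
@end example

If you want a server with support for raw public-keys we can also add these
credentials. Note however that there is no identity information linked to these
keys as is the case with regular x509 certificates. Authentication must be done
by other means, for example by the peer already knowing (pinning) the expected
public key. Also we need to explicitly enable raw public-key certificates
via the priority strings.

@example
gnutls-serv --http --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
--rawpkfile srv.rawpk.pem \
--rawpkkeyfile srv.key.pem
@end example


Finally, we start the server with all the earlier parameters and you
get this command:

@example
gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
--x509cafile x509-ca.pem \
--x509keyfile x509-server-key.pem \
--x509certfile x509-server.pem \
--x509keyfile x509-server-key-ecc.pem \
--x509certfile x509-server-ecc.pem \
--srppasswdconf srp-tpasswd.conf \
--srppasswd srp-passwd.txt \
--pskpasswd psk-passwd.txt \
--rawpkfile srv.rawpk.pem \
--rawpkkeyfile srv.key.pem
@end example
_EOF_;
};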