|
Packit |
549fdc |
@node gnutls-serv Invocation
|
|
Packit |
549fdc |
@section Invoking gnutls-serv
|
|
Packit |
549fdc |
@pindex gnutls-serv
|
|
Packit |
549fdc |
@ignore
|
|
Packit |
549fdc |
# -*- buffer-read-only: t -*- vi: set ro:
|
|
Packit |
549fdc |
#
|
|
Packit |
549fdc |
# DO NOT EDIT THIS FILE (invoke-gnutls-serv.texi)
|
|
Packit |
549fdc |
#
|
|
Packit |
549fdc |
# It has been AutoGen-ed
|
|
Packit |
549fdc |
# From the definitions ../src/serv-args.def
|
|
Packit |
549fdc |
# and the template file agtexi-cmd.tpl
|
|
Packit |
549fdc |
@end ignore
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Server program that listens to incoming TLS connections.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This section was generated by @strong{AutoGen},
|
|
Packit |
549fdc |
using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-serv} program.
|
|
Packit |
549fdc |
This software is released under the GNU General Public License, version 3 or later.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@anchor{gnutls-serv usage}
|
|
Packit |
549fdc |
@subheading gnutls-serv help/usage (@option{--help})
|
|
Packit |
549fdc |
@cindex gnutls-serv help
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the automatically generated usage text for gnutls-serv.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
The text printed is the same whether selected with the @code{help} option
|
|
Packit |
549fdc |
(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
|
|
Packit |
549fdc |
the usage text by passing it through a pager program.
|
|
Packit |
549fdc |
@code{more-help} is disabled on platforms without a working
|
|
Packit |
549fdc |
@code{fork(2)} function. The @code{PAGER} environment variable is
|
|
Packit |
549fdc |
used to select the program, defaulting to @file{more}. Both will exit
|
|
Packit |
549fdc |
with a status code of 0.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@exampleindent 0
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
gnutls-serv - GnuTLS server
|
|
Packit |
549fdc |
Usage: gnutls-serv [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
-d, --debug=num Enable debugging
|
|
Packit |
549fdc |
- it must be in the range:
|
|
Packit |
549fdc |
0 to 9999
|
|
Packit |
549fdc |
--sni-hostname=str Server's hostname for server name extension
|
|
Packit |
549fdc |
--sni-hostname-fatal Send fatal alert on sni-hostname mismatch
|
|
Packit |
549fdc |
--alpn=str Specify ALPN protocol to be enabled by the server
|
|
Packit |
549fdc |
- may appear multiple times
|
|
Packit |
549fdc |
--alpn-fatal Send fatal alert on non-matching ALPN name
|
|
Packit |
549fdc |
--noticket Don't accept session tickets
|
|
Packit |
549fdc |
-g, --generate Generate Diffie-Hellman parameters
|
|
Packit |
549fdc |
-q, --quiet Suppress some messages
|
|
Packit |
549fdc |
--nodb Do not use a resumption database
|
|
Packit |
549fdc |
--http Act as an HTTP server
|
|
Packit |
549fdc |
--echo Act as an Echo server
|
|
Packit |
549fdc |
-u, --udp Use DTLS (datagram TLS) over UDP
|
|
Packit |
549fdc |
--mtu=num Set MTU for datagram TLS
|
|
Packit |
549fdc |
- it must be in the range:
|
|
Packit |
549fdc |
0 to 17000
|
|
Packit |
549fdc |
--srtp-profiles=str Offer SRTP profiles
|
|
Packit |
549fdc |
-a, --disable-client-cert Do not request a client certificate
|
|
Packit |
549fdc |
-r, --require-client-cert Require a client certificate
|
|
Packit |
549fdc |
--verify-client-cert If a client certificate is sent then verify it.
|
|
Packit |
549fdc |
-b, --heartbeat Activate heartbeat support
|
|
Packit |
549fdc |
--x509fmtder Use DER format for certificates to read from
|
|
Packit |
549fdc |
--priority=str Priorities string
|
|
Packit |
549fdc |
--dhparams=file DH params file to use
|
|
Packit |
549fdc |
- file must pre-exist
|
|
Packit |
549fdc |
--x509cafile=str Certificate file or PKCS #11 URL to use
|
|
Packit |
549fdc |
--x509crlfile=file CRL file to use
|
|
Packit |
549fdc |
- file must pre-exist
|
|
Packit |
549fdc |
--x509keyfile=str X.509 key file or PKCS #11 URL to use
|
|
Packit |
549fdc |
- may appear multiple times
|
|
Packit |
549fdc |
--x509certfile=str X.509 Certificate file or PKCS #11 URL to use
|
|
Packit |
549fdc |
- may appear multiple times
|
|
Packit |
549fdc |
--srppasswd=file SRP password file to use
|
|
Packit |
549fdc |
- file must pre-exist
|
|
Packit |
549fdc |
--srppasswdconf=file SRP password configuration file to use
|
|
Packit |
549fdc |
- file must pre-exist
|
|
Packit |
549fdc |
--pskpasswd=file PSK password file to use
|
|
Packit |
549fdc |
- file must pre-exist
|
|
Packit |
549fdc |
--pskhint=str PSK identity hint to use
|
|
Packit |
549fdc |
--ocsp-response=file The OCSP response to send to client
|
|
Packit |
549fdc |
- file must pre-exist
|
|
Packit |
549fdc |
-p, --port=num The port to connect to
|
|
Packit |
549fdc |
-l, --list Print a list of the supported algorithms and modes
|
|
Packit |
549fdc |
--provider=file Specify the PKCS #11 provider library
|
|
Packit |
549fdc |
- file must pre-exist
|
|
Packit |
549fdc |
-v, --version[=arg] output version information and exit
|
|
Packit |
549fdc |
-h, --help display extended usage information and exit
|
|
Packit |
549fdc |
-!, --more-help extended usage information passed thru pager
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Options are specified by doubled hyphens and their name or by a single
|
|
Packit |
549fdc |
hyphen and the flag character.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Server program that listens to incoming TLS connections.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
@exampleindent 4
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@anchor{gnutls-serv debug}
|
|
Packit |
549fdc |
@subheading debug option (-d)
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``enable debugging'' option.
|
|
Packit |
549fdc |
This option takes a number argument.
|
|
Packit |
549fdc |
Specifies the debug level.
|
|
Packit |
549fdc |
@anchor{gnutls-serv sni-hostname}
|
|
Packit |
549fdc |
@subheading sni-hostname option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``server's hostname for server name extension'' option.
|
|
Packit |
549fdc |
This option takes a string argument.
|
|
Packit |
549fdc |
Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.
|
|
Packit |
549fdc |
@anchor{gnutls-serv alpn}
|
|
Packit |
549fdc |
@subheading alpn option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``specify alpn protocol to be enabled by the server'' option.
|
|
Packit |
549fdc |
This option takes a string argument.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@noindent
|
|
Packit |
549fdc |
This option has some usage constraints. It:
|
|
Packit |
549fdc |
@itemize @bullet
|
|
Packit |
549fdc |
@item
|
|
Packit |
549fdc |
may appear an unlimited number of times.
|
|
Packit |
549fdc |
@end itemize
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Specify the (textual) ALPN protocol for the server to use.
|
|
Packit |
549fdc |
@anchor{gnutls-serv require-client-cert}
|
|
Packit |
549fdc |
@subheading require-client-cert option (-r)
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``require a client certificate'' option.
|
|
Packit |
549fdc |
This option before 3.6.0 used to imply --verify-client-cert.
|
|
Packit |
549fdc |
Since 3.6.0 it will no longer verify the certificate by default.
|
|
Packit |
549fdc |
@anchor{gnutls-serv verify-client-cert}
|
|
Packit |
549fdc |
@subheading verify-client-cert option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``if a client certificate is sent then verify it.'' option.
|
|
Packit |
549fdc |
Do not require, but if a client certificate is sent then verify it and close the connection if invalid.
|
|
Packit |
549fdc |
@anchor{gnutls-serv heartbeat}
|
|
Packit |
549fdc |
@subheading heartbeat option (-b)
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``activate heartbeat support'' option.
|
|
Packit |
549fdc |
Regularly ping client via heartbeat extension messages
|
|
Packit |
549fdc |
@anchor{gnutls-serv priority}
|
|
Packit |
549fdc |
@subheading priority option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``priorities string'' option.
|
|
Packit |
549fdc |
This option takes a string argument.
|
|
Packit |
549fdc |
TLS algorithms and protocols to enable. You can
|
|
Packit |
549fdc |
use predefined sets of ciphersuites such as PERFORMANCE,
|
|
Packit |
549fdc |
NORMAL, SECURE128, SECURE256. The default is NORMAL.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Check the GnuTLS manual on section ``Priority strings'' for more
|
|
Packit |
549fdc |
information on allowed keywords
|
|
Packit |
549fdc |
@anchor{gnutls-serv x509keyfile}
|
|
Packit |
549fdc |
@subheading x509keyfile option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``x.509 key file or pkcs #11 url to use'' option.
|
|
Packit |
549fdc |
This option takes a string argument.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@noindent
|
|
Packit |
549fdc |
This option has some usage constraints. It:
|
|
Packit |
549fdc |
@itemize @bullet
|
|
Packit |
549fdc |
@item
|
|
Packit |
549fdc |
may appear an unlimited number of times.
|
|
Packit |
549fdc |
@end itemize
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Specify the private key file or URI to use; it must correspond to
|
|
Packit |
549fdc |
the certificate specified in --x509certfile. Multiple keys and certificates
|
|
Packit |
549fdc |
can be specified with this option and in that case each occurrence of keyfile
|
|
Packit |
549fdc |
must be followed by the corresponding x509certfile or vice-versa.
|
|
Packit |
549fdc |
@anchor{gnutls-serv x509certfile}
|
|
Packit |
549fdc |
@subheading x509certfile option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``x.509 certificate file or pkcs #11 url to use'' option.
|
|
Packit |
549fdc |
This option takes a string argument.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@noindent
|
|
Packit |
549fdc |
This option has some usage constraints. It:
|
|
Packit |
549fdc |
@itemize @bullet
|
|
Packit |
549fdc |
@item
|
|
Packit |
549fdc |
may appear an unlimited number of times.
|
|
Packit |
549fdc |
@end itemize
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Specify the certificate file or URI to use; it must correspond to
|
|
Packit |
549fdc |
the key specified in --x509keyfile. Multiple keys and certificates
|
|
Packit |
549fdc |
can be specified with this option and in that case each occurrence of keyfile
|
|
Packit |
549fdc |
must be followed by the corresponding x509certfile or vice-versa.
|
|
Packit |
549fdc |
@anchor{gnutls-serv x509dsakeyfile}
|
|
Packit |
549fdc |
@subheading x509dsakeyfile option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is an alias for the @code{x509keyfile} option,
|
|
Packit |
549fdc |
@pxref{gnutls-serv x509keyfile, the x509keyfile option documentation}.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@anchor{gnutls-serv x509dsacertfile}
|
|
Packit |
549fdc |
@subheading x509dsacertfile option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is an alias for the @code{x509certfile} option,
|
|
Packit |
549fdc |
@pxref{gnutls-serv x509certfile, the x509certfile option documentation}.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@anchor{gnutls-serv x509ecckeyfile}
|
|
Packit |
549fdc |
@subheading x509ecckeyfile option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is an alias for the @code{x509keyfile} option,
|
|
Packit |
549fdc |
@pxref{gnutls-serv x509keyfile, the x509keyfile option documentation}.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@anchor{gnutls-serv x509ecccertfile}
|
|
Packit |
549fdc |
@subheading x509ecccertfile option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is an alias for the @code{x509certfile} option,
|
|
Packit |
549fdc |
@pxref{gnutls-serv x509certfile, the x509certfile option documentation}.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@anchor{gnutls-serv ocsp-response}
|
|
Packit |
549fdc |
@subheading ocsp-response option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``the ocsp response to send to client'' option.
|
|
Packit |
549fdc |
This option takes a file argument.
|
|
Packit |
549fdc |
If the client requested an OCSP response, return data from this file to the client.
|
|
Packit |
549fdc |
@anchor{gnutls-serv list}
|
|
Packit |
549fdc |
@subheading list option (-l)
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``print a list of the supported algorithms and modes'' option.
|
|
Packit |
549fdc |
Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
|
|
Packit |
549fdc |
@anchor{gnutls-serv provider}
|
|
Packit |
549fdc |
@subheading provider option
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
This is the ``specify the pkcs #11 provider library'' option.
|
|
Packit |
549fdc |
This option takes a file argument.
|
|
Packit |
549fdc |
This will override the default options in /etc/gnutls/pkcs11.conf
|
|
Packit |
549fdc |
@anchor{gnutls-serv exit status}
|
|
Packit |
549fdc |
@subheading gnutls-serv exit status
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
One of the following exit values will be returned:
|
|
Packit |
549fdc |
@table @samp
|
|
Packit |
549fdc |
@item 0 (EXIT_SUCCESS)
|
|
Packit |
549fdc |
Successful program execution.
|
|
Packit |
549fdc |
@item 1 (EXIT_FAILURE)
|
|
Packit |
549fdc |
The operation failed or the command syntax was not valid.
|
|
Packit |
549fdc |
@end table
|
|
Packit |
549fdc |
@anchor{gnutls-serv See Also}
|
|
Packit |
549fdc |
@subheading gnutls-serv See Also
|
|
Packit |
549fdc |
gnutls-cli-debug(1), gnutls-cli(1)
|
|
Packit |
549fdc |
@anchor{gnutls-serv Examples}
|
|
Packit |
549fdc |
@subheading gnutls-serv Examples
|
|
Packit |
549fdc |
Running your own TLS server based on GnuTLS can be useful when
|
|
Packit |
549fdc |
debugging clients and/or GnuTLS itself. This section describes how to
|
|
Packit |
549fdc |
use @code{gnutls-serv} as a simple HTTPS server.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
The most basic server can be started as:
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
It will only support anonymous ciphersuites, which many TLS clients
|
|
Packit |
549fdc |
refuse to use.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
The next step is to add support for X.509. First we generate a CA:
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ certtool --generate-privkey > x509-ca-key.pem
|
|
Packit |
549fdc |
$ echo 'cn = GnuTLS test CA' > ca.tmpl
|
|
Packit |
549fdc |
$ echo 'ca' >> ca.tmpl
|
|
Packit |
549fdc |
$ echo 'cert_signing_key' >> ca.tmpl
|
|
Packit |
549fdc |
$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
|
|
Packit |
549fdc |
--template ca.tmpl --outfile x509-ca.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Then generate a server certificate. Remember to change the dns_name
|
|
Packit |
549fdc |
value to the name of your server host, or skip that command to avoid
|
|
Packit |
549fdc |
the field.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ certtool --generate-privkey > x509-server-key.pem
|
|
Packit |
549fdc |
$ echo 'organization = GnuTLS test server' > server.tmpl
|
|
Packit |
549fdc |
$ echo 'cn = test.gnutls.org' >> server.tmpl
|
|
Packit |
549fdc |
$ echo 'tls_www_server' >> server.tmpl
|
|
Packit |
549fdc |
$ echo 'encryption_key' >> server.tmpl
|
|
Packit |
549fdc |
$ echo 'signing_key' >> server.tmpl
|
|
Packit |
549fdc |
$ echo 'dns_name = test.gnutls.org' >> server.tmpl
|
|
Packit |
549fdc |
$ certtool --generate-certificate --load-privkey x509-server-key.pem \
|
|
Packit |
549fdc |
--load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
|
|
Packit |
549fdc |
--template server.tmpl --outfile x509-server.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
For use in the client, you may want to generate a client certificate
|
|
Packit |
549fdc |
as well.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ certtool --generate-privkey > x509-client-key.pem
|
|
Packit |
549fdc |
$ echo 'cn = GnuTLS test client' > client.tmpl
|
|
Packit |
549fdc |
$ echo 'tls_www_client' >> client.tmpl
|
|
Packit |
549fdc |
$ echo 'encryption_key' >> client.tmpl
|
|
Packit |
549fdc |
$ echo 'signing_key' >> client.tmpl
|
|
Packit |
549fdc |
$ certtool --generate-certificate --load-privkey x509-client-key.pem \
|
|
Packit |
549fdc |
--load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
|
|
Packit |
549fdc |
--template client.tmpl --outfile x509-client.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
To be able to import the client key/certificate into some
|
|
Packit |
549fdc |
applications, you will need to convert them into a PKCS#12 structure.
|
|
Packit |
549fdc |
This also encrypts the security sensitive key with a password.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
|
|
Packit |
549fdc |
--load-privkey x509-client-key.pem --load-certificate x509-client.pem \
|
|
Packit |
549fdc |
--outder --outfile x509-client.p12
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
For icing, we'll create a proxy certificate for the client too.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ certtool --generate-privkey > x509-proxy-key.pem
|
|
Packit |
549fdc |
$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
|
|
Packit |
549fdc |
$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
|
|
Packit |
549fdc |
--load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
|
|
Packit |
549fdc |
--load-certificate x509-client.pem --template proxy.tmpl \
|
|
Packit |
549fdc |
--outfile x509-proxy.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Then start the server again:
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ gnutls-serv --http \
|
|
Packit |
549fdc |
--x509cafile x509-ca.pem \
|
|
Packit |
549fdc |
--x509keyfile x509-server-key.pem \
|
|
Packit |
549fdc |
--x509certfile x509-server.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Try connecting to the server using your web browser. Note that the
|
|
Packit |
549fdc |
server listens to port 5556 by default.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
While you are at it, to allow connections using ECDSA, you can also
|
|
Packit |
549fdc |
create a ECDSA key and certificate for the server. These credentials
|
|
Packit |
549fdc |
will be used in the final example below.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
$ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem
|
|
Packit |
549fdc |
$ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \
|
|
Packit |
549fdc |
--load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
|
|
Packit |
549fdc |
--template server.tmpl --outfile x509-server-ecc.pem
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
The next step is to add support for SRP authentication. This requires
|
|
Packit |
549fdc |
an SRP password file created with @code{srptool}.
|
|
Packit |
549fdc |
To start the server with SRP support:
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \
|
|
Packit |
549fdc |
--srppasswdconf srp-tpasswd.conf \
|
|
Packit |
549fdc |
--srppasswd srp-passwd.txt
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Let's also start a server with support for PSK. This would require
|
|
Packit |
549fdc |
a password file created with @code{psktool}.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \
|
|
Packit |
549fdc |
--pskpasswd psk-passwd.txt
|
|
Packit |
549fdc |
@end example
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
Finally, we start the server with all the earlier parameters and you
|
|
Packit |
549fdc |
get this command:
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
@example
|
|
Packit |
549fdc |
gnutls-serv --http --priority NORMAL:+PSK:+SRP \
|
|
Packit |
549fdc |
--x509cafile x509-ca.pem \
|
|
Packit |
549fdc |
--x509keyfile x509-server-key.pem \
|
|
Packit |
549fdc |
--x509certfile x509-server.pem \
|
|
Packit |
549fdc |
--x509keyfile x509-server-key-ecc.pem \
|
|
Packit |
549fdc |
--x509certfile x509-server-ecc.pem \
|
|
Packit |
549fdc |
--srppasswdconf srp-tpasswd.conf \
|
|
Packit |
549fdc |
--srppasswd srp-passwd.txt \
|
|
Packit |
549fdc |
--pskpasswd psk-passwd.txt
|
|
Packit |
549fdc |
@end example
|