AutoGen Definitions options;
// Option definitions for gnutls-serv.  The descrip/doc strings below are
// rendered into --help, the gnutls-serv(1) man page and the texinfo manual,
// so they are the user-facing documentation of every option.
prog-name = gnutls-serv;
prog-title = "GnuTLS server";
prog-desc = "Simple server program to act as an HTTPS or TLS echo service.";
short-usage = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
explain = "";
detail = "Server program that listens to incoming TLS connections.";

// Options shared with the other GnuTLS command-line tools (presumably the
// standard --help/--version set) come from args-std.def.
#include args-std.def
// SNI check.  By default a client hello carrying a different server_name
// only earns a warning-level unrecognized_name alert, i.e. the handshake
// still proceeds; --sni-hostname-fatal turns the mismatch into a hard
// failure.
flag = {
    name = sni-hostname;
    descrip = "Server's hostname for server name extension";
    arg-type = string;
    doc = "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.";
};
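flag = {
    name = sni-hostname-fatal;
    descrip = "Send fatal alert on sni-hostname mismatch";
    // Only meaningful together with --sni-hostname.
    doc = "Turn a mismatch between the client's server_name extension and the name given with --sni-hostname into a fatal alert that aborts the handshake, instead of the default warning-level unrecognized_name alert.";
};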
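flag = {
    name = alpn;
    arg-type = string;
    descrip = "Specify ALPN protocol to be enabled by the server";
    doc = "Specify the (textual) ALPN protocol for the server to use. The option may be given more than once to enable several protocols. A client whose ALPN list matches none of them is tolerated unless --alpn-fatal is also given.";
    // stack-arg + NOLIMIT: every occurrence is collected rather than
    // last-one-wins.
    stack-arg;
    max = NOLIMIT;
};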
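flag = {
    name = alpn-fatal;
    descrip = "Send fatal alert on non-matching ALPN name";
    // Only meaningful together with --alpn.
    doc = "Abort the handshake with a fatal alert when the client offers no ALPN protocol matching one of those given with --alpn.";
};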
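flag = {
    name = noticket;
    descrip = "Don't accept session tickets";
    // Tickets are independent of the resumption database (--nodb).
    doc = "Do not accept session tickets presented by clients; resumption through tickets is then unavailable.";
};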
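flag = {
    name = generate;
    value = g;
    descrip = "Generate Diffie-Hellman parameters";
    doc = "Generate fresh Diffie-Hellman parameters when the server starts, instead of loading them from the file given with --dhparams.";
};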
// Verbosity control.  Exactly which messages are suppressed is not
// specified here.
flag = {
    name = quiet;
    value = q;
    descrip = "Suppress some messages";
    doc = "";
};
// Turns off the server-side resumption database (presumably the session
// cache behind session-ID resumption).  Session tickets are a separate
// mechanism, controlled by --noticket.
flag = {
    name = nodb;
    descrip = "Do not use a resumption database";
    doc = "";
};
// Answers HTTP over the TLS connection so a web browser can be pointed at
// the server (see EXAMPLES).  Per prog-desc this is a simple test harness,
// not a general-purpose web server.
flag = {
    name = http;
    descrip = "Act as an HTTP server";
    doc = "";
};
// The "TLS echo service" mode of prog-desc: data received over the TLS
// connection is sent back to the client.
flag = {
    name = echo;
    descrip = "Act as an Echo server";
    doc = "";
};
// DTLS over UDP instead of TLS over TCP; --mtu bounds the datagram size and
// --port selects the UDP port.
flag = {
    name = udp;
    value = u;
    descrip = "Use DTLS (datagram TLS) over UDP";
    doc = "";
};
// Only meaningful together with --udp.  The 0->17000 range is enforced by
// the option parser; what 0 selects (presumably the library default) is not
// documented here.
flag = {
    name = mtu;
    arg-type = number;
    arg-range = "0->17000";
    descrip = "Set MTU for datagram TLS";
    doc = "";
};
// Offers the listed SRTP protection profiles to the client (presumably via
// the use_srtp extension, i.e. DTLS-SRTP).  The syntax of the list is not
// documented here.
flag = {
    name = srtp_profiles;
    arg-type = string;
    descrip = "Offer SRTP profiles";
    doc = "";
};
// With -a the server never asks the client for a certificate, so no client
// authentication can take place.  --require-client-cert and
// --verify-client-cert only make sense without this option.
flag = {
    name = disable-client-cert;
    value = a;
    descrip = "Do not request a client certificate";
    doc = "";
};
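flag = {
    name = require-client-cert;
    value = r;
    descrip = "Require a client certificate";
    // "Require" is presence only; validation is a separate switch.
    doc = "This option before 3.6.0 used to imply --verify-client-cert.
Since 3.6.0 it will no longer verify the certificate by default: any certificate the client presents is accepted unless --verify-client-cert is also given. To enforce client authentication use both options together.";
};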
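flag = {
    name = verify-client-cert;
    // Off by default: without this option a presented client certificate is
    // not validated at all, even when --require-client-cert is given.
    disabled;
    descrip = "If a client certificate is sent then verify it.";
    doc = "Do not require, but if a client certificate is sent then verify it and close the connection if invalid. Verification is disabled by default; combine with --require-client-cert to make client authentication mandatory.";
};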
// Enables the TLS heartbeat extension (RFC 6520); the server then pings the
// client periodically.  Off by default and only needed to exercise clients
// that implement the extension.
flag = {
    name = heartbeat;
    value = b;
    descrip = "Activate heartbeat support";
    doc = "Regularly ping client via heartbeat extension messages";
};
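flag = {
    name = x509fmtder;
    descrip = "Use DER format for certificates to read from";
    doc = "Read the certificates given with the --x509* options in DER rather than PEM format (the EXAMPLES below use PEM).";
};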
// Security note: the EXAMPLES enable anonymous (ANON-DH/ANON-ECDH), SRP and
// PSK suites on top of NORMAL.  Anonymous suites perform no server
// authentication and are for testing only.  --list together with this
// option prints exactly which ciphersuites a given string enables.
flag = {
    name = priority;
    arg-type = string;
    descrip = "Priorities string";
    doc = "TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, SECURE128, SECURE256. The default is NORMAL.

Check the GnuTLS manual on section ``Priority strings'' for more
information on allowed keywords";
};
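flag = {
    name = dhparams;
    arg-type = file;
    // The option parser rejects a non-existent path up front.
    file-exists = yes;
    descrip = "DH params file to use";
    doc = "Load Diffie-Hellman parameters from this file instead of generating them (see --generate).";
};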
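flag = {
    name = x509cafile;
    // arg-type is string (not file) because a PKCS #11 URL is accepted too;
    // a missing file is therefore presumably only detected when loaded.
    arg-type = string;
    // Was "Certificate file or PKCS #11 URL to use", indistinguishable from
    // --x509certfile in --help output.
    descrip = "CA certificate file or PKCS #11 URL to use";
    doc = "Certificate authority certificate(s) used as trust anchors when a client certificate is verified (see --verify-client-cert).";
};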
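flag = {
    name = x509crlfile;
    arg-type = file;
    file-exists = yes;
    descrip = "CRL file to use";
    doc = "Certificate revocation list consulted when a client certificate is verified (see --verify-client-cert).";
    // NOTE(review): no other revocation source appears among these options,
    // so without a CRL a revoked client certificate presumably still passes.
};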
// Deprecated OpenPGP credential option, retained only so that old command
// lines still parse; do not use it for new deployments.
flag = {
    name = pgpkeyfile;
    arg-type = file;
    file-exists = yes;
    descrip = "PGP Key file to use";
    doc = "";
    deprecated;
};
// Pairing rule: each --x509keyfile must be adjacent to its --x509certfile
// (see doc); the EXAMPLES pass an RSA pair and an ECDSA pair this way.
// A PKCS #11 URL lets the private key stay inside the token instead of in
// a file on disk; a key file must be protected accordingly.
flag = {
    name = x509keyfile;
    arg-type = string;
    descrip = "X.509 key file or PKCS #11 URL to use";
    doc = "Specify the private key file or URI to use; it must correspond to
the certificate specified in --x509certfile. Multiple keys and certificates
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding x509certfile or vice-versa.";
    // Collect every occurrence (one per key/certificate pair).
    stack-arg;
    max = NOLIMIT;
};
// Counterpart of --x509keyfile; the same adjacency rule applies (see doc).
// With several pairs the server can present, e.g., an RSA or an ECDSA
// certificate as the EXAMPLES show.
flag = {
    name = x509certfile;
    arg-type = string;
    descrip = "X.509 Certificate file or PKCS #11 URL to use";
    doc = "Specify the certificate file or URI to use; it must correspond to
the key specified in --x509keyfile. Multiple keys and certificates
can be specified with this option and in that case each occurrence of keyfile
must be followed by the corresponding x509certfile or vice-versa.";
    // Collect every occurrence (one per key/certificate pair).
    stack-arg;
    max = NOLIMIT;
};
// Deprecated per-algorithm alias of --x509keyfile.  --x509keyfile already
// accepts several key/certificate pairs (the EXAMPLES pass RSA and ECDSA
// pairs through it), so this spelling is redundant.
flag = {
    name = x509dsakeyfile;
    aliases = x509keyfile;
    descrip = "Alternative X.509 key file or PKCS #11 URL to use";
    deprecated;
};
// Deprecated per-algorithm alias of --x509certfile; see --x509dsakeyfile.
flag = {
    name = x509dsacertfile;
    aliases = x509certfile;
    descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
    deprecated;
};
// Deprecated per-algorithm alias of --x509keyfile.  --x509keyfile already
// accepts several key/certificate pairs (the EXAMPLES pass an ECDSA pair
// through it), so this spelling is redundant.
flag = {
    name = x509ecckeyfile;
    aliases = x509keyfile;
    descrip = "Alternative X.509 key file or PKCS #11 URL to use";
    deprecated;
};
// Deprecated per-algorithm alias of --x509certfile; see --x509ecckeyfile.
flag = {
    name = x509ecccertfile;
    aliases = x509certfile;
    descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
    deprecated;
};
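flag = {
    name = srppasswd;
    arg-type = file;
    file-exists = yes;
    descrip = "SRP password file to use";
    doc = "SRP password file created with srptool; used together with --srppasswdconf (see EXAMPLES).";
    // NOTE(review): this file holds the per-user SRP authentication data, so
    // keep its permissions restrictive.
};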
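flag = {
    name = srppasswdconf;
    arg-type = file;
    file-exists = yes;
    descrip = "SRP password configuration file to use";
    doc = "SRP password configuration file that goes with the --srppasswd file (see EXAMPLES).";
};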
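flag = {
    name = pskpasswd;
    arg-type = file;
    file-exists = yes;
    descrip = "PSK password file to use";
    doc = "PSK password file created with psktool (see EXAMPLES).";
    // NOTE(review): the file contains the pre-shared keys themselves, so it
    // must not be readable by other users.
};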
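flag = {
    name = pskhint;
    arg-type = string;
    descrip = "PSK identity hint to use";
    doc = "The PSK identity hint to send to clients, helping them choose which identity to present.";
    // NOTE(review): the hint is part of the handshake and presumably travels
    // in the clear; it must not contain anything sensitive.
};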
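flag = {
    name = ocsp-response;
    arg-type = file;
    file-exists = yes;
    descrip = "The OCSP response to send to client";
    doc = "If the client requested an OCSP response, return data from this file to the client. The contents are sent as they are, so the file must hold a valid, current response for the server's certificate.";
    // NOTE(review): no refresh mechanism is visible among these options, so
    // the file presumably has to be replaced (and the server restarted)
    // before the response expires.
};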
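flag = {
    name = port;
    value = p;
    arg-type = number;
    // Was "The port to connect to", which is client wording; this program
    // listens (EXAMPLES: "the server listens to port 5556 by default").
    descrip = "The port to listen on";
    doc = "The port to listen on (TCP, or UDP together with --udp). The default is 5556.";
};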
// Useful for auditing a priority string: with --priority only the
// ciphersuites that string actually enables are printed.
flag = {
    name = list;
    value = l;
    descrip = "Print a list of the supported algorithms and modes";
    doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
};
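flag = {
    name = provider;
    arg-type = file;
    file-exists = yes;
    descrip = "Specify the PKCS #11 provider library";
    doc = "Load this PKCS #11 provider module instead of those configured in /etc/gnutls/pkcs11.conf.";
    // NOTE(review): a provider is a shared library loaded into this process
    // and runs with the server's privileges; only use a trusted module from
    // a location that other users cannot write to.
};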
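// Man-page cross references; the tools used in EXAMPLES are listed too.
doc-section = {
    ds-type = 'SEE ALSO';
    ds-format = 'texi';
    ds-text = <<-_EOText_
gnutls-cli-debug(1), gnutls-cli(1), certtool(1), srptool(1), psktool(1)
_EOText_;
};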
</gr_replreplace>

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             

<gr_replace lines="2123-2127" cat="remove_boilerplate" orig="|">
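// Worked examples rendered into the man page and manual.
doc-section = {
    ds-type = 'EXAMPLES';
    ds-format = 'texi';
    ds-text = <<-_EOF_
Running your own TLS server based on GnuTLS can be useful when
debugging clients and/or GnuTLS itself. This section describes how to
use @code{gnutls-serv} as a simple HTTPS server.

The most basic server can be started as:

@example
gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"
@end example

It will only support anonymous ciphersuites, which provide no server
authentication at all (anyone on the network path could impersonate
the server) and which many TLS clients therefore refuse to use. Use
this mode for testing only.

The next step is to add support for X.509. First we generate a CA:

@example
$ certtool --generate-privkey > x509-ca-key.pem
$ echo 'cn = GnuTLS test CA' > ca.tmpl
$ echo 'ca' >> ca.tmpl
$ echo 'cert_signing_key' >> ca.tmpl
$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
  --template ca.tmpl --outfile x509-ca.pem
@end example

The CA private key in @file{x509-ca-key.pem} signs every certificate
issued below. The shell redirection creates it with your current
umask, so make sure it is readable only by you, and keep it off any
host that does not need it.

Then generate a server certificate. Remember to change the dns_name
value to the name of your server host, or skip that command to avoid
the field.

@example
$ certtool --generate-privkey > x509-server-key.pem
$ echo 'organization = GnuTLS test server' > server.tmpl
$ echo 'cn = test.gnutls.org' >> server.tmpl
$ echo 'tls_www_server' >> server.tmpl
$ echo 'encryption_key' >> server.tmpl
$ echo 'signing_key' >> server.tmpl
$ echo 'dns_name = test.gnutls.org' >> server.tmpl
$ certtool --generate-certificate --load-privkey x509-server-key.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template server.tmpl --outfile x509-server.pem
@end example

For use in the client, you may want to generate a client certificate
as well.

@example
$ certtool --generate-privkey > x509-client-key.pem
$ echo 'cn = GnuTLS test client' > client.tmpl
$ echo 'tls_www_client' >> client.tmpl
$ echo 'encryption_key' >> client.tmpl
$ echo 'signing_key' >> client.tmpl
$ certtool --generate-certificate --load-privkey x509-client-key.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template client.tmpl --outfile x509-client.pem
@end example

To be able to import the client key/certificate into some
applications, you will need to convert them into a PKCS#12 structure.
This also encrypts the security sensitive key with a password.

@example
$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
  --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
  --outder --outfile x509-client.p12
@end example

For icing, we'll create a proxy certificate for the client too.

@example
$ certtool --generate-privkey > x509-proxy-key.pem
$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
  --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
  --load-certificate x509-client.pem --template proxy.tmpl \
  --outfile x509-proxy.pem
@end example

Then start the server again:

@example
$ gnutls-serv --http \
  --x509cafile x509-ca.pem \
  --x509keyfile x509-server-key.pem \
  --x509certfile x509-server.pem
@end example

Try connecting to the server using your web browser. Note that the
server listens to port 5556 by default.

Started this way the server asks the client for a certificate but
neither requires nor verifies one; add @code{--require-client-cert}
and @code{--verify-client-cert} to enforce client authentication.

While you are at it, to allow connections using ECDSA, you can also
create a ECDSA key and certificate for the server. These credentials
will be used in the final example below.

@example
$ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem
$ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template server.tmpl --outfile x509-server-ecc.pem
@end example


The next step is to add support for SRP authentication. This requires
an SRP password file created with @code{srptool}.
To start the server with SRP support:

@example
gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \
  --srppasswdconf srp-tpasswd.conf \
  --srppasswd srp-passwd.txt
@end example

Let's also start a server with support for PSK. This would require
a password file created with @code{psktool}.

@example
gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \
  --pskpasswd psk-passwd.txt
@end example

Finally, we start the server with all the earlier parameters and you
get this command:

@example
gnutls-serv --http --priority NORMAL:+PSK:+SRP \
  --x509cafile x509-ca.pem \
  --x509keyfile x509-server-key.pem \
  --x509certfile x509-server.pem \
  --x509keyfile x509-server-key-ecc.pem \
  --x509certfile x509-server-ecc.pem \
  --srppasswdconf srp-tpasswd.conf \
  --srppasswd srp-passwd.txt \
  --pskpasswd psk-passwd.txt
@end example
_EOF_;
};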
|
|
Packit |
549fdc |
|