doc update
[gnutls.git] / src / serv-args.def
blob2132ca898d70255f00b05f35a68af47d7e76ac8f
1 AutoGen Definitions options;
2 prog-name = gnutls-serv;
3 prog-title = "GnuTLS server";
4 prog-desc = "Simple server program to act as an HTTPS or TLS echo service.";
5 short-usage = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
6 explain = "";
7 detail = "Server program that listens to incoming TLS connections.";
9 #include args-std.def
11 flag = {
12 name = noticket;
13 descrip = "Don't accept session tickets";
14 doc = "";
17 flag = {
18 name = generate;
19 value = g;
20 descrip = "Generate Diffie-Hellman and RSA-export parameters";
21 doc = "";
24 flag = {
25 name = quiet;
26 value = q;
27 descrip = "Suppress some messages";
28 doc = "";
31 flag = {
32 name = nodb;
33 descrip = "Do not use a resumption database";
34 doc = "";
37 flag = {
38 name = http;
39 descrip = "Act as an HTTP server";
40 doc = "";
43 flag = {
44 name = echo;
45 descrip = "Act as an Echo server";
46 doc = "";
49 flag = {
50 name = udp;
51 value = u;
52 descrip = "Use DTLS (datagram TLS) over UDP";
53 doc = "";
56 flag = {
57 name = mtu;
58 arg-type = number;
59 arg-range = "0->17000";
60 descrip = "Set MTU for datagram TLS";
61 doc = "";
64 flag = {
65 name = srtp_profiles;
66 arg-type = string;
67 descrip = "Offer SRTP profiles";
68 doc = "";
71 flag = {
72 name = disable-client-cert;
73 value = a;
74 descrip = "Do not request a client certificate";
75 doc = "";
78 flag = {
79 name = require-client-cert;
80 value = r;
81 descrip = "Require a client certificate";
82 doc = "";
85 flag = {
86 name = heartbeat;
87 value = b;
88 descrip = "Activate heartbeat support";
89 doc = "Regularly ping client via heartbeat extension messages";
92 flag = {
93 name = x509fmtder;
94 descrip = "Use DER format for certificates to read from";
95 doc = "";
98 flag = {
99 name = priority;
100 arg-type = string;
101 descrip = "Priorities string";
102 doc = "TLS algorithms and protocols to enable. You can
103 use predefined sets of ciphersuites such as PERFORMANCE,
104 NORMAL, SECURE128, SECURE256.
106 Check the GnuTLS manual on section ``Priority strings'' for more
107 information on allowed keywords";
110 flag = {
111 name = dhparams;
112 arg-type = file;
113 file-exists = yes;
114 descrip = "DH params file to use";
115 doc = "";
118 flag = {
119 name = x509cafile;
120 arg-type = string;
121 descrip = "Certificate file or PKCS #11 URL to use";
122 doc = "";
125 flag = {
126 name = x509crlfile;
127 arg-type = file;
128 file-exists = yes;
129 descrip = "CRL file to use";
130 doc = "";
133 flag = {
134 name = pgpkeyfile;
135 arg-type = file;
136 file-exists = yes;
137 descrip = "PGP Key file to use";
138 doc = "";
141 flag = {
142 name = pgpkeyring;
143 arg-type = file;
144 file-exists = yes;
145 descrip = "PGP Key ring file to use";
146 doc = "";
149 flag = {
150 name = pgpcertfile;
151 arg-type = file;
152 file-exists = yes;
153 descrip = "PGP Public Key (certificate) file to use";
154 doc = "";
157 flag = {
158 name = x509keyfile;
159 arg-type = string;
160 descrip = "X.509 key file or PKCS #11 URL to use";
161 doc = "";
164 flag = {
165 name = x509certfile;
166 arg-type = string;
167 descrip = "X.509 Certificate file or PKCS #11 URL to use";
168 doc = "";
171 flag = {
172 name = x509dsakeyfile;
173 arg-type = string;
174 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
175 doc = "";
178 flag = {
179 name = x509dsacertfile;
180 arg-type = string;
181 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
182 doc = "";
185 flag = {
186 name = x509ecckeyfile;
187 arg-type = string;
188 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
189 doc = "";
192 flag = {
193 name = x509ecccertfile;
194 arg-type = string;
195 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
196 doc = "";
199 flag = {
200 name = pgpsubkey;
201 arg-type = string;
202 descrip = "PGP subkey to use (hex or auto)";
203 doc = "";
206 flag = {
207 name = srppasswd;
208 arg-type = file;
209 file-exists = yes;
210 descrip = "SRP password file to use";
211 doc = "";
214 flag = {
215 name = srppasswdconf;
216 arg-type = file;
217 file-exists = yes;
218 descrip = "SRP password configuration file to use";
219 doc = "";
222 flag = {
223 name = pskpasswd;
224 arg-type = file;
225 file-exists = yes;
226 descrip = "PSK password file to use";
227 doc = "";
230 flag = {
231 name = pskhint;
232 arg-type = string;
233 descrip = "PSK identity hint to use";
234 doc = "";
237 flag = {
238 name = ocsp-response;
239 arg-type = file;
240 file-exists = yes;
241 descrip = "The OCSP response to send to client";
242 doc = "If the client requested an OCSP response, return data from this file to the client.";
245 flag = {
246 name = port;
247 value = p;
248 arg-type = number;
249 descrip = "The port to connect to";
250 doc = "";
253 flag = {
254 name = list;
255 value = l;
256 descrip = "Print a list of the supported algorithms and modes";
257 doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
260 doc-section = {
261 ds-type = 'SEE ALSO'; // or anything else
262 ds-format = 'texi'; // or texi or mdoc format
263 ds-text = <<-_EOText_
264 gnutls-cli-debug(1), gnutls-cli(1)
265 _EOText_;
268 doc-section = {
269 ds-type = 'EXAMPLES';
270 ds-format = 'texi';
271 ds-text = <<-_EOF_
272 Running your own TLS server based on GnuTLS can be useful when
273 debugging clients and/or GnuTLS itself. This section describes how to
274 use @code{gnutls-serv} as a simple HTTPS server.
276 The most basic server can be started as:
278 @example
279 gnutls-serv --http
280 @end example
282 It will only support anonymous ciphersuites, which many TLS clients
283 refuse to use.
285 The next step is to add support for X.509. First we generate a CA:
287 @example
288 $ certtool --generate-privkey > x509-ca-key.pem
289 $ echo 'cn = GnuTLS test CA' > ca.tmpl
290 $ echo 'ca' >> ca.tmpl
291 $ echo 'cert_signing_key' >> ca.tmpl
292 $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
293 --template ca.tmpl --outfile x509-ca.pem
295 @end example
297 Then generate a server certificate. Remember to change the dns_name
298 value to the name of your server host, or skip that command to avoid
299 the field.
301 @example
302 $ certtool --generate-privkey > x509-server-key.pem
303 $ echo 'organization = GnuTLS test server' > server.tmpl
304 $ echo 'cn = test.gnutls.org' >> server.tmpl
305 $ echo 'tls_www_server' >> server.tmpl
306 $ echo 'encryption_key' >> server.tmpl
307 $ echo 'signing_key' >> server.tmpl
308 $ echo 'dns_name = test.gnutls.org' >> server.tmpl
309 $ certtool --generate-certificate --load-privkey x509-server-key.pem \
310 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
311 --template server.tmpl --outfile x509-server.pem
313 @end example
315 For use in the client, you may want to generate a client certificate
316 as well.
318 @example
319 $ certtool --generate-privkey > x509-client-key.pem
320 $ echo 'cn = GnuTLS test client' > client.tmpl
321 $ echo 'tls_www_client' >> client.tmpl
322 $ echo 'encryption_key' >> client.tmpl
323 $ echo 'signing_key' >> client.tmpl
324 $ certtool --generate-certificate --load-privkey x509-client-key.pem \
325 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
326 --template client.tmpl --outfile x509-client.pem
328 @end example
330 To be able to import the client key/certificate into some
331 applications, you will need to convert them into a PKCS#12 structure.
332 This also encrypts the security sensitive key with a password.
334 @example
335 $ certtool --to-p12 --load-ca-certificate x509-ca.pem \
336 --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
337 --outder --outfile x509-client.p12
338 @end example
340 For icing, we'll create a proxy certificate for the client too.
342 @example
343 $ certtool --generate-privkey > x509-proxy-key.pem
344 $ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
345 $ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
346 --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
347 --load-certificate x509-client.pem --template proxy.tmpl \
348 --outfile x509-proxy.pem
350 @end example
352 Then start the server again:
354 @example
355 $ gnutls-serv --http \
356 --x509cafile x509-ca.pem \
357 --x509keyfile x509-server-key.pem \
358 --x509certfile x509-server.pem
359 @end example
361 Try connecting to the server using your web browser. Note that the
362 server listens to port 5556 by default.
364 While you are at it, to allow connections using DSA, you can also
365 create a DSA key and certificate for the server. These credentials
366 will be used in the final example below.
368 @example
369 $ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
370 $ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
371 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
372 --template server.tmpl --outfile x509-server-dsa.pem
374 @end example
376 The next step is to create OpenPGP credentials for the server.
378 @example
379 gpg --gen-key
380 ...enter whatever details you want, use 'test.gnutls.org' as name...
381 @end example
383 Make a note of the OpenPGP key identifier of the newly generated key,
384 here it was @code{5D1D14D8}. You will need to export the key for
385 GnuTLS to be able to use it.
387 @example
388 gpg -a --export 5D1D14D8 > openpgp-server.txt
389 gpg --export 5D1D14D8 > openpgp-server.bin
390 gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
391 gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
392 @end example
394 Let's start the server with support for OpenPGP credentials:
396 @example
397 gnutls-serv --http \
398 --pgpkeyfile openpgp-server-key.txt \
399 --pgpcertfile openpgp-server.txt
400 @end example
402 The next step is to add support for SRP authentication. This requires
403 an SRP password file created with @code{srptool}.
404 To start the server with SRP support:
406 @example
407 gnutls-serv --http \
408 --srppasswdconf srp-tpasswd.conf \
409 --srppasswd srp-passwd.txt
410 @end example
412 Let's also start a server with support for PSK. This would require
413 a password file created with @code{psktool}.
415 @example
416 gnutls-serv --http \
417 --pskpasswd psk-passwd.txt
418 @end example
420 Finally, we start the server with all the earlier parameters and you
421 get this command:
423 @example
424 gnutls-serv --http \
425 --x509cafile x509-ca.pem \
426 --x509keyfile x509-server-key.pem \
427 --x509certfile x509-server.pem \
428 --x509dsakeyfile x509-server-key-dsa.pem \
429 --x509dsacertfile x509-server-dsa.pem \
430 --pgpkeyfile openpgp-server-key.txt \
431 --pgpcertfile openpgp-server.txt \
432 --srppasswdconf srp-tpasswd.conf \
433 --srppasswd srp-passwd.txt \
434 --pskpasswd psk-passwd.txt
435 @end example
436 _EOF_;