search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added gnutls_x509_crl_reason_flags_t.
[gnutls.git] / src / serv-args.def
blobdf196bae11bdcb9b91f89cb8434ed7ef85524fb6
1 AutoGen Definitions options;
2 prog-name = gnutls-serv;
3 prog-title = "GnuTLS server";
4 prog-desc = "Simple server program to act as an HTTPS or TLS echo service.";
5 short-usage = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
6 explain = "";
7 detail = "Server program that listens to incoming TLS connections.";
8
9 #include args-std.def
10
11 flag = {
12 name = noticket;
13 descrip = "Don't accept session tickets";
14 doc = "";
15 };
16
17 flag = {
18 name = generate;
19 value = g;
20 descrip = "Generate Diffie-Hellman and RSA-export parameters";
21 doc = "";
22 };
23
24 flag = {
25 name = quiet;
26 value = q;
27 descrip = "Suppress some messages";
28 doc = "";
29 };
30
31 flag = {
32 name = nodb;
33 descrip = "Do not use a resumption database";
34 doc = "";
35 };
36
37 flag = {
38 name = http;
39 descrip = "Act as an HTTP server";
40 doc = "";
41 };
42
43 flag = {
44 name = echo;
45 descrip = "Act as an Echo server";
46 doc = "";
47 };
48
49 flag = {
50 name = udp;
51 value = u;
52 descrip = "Use DTLS (datagram TLS) over UDP";
53 doc = "";
54 };
55
56 flag = {
57 name = mtu;
58 arg-type = number;
59 arg-range = "0->17000";
60 descrip = "Set MTU for datagram TLS";
61 doc = "";
62 };
63
64 flag = {
65 name = disable-client-cert;
66 value = a;
67 descrip = "Do not request a client certificate";
68 doc = "";
69 };
70
71 flag = {
72 name = require-client-cert;
73 value = r;
74 descrip = "Require a client certificate";
75 doc = "";
76 };
77
78 flag = {
79 name = heartbeat;
80 value = b;
81 descrip = "Activate heartbeat support";
82 doc = "Regularly ping client via heartbeat extension messages";
83 };
84
85 flag = {
86 name = x509fmtder;
87 descrip = "Use DER format for certificates to read from";
88 doc = "";
89 };
90
91 flag = {
92 name = priority;
93 arg-type = string;
94 descrip = "Priorities string";
95 doc = "TLS algorithms and protocols to enable. You can
96 use predefined sets of ciphersuites such as PERFORMANCE,
97 NORMAL, SECURE128, SECURE256.
98
99 Check the GnuTLS manual on section ``Priority strings'' for more
100 information on allowed keywords";
101 };
102
103 flag = {
104 name = dhparams;
105 arg-type = file;
106 file-exists = yes;
107 descrip = "DH params file to use";
108 doc = "";
109 };
110
111 flag = {
112 name = x509cafile;
113 arg-type = string;
114 descrip = "Certificate file or PKCS #11 URL to use";
115 doc = "";
116 };
117
118 flag = {
119 name = x509crlfile;
120 arg-type = file;
121 file-exists = yes;
122 descrip = "CRL file to use";
123 doc = "";
124 };
125
126 flag = {
127 name = pgpkeyfile;
128 arg-type = file;
129 file-exists = yes;
130 descrip = "PGP Key file to use";
131 doc = "";
132 };
133
134 flag = {
135 name = pgpkeyring;
136 arg-type = file;
137 file-exists = yes;
138 descrip = "PGP Key ring file to use";
139 doc = "";
140 };
141
142 flag = {
143 name = pgpcertfile;
144 arg-type = file;
145 file-exists = yes;
146 descrip = "PGP Public Key (certificate) file to use";
147 doc = "";
148 };
149
150 flag = {
151 name = x509keyfile;
152 arg-type = string;
153 descrip = "X.509 key file or PKCS #11 URL to use";
154 doc = "";
155 };
156
157 flag = {
158 name = x509certfile;
159 arg-type = string;
160 descrip = "X.509 Certificate file or PKCS #11 URL to use";
161 doc = "";
162 };
163
164 flag = {
165 name = x509dsakeyfile;
166 arg-type = string;
167 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
168 doc = "";
169 };
170
171 flag = {
172 name = x509dsacertfile;
173 arg-type = string;
174 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
175 doc = "";
176 };
177
178 flag = {
179 name = x509ecckeyfile;
180 arg-type = string;
181 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
182 doc = "";
183 };
184
185 flag = {
186 name = x509ecccertfile;
187 arg-type = string;
188 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
189 doc = "";
190 };
191
192 flag = {
193 name = pgpsubkey;
194 arg-type = string;
195 descrip = "PGP subkey to use (hex or auto)";
196 doc = "";
197 };
198
199 flag = {
200 name = srppasswd;
201 arg-type = file;
202 file-exists = yes;
203 descrip = "SRP password file to use";
204 doc = "";
205 };
206
207 flag = {
208 name = srppasswdconf;
209 arg-type = file;
210 file-exists = yes;
211 descrip = "SRP password configuration file to use";
212 doc = "";
213 };
214
215 flag = {
216 name = pskpasswd;
217 arg-type = file;
218 file-exists = yes;
219 descrip = "PSK password file to use";
220 doc = "";
221 };
222
223 flag = {
224 name = pskhint;
225 arg-type = string;
226 descrip = "PSK identity hint to use";
227 doc = "";
228 };
229
230 flag = {
231 name = ocsp-response;
232 arg-type = file;
233 file-exists = yes;
234 descrip = "The OCSP response to send to client";
235 doc = "If the client requested an OCSP response, return data from this file to the client.";
236 };
237
238 flag = {
239 name = port;
240 value = p;
241 arg-type = number;
242 descrip = "The port to connect to";
243 doc = "";
244 };
245
246 flag = {
247 name = list;
248 value = l;
249 descrip = "Print a list of the supported algorithms and modes";
250 doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
251 };
252
253 doc-section = {
254 ds-type = 'SEE ALSO'; // or anything else
255 ds-format = 'texi'; // or texi or mdoc format
256 ds-text = <<-_EOText_
257 gnutls-cli-debug(1), gnutls-cli(1)
258 _EOText_;
259 };
260
261 doc-section = {
262 ds-type = 'EXAMPLES';
263 ds-format = 'texi';
264 ds-text = <<-_EOF_
265 Running your own TLS server based on GnuTLS can be useful when
266 debugging clients and/or GnuTLS itself. This section describes how to
267 use @code{gnutls-serv} as a simple HTTPS server.
268
269 The most basic server can be started as:
270
271 @example
272 gnutls-serv --http
273 @end example
274
275 It will only support anonymous ciphersuites, which many TLS clients
276 refuse to use.
277
278 The next step is to add support for X.509. First we generate a CA:
279
280 @example
281 $ certtool --generate-privkey > x509-ca-key.pem
282 $ echo 'cn = GnuTLS test CA' > ca.tmpl
283 $ echo 'ca' >> ca.tmpl
284 $ echo 'cert_signing_key' >> ca.tmpl
285 $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
286 --template ca.tmpl --outfile x509-ca.pem
287 ...
288 @end example
289
290 Then generate a server certificate. Remember to change the dns_name
291 value to the name of your server host, or skip that command to avoid
292 the field.
293
294 @example
295 $ certtool --generate-privkey > x509-server-key.pem
296 $ echo 'organization = GnuTLS test server' > server.tmpl
297 $ echo 'cn = test.gnutls.org' >> server.tmpl
298 $ echo 'tls_www_server' >> server.tmpl
299 $ echo 'encryption_key' >> server.tmpl
300 $ echo 'signing_key' >> server.tmpl
301 $ echo 'dns_name = test.gnutls.org' >> server.tmpl
302 $ certtool --generate-certificate --load-privkey x509-server-key.pem \
303 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
304 --template server.tmpl --outfile x509-server.pem
305 ...
306 @end example
307
308 For use in the client, you may want to generate a client certificate
309 as well.
310
311 @example
312 $ certtool --generate-privkey > x509-client-key.pem
313 $ echo 'cn = GnuTLS test client' > client.tmpl
314 $ echo 'tls_www_client' >> client.tmpl
315 $ echo 'encryption_key' >> client.tmpl
316 $ echo 'signing_key' >> client.tmpl
317 $ certtool --generate-certificate --load-privkey x509-client-key.pem \
318 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
319 --template client.tmpl --outfile x509-client.pem
320 ...
321 @end example
322
323 To be able to import the client key/certificate into some
324 applications, you will need to convert them into a PKCS#12 structure.
325 This also encrypts the security sensitive key with a password.
326
327 @example
328 $ certtool --to-p12 --load-ca-certificate x509-ca.pem \
329 --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
330 --outder --outfile x509-client.p12
331 @end example
332
333 For icing, we'll create a proxy certificate for the client too.
334
335 @example
336 $ certtool --generate-privkey > x509-proxy-key.pem
337 $ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
338 $ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
339 --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
340 --load-certificate x509-client.pem --template proxy.tmpl \
341 --outfile x509-proxy.pem
342 ...
343 @end example
344
345 Then start the server again:
346
347 @example
348 $ gnutls-serv --http \
349 --x509cafile x509-ca.pem \
350 --x509keyfile x509-server-key.pem \
351 --x509certfile x509-server.pem
352 @end example
353
354 Try connecting to the server using your web browser. Note that the
355 server listens to port 5556 by default.
356
357 While you are at it, to allow connections using DSA, you can also
358 create a DSA key and certificate for the server. These credentials
359 will be used in the final example below.
360
361 @example
362 $ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
363 $ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
364 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
365 --template server.tmpl --outfile x509-server-dsa.pem
366 ...
367 @end example
368
369 The next step is to create OpenPGP credentials for the server.
370
371 @example
372 gpg --gen-key
373 ...enter whatever details you want, use 'test.gnutls.org' as name...
374 @end example
375
376 Make a note of the OpenPGP key identifier of the newly generated key,
377 here it was @code{5D1D14D8}. You will need to export the key for
378 GnuTLS to be able to use it.
379
380 @example
381 gpg -a --export 5D1D14D8 > openpgp-server.txt
382 gpg --export 5D1D14D8 > openpgp-server.bin
383 gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
384 gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
385 @end example
386
387 Let's start the server with support for OpenPGP credentials:
388
389 @example
390 gnutls-serv --http \
391 --pgpkeyfile openpgp-server-key.txt \
392 --pgpcertfile openpgp-server.txt
393 @end example
394
395 The next step is to add support for SRP authentication. This requires
396 an SRP password file created with @code{srptool}.
397 To start the server with SRP support:
398
399 @example
400 gnutls-serv --http \
401 --srppasswdconf srp-tpasswd.conf \
402 --srppasswd srp-passwd.txt
403 @end example
404
405 Let's also start a server with support for PSK. This would require
406 a password file created with @code{psktool}.
407
408 @example
409 gnutls-serv --http \
410 --pskpasswd psk-passwd.txt
411 @end example
412
413 Finally, we start the server with all the earlier parameters and you
414 get this command:
415
416 @example
417 gnutls-serv --http \
418 --x509cafile x509-ca.pem \
419 --x509keyfile x509-server-key.pem \
420 --x509certfile x509-server.pem \
421 --x509dsakeyfile x509-server-key-dsa.pem \
422 --x509dsacertfile x509-server-dsa.pem \
423 --pgpkeyfile openpgp-server-key.txt \
424 --pgpcertfile openpgp-server.txt \
425 --srppasswdconf srp-tpasswd.conf \
426 --srppasswd srp-passwd.txt \
427 --pskpasswd psk-passwd.txt
428 @end example
429 _EOF_;
430 };
431
Implementation of the SSL/TLS protocol