search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
_gnutls_strdatum_to_buf() will account for NULL input.
[gnutls.git] / src / serv-args.def
blob2132ca898d70255f00b05f35a68af47d7e76ac8f
1 AutoGen Definitions options;
2 prog-name = gnutls-serv;
3 prog-title = "GnuTLS server";
4 prog-desc = "Simple server program to act as an HTTPS or TLS echo service.";
5 short-usage = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
6 explain = "";
7 detail = "Server program that listens to incoming TLS connections.";
8
9 #include args-std.def
10
11 flag = {
12 name = noticket;
13 descrip = "Don't accept session tickets";
14 doc = "";
15 };
16
17 flag = {
18 name = generate;
19 value = g;
20 descrip = "Generate Diffie-Hellman and RSA-export parameters";
21 doc = "";
22 };
23
24 flag = {
25 name = quiet;
26 value = q;
27 descrip = "Suppress some messages";
28 doc = "";
29 };
30
31 flag = {
32 name = nodb;
33 descrip = "Do not use a resumption database";
34 doc = "";
35 };
36
37 flag = {
38 name = http;
39 descrip = "Act as an HTTP server";
40 doc = "";
41 };
42
43 flag = {
44 name = echo;
45 descrip = "Act as an Echo server";
46 doc = "";
47 };
48
49 flag = {
50 name = udp;
51 value = u;
52 descrip = "Use DTLS (datagram TLS) over UDP";
53 doc = "";
54 };
55
56 flag = {
57 name = mtu;
58 arg-type = number;
59 arg-range = "0->17000";
60 descrip = "Set MTU for datagram TLS";
61 doc = "";
62 };
63
64 flag = {
65 name = srtp_profiles;
66 arg-type = string;
67 descrip = "Offer SRTP profiles";
68 doc = "";
69 };
70
71 flag = {
72 name = disable-client-cert;
73 value = a;
74 descrip = "Do not request a client certificate";
75 doc = "";
76 };
77
78 flag = {
79 name = require-client-cert;
80 value = r;
81 descrip = "Require a client certificate";
82 doc = "";
83 };
84
85 flag = {
86 name = heartbeat;
87 value = b;
88 descrip = "Activate heartbeat support";
89 doc = "Regularly ping client via heartbeat extension messages";
90 };
91
92 flag = {
93 name = x509fmtder;
94 descrip = "Use DER format for certificates to read from";
95 doc = "";
96 };
97
98 flag = {
99 name = priority;
100 arg-type = string;
101 descrip = "Priorities string";
102 doc = "TLS algorithms and protocols to enable. You can
103 use predefined sets of ciphersuites such as PERFORMANCE,
104 NORMAL, SECURE128, SECURE256.
105
106 Check the GnuTLS manual on section ``Priority strings'' for more
107 information on allowed keywords";
108 };
109
110 flag = {
111 name = dhparams;
112 arg-type = file;
113 file-exists = yes;
114 descrip = "DH params file to use";
115 doc = "";
116 };
117
118 flag = {
119 name = x509cafile;
120 arg-type = string;
121 descrip = "Certificate file or PKCS #11 URL to use";
122 doc = "";
123 };
124
125 flag = {
126 name = x509crlfile;
127 arg-type = file;
128 file-exists = yes;
129 descrip = "CRL file to use";
130 doc = "";
131 };
132
133 flag = {
134 name = pgpkeyfile;
135 arg-type = file;
136 file-exists = yes;
137 descrip = "PGP Key file to use";
138 doc = "";
139 };
140
141 flag = {
142 name = pgpkeyring;
143 arg-type = file;
144 file-exists = yes;
145 descrip = "PGP Key ring file to use";
146 doc = "";
147 };
148
149 flag = {
150 name = pgpcertfile;
151 arg-type = file;
152 file-exists = yes;
153 descrip = "PGP Public Key (certificate) file to use";
154 doc = "";
155 };
156
157 flag = {
158 name = x509keyfile;
159 arg-type = string;
160 descrip = "X.509 key file or PKCS #11 URL to use";
161 doc = "";
162 };
163
164 flag = {
165 name = x509certfile;
166 arg-type = string;
167 descrip = "X.509 Certificate file or PKCS #11 URL to use";
168 doc = "";
169 };
170
171 flag = {
172 name = x509dsakeyfile;
173 arg-type = string;
174 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
175 doc = "";
176 };
177
178 flag = {
179 name = x509dsacertfile;
180 arg-type = string;
181 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
182 doc = "";
183 };
184
185 flag = {
186 name = x509ecckeyfile;
187 arg-type = string;
188 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
189 doc = "";
190 };
191
192 flag = {
193 name = x509ecccertfile;
194 arg-type = string;
195 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
196 doc = "";
197 };
198
199 flag = {
200 name = pgpsubkey;
201 arg-type = string;
202 descrip = "PGP subkey to use (hex or auto)";
203 doc = "";
204 };
205
206 flag = {
207 name = srppasswd;
208 arg-type = file;
209 file-exists = yes;
210 descrip = "SRP password file to use";
211 doc = "";
212 };
213
214 flag = {
215 name = srppasswdconf;
216 arg-type = file;
217 file-exists = yes;
218 descrip = "SRP password configuration file to use";
219 doc = "";
220 };
221
222 flag = {
223 name = pskpasswd;
224 arg-type = file;
225 file-exists = yes;
226 descrip = "PSK password file to use";
227 doc = "";
228 };
229
230 flag = {
231 name = pskhint;
232 arg-type = string;
233 descrip = "PSK identity hint to use";
234 doc = "";
235 };
236
237 flag = {
238 name = ocsp-response;
239 arg-type = file;
240 file-exists = yes;
241 descrip = "The OCSP response to send to client";
242 doc = "If the client requested an OCSP response, return data from this file to the client.";
243 };
244
245 flag = {
246 name = port;
247 value = p;
248 arg-type = number;
249 descrip = "The port to connect to";
250 doc = "";
251 };
252
253 flag = {
254 name = list;
255 value = l;
256 descrip = "Print a list of the supported algorithms and modes";
257 doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
258 };
259
260 doc-section = {
261 ds-type = 'SEE ALSO'; // or anything else
262 ds-format = 'texi'; // or texi or mdoc format
263 ds-text = <<-_EOText_
264 gnutls-cli-debug(1), gnutls-cli(1)
265 _EOText_;
266 };
267
268 doc-section = {
269 ds-type = 'EXAMPLES';
270 ds-format = 'texi';
271 ds-text = <<-_EOF_
272 Running your own TLS server based on GnuTLS can be useful when
273 debugging clients and/or GnuTLS itself. This section describes how to
274 use @code{gnutls-serv} as a simple HTTPS server.
275
276 The most basic server can be started as:
277
278 @example
279 gnutls-serv --http
280 @end example
281
282 It will only support anonymous ciphersuites, which many TLS clients
283 refuse to use.
284
285 The next step is to add support for X.509. First we generate a CA:
286
287 @example
288 $ certtool --generate-privkey > x509-ca-key.pem
289 $ echo 'cn = GnuTLS test CA' > ca.tmpl
290 $ echo 'ca' >> ca.tmpl
291 $ echo 'cert_signing_key' >> ca.tmpl
292 $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
293 --template ca.tmpl --outfile x509-ca.pem
294 ...
295 @end example
296
297 Then generate a server certificate. Remember to change the dns_name
298 value to the name of your server host, or skip that command to avoid
299 the field.
300
301 @example
302 $ certtool --generate-privkey > x509-server-key.pem
303 $ echo 'organization = GnuTLS test server' > server.tmpl
304 $ echo 'cn = test.gnutls.org' >> server.tmpl
305 $ echo 'tls_www_server' >> server.tmpl
306 $ echo 'encryption_key' >> server.tmpl
307 $ echo 'signing_key' >> server.tmpl
308 $ echo 'dns_name = test.gnutls.org' >> server.tmpl
309 $ certtool --generate-certificate --load-privkey x509-server-key.pem \
310 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
311 --template server.tmpl --outfile x509-server.pem
312 ...
313 @end example
314
315 For use in the client, you may want to generate a client certificate
316 as well.
317
318 @example
319 $ certtool --generate-privkey > x509-client-key.pem
320 $ echo 'cn = GnuTLS test client' > client.tmpl
321 $ echo 'tls_www_client' >> client.tmpl
322 $ echo 'encryption_key' >> client.tmpl
323 $ echo 'signing_key' >> client.tmpl
324 $ certtool --generate-certificate --load-privkey x509-client-key.pem \
325 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
326 --template client.tmpl --outfile x509-client.pem
327 ...
328 @end example
329
330 To be able to import the client key/certificate into some
331 applications, you will need to convert them into a PKCS#12 structure.
332 This also encrypts the security sensitive key with a password.
333
334 @example
335 $ certtool --to-p12 --load-ca-certificate x509-ca.pem \
336 --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
337 --outder --outfile x509-client.p12
338 @end example
339
340 For icing, we'll create a proxy certificate for the client too.
341
342 @example
343 $ certtool --generate-privkey > x509-proxy-key.pem
344 $ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
345 $ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
346 --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
347 --load-certificate x509-client.pem --template proxy.tmpl \
348 --outfile x509-proxy.pem
349 ...
350 @end example
351
352 Then start the server again:
353
354 @example
355 $ gnutls-serv --http \
356 --x509cafile x509-ca.pem \
357 --x509keyfile x509-server-key.pem \
358 --x509certfile x509-server.pem
359 @end example
360
361 Try connecting to the server using your web browser. Note that the
362 server listens to port 5556 by default.
363
364 While you are at it, to allow connections using DSA, you can also
365 create a DSA key and certificate for the server. These credentials
366 will be used in the final example below.
367
368 @example
369 $ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
370 $ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
371 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
372 --template server.tmpl --outfile x509-server-dsa.pem
373 ...
374 @end example
375
376 The next step is to create OpenPGP credentials for the server.
377
378 @example
379 gpg --gen-key
380 ...enter whatever details you want, use 'test.gnutls.org' as name...
381 @end example
382
383 Make a note of the OpenPGP key identifier of the newly generated key,
384 here it was @code{5D1D14D8}. You will need to export the key for
385 GnuTLS to be able to use it.
386
387 @example
388 gpg -a --export 5D1D14D8 > openpgp-server.txt
389 gpg --export 5D1D14D8 > openpgp-server.bin
390 gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
391 gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
392 @end example
393
394 Let's start the server with support for OpenPGP credentials:
395
396 @example
397 gnutls-serv --http \
398 --pgpkeyfile openpgp-server-key.txt \
399 --pgpcertfile openpgp-server.txt
400 @end example
401
402 The next step is to add support for SRP authentication. This requires
403 an SRP password file created with @code{srptool}.
404 To start the server with SRP support:
405
406 @example
407 gnutls-serv --http \
408 --srppasswdconf srp-tpasswd.conf \
409 --srppasswd srp-passwd.txt
410 @end example
411
412 Let's also start a server with support for PSK. This would require
413 a password file created with @code{psktool}.
414
415 @example
416 gnutls-serv --http \
417 --pskpasswd psk-passwd.txt
418 @end example
419
420 Finally, we start the server with all the earlier parameters and you
421 get this command:
422
423 @example
424 gnutls-serv --http \
425 --x509cafile x509-ca.pem \
426 --x509keyfile x509-server-key.pem \
427 --x509certfile x509-server.pem \
428 --x509dsakeyfile x509-server-key-dsa.pem \
429 --x509dsacertfile x509-server-dsa.pem \
430 --pgpkeyfile openpgp-server-key.txt \
431 --pgpcertfile openpgp-server.txt \
432 --srppasswdconf srp-tpasswd.conf \
433 --srppasswd srp-passwd.txt \
434 --pskpasswd psk-passwd.txt
435 @end example
436 _EOF_;
437 };
438
Implementation of the SSL/TLS protocol