search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
bumped version
[gnutls.git] / src / serv-args.def
blob9264d137cf924e689d61149f724277890c7bf823
1 AutoGen Definitions options;
2 prog-name = gnutls-serv;
3 prog-title = "GnuTLS server";
4 prog-desc = "Simple server program to act as an HTTPS or TLS echo service.";
5 short-usage = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
6 explain = "";
7 detail = "Server program that listens to incoming TLS connections.";
8
9 #include args-std.def
10
11 flag = {
12 name = noticket;
13 descrip = "Don't accept session tickets";
14 doc = "";
15 };
16
17 flag = {
18 name = generate;
19 value = g;
20 descrip = "Generate Diffie-Hellman and RSA-export parameters";
21 doc = "";
22 };
23
24 flag = {
25 name = quiet;
26 value = q;
27 descrip = "Suppress some messages";
28 doc = "";
29 };
30
31 flag = {
32 name = nodb;
33 descrip = "Do not use a resumption database";
34 doc = "";
35 };
36
37 flag = {
38 name = http;
39 descrip = "Act as an HTTP server";
40 doc = "";
41 };
42
43 flag = {
44 name = echo;
45 descrip = "Act as an Echo server";
46 doc = "";
47 };
48
49 flag = {
50 name = udp;
51 value = u;
52 descrip = "Use DTLS (datagram TLS) over UDP";
53 doc = "";
54 };
55
56 flag = {
57 name = mtu;
58 arg-type = number;
59 arg-range = "0->17000";
60 descrip = "Set MTU for datagram TLS";
61 doc = "";
62 };
63
64 flag = {
65 name = disable-client-cert;
66 value = a;
67 descrip = "Do not request a client certificate";
68 doc = "";
69 };
70
71 flag = {
72 name = require-client-cert;
73 value = r;
74 descrip = "Require a client certificate";
75 doc = "";
76 };
77
78 flag = {
79 name = x509fmtder;
80 descrip = "Use DER format for certificates to read from";
81 doc = "";
82 };
83
84 flag = {
85 name = priority;
86 arg-type = string;
87 descrip = "Priorities string";
88 doc = "TLS algorithms and protocols to enable. You can
89 use predefined sets of ciphersuites such as PERFORMANCE,
90 NORMAL, SECURE128, SECURE256.
91
92 Check the GnuTLS manual on section ``Priority strings'' for more
93 information on allowed keywords";
94 };
95
96 flag = {
97 name = dhparams;
98 arg-type = file;
99 file-exists = yes;
100 descrip = "DH params file to use";
101 doc = "";
102 };
103
104 flag = {
105 name = x509cafile;
106 arg-type = string;
107 descrip = "Certificate file or PKCS #11 URL to use";
108 doc = "";
109 };
110
111 flag = {
112 name = x509crlfile;
113 arg-type = file;
114 file-exists = yes;
115 descrip = "CRL file to use";
116 doc = "";
117 };
118
119 flag = {
120 name = pgpkeyfile;
121 arg-type = file;
122 file-exists = yes;
123 descrip = "PGP Key file to use";
124 doc = "";
125 };
126
127 flag = {
128 name = pgpkeyring;
129 arg-type = file;
130 file-exists = yes;
131 descrip = "PGP Key ring file to use";
132 doc = "";
133 };
134
135 flag = {
136 name = pgpcertfile;
137 arg-type = file;
138 file-exists = yes;
139 descrip = "PGP Public Key (certificate) file to use";
140 doc = "";
141 };
142
143 flag = {
144 name = x509keyfile;
145 arg-type = string;
146 descrip = "X.509 key file or PKCS #11 URL to use";
147 doc = "";
148 };
149
150 flag = {
151 name = x509certfile;
152 arg-type = string;
153 descrip = "X.509 Certificate file or PKCS #11 URL to use";
154 doc = "";
155 };
156
157 flag = {
158 name = x509dsakeyfile;
159 arg-type = string;
160 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
161 doc = "";
162 };
163
164 flag = {
165 name = x509dsacertfile;
166 arg-type = string;
167 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
168 doc = "";
169 };
170
171 flag = {
172 name = x509ecckeyfile;
173 arg-type = string;
174 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
175 doc = "";
176 };
177
178 flag = {
179 name = x509ecccertfile;
180 arg-type = string;
181 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
182 doc = "";
183 };
184
185 flag = {
186 name = pgpsubkey;
187 arg-type = string;
188 descrip = "PGP subkey to use (hex or auto)";
189 doc = "";
190 };
191
192 flag = {
193 name = srppasswd;
194 arg-type = file;
195 file-exists = yes;
196 descrip = "SRP password file to use";
197 doc = "";
198 };
199
200 flag = {
201 name = srppasswdconf;
202 arg-type = file;
203 file-exists = yes;
204 descrip = "SRP password configuration file to use";
205 doc = "";
206 };
207
208 flag = {
209 name = pskpasswd;
210 arg-type = file;
211 file-exists = yes;
212 descrip = "PSK password file to use";
213 doc = "";
214 };
215
216 flag = {
217 name = pskhint;
218 arg-type = string;
219 descrip = "PSK identity hint to use";
220 doc = "";
221 };
222
223 flag = {
224 name = port;
225 value = p;
226 arg-type = number;
227 descrip = "The port to connect to";
228 doc = "";
229 };
230
231 flag = {
232 name = list;
233 value = l;
234 descrip = "Print a list of the supported algorithms and modes";
235 doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
236 };
237
238 doc-section = {
239 ds-type = 'SEE ALSO'; // or anything else
240 ds-format = 'texi'; // or texi or mdoc format
241 ds-text = <<-_EOText_
242 gnutls-cli-debug(1), gnutls-cli(1)
243 _EOText_;
244 };
245
246 doc-section = {
247 ds-type = 'EXAMPLES';
248 ds-format = 'texi';
249 ds-text = <<-_EOF_
250 Running your own TLS server based on GnuTLS can be useful when
251 debugging clients and/or GnuTLS itself. This section describes how to
252 use @code{gnutls-serv} as a simple HTTPS server.
253
254 The most basic server can be started as:
255
256 @example
257 gnutls-serv --http
258 @end example
259
260 It will only support anonymous ciphersuites, which many TLS clients
261 refuse to use.
262
263 The next step is to add support for X.509. First we generate a CA:
264
265 @example
266 $ certtool --generate-privkey > x509-ca-key.pem
267 $ echo 'cn = GnuTLS test CA' > ca.tmpl
268 $ echo 'ca' >> ca.tmpl
269 $ echo 'cert_signing_key' >> ca.tmpl
270 $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
271 --template ca.tmpl --outfile x509-ca.pem
272 ...
273 @end example
274
275 Then generate a server certificate. Remember to change the dns_name
276 value to the name of your server host, or skip that command to avoid
277 the field.
278
279 @example
280 $ certtool --generate-privkey > x509-server-key.pem
281 $ echo 'organization = GnuTLS test server' > server.tmpl
282 $ echo 'cn = test.gnutls.org' >> server.tmpl
283 $ echo 'tls_www_server' >> server.tmpl
284 $ echo 'encryption_key' >> server.tmpl
285 $ echo 'signing_key' >> server.tmpl
286 $ echo 'dns_name = test.gnutls.org' >> server.tmpl
287 $ certtool --generate-certificate --load-privkey x509-server-key.pem \
288 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
289 --template server.tmpl --outfile x509-server.pem
290 ...
291 @end example
292
293 For use in the client, you may want to generate a client certificate
294 as well.
295
296 @example
297 $ certtool --generate-privkey > x509-client-key.pem
298 $ echo 'cn = GnuTLS test client' > client.tmpl
299 $ echo 'tls_www_client' >> client.tmpl
300 $ echo 'encryption_key' >> client.tmpl
301 $ echo 'signing_key' >> client.tmpl
302 $ certtool --generate-certificate --load-privkey x509-client-key.pem \
303 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
304 --template client.tmpl --outfile x509-client.pem
305 ...
306 @end example
307
308 To be able to import the client key/certificate into some
309 applications, you will need to convert them into a PKCS#12 structure.
310 This also encrypts the security sensitive key with a password.
311
312 @example
313 $ certtool --to-p12 --load-ca-certificate x509-ca.pem \
314 --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
315 --outder --outfile x509-client.p12
316 @end example
317
318 For icing, we'll create a proxy certificate for the client too.
319
320 @example
321 $ certtool --generate-privkey > x509-proxy-key.pem
322 $ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
323 $ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
324 --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
325 --load-certificate x509-client.pem --template proxy.tmpl \
326 --outfile x509-proxy.pem
327 ...
328 @end example
329
330 Then start the server again:
331
332 @example
333 $ gnutls-serv --http \
334 --x509cafile x509-ca.pem \
335 --x509keyfile x509-server-key.pem \
336 --x509certfile x509-server.pem
337 @end example
338
339 Try connecting to the server using your web browser. Note that the
340 server listens to port 5556 by default.
341
342 While you are at it, to allow connections using DSA, you can also
343 create a DSA key and certificate for the server. These credentials
344 will be used in the final example below.
345
346 @example
347 $ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
348 $ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
349 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
350 --template server.tmpl --outfile x509-server-dsa.pem
351 ...
352 @end example
353
354 The next step is to create OpenPGP credentials for the server.
355
356 @example
357 gpg --gen-key
358 ...enter whatever details you want, use 'test.gnutls.org' as name...
359 @end example
360
361 Make a note of the OpenPGP key identifier of the newly generated key,
362 here it was @code{5D1D14D8}. You will need to export the key for
363 GnuTLS to be able to use it.
364
365 @example
366 gpg -a --export 5D1D14D8 > openpgp-server.txt
367 gpg --export 5D1D14D8 > openpgp-server.bin
368 gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
369 gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
370 @end example
371
372 Let's start the server with support for OpenPGP credentials:
373
374 @example
375 gnutls-serv --http \
376 --pgpkeyfile openpgp-server-key.txt \
377 --pgpcertfile openpgp-server.txt
378 @end example
379
380 The next step is to add support for SRP authentication. This requires
381 an SRP password file created with @code{srptool}.
382 To start the server with SRP support:
383
384 @example
385 gnutls-serv --http \
386 --srppasswdconf srp-tpasswd.conf \
387 --srppasswd srp-passwd.txt
388 @end example
389
390 Let's also start a server with support for PSK. This would require
391 a password file created with @code{psktool}.
392
393 @example
394 gnutls-serv --http \
395 --pskpasswd psk-passwd.txt
396 @end example
397
398 Finally, we start the server with all the earlier parameters and you
399 get this command:
400
401 @example
402 gnutls-serv --http \
403 --x509cafile x509-ca.pem \
404 --x509keyfile x509-server-key.pem \
405 --x509certfile x509-server.pem \
406 --x509dsakeyfile x509-server-key-dsa.pem \
407 --x509dsacertfile x509-server-dsa.pem \
408 --pgpkeyfile openpgp-server-key.txt \
409 --pgpcertfile openpgp-server.txt \
410 --srppasswdconf srp-tpasswd.conf \
411 --srppasswd srp-passwd.txt \
412 --pskpasswd psk-passwd.txt
413 @end example
414 _EOF_;
415 };
416
Implementation of the SSL/TLS protocol