search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Increased security levels by adding insecure.
[gnutls.git] / src / serv-args.def
blobe61034e58d2593b906b7ee0ae81458b36af22193
1 AutoGen Definitions options;
2 prog-name = gnutls-serv;
3 prog-title = "GnuTLS server";
4 prog-desc = "Simple server program to act as an HTTPS or TLS echo service.";
5 short-usage = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
6 explain = "";
7 detail = "Server program that listens to incoming TLS connections.";
8
9 #include args-std.def
10
11 flag = {
12 name = noticket;
13 descrip = "Don't accept session tickets";
14 doc = "";
15 };
16
17 flag = {
18 name = generate;
19 value = g;
20 descrip = "Generate Diffie-Hellman and RSA-export parameters";
21 doc = "";
22 };
23
24 flag = {
25 name = quiet;
26 value = q;
27 descrip = "Suppress some messages";
28 doc = "";
29 };
30
31 flag = {
32 name = nodb;
33 descrip = "Do not use a resumption database";
34 doc = "";
35 };
36
37 flag = {
38 name = http;
39 descrip = "Act as an HTTP server";
40 doc = "";
41 };
42
43 flag = {
44 name = echo;
45 descrip = "Act as an Echo server";
46 doc = "";
47 };
48
49 flag = {
50 name = udp;
51 value = u;
52 descrip = "Use DTLS (datagram TLS) over UDP";
53 doc = "";
54 };
55
56 flag = {
57 name = mtu;
58 arg-type = number;
59 arg-range = "0->17000";
60 descrip = "Set MTU for datagram TLS";
61 doc = "";
62 };
63
64 flag = {
65 name = disable-client-cert;
66 value = a;
67 descrip = "Do not request a client certificate";
68 doc = "";
69 };
70
71 flag = {
72 name = require-client-cert;
73 value = r;
74 descrip = "Require a client certificate";
75 doc = "";
76 };
77
78 flag = {
79 name = heartbeat;
80 value = b;
81 descrip = "Activate heartbeat support";
82 doc = "Regularly ping client via heartbeat extension messages";
83 };
84
85 flag = {
86 name = x509fmtder;
87 descrip = "Use DER format for certificates to read from";
88 doc = "";
89 };
90
91 flag = {
92 name = priority;
93 arg-type = string;
94 descrip = "Priorities string";
95 doc = "TLS algorithms and protocols to enable. You can
96 use predefined sets of ciphersuites such as PERFORMANCE,
97 NORMAL, SECURE128, SECURE256.
98
99 Check the GnuTLS manual on section ``Priority strings'' for more
100 information on allowed keywords";
101 };
102
103 flag = {
104 name = dhparams;
105 arg-type = file;
106 file-exists = yes;
107 descrip = "DH params file to use";
108 doc = "";
109 };
110
111 flag = {
112 name = x509cafile;
113 arg-type = string;
114 descrip = "Certificate file or PKCS #11 URL to use";
115 doc = "";
116 };
117
118 flag = {
119 name = x509crlfile;
120 arg-type = file;
121 file-exists = yes;
122 descrip = "CRL file to use";
123 doc = "";
124 };
125
126 flag = {
127 name = pgpkeyfile;
128 arg-type = file;
129 file-exists = yes;
130 descrip = "PGP Key file to use";
131 doc = "";
132 };
133
134 flag = {
135 name = pgpkeyring;
136 arg-type = file;
137 file-exists = yes;
138 descrip = "PGP Key ring file to use";
139 doc = "";
140 };
141
142 flag = {
143 name = pgpcertfile;
144 arg-type = file;
145 file-exists = yes;
146 descrip = "PGP Public Key (certificate) file to use";
147 doc = "";
148 };
149
150 flag = {
151 name = x509keyfile;
152 arg-type = string;
153 descrip = "X.509 key file or PKCS #11 URL to use";
154 doc = "";
155 };
156
157 flag = {
158 name = x509certfile;
159 arg-type = string;
160 descrip = "X.509 Certificate file or PKCS #11 URL to use";
161 doc = "";
162 };
163
164 flag = {
165 name = x509dsakeyfile;
166 arg-type = string;
167 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
168 doc = "";
169 };
170
171 flag = {
172 name = x509dsacertfile;
173 arg-type = string;
174 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
175 doc = "";
176 };
177
178 flag = {
179 name = x509ecckeyfile;
180 arg-type = string;
181 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
182 doc = "";
183 };
184
185 flag = {
186 name = x509ecccertfile;
187 arg-type = string;
188 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
189 doc = "";
190 };
191
192 flag = {
193 name = pgpsubkey;
194 arg-type = string;
195 descrip = "PGP subkey to use (hex or auto)";
196 doc = "";
197 };
198
199 flag = {
200 name = srppasswd;
201 arg-type = file;
202 file-exists = yes;
203 descrip = "SRP password file to use";
204 doc = "";
205 };
206
207 flag = {
208 name = srppasswdconf;
209 arg-type = file;
210 file-exists = yes;
211 descrip = "SRP password configuration file to use";
212 doc = "";
213 };
214
215 flag = {
216 name = pskpasswd;
217 arg-type = file;
218 file-exists = yes;
219 descrip = "PSK password file to use";
220 doc = "";
221 };
222
223 flag = {
224 name = pskhint;
225 arg-type = string;
226 descrip = "PSK identity hint to use";
227 doc = "";
228 };
229
230 flag = {
231 name = port;
232 value = p;
233 arg-type = number;
234 descrip = "The port to connect to";
235 doc = "";
236 };
237
238 flag = {
239 name = list;
240 value = l;
241 descrip = "Print a list of the supported algorithms and modes";
242 doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
243 };
244
245 doc-section = {
246 ds-type = 'SEE ALSO'; // or anything else
247 ds-format = 'texi'; // or texi or mdoc format
248 ds-text = <<-_EOText_
249 gnutls-cli-debug(1), gnutls-cli(1)
250 _EOText_;
251 };
252
253 doc-section = {
254 ds-type = 'EXAMPLES';
255 ds-format = 'texi';
256 ds-text = <<-_EOF_
257 Running your own TLS server based on GnuTLS can be useful when
258 debugging clients and/or GnuTLS itself. This section describes how to
259 use @code{gnutls-serv} as a simple HTTPS server.
260
261 The most basic server can be started as:
262
263 @example
264 gnutls-serv --http
265 @end example
266
267 It will only support anonymous ciphersuites, which many TLS clients
268 refuse to use.
269
270 The next step is to add support for X.509. First we generate a CA:
271
272 @example
273 $ certtool --generate-privkey > x509-ca-key.pem
274 $ echo 'cn = GnuTLS test CA' > ca.tmpl
275 $ echo 'ca' >> ca.tmpl
276 $ echo 'cert_signing_key' >> ca.tmpl
277 $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
278 --template ca.tmpl --outfile x509-ca.pem
279 ...
280 @end example
281
282 Then generate a server certificate. Remember to change the dns_name
283 value to the name of your server host, or skip that command to avoid
284 the field.
285
286 @example
287 $ certtool --generate-privkey > x509-server-key.pem
288 $ echo 'organization = GnuTLS test server' > server.tmpl
289 $ echo 'cn = test.gnutls.org' >> server.tmpl
290 $ echo 'tls_www_server' >> server.tmpl
291 $ echo 'encryption_key' >> server.tmpl
292 $ echo 'signing_key' >> server.tmpl
293 $ echo 'dns_name = test.gnutls.org' >> server.tmpl
294 $ certtool --generate-certificate --load-privkey x509-server-key.pem \
295 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
296 --template server.tmpl --outfile x509-server.pem
297 ...
298 @end example
299
300 For use in the client, you may want to generate a client certificate
301 as well.
302
303 @example
304 $ certtool --generate-privkey > x509-client-key.pem
305 $ echo 'cn = GnuTLS test client' > client.tmpl
306 $ echo 'tls_www_client' >> client.tmpl
307 $ echo 'encryption_key' >> client.tmpl
308 $ echo 'signing_key' >> client.tmpl
309 $ certtool --generate-certificate --load-privkey x509-client-key.pem \
310 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
311 --template client.tmpl --outfile x509-client.pem
312 ...
313 @end example
314
315 To be able to import the client key/certificate into some
316 applications, you will need to convert them into a PKCS#12 structure.
317 This also encrypts the security sensitive key with a password.
318
319 @example
320 $ certtool --to-p12 --load-ca-certificate x509-ca.pem \
321 --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
322 --outder --outfile x509-client.p12
323 @end example
324
325 For icing, we'll create a proxy certificate for the client too.
326
327 @example
328 $ certtool --generate-privkey > x509-proxy-key.pem
329 $ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
330 $ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
331 --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
332 --load-certificate x509-client.pem --template proxy.tmpl \
333 --outfile x509-proxy.pem
334 ...
335 @end example
336
337 Then start the server again:
338
339 @example
340 $ gnutls-serv --http \
341 --x509cafile x509-ca.pem \
342 --x509keyfile x509-server-key.pem \
343 --x509certfile x509-server.pem
344 @end example
345
346 Try connecting to the server using your web browser. Note that the
347 server listens to port 5556 by default.
348
349 While you are at it, to allow connections using DSA, you can also
350 create a DSA key and certificate for the server. These credentials
351 will be used in the final example below.
352
353 @example
354 $ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
355 $ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
356 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
357 --template server.tmpl --outfile x509-server-dsa.pem
358 ...
359 @end example
360
361 The next step is to create OpenPGP credentials for the server.
362
363 @example
364 gpg --gen-key
365 ...enter whatever details you want, use 'test.gnutls.org' as name...
366 @end example
367
368 Make a note of the OpenPGP key identifier of the newly generated key,
369 here it was @code{5D1D14D8}. You will need to export the key for
370 GnuTLS to be able to use it.
371
372 @example
373 gpg -a --export 5D1D14D8 > openpgp-server.txt
374 gpg --export 5D1D14D8 > openpgp-server.bin
375 gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
376 gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
377 @end example
378
379 Let's start the server with support for OpenPGP credentials:
380
381 @example
382 gnutls-serv --http \
383 --pgpkeyfile openpgp-server-key.txt \
384 --pgpcertfile openpgp-server.txt
385 @end example
386
387 The next step is to add support for SRP authentication. This requires
388 an SRP password file created with @code{srptool}.
389 To start the server with SRP support:
390
391 @example
392 gnutls-serv --http \
393 --srppasswdconf srp-tpasswd.conf \
394 --srppasswd srp-passwd.txt
395 @end example
396
397 Let's also start a server with support for PSK. This would require
398 a password file created with @code{psktool}.
399
400 @example
401 gnutls-serv --http \
402 --pskpasswd psk-passwd.txt
403 @end example
404
405 Finally, we start the server with all the earlier parameters and you
406 get this command:
407
408 @example
409 gnutls-serv --http \
410 --x509cafile x509-ca.pem \
411 --x509keyfile x509-server-key.pem \
412 --x509certfile x509-server.pem \
413 --x509dsakeyfile x509-server-key-dsa.pem \
414 --x509dsacertfile x509-server-dsa.pem \
415 --pgpkeyfile openpgp-server-key.txt \
416 --pgpcertfile openpgp-server.txt \
417 --srppasswdconf srp-tpasswd.conf \
418 --srppasswd srp-passwd.txt \
419 --pskpasswd psk-passwd.txt
420 @end example
421 _EOF_;
422 };
423
Implementation of the SSL/TLS protocol