@node gnutls-serv Invocation
@section Invoking gnutls-serv

@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-gnutls-serv.texi)
#
# It has been AutoGen-ed May 9, 2012 at 08:06:12 PM by AutoGen 5.16
# From the definitions ../src/serv-args.def
# and the template file agtexi-cmd.tpl
@end ignore
Server program that listens to incoming TLS connections.

This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-serv} program.
This software is released under the GNU General Public License, version 3 or later.

@anchor{gnutls-serv usage}
@subheading gnutls-serv help/usage (-h)
@cindex gnutls-serv help

This is the automatically generated usage text for gnutls-serv.
The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
the usage text by passing it through a pager program.
@code{more-help} is disabled on platforms without a working
@code{fork(2)} function. The @code{PAGER} environment variable is
used to select the program, defaulting to @file{more}. Both will exit
with a status code of 0.
@example
gnutls-serv - GnuTLS server - Ver. 3.0.21
USAGE:  gnutls-serv [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...

   -d, --debug=num            Enable debugging.
                                - It must be in the range:
       --noticket             Don't accept session tickets
   -g, --generate             Generate Diffie-Hellman and RSA-export parameters
   -q, --quiet                Suppress some messages
       --nodb                 Do not use a resumption database
       --http                 Act as an HTTP server
       --echo                 Act as an Echo server
   -u, --udp                  Use DTLS (datagram TLS) over UDP
       --mtu=num              Set MTU for datagram TLS
                                - It must be in the range:
   -a, --disable-client-cert  Do not request a client certificate
   -r, --require-client-cert  Require a client certificate
       --x509fmtder           Use DER format for certificates to read from
       --priority=str         Priorities string
       --dhparams=file        DH params file to use
       --x509cafile=str       Certificate file or PKCS #11 URL to use
       --x509crlfile=file     CRL file to use
       --pgpkeyfile=file      PGP Key file to use
       --pgpkeyring=file      PGP Key ring file to use
       --pgpcertfile=file     PGP Public Key (certificate) file to use
       --x509keyfile=str      X.509 key file or PKCS #11 URL to use
       --x509certfile=str     X.509 Certificate file or PKCS #11 URL to use
       --x509dsakeyfile=str   Alternative X.509 key file or PKCS #11 URL to use
       --x509dsacertfile=str  Alternative X.509 Certificate file or PKCS #11 URL to use
       --x509ecckeyfile=str   Alternative X.509 key file or PKCS #11 URL to use
       --x509ecccertfile=str  Alternative X.509 Certificate file or PKCS #11 URL to use
       --pgpsubkey=str        PGP subkey to use (hex or auto)
       --srppasswd=file       SRP password file to use
       --srppasswdconf=file   SRP password configuration file to use
       --pskpasswd=file       PSK password file to use
       --pskhint=str          PSK identity hint to use
   -p, --port=num             The port to connect to
   -l, --list                 Print a list of the supported algorithms and modes
   -v, --version[=arg]        Output version information and exit
   -h, --help                 Display extended usage information and exit
   -!, --more-help            Extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.

Server program that listens to incoming TLS connections.

please send bug reports to:  bug-gnutls@@gnu.org
@end example
@anchor{gnutls-serv debug}
@subheading debug option (-d)
@cindex gnutls-serv-debug

This is the ``enable debugging.'' option.
This option takes an argument number.
Specifies the debug level.

@anchor{gnutls-serv priority}
@subheading priority option
@cindex gnutls-serv-priority

This is the ``priorities string'' option.
This option takes an argument string.
TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, SECURE128, SECURE256.

Check the GnuTLS manual on section ``Priority strings'' for more
information on allowed keywords.

@anchor{gnutls-serv list}
@subheading list option (-l)
@cindex gnutls-serv-list

This is the ``print a list of the supported algorithms and modes'' option.
Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.

@anchor{gnutls-serv exit status}
@subheading gnutls-serv exit status
One of the following exit values will be returned:
@table @samp
@item 0 (EXIT_SUCCESS)
Successful program execution.
@item 1 (EXIT_FAILURE)
The operation failed or the command syntax was not valid.
@end table
@anchor{gnutls-serv See Also}
@subheading gnutls-serv See Also
gnutls-cli-debug(1), gnutls-cli(1)

@anchor{gnutls-serv Examples}
@subheading gnutls-serv Examples
Running your own TLS server based on GnuTLS can be useful when
debugging clients and/or GnuTLS itself. This section describes how to
use @code{gnutls-serv} as a simple HTTPS server.

The most basic server can be started as:

It will only support anonymous ciphersuites, which many TLS clients
The next step is to add support for X.509. First we generate a CA:

@example
$ certtool --generate-privkey > x509-ca-key.pem
$ echo 'cn = GnuTLS test CA' > ca.tmpl
$ echo 'ca' >> ca.tmpl
$ echo 'cert_signing_key' >> ca.tmpl
$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
  --template ca.tmpl --outfile x509-ca.pem
@end example
Then generate a server certificate. Remember to change the dns_name
value to the name of your server host, or skip that command to avoid

@example
$ certtool --generate-privkey > x509-server-key.pem
$ echo 'organization = GnuTLS test server' > server.tmpl
$ echo 'cn = test.gnutls.org' >> server.tmpl
$ echo 'tls_www_server' >> server.tmpl
$ echo 'encryption_key' >> server.tmpl
$ echo 'signing_key' >> server.tmpl
$ echo 'dns_name = test.gnutls.org' >> server.tmpl
$ certtool --generate-certificate --load-privkey x509-server-key.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template server.tmpl --outfile x509-server.pem
@end example
For use in the client, you may want to generate a client certificate

@example
$ certtool --generate-privkey > x509-client-key.pem
$ echo 'cn = GnuTLS test client' > client.tmpl
$ echo 'tls_www_client' >> client.tmpl
$ echo 'encryption_key' >> client.tmpl
$ echo 'signing_key' >> client.tmpl
$ certtool --generate-certificate --load-privkey x509-client-key.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template client.tmpl --outfile x509-client.pem
@end example
To be able to import the client key/certificate into some
applications, you will need to convert them into a PKCS#12 structure.
This also encrypts the security-sensitive key with a password.

@example
$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
  --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
  --outder --outfile x509-client.p12
@end example
For icing, we'll create a proxy certificate for the client too.

@example
$ certtool --generate-privkey > x509-proxy-key.pem
$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
  --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
  --load-certificate x509-client.pem --template proxy.tmpl \
  --outfile x509-proxy.pem
@end example
Then start the server again:

@example
$ gnutls-serv --http \
  --x509cafile x509-ca.pem \
  --x509keyfile x509-server-key.pem \
  --x509certfile x509-server.pem
@end example

Try connecting to the server using your web browser. Note that the
server listens to port 5556 by default. The browser will not trust
the test CA until you import x509-ca.pem into its certificate store,
and the dns_name in server.tmpl must match the host name you type in
the URL; otherwise the connection is reported as untrusted.
While you are at it, to allow connections using DSA, you can also
create a DSA key and certificate for the server. These credentials
will be used in the final example below.

@example
$ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
$ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template server.tmpl --outfile x509-server-dsa.pem
@end example
The next step is to create OpenPGP credentials for the server.

@example
...enter whatever details you want, use 'test.gnutls.org' as name...
@end example

Make a note of the OpenPGP key identifier of the newly generated key,
here it was @code{5D1D14D8}. You will need to export the key for
GnuTLS to be able to use it.

@example
gpg -a --export 5D1D14D8 > openpgp-server.txt
gpg --export 5D1D14D8 > openpgp-server.bin
gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
@end example

Let's start the server with support for OpenPGP credentials:

@example
  --pgpkeyfile openpgp-server-key.txt \
  --pgpcertfile openpgp-server.txt
@end example
The next step is to add support for SRP authentication. This requires
an SRP password file created with @code{srptool}.
To start the server with SRP support:

@example
  --srppasswdconf srp-tpasswd.conf \
  --srppasswd srp-passwd.txt
@end example

Let's also start a server with support for PSK. This requires
a password file created with @code{psktool}.

@example
  --pskpasswd psk-passwd.txt
@end example
Finally, we start the server with all the earlier parameters and you

@example
  --x509cafile x509-ca.pem \
  --x509keyfile x509-server-key.pem \
  --x509certfile x509-server.pem \
  --x509dsakeyfile x509-server-key-dsa.pem \
  --x509dsacertfile x509-server-dsa.pem \
  --pgpkeyfile openpgp-server-key.txt \
  --pgpcertfile openpgp-server.txt \
  --srppasswdconf srp-tpasswd.conf \
  --srppasswd srp-passwd.txt \
  --pskpasswd psk-passwd.txt
@end example
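The script below is added here as an illustration; it is not part of the GnuTLS manual or of the gnutls-serv sources. It ties the X.509 steps above together: it generates the CA, server and client credentials with certtool using the same template lines as the manual, starts gnutls-serv as an HTTPS server that requires a client certificate, checks that the server certificate carries the expected dns_name, and fetches a page with gnutls-cli while verifying the server against the test CA. It also passes an explicit priority string (see the priority option above), which is how anonymous ciphersuites are kept out of the offered set. The host name, port, scratch directory and template contents are made-up values, and the script assumes certtool, gnutls-serv and gnutls-cli from GnuTLS 3.0.x on PATH.

```shell
#!/bin/sh
# Added example, not part of the GnuTLS manual or the gnutls-serv sources.
# Builds a throwaway test PKI with certtool, starts gnutls-serv as an HTTPS
# server that requires a client certificate, and checks it with gnutls-cli.
# Assumptions: certtool, gnutls-serv and gnutls-cli (GnuTLS 3.0.x) are on
# PATH; HOST, PORT, WORK and the template contents are made-up values.
set -eu

HOST=${HOST:-localhost}      # name clients connect with; becomes dns_name
PORT=${PORT:-5556}           # gnutls-serv listens on 5556 by default
WORK=${WORK:-./serv-demo}    # scratch directory for keys and certificates

# certtool templates, one option per line (same format as ca.tmpl above)
ca_template() {
  printf '%s\n' 'cn = GnuTLS test CA' 'ca' 'cert_signing_key'
}
server_template() {
  # $1 = host name; tls_www_server plus dns_name let clients verify the name
  printf '%s\n' 'organization = GnuTLS test server' "cn = $1" \
    'tls_www_server' 'encryption_key' 'signing_key' "dns_name = $1"
}
client_template() {
  printf '%s\n' 'cn = GnuTLS test client' 'tls_www_client' \
    'encryption_key' 'signing_key'
}

# Issue a certificate for the private key $1 from template $2, signed by
# the test CA, writing $3.
issue_cert() {
  certtool --generate-certificate --load-privkey "$1" \
    --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem \
    --template "$2" --outfile "$3"
}

setup_pki() {
  certtool --generate-privkey > ca-key.pem
  ca_template > ca.tmpl
  certtool --generate-self-signed --load-privkey ca-key.pem \
    --template ca.tmpl --outfile ca.pem
  certtool --generate-privkey > server-key.pem
  server_template "$HOST" > server.tmpl
  issue_cert server-key.pem server.tmpl server.pem
  certtool --generate-privkey > client-key.pem
  client_template > client.tmpl
  issue_cert client-key.pem client.tmpl client.pem
  chmod 600 ca-key.pem server-key.pem client-key.pem   # keys stay private
}

# Sanity check before deploying: the SAN must carry the name clients use.
cert_has_dns_name() {
  certtool -i --infile "$1" | grep -q "DNSname: $2"
}

# Start the server in the background and print its PID. An explicit
# --priority that does not list ANON-DH offers no anonymous (unauthenticated)
# suites, unlike the bare `gnutls-serv --http` run shown in the manual.
start_server() {
  gnutls-serv --http --port "$PORT" --require-client-cert \
    --priority 'NORMAL:-VERS-SSL3.0:-ARCFOUR-128' \
    --x509cafile ca.pem --x509keyfile server-key.pem \
    --x509certfile server.pem > serv.log 2>&1 &
  echo $!
}

# Fetch / over TLS; gnutls-cli verifies the server chain against ca.pem and
# presents the client certificate that the server now requires.
check_connection() {
  printf 'GET / HTTP/1.0\r\n\r\n' | gnutls-cli --port "$PORT" \
    --x509cafile ca.pem --x509keyfile client-key.pem \
    --x509certfile client.pem "$HOST"
}

main() {
  mkdir -p "$WORK" && cd "$WORK"
  setup_pki
  cert_has_dns_name server.pem "$HOST" \
    || { echo "server.pem lacks dns_name $HOST" >&2; exit 1; }
  pid=$(start_server)
  trap 'kill "$pid" 2>/dev/null' EXIT   # stop the server when we exit
  sleep 1                               # give it time to bind the port
  check_connection
}

# Only run the full flow when invoked as `sh serv-demo.sh run`.
case "${1:-}" in run) main ;; esac
```

Run it as `sh serv-demo.sh run`; invoked without the argument it only defines the functions. The server's own output lands in serv.log under the scratch directory, which is where to look if gnutls-cli reports a handshake failure (a missing client certificate shows up there as a rejected handshake, since --require-client-cert is set).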