diff options
Diffstat (limited to 'src/serv-args.def')
-rw-r--r-- | src/serv-args.def | 557 |
1 files changed, 0 insertions, 557 deletions
diff --git a/src/serv-args.def b/src/serv-args.def deleted file mode 100644 index ca61801c1e..0000000000 --- a/src/serv-args.def +++ /dev/null @@ -1,557 +0,0 @@ -AutoGen Definitions options; -prog-name = gnutls-serv; -prog-title = "GnuTLS server"; -prog-desc = "Simple server program to act as an HTTPS or TLS echo service."; -short-usage = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n"; -explain = ""; -detail = "Server program that listens to incoming TLS connections."; - -#include args-std.def - -flag = { - name = sni-hostname; - descrip = "Server's hostname for server name extension"; - arg-type = string; - doc = "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert."; -}; - -flag = { - name = sni-hostname-fatal; - descrip = "Send fatal alert on sni-hostname mismatch"; - doc = ""; -}; - -flag = { - name = alpn; - arg-type = string; - descrip = "Specify ALPN protocol to be enabled by the server"; - doc = "Specify the (textual) ALPN protocol for the server to use."; - stack-arg; - max = NOLIMIT; -}; - -flag = { - name = alpn-fatal; - descrip = "Send fatal alert on non-matching ALPN name"; - doc = ""; -}; - -flag = { - name = noticket; - descrip = "Don't accept session tickets"; - doc = ""; -}; - -flag = { - name = earlydata; - descrip = "Accept early data"; - doc = ""; -}; - -flag = { - name = maxearlydata; - arg-type = number; - arg-range = "1->"; - descrip = "The maximum early data size to accept"; - doc = ""; -}; - -flag = { - name = nocookie; - descrip = "Don't require cookie on DTLS sessions"; - doc = ""; -}; - -flag = { - name = generate; - value = g; - descrip = "Generate Diffie-Hellman parameters"; - doc = ""; -}; - -flag = { - name = quiet; - value = q; - descrip = "Suppress some messages"; - doc = ""; -}; - -flag = { - name = nodb; - descrip = "Do not use a resumption database"; - doc = ""; -}; - -flag = { - name = http; - descrip = "Act as an HTTP server"; - doc = ""; -}; - -flag = { - name = echo; - descrip = "Act as an Echo server"; - doc = ""; -}; - -flag = { - name = crlf; - descrip = "Do not replace CRLF by LF in Echo server mode"; - doc = ""; -}; - -flag = { - name = udp; - value = u; - descrip = "Use DTLS (datagram TLS) over UDP"; - doc = ""; -}; - -flag = { - name = mtu; - arg-type = number; - arg-range = "0->17000"; - descrip = "Set MTU for datagram TLS"; - doc = ""; -}; - -flag = { - name = srtp_profiles; - arg-type = string; - descrip = "Offer SRTP profiles"; - doc = ""; -}; - -flag = { - name = disable-client-cert; - value = a; - descrip = "Do not request a client certificate"; - doc = ""; - flags-cant = require-client-cert; -}; - -flag = { - name = require-client-cert; - value = r; - descrip = "Require a client certificate"; - doc = "This option before 3.6.0 used to imply --verify-client-cert. -Since 3.6.0 it will no longer verify the certificate by default."; -}; - -flag = { - name = verify-client-cert; - disabled; - descrip = "If a client certificate is sent then verify it."; - doc = "Do not require, but if a client certificate is sent then verify it and close the connection if invalid."; -}; - -flag = { - name = heartbeat; - value = b; - descrip = "Activate heartbeat support"; - doc = "Regularly ping client via heartbeat extension messages"; -}; - -flag = { - name = x509fmtder; - descrip = "Use DER format for certificates to read from"; - doc = ""; -}; - -flag = { - name = priority; - arg-type = string; - descrip = "Priorities string"; - doc = "TLS algorithms and protocols to enable. You can -use predefined sets of ciphersuites such as PERFORMANCE, -NORMAL, SECURE128, SECURE256. The default is NORMAL. - -Check the GnuTLS manual on section ``Priority strings'' for more -information on allowed keywords"; -}; - -flag = { - name = dhparams; - arg-type = file; - file-exists = yes; - descrip = "DH params file to use"; - doc = ""; -}; - -flag = { - name = x509cafile; - arg-type = string; - descrip = "Certificate file or PKCS #11 URL to use"; - doc = ""; -}; - -flag = { - name = x509crlfile; - arg-type = file; - file-exists = yes; - descrip = "CRL file to use"; - doc = ""; -}; - -flag = { - name = pgpkeyfile; - arg-type = file; - file-exists = yes; - descrip = "PGP Key file to use"; - doc = ""; - deprecated; -}; - - -flag = { - name = x509keyfile; - arg-type = string; - descrip = "X.509 key file or PKCS #11 URL to use"; - doc = "Specify the private key file or URI to use; it must correspond to -the certificate specified in --x509certfile. Multiple keys and certificates -can be specified with this option and in that case each occurrence of keyfile -must be followed by the corresponding x509certfile or vice-versa."; - stack-arg; - max = NOLIMIT; -}; - -flag = { - name = x509certfile; - arg-type = string; - descrip = "X.509 Certificate file or PKCS #11 URL to use"; - doc = "Specify the certificate file or URI to use; it must correspond to -the key specified in --x509keyfile. Multiple keys and certificates -can be specified with this option and in that case each occurrence of keyfile -must be followed by the corresponding x509certfile or vice-versa."; - stack-arg; - max = NOLIMIT; -}; - -flag = { - name = x509dsakeyfile; - aliases = x509keyfile; - descrip = "Alternative X.509 key file or PKCS #11 URL to use"; - deprecated; -}; - -flag = { - name = x509dsacertfile; - aliases = x509certfile; - descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use"; - deprecated; -}; - -flag = { - name = x509ecckeyfile; - aliases = x509keyfile; - descrip = "Alternative X.509 key file or PKCS #11 URL to use"; - deprecated; -}; - -flag = { - name = x509ecccertfile; - aliases = x509certfile; - descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use"; - deprecated; -}; - -flag = { - name = rawpkkeyfile; - arg-type = string; - descrip = "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use"; - doc = "Specify the private key file or URI to use; it must correspond to -the raw public-key specified in --rawpkfile. Multiple key pairs -can be specified with this option and in that case each occurrence of keyfile -must be followed by the corresponding rawpkfile or vice-versa. - -In order to instruct the application to negotiate raw public keys one -must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-* -and CTYPE-SRV-* flags). - -Check the GnuTLS manual on section ``Priority strings'' for more -information on how to set certificate types."; - stack-arg; - max = NOLIMIT; -}; - -flag = { - name = rawpkfile; - arg-type = string; - descrip = "Raw public-key file to use"; - doc = "Specify the raw public-key file to use; it must correspond to -the private key specified in --rawpkkeyfile. Multiple key pairs -can be specified with this option and in that case each occurrence of keyfile -must be followed by the corresponding rawpkfile or vice-versa. - -In order to instruct the application to negotiate raw public keys one -must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-* -and CTYPE-SRV-* flags). - -Check the GnuTLS manual on section ``Priority strings'' for more -information on how to set certificate types."; - stack-arg; - max = NOLIMIT; - flags-must = rawpkkeyfile; -}; - -flag = { - name = srppasswd; - arg-type = file; - file-exists = yes; - descrip = "SRP password file to use"; - doc = ""; -}; - -flag = { - name = srppasswdconf; - arg-type = file; - file-exists = yes; - descrip = "SRP password configuration file to use"; - doc = ""; -}; - -flag = { - name = pskpasswd; - arg-type = file; - file-exists = yes; - descrip = "PSK password file to use"; - doc = ""; -}; - -flag = { - name = pskhint; - arg-type = string; - descrip = "PSK identity hint to use"; - doc = ""; -}; - -flag = { - name = ocsp-response; - arg-type = string; - descrip = "The OCSP response to send to client"; - doc = "If the client requested an OCSP response, return data from this file to the client."; - stack-arg; - max = NOLIMIT; -}; - -flag = { - name = ignore-ocsp-response-errors; - descrip = "Ignore any errors when setting the OCSP response"; - doc = "That option instructs gnutls to not attempt to match the provided OCSP responses with the certificates."; -}; - -flag = { - name = port; - value = p; - arg-type = number; - descrip = "The port to connect to"; - doc = ""; -}; - -flag = { - name = list; - value = l; - descrip = "Print a list of the supported algorithms and modes"; - doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown."; -}; - -flag = { - name = provider; - arg-type = file; - file-exists = yes; - descrip = "Specify the PKCS #11 provider library"; - doc = "This will override the default options in /etc/gnutls/pkcs11.conf"; -}; - -flag = { - name = keymatexport; - arg-type = string; - descrip = "Label used for exporting keying material"; - doc = ""; -}; - -flag = { - name = keymatexportsize; - arg-type = number; - descrip = "Size of the exported keying material"; - doc = ""; -}; - -flag = { - name = recordsize; - arg-type = number; - arg-range = "0->16384"; - descrip = "The maximum record size to advertise"; - doc = ""; -}; - -flag = { - name = httpdata; - arg-type = file; - file-exists = yes; - descrip = "The data used as HTTP response"; - doc = ""; -}; - -doc-section = { - ds-type = 'SEE ALSO'; // or anything else - ds-format = 'texi'; // or texi or mdoc format - ds-text = <<-_EOText_ -gnutls-cli-debug(1), gnutls-cli(1) -_EOText_; -}; - -doc-section = { - ds-type = 'EXAMPLES'; - ds-format = 'texi'; - ds-text = <<-_EOF_ -Running your own TLS server based on GnuTLS can be useful when -debugging clients and/or GnuTLS itself. This section describes how to -use @code{gnutls-serv} as a simple HTTPS server. - -The most basic server can be started as: - -@example -gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH" -@end example - -It will only support anonymous ciphersuites, which many TLS clients -refuse to use. - -The next step is to add support for X.509. First we generate a CA: - -@example -$ certtool --generate-privkey > x509-ca-key.pem -$ echo 'cn = GnuTLS test CA' > ca.tmpl -$ echo 'ca' >> ca.tmpl -$ echo 'cert_signing_key' >> ca.tmpl -$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \ - --template ca.tmpl --outfile x509-ca.pem -@end example - -Then generate a server certificate. Remember to change the dns_name -value to the name of your server host, or skip that command to avoid -the field. - -@example -$ certtool --generate-privkey > x509-server-key.pem -$ echo 'organization = GnuTLS test server' > server.tmpl -$ echo 'cn = test.gnutls.org' >> server.tmpl -$ echo 'tls_www_server' >> server.tmpl -$ echo 'encryption_key' >> server.tmpl -$ echo 'signing_key' >> server.tmpl -$ echo 'dns_name = test.gnutls.org' >> server.tmpl -$ certtool --generate-certificate --load-privkey x509-server-key.pem \ - --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ - --template server.tmpl --outfile x509-server.pem -@end example - -For use in the client, you may want to generate a client certificate -as well. - -@example -$ certtool --generate-privkey > x509-client-key.pem -$ echo 'cn = GnuTLS test client' > client.tmpl -$ echo 'tls_www_client' >> client.tmpl -$ echo 'encryption_key' >> client.tmpl -$ echo 'signing_key' >> client.tmpl -$ certtool --generate-certificate --load-privkey x509-client-key.pem \ - --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ - --template client.tmpl --outfile x509-client.pem -@end example - -To be able to import the client key/certificate into some -applications, you will need to convert them into a PKCS#12 structure. -This also encrypts the security sensitive key with a password. - -@example -$ certtool --to-p12 --load-ca-certificate x509-ca.pem \ - --load-privkey x509-client-key.pem --load-certificate x509-client.pem \ - --outder --outfile x509-client.p12 -@end example - -For icing, we'll create a proxy certificate for the client too. - -@example -$ certtool --generate-privkey > x509-proxy-key.pem -$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl -$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \ - --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \ - --load-certificate x509-client.pem --template proxy.tmpl \ - --outfile x509-proxy.pem -@end example - -Then start the server again: - -@example -$ gnutls-serv --http \ - --x509cafile x509-ca.pem \ - --x509keyfile x509-server-key.pem \ - --x509certfile x509-server.pem -@end example - -Try connecting to the server using your web browser. Note that the -server listens to port 5556 by default. - -While you are at it, to allow connections using ECDSA, you can also -create a ECDSA key and certificate for the server. These credentials -will be used in the final example below. - -@example -$ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem -$ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \ - --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ - --template server.tmpl --outfile x509-server-ecc.pem -@end example - - -The next step is to add support for SRP authentication. This requires -an SRP password file created with @code{srptool}. -To start the server with SRP support: - -@example -gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \ - --srppasswdconf srp-tpasswd.conf \ - --srppasswd srp-passwd.txt -@end example - -Let's also start a server with support for PSK. This would require -a password file created with @code{psktool}. - -@example -gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \ - --pskpasswd psk-passwd.txt -@end example - -If you want a server with support for raw public-keys we can also add these -credentials. Note however that there is no identity information linked to these -keys as is the case with regular x509 certificates. Authentication must be done -via different means. Also we need to explicitly enable raw public-key certificates -via the priority strings. - -@example -gnutls-serv --http --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \ - --rawpkfile srv.rawpk.pem \ - --rawpkkeyfile srv.key.pem -@end example - - -Finally, we start the server with all the earlier parameters and you -get this command: - -@example -gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \ - --x509cafile x509-ca.pem \ - --x509keyfile x509-server-key.pem \ - --x509certfile x509-server.pem \ - --x509keyfile x509-server-key-ecc.pem \ - --x509certfile x509-server-ecc.pem \ - --srppasswdconf srp-tpasswd.conf \ - --srppasswd srp-passwd.txt \ - --pskpasswd psk-passwd.txt \ - --rawpkfile srv.rawpk.pem \ - --rawpkkeyfile srv.key.pem -@end example -_EOF_; -}; - |