gnutls-serv(1)                   User Commands                   gnutls-serv(1)

NAME
       gnutls-serv - GnuTLS server

SYNOPSIS
       gnutls-serv [-flags] [-flag [value]] [--option-name[[=| ]value]]

       All arguments must be options.

DESCRIPTION
       Server program that listens to incoming TLS connections.

OPTIONS
       -d number, --debug=number
              Enable debugging.  This option takes an integer number as its
              argument.  The value of number is constrained to being:
                  in the range 0 through 9999

              Specifies the debug level.

       --noticket
              Don't accept session tickets.

       -g, --generate
              Generate Diffie-Hellman and RSA-export parameters.

       -q, --quiet
              Suppress some messages.

       --nodb Do not use a resumption database.

       --http Act as an HTTP server.

       --echo Act as an Echo server.

       -u, --udp
              Use DTLS (datagram TLS) over UDP.

       --mtu=number
              Set MTU for datagram TLS.  This option takes an integer number
              as its argument.  The value of number is constrained to being:
                  in the range 0 through 17000

       --srtp-profiles=string
              Offer SRTP profiles.

       -a, --disable-client-cert
              Do not request a client certificate.

       -r, --require-client-cert
              Require a client certificate.

       --verify-client-cert
              If a client certificate is sent then verify it.

              Do not require, but if a client certificate is sent then verify
              it and close the connection if invalid.

       -b, --heartbeat
              Activate heartbeat support.

              Regularly ping client via heartbeat extension messages.

       --x509fmtder
              Use DER format for certificates to read from.

       --priority=string
              Priorities string.

              TLS algorithms and protocols to enable.  You can use predefined
              sets of ciphersuites such as PERFORMANCE, NORMAL, SECURE128,
              SECURE256.  The default is NORMAL.

              Check the GnuTLS manual on section "Priority strings" for more
              information on allowed keywords.

       --dhparams=file
              DH params file to use.

       --x509cafile=string
              Certificate file or PKCS #11 URL to use.

       --x509crlfile=file
              CRL file to use.

       --pgpkeyfile=file
              PGP Key file to use.

       --pgpkeyring=file
              PGP Key ring file to use.

       --pgpcertfile=file
              PGP Public Key (certificate) file to use.

       --x509keyfile=string
              X.509 key file or PKCS #11 URL to use.

       --x509certfile=string
              X.509 Certificate file or PKCS #11 URL to use.

       --x509dsakeyfile=string
              Alternative X.509 key file or PKCS #11 URL to use.

       --x509dsacertfile=string
              Alternative X.509 Certificate file or PKCS #11 URL to use.

       --x509ecckeyfile=string
              Alternative X.509 key file or PKCS #11 URL to use.

       --x509ecccertfile=string
              Alternative X.509 Certificate file or PKCS #11 URL to use.

       --pgpsubkey=string
              PGP subkey to use (hex or auto).

       --srppasswd=file
              SRP password file to use.

       --srppasswdconf=file
              SRP password configuration file to use.

       --pskpasswd=file
              PSK password file to use.

       --pskhint=string
              PSK identity hint to use.

       --ocsp-response=file
              The OCSP response to send to client.

              If the client requested an OCSP response, return data from this
              file to the client.

       -p number, --port=number
              The port to connect to.  This option takes an integer number as
              its argument.

       -l, --list
              Print a list of the supported algorithms and modes.

              Print a list of the supported algorithms and modes.  If a prior‐
              ity string is given then only the enabled ciphersuites are
              shown.

       --provider=file
              Specify the PKCS #11 provider library.

              This will override the default options in
              /etc/gnutls/pkcs11.conf

       -h, --help
              Display usage information and exit.

       -!, --more-help
              Pass the extended usage information through a pager.

       -v [{v|c|n}], --version [{v|c|n}]
              Output version of program and exit.  The default mode is `v', a
              simple version.  The `c' mode will print copyright information
              and `n' will print the full copyright notice.

EXAMPLES
       Running your own TLS server based on GnuTLS can be useful when debug‐
       ging clients and/or GnuTLS itself.  This section describes how to use
       gnutls-serv as a simple HTTPS server.

       The most basic server can be started as:

           gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"

       It will only support anonymous ciphersuites, which many TLS clients
       refuse to use.

       The next step is to add support for X.509.  First we generate a CA:

           $ certtool --generate-privkey > x509-ca-key.pem
           $ echo 'cn = GnuTLS test CA' > ca.tmpl
           $ echo 'ca' >> ca.tmpl
           $ echo 'cert_signing_key' >> ca.tmpl
           $ certtool --generate-self-signed --load-privkey x509-ca-key.pem --template ca.tmpl --outfile x509-ca.pem

       Then generate a server certificate.  Remember to change the dns_name
       value to the name of your server host, or skip that command to avoid
       the field.

           $ certtool --generate-privkey > x509-server-key.pem
           $ echo 'organization = GnuTLS test server' > server.tmpl
           $ echo 'cn = test.gnutls.org' >> server.tmpl
           $ echo 'tls_www_server' >> server.tmpl
           $ echo 'encryption_key' >> server.tmpl
           $ echo 'signing_key' >> server.tmpl
           $ echo 'dns_name = test.gnutls.org' >> server.tmpl
           $ certtool --generate-certificate --load-privkey x509-server-key.pem --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem --template server.tmpl --outfile x509-server.pem

       For use in the client, you may want to generate a client certificate as
       well.

           $ certtool --generate-privkey > x509-client-key.pem
           $ echo 'cn = GnuTLS test client' > client.tmpl
           $ echo 'tls_www_client' >> client.tmpl
           $ echo 'encryption_key' >> client.tmpl
           $ echo 'signing_key' >> client.tmpl
           $ certtool --generate-certificate --load-privkey x509-client-key.pem --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem --template client.tmpl --outfile x509-client.pem

       To be able to import the client key/certificate into some applications,
       you will need to convert them into a PKCS#12 structure.  This also
       encrypts the security sensitive key with a password.

           $ certtool --to-p12 --load-ca-certificate x509-ca.pem --load-privkey x509-client-key.pem --load-certificate x509-client.pem --outder --outfile x509-client.p12

       For icing, we'll create a proxy certificate for the client too.

           $ certtool --generate-privkey > x509-proxy-key.pem
           $ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
           $ certtool --generate-proxy --load-privkey x509-proxy-key.pem --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem --load-certificate x509-client.pem --template proxy.tmpl --outfile x509-proxy.pem

       Then start the server again:

           $ gnutls-serv --http --x509cafile x509-ca.pem --x509keyfile x509-server-key.pem --x509certfile x509-server.pem

       Try connecting to the server using your web browser.  Note that the
       server listens to port 5556 by default.

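       The X.509 steps above as one re-runnable script, with a chain check
       before the server is started (an added example, not code from this man
       page or from the GnuTLS project).  It assumes GnuTLS certtool is in
       PATH and that certtool --verify accepts --load-ca-certificate to verify
       against the generated CA instead of the system trust store; the script
       name pki.sh and the host name passed on the command line are
       placeholders you choose.

```shell
#!/bin/sh
# Added example, not part of the gnutls-serv man page: the X.509 steps from
# EXAMPLES as a re-runnable script, plus a certtool --verify check that the
# server and client certificates chain to the new CA before gnutls-serv uses
# them.  Assumes GnuTLS certtool is in PATH.
set -eu
# Write the three certtool templates into directory $1 for server host $2.
write_templates() {
    dir=$1; host=$2
    printf 'cn = GnuTLS test CA\nca\ncert_signing_key\n' > "$dir/ca.tmpl"
    {
        echo 'organization = GnuTLS test server'
        echo "cn = $host"
        echo 'tls_www_server'
        echo 'encryption_key'
        echo 'signing_key'
        echo "dns_name = $host"
    } > "$dir/server.tmpl"
    printf 'cn = GnuTLS test client\ntls_www_client\nencryption_key\nsigning_key\n' \
        > "$dir/client.tmpl"
}
# Generate the CA, server and client keys and certificates in directory $1.
build_pki() {
    dir=$1
    certtool --generate-privkey > "$dir/x509-ca-key.pem"
    certtool --generate-self-signed --load-privkey "$dir/x509-ca-key.pem" \
        --template "$dir/ca.tmpl" --outfile "$dir/x509-ca.pem"
    for n in server client; do
        certtool --generate-privkey > "$dir/x509-$n-key.pem"
        certtool --generate-certificate --load-privkey "$dir/x509-$n-key.pem" \
            --load-ca-certificate "$dir/x509-ca.pem" \
            --load-ca-privkey "$dir/x509-ca-key.pem" \
            --template "$dir/$n.tmpl" --outfile "$dir/x509-$n.pem"
    done
}
# Verify each issued certificate against the CA alone (not the system trust
# store); returns 1 at the first certificate that does not chain to it.
verify_pki() {
    for n in server client; do
        certtool --verify --load-ca-certificate "$1/x509-ca.pem" \
            --infile "$1/x509-$n.pem" > /dev/null || return 1
    done
}

# Usage: sh pki.sh run [dir] [hostname]
if [ "${1:-}" = run ]; then
    d=${2:-.}; write_templates "$d" "${3:-test.gnutls.org}"
    build_pki "$d" && verify_pki "$d" && echo "x509-*.pem in $d verified"
fi
```

       After a successful run the server is started exactly as above, with the
       x509-*.pem files from the chosen directory.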
       While you are at it, to allow connections using DSA, you can also cre‐
       ate a DSA key and certificate for the server.  These credentials will
       be used in the final example below.

           $ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
           $ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem --template server.tmpl --outfile x509-server-dsa.pem

       The next step is to create OpenPGP credentials for the server.

           gpg --gen-key

       Make a note of the OpenPGP key identifier of the newly generated key,
       here it was 5D1D14D8.  You will need to export the key for GnuTLS to be
       able to use it.

           gpg -a --export 5D1D14D8 > openpgp-server.txt
           gpg --export 5D1D14D8 > openpgp-server.bin
           gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
           gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt

       Let's start the server with support for OpenPGP credentials:

           gnutls-serv --http --priority NORMAL:+CTYPE-OPENPGP --pgpkeyfile openpgp-server-key.txt --pgpcertfile openpgp-server.txt

       The next step is to add support for SRP authentication.  This requires
       an SRP password file created with srptool.  To start the server with
       SRP support:

           gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP --srppasswdconf srp-tpasswd.conf --srppasswd srp-passwd.txt

       Let's also start a server with support for PSK.  This would require a
       password file created with psktool.

           gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK --pskpasswd psk-passwd.txt

       Finally, we start the server with all the earlier parameters and you
       get this command:

           gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-OPENPGP --x509cafile x509-ca.pem --x509keyfile x509-server-key.pem --x509certfile x509-server.pem --x509dsakeyfile x509-server-key-dsa.pem --x509dsacertfile x509-server-dsa.pem --pgpkeyfile openpgp-server-key.txt --pgpcertfile openpgp-server.txt --srppasswdconf srp-tpasswd.conf --srppasswd srp-passwd.txt --pskpasswd psk-passwd.txt

EXIT STATUS
       One of the following exit values will be returned:

       0  (EXIT_SUCCESS)
              Successful program execution.

       1  (EXIT_FAILURE)
              The operation failed or the command syntax was not valid.

       70  (EX_SOFTWARE)
              libopts had an internal operational error.  Please report it to
              autogen-users@lists.sourceforge.net.  Thank you.

SEE ALSO
       gnutls-cli-debug(1), gnutls-cli(1)

AUTHORS
       Nikos Mavrogiannopoulos, Simon Josefsson and others; see
       /usr/share/doc/gnutls/AUTHORS for a complete list.

COPYRIGHT
       Copyright (C) 2000-2018 Free Software Foundation, and others all rights
       reserved.  This program is released under the terms of the GNU General
       Public License, version 3 or later.

BUGS
       Please send bug reports to: bugs@gnutls.org

NOTES
       This manual page was AutoGen-erated from the gnutls-serv option defini‐
       tions.

3.3.29                           16 Feb 2018                    gnutls-serv(1)