gnutls-serv(1)                   User Commands                  gnutls-serv(1)

NAME

       gnutls-serv - GnuTLS server

SYNOPSIS

       gnutls-serv [-flags] [-flag [value]] [--option-name[[=| ]value]]

       All arguments must be options.

DESCRIPTION

       Server program that listens to incoming TLS connections.

OPTIONS

       -d number, --debug=number
              Enable debugging.  This option takes an integer number as its
              argument.  The value of number is constrained to being:
                  in the range  0 through 9999

              Specifies the debug level.

       --sni-hostname=string
              Server's hostname for server name extension.

              Server name of type host_name that the server will recognise as
              its own.  If the server receives a client hello with a different
              name, it will send a warning-level unrecognized_name alert.

       --sni-hostname-fatal
              Send fatal alert on sni-hostname mismatch.

       --alpn=string
              Specify ALPN protocol to be enabled by the server.  This option
              may appear an unlimited number of times.

              Specify the (textual) ALPN protocol for the server to use.

       --alpn-fatal
              Send fatal alert on non-matching ALPN name.

       --noticket
              Don't accept session tickets.

       --earlydata
              Accept early data.

       --maxearlydata=number
              The maximum early data size to accept.  This option takes an
              integer number as its argument.  The value of number is
              constrained to being:
                  in the range  1 through 4294967295

       --nocookie
              Don't require cookie on DTLS sessions.

       -g, --generate
              Generate Diffie-Hellman parameters.

       -q, --quiet
              Suppress some messages.

       --nodb Do not use a resumption database.

       --http Act as an HTTP server.

       --echo Act as an Echo server.

       -u, --udp
              Use DTLS (datagram TLS) over UDP.

       --mtu=number
              Set MTU for datagram TLS.  This option takes an integer number
              as its argument.  The value of number is constrained to being:
                  in the range  0 through 17000

       --srtp-profiles=string
              Offer SRTP profiles.

       -a, --disable-client-cert
              Do not request a client certificate.  This option must not
              appear in combination with any of the following options:
              require-client-cert.

       -r, --require-client-cert
              Require a client certificate.

              This option before 3.6.0 used to imply --verify-client-cert.
              Since 3.6.0 it will no longer verify the certificate by default.

       --verify-client-cert
              If a client certificate is sent then verify it.

              Do not require, but if a client certificate is sent then verify
              it and close the connection if invalid.

       -b, --heartbeat
              Activate heartbeat support.

              Regularly ping client via heartbeat extension messages.

       --x509fmtder
              Use DER format for certificates to read from.

       --priority=string
              Priorities string.

              TLS algorithms and protocols to enable.  You can use predefined
              sets of ciphersuites such as PERFORMANCE, NORMAL, SECURE128,
              SECURE256.  The default is NORMAL.

              Check the GnuTLS manual on section “Priority strings” for more
              information on allowed keywords.

       --dhparams=file
              DH params file to use.

       --x509cafile=string
              Certificate file or PKCS #11 URL to use.

       --x509crlfile=file
              CRL file to use.

       --pgpkeyfile=file
              PGP Key file to use.

              NOTE: THIS OPTION IS DEPRECATED

       --x509keyfile=string
              X.509 key file or PKCS #11 URL to use.  This option may appear
              an unlimited number of times.

              Specify the private key file or URI to use; it must correspond
              to the certificate specified in --x509certfile.  Multiple keys
              and certificates can be specified with this option and in that
              case each occurrence of keyfile must be followed by the
              corresponding x509certfile or vice-versa.

       --x509certfile=string
              X.509 Certificate file or PKCS #11 URL to use.  This option may
              appear an unlimited number of times.

              Specify the certificate file or URI to use; it must correspond
              to the key specified in --x509keyfile.  Multiple keys and
              certificates can be specified with this option and in that case
              each occurrence of keyfile must be followed by the corresponding
              x509certfile or vice-versa.

       --x509dsakeyfile
              This is an alias for the --x509keyfile option.

              NOTE: THIS OPTION IS DEPRECATED

       --x509dsacertfile
              This is an alias for the --x509certfile option.

              NOTE: THIS OPTION IS DEPRECATED

       --x509ecckeyfile
              This is an alias for the --x509keyfile option.

              NOTE: THIS OPTION IS DEPRECATED

       --x509ecccertfile
              This is an alias for the --x509certfile option.

              NOTE: THIS OPTION IS DEPRECATED

       --srppasswd=file
              SRP password file to use.

       --srppasswdconf=file
              SRP password configuration file to use.

       --pskpasswd=file
              PSK password file to use.

       --pskhint=string
              PSK identity hint to use.

       --ocsp-response=string
              The OCSP response to send to client.  This option may appear an
              unlimited number of times.

              If the client requested an OCSP response, return data from this
              file to the client.

       --ignore-ocsp-response-errors
              Ignore any errors when setting the OCSP response.

              This option instructs gnutls not to attempt to match the
              provided OCSP responses with the certificates.

       -p number, --port=number
              The port to connect to.  This option takes an integer number as
              its argument.

       -l, --list
              Print a list of the supported algorithms and modes.

              Print a list of the supported algorithms and modes.  If a
              priority string is given then only the enabled ciphersuites are
              shown.

       --provider=file
              Specify the PKCS #11 provider library.

              This will override the default options in
              /etc/gnutls/pkcs11.conf

       -h, --help
              Display usage information and exit.

       -!, --more-help
              Pass the extended usage information through a pager.

       -v [{v|c|n}], --version [{v|c|n}]
              Output version of program and exit.  The default mode is `v', a
              simple version.  The `c' mode will print copyright information
              and `n' will print the full copyright notice.

EXAMPLES

       Running your own TLS server based on GnuTLS can be useful when
       debugging clients and/or GnuTLS itself.  This section describes how to
       use gnutls-serv as a simple HTTPS server.

       The most basic server can be started as:

           gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"

       It will only support anonymous ciphersuites, which many TLS clients
       refuse to use.

       The next step is to add support for X.509.  First we generate a CA:

           $ certtool --generate-privkey > x509-ca-key.pem
           $ echo 'cn = GnuTLS test CA' > ca.tmpl
           $ echo 'ca' >> ca.tmpl
           $ echo 'cert_signing_key' >> ca.tmpl
           $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
             --template ca.tmpl --outfile x509-ca.pem

       Then generate a server certificate.  Remember to change the dns_name
       value to the name of your server host, or skip that command to avoid
       the field.

           $ certtool --generate-privkey > x509-server-key.pem
           $ echo 'organization = GnuTLS test server' > server.tmpl
           $ echo 'cn = test.gnutls.org' >> server.tmpl
           $ echo 'tls_www_server' >> server.tmpl
           $ echo 'encryption_key' >> server.tmpl
           $ echo 'signing_key' >> server.tmpl
           $ echo 'dns_name = test.gnutls.org' >> server.tmpl
           $ certtool --generate-certificate --load-privkey x509-server-key.pem \
             --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
             --template server.tmpl --outfile x509-server.pem

       For use in the client, you may want to generate a client certificate as
       well.

           $ certtool --generate-privkey > x509-client-key.pem
           $ echo 'cn = GnuTLS test client' > client.tmpl
           $ echo 'tls_www_client' >> client.tmpl
           $ echo 'encryption_key' >> client.tmpl
           $ echo 'signing_key' >> client.tmpl
           $ certtool --generate-certificate --load-privkey x509-client-key.pem \
             --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
             --template client.tmpl --outfile x509-client.pem

       To be able to import the client key/certificate into some applications,
       you will need to convert them into a PKCS#12 structure.  This also
       encrypts the security sensitive key with a password.

           $ certtool --to-p12 --load-ca-certificate x509-ca.pem \
             --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
             --outder --outfile x509-client.p12

       For icing, we'll create a proxy certificate for the client too.

           $ certtool --generate-privkey > x509-proxy-key.pem
           $ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
           $ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
             --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
             --load-certificate x509-client.pem --template proxy.tmpl \
             --outfile x509-proxy.pem

       Then start the server again:

           $ gnutls-serv --http \
             --x509cafile x509-ca.pem \
             --x509keyfile x509-server-key.pem \
             --x509certfile x509-server.pem

       Try connecting to the server using your web browser.  Note that the
       server listens to port 5556 by default.

       While you are at it, to allow connections using ECDSA, you can also
       create an ECDSA key and certificate for the server.  These credentials
       will be used in the final example below.

           $ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem
           $ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \
             --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
             --template server.tmpl --outfile x509-server-ecc.pem

       The next step is to add support for SRP authentication.  This requires
       an SRP password file created with srptool.  To start the server with
       SRP support:

           gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \
             --srppasswdconf srp-tpasswd.conf \
             --srppasswd srp-passwd.txt

       Let's also start a server with support for PSK.  This would require a
       password file created with psktool.

           gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \
             --pskpasswd psk-passwd.txt

       Finally, we start the server with all the earlier parameters and you
       get this command:

           gnutls-serv --http --priority NORMAL:+PSK:+SRP \
             --x509cafile x509-ca.pem \
             --x509keyfile x509-server-key.pem \
             --x509certfile x509-server.pem \
             --x509keyfile x509-server-key-ecc.pem \
             --x509certfile x509-server-ecc.pem \
             --srppasswdconf srp-tpasswd.conf \
             --srppasswd srp-passwd.txt \
             --pskpasswd psk-passwd.txt

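       The X.509 setup from this section, together with the --x509keyfile /
       --x509certfile pairing rule from OPTIONS, as an added shell script.
       This is example code written for this page; it is not part of the
       gnutls-serv man page or of GnuTLS.  It wraps the man page's certtool
       and gnutls-serv invocations in functions: the output directory, the
       server name that goes into cn and dns_name, and the listening port are
       parameters (assumptions; the man page hard-codes test.gnutls.org and
       the default port 5556).  certtool is only invoked when it is installed;
       otherwise the script writes the templates and prints the server
       command line so the steps can be reviewed.

```shell
#!/bin/sh
# Added example, not part of the gnutls-serv man page: the CA / server /
# client setup from EXAMPLES as reusable functions. The directory, server
# name and port are parameters here (assumptions), not values from the page.
set -eu

# Write the certtool templates that the man page builds with echo. The server
# name is used for both cn and dns_name: a client that verifies the server
# certificate checks it against the name it connected to, so a mismatch here
# shows up as a hostname verification failure on the client side.
write_templates() {
    dir=$1
    server_name=$2
    mkdir -p "$dir"
    printf 'cn = GnuTLS test CA\nca\ncert_signing_key\n' > "$dir/ca.tmpl"
    {
        echo "organization = GnuTLS test server"
        echo "cn = $server_name"
        echo "tls_www_server"
        echo "encryption_key"
        echo "signing_key"
        echo "dns_name = $server_name"
    } > "$dir/server.tmpl"
    printf 'cn = GnuTLS test client\ntls_www_client\nencryption_key\nsigning_key\n' \
        > "$dir/client.tmpl"
}

# Run the certtool commands from the man page: test CA, RSA and ECDSA server
# credentials, and one client credential, all in $dir. Runs in a subshell so
# the cd does not leak; with set -e, a failing certtool aborts the whole run.
generate_pki() {
    dir=$1
    (
        cd "$dir"
        certtool --generate-privkey > x509-ca-key.pem
        certtool --generate-self-signed --load-privkey x509-ca-key.pem \
            --template ca.tmpl --outfile x509-ca.pem
        certtool --generate-privkey > x509-server-key.pem
        certtool --generate-certificate --load-privkey x509-server-key.pem \
            --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
            --template server.tmpl --outfile x509-server.pem
        certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem
        certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \
            --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
            --template server.tmpl --outfile x509-server-ecc.pem
        certtool --generate-privkey > x509-client-key.pem
        certtool --generate-certificate --load-privkey x509-client-key.pem \
            --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
            --template client.tmpl --outfile x509-client.pem
    )
}

# Print the gnutls-serv command line for a server that presents both the RSA
# and the ECDSA certificate, answers only for $server_name via SNI, and both
# requires and verifies a client certificate against the test CA (since
# 3.6.0 --require-client-cert alone does not verify). Each --x509keyfile is
# immediately followed by its own --x509certfile, the order the man page
# requires when several key/certificate pairs are given.
server_cmd() {
    dir=$1
    server_name=$2
    port=${3:-5556}
    set -- gnutls-serv --http --port "$port" --sni-hostname "$server_name" \
        --x509cafile "$dir/x509-ca.pem" \
        --x509keyfile "$dir/x509-server-key.pem" --x509certfile "$dir/x509-server.pem" \
        --x509keyfile "$dir/x509-server-key-ecc.pem" --x509certfile "$dir/x509-server-ecc.pem" \
        --require-client-cert --verify-client-cert
    printf '%s ' "$@"
    printf '\n'
}

# Usage: sh make-test-pki.sh DIR SERVER_NAME [PORT]
if [ $# -ge 2 ]; then
    write_templates "$1" "$2"
    if command -v certtool >/dev/null 2>&1; then
        generate_pki "$1"
        echo "credentials written to $1; start the server with:" >&2
    else
        echo "certtool not found; only templates written to $1" >&2
    fi
    server_cmd "$1" "$2" "${3-}"
fi
```

       The printed command is the man page's "start the server again"
       invocation with the ECDSA pair added and client certificates enforced;
       drop --require-client-cert and --verify-client-cert to reproduce the
       browser test in the text, which needs no client certificate.  The
       generated client certificate is what a client presents to pass the
       --verify-client-cert check; the PKCS#12 and proxy steps from the text
       are left out of the script and can be run on the files it produces.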

EXIT STATUS

       One of the following exit values will be returned:

       0  (EXIT_SUCCESS)
              Successful program execution.

       1  (EXIT_FAILURE)
              The operation failed or the command syntax was not valid.

       70  (EX_SOFTWARE)
              libopts had an internal operational error.  Please report it to
              autogen-users@lists.sourceforge.net.  Thank you.

SEE ALSO

       gnutls-cli-debug(1), gnutls-cli(1)

AUTHORS

       Nikos Mavrogiannopoulos, Simon Josefsson and others; see
       /usr/share/doc/gnutls/AUTHORS for a complete list.

       Copyright (C) 2000-2019 Free Software Foundation, and others all rights
       reserved.  This program is released under the terms of the GNU General
       Public License, version 3 or later.

BUGS

       Please send bug reports to: bugs@gnutls.org

NOTES

       This manual page was AutoGen-erated from the gnutls-serv option
       definitions.



3.6.6                             17 Feb 2019                   gnutls-serv(1)