gnutls-serv(1)                   User Commands                  gnutls-serv(1)



NAME
       gnutls-serv - GnuTLS server

SYNOPSIS
       gnutls-serv [-flags] [-flag [value]] [--option-name[[=| ]value]]

       All arguments must be options.

DESCRIPTION
       Server program that listens to incoming TLS connections.

OPTIONS
       -d number, --debug=number
              Enable debugging.  This option takes an integer number as its
              argument.  The value of number is constrained to being:
                  in the range 0 through 9999

              Specifies the debug level.

       --sni-hostname=string
              Server's hostname for server name extension.

              Server name of type host_name that the server will recognise as
              its own.  If the server receives a client hello with a different
              name, it will send a warning-level unrecognized_name alert.

       --sni-hostname-fatal
              Send fatal alert on sni-hostname mismatch.

       --alpn=string
              Specify ALPN protocol to be enabled by the server.  This option
              may appear an unlimited number of times.

              Specify the (textual) ALPN protocol for the server to use.

       --alpn-fatal
              Send fatal alert on non-matching ALPN name.

       --noticket
              Don't accept session tickets.

       --earlydata
              Accept early data.

       --maxearlydata=number
              The maximum early data size to accept.  This option takes an
              integer number as its argument.  The value of number is
              constrained to being:
                  greater than or equal to 1

       --nocookie
              Don't require cookie on DTLS sessions.

       -g, --generate
              Generate Diffie-Hellman parameters.

       -q, --quiet
              Suppress some messages.

       --nodb Do not use a resumption database.

       --http Act as an HTTP server.

       --echo Act as an Echo server.

       --crlf Do not replace CRLF by LF in Echo server mode.

       -u, --udp
              Use DTLS (datagram TLS) over UDP.

       --mtu=number
              Set MTU for datagram TLS.  This option takes an integer number
              as its argument.  The value of number is constrained to being:
                  in the range 0 through 17000

       --srtp-profiles=string
              Offer SRTP profiles.

       -a, --disable-client-cert
              Do not request a client certificate.  This option must not
              appear in combination with any of the following options:
              require-client-cert.

       -r, --require-client-cert
              Require a client certificate.

              This option before 3.6.0 used to imply --verify-client-cert.
              Since 3.6.0 it will no longer verify the certificate by default.

       --verify-client-cert
              If a client certificate is sent then verify it.

              Do not require, but if a client certificate is sent then verify
              it and close the connection if invalid.

       -b, --heartbeat
              Activate heartbeat support.

              Regularly ping client via heartbeat extension messages.

       --x509fmtder
              Use DER format for certificates to read from.

       --priority=string
              Priorities string.

              TLS algorithms and protocols to enable.  You can use predefined
              sets of ciphersuites such as PERFORMANCE, NORMAL, SECURE128,
              SECURE256.  The default is NORMAL.

              Check the GnuTLS manual on section “Priority strings” for more
              information on allowed keywords.

       --dhparams=file
              DH params file to use.

       --x509cafile=string
              Certificate file or PKCS #11 URL to use.

       --x509crlfile=file
              CRL file to use.

       --pgpkeyfile=file
              PGP Key file to use.

              NOTE: THIS OPTION IS DEPRECATED

       --x509keyfile=string
              X.509 key file or PKCS #11 URL to use.  This option may appear
              an unlimited number of times.

              Specify the private key file or URI to use; it must correspond
              to the certificate specified in --x509certfile.  Multiple keys
              and certificates can be specified with this option and in that
              case each occurrence of keyfile must be followed by the
              corresponding x509certfile or vice-versa.

       --x509certfile=string
              X.509 Certificate file or PKCS #11 URL to use.  This option may
              appear an unlimited number of times.

              Specify the certificate file or URI to use; it must correspond
              to the key specified in --x509keyfile.  Multiple keys and
              certificates can be specified with this option and in that case
              each occurrence of keyfile must be followed by the corresponding
              x509certfile or vice-versa.
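
       The pairing rule above (each --x509keyfile followed by its
       --x509certfile, likewise --rawpkkeyfile/--rawpkfile) and the
       --disable-client-cert/--require-client-cert exclusion are easy to get
       wrong in a long command line.  The following wrapper is an added
       example, not part of this manual page or of GnuTLS: it scans the
       argument list for those constraints before handing it to gnutls-serv.
       The list of value-taking options inside takes_value is copied from the
       OPTIONS section of this page; unrelated options between a key and its
       certificate are ignored, only the order of the credential options is
       checked.

```shell
#!/bin/sh
# Added pre-flight check for gnutls-serv argument lists (example code, not
# part of the man page or of GnuTLS). It enforces two rules stated in
# OPTIONS: every --x509keyfile must be followed by its --x509certfile (or
# vice versa, same for --rawpkkeyfile/--rawpkfile), and --disable-client-cert
# must not be combined with --require-client-cert.

# takes_value OPT: succeeds if OPT consumes the next word as its value (the
# value-taking options listed in this man page), so that a value is never
# mistaken for an option name while scanning.
takes_value() {
    case "$1" in
        -d|--debug|--sni-hostname|--alpn|--maxearlydata|--mtu|--srtp-profiles|\
        --priority|--dhparams|--x509cafile|--x509crlfile|--pgpkeyfile|\
        --x509keyfile|--x509certfile|--x509dsakeyfile|--x509dsacertfile|\
        --x509ecckeyfile|--x509ecccertfile|--rawpkkeyfile|--rawpkfile|\
        --srppasswd|--srppasswdconf|--pskpasswd|--pskhint|--ocsp-response|\
        -p|--port|--provider|--keymatexport|--keymatexportsize|--recordsize|\
        --httpdata) return 0 ;;
        *) return 1 ;;
    esac
}

# canon_of OPT: canonical name of a credential option (the deprecated aliases
# fold into --x509keyfile/--x509certfile); empty for anything else.
canon_of() {
    case "$1" in
        --x509keyfile|--x509dsakeyfile|--x509ecckeyfile)    printf '%s\n' --x509keyfile ;;
        --x509certfile|--x509dsacertfile|--x509ecccertfile) printf '%s\n' --x509certfile ;;
        --rawpkkeyfile|--rawpkfile) printf '%s\n' "$1" ;;
        *) printf '' ;;
    esac
}

# partner_of CANON: the credential option that must follow CANON.
partner_of() {
    case "$1" in
        --x509keyfile)  printf '%s\n' --x509certfile ;;
        --x509certfile) printf '%s\n' --x509keyfile ;;
        --rawpkkeyfile) printf '%s\n' --rawpkfile ;;
        --rawpkfile)    printf '%s\n' --rawpkkeyfile ;;
    esac
}

# check_serv_args ARGS...: returns 0 when the credential options pair up in
# order and the client-certificate options do not clash; otherwise prints the
# first problem to stderr and returns 1.
check_serv_args() {
    expect=""      # canonical option needed to close the currently open pair
    skip=0         # 1 while the current word is the value of the previous option
    disable=0; require=0
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        name=$arg
        case "$arg" in --*=*) name=${arg%%=*} ;; esac   # "--opt=value" form
        if [ "$name" = "$arg" ] && takes_value "$name"; then
            skip=1                                       # "--opt value" form
        fi
        case "$name" in
            -a|--disable-client-cert) disable=1 ;;
            -r|--require-client-cert) require=1 ;;
        esac
        cred=$(canon_of "$name")
        [ -n "$cred" ] || continue
        if [ -n "$expect" ]; then
            if [ "$cred" != "$expect" ]; then
                echo "error: expected $expect before another $cred" >&2
                return 1
            fi
            expect=""
        else
            expect=$(partner_of "$cred")
        fi
    done
    if [ -n "$expect" ]; then
        echo "error: last credential option is missing its $expect" >&2
        return 1
    fi
    if [ "$disable" -eq 1 ] && [ "$require" -eq 1 ]; then
        echo "error: --disable-client-cert cannot be combined with --require-client-cert" >&2
        return 1
    fi
    return 0
}

# run_serv ARGS...: validate, then start gnutls-serv with the same arguments.
run_serv() {
    check_serv_args "$@" || return 1
    gnutls-serv "$@"
}

# With no arguments (for instance when sourced) the script only defines the
# functions; otherwise it forwards the arguments to gnutls-serv after checking.
[ "$#" -eq 0 ] || run_serv "$@"
```

       Save it as, say, serv-check.sh and run it in place of gnutls-serv with
       the same arguments; a mispaired key/certificate list or a clashing
       client-certificate option is reported on stderr and the server is
       never started.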

       --x509dsakeyfile
              This is an alias for the --x509keyfile option.

              NOTE: THIS OPTION IS DEPRECATED

       --x509dsacertfile
              This is an alias for the --x509certfile option.

              NOTE: THIS OPTION IS DEPRECATED

       --x509ecckeyfile
              This is an alias for the --x509keyfile option.

              NOTE: THIS OPTION IS DEPRECATED

       --x509ecccertfile
              This is an alias for the --x509certfile option.

              NOTE: THIS OPTION IS DEPRECATED

       --rawpkkeyfile=string
              Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use.
              This option may appear an unlimited number of times.

              Specify the private key file or URI to use; it must correspond
              to the raw public-key specified in --rawpkfile.  Multiple key
              pairs can be specified with this option and in that case each
              occurrence of keyfile must be followed by the corresponding
              rawpkfile or vice-versa.

              In order to instruct the application to negotiate raw public
              keys one must enable the respective certificate types via the
              priority strings (i.e. CTYPE-CLI-* and CTYPE-SRV-* flags).

              Check the GnuTLS manual on section “Priority strings” for more
              information on how to set certificate types.

       --rawpkfile=string
              Raw public-key file to use.  This option may appear an unlimited
              number of times.  This option must appear in combination with
              the following options: rawpkkeyfile.

              Specify the raw public-key file to use; it must correspond to
              the private key specified in --rawpkkeyfile.  Multiple key pairs
              can be specified with this option and in that case each
              occurrence of keyfile must be followed by the corresponding
              rawpkfile or vice-versa.

              In order to instruct the application to negotiate raw public
              keys one must enable the respective certificate types via the
              priority strings (i.e. CTYPE-CLI-* and CTYPE-SRV-* flags).

              Check the GnuTLS manual on section “Priority strings” for more
              information on how to set certificate types.

       --srppasswd=file
              SRP password file to use.

       --srppasswdconf=file
              SRP password configuration file to use.

       --pskpasswd=file
              PSK password file to use.

       --pskhint=string
              PSK identity hint to use.

       --ocsp-response=string
              The OCSP response to send to client.  This option may appear an
              unlimited number of times.

              If the client requested an OCSP response, return data from this
              file to the client.

       --ignore-ocsp-response-errors
              Ignore any errors when setting the OCSP response.

              That option instructs gnutls to not attempt to match the
              provided OCSP responses with the certificates.

       -p number, --port=number
              The port to connect to.  This option takes an integer number as
              its argument.

       -l, --list
              Print a list of the supported algorithms and modes.

              Print a list of the supported algorithms and modes.  If a
              priority string is given then only the enabled ciphersuites are
              shown.

       --provider=file
              Specify the PKCS #11 provider library.

              This will override the default options in
              /etc/gnutls/pkcs11.conf

       --keymatexport=string
              Label used for exporting keying material.

       --keymatexportsize=number
              Size of the exported keying material.  This option takes an
              integer number as its argument.

       --recordsize=number
              The maximum record size to advertise.  This option takes an
              integer number as its argument.  The value of number is
              constrained to being:
                  in the range 0 through 16384

       --httpdata=file
              The data used as HTTP response.

       -h, --help
              Display usage information and exit.

       -!, --more-help
              Pass the extended usage information through a pager.

       -v [{v|c|n}], --version [{v|c|n}]
              Output version of program and exit.  The default mode is `v', a
              simple version.  The `c' mode will print copyright information
              and `n' will print the full copyright notice.

EXAMPLES
       Running your own TLS server based on GnuTLS can be useful when
       debugging clients and/or GnuTLS itself.  This section describes how to
       use gnutls-serv as a simple HTTPS server.

       The most basic server can be started as:

           gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"

       It will only support anonymous ciphersuites, which many TLS clients
       refuse to use.

       The next step is to add support for X.509.  First we generate a CA:

           $ certtool --generate-privkey > x509-ca-key.pem
           $ echo 'cn = GnuTLS test CA' > ca.tmpl
           $ echo 'ca' >> ca.tmpl
           $ echo 'cert_signing_key' >> ca.tmpl
           $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
               --template ca.tmpl --outfile x509-ca.pem

       Then generate a server certificate.  Remember to change the dns_name
       value to the name of your server host, or skip that command to avoid
       the field.

           $ certtool --generate-privkey > x509-server-key.pem
           $ echo 'organization = GnuTLS test server' > server.tmpl
           $ echo 'cn = test.gnutls.org' >> server.tmpl
           $ echo 'tls_www_server' >> server.tmpl
           $ echo 'encryption_key' >> server.tmpl
           $ echo 'signing_key' >> server.tmpl
           $ echo 'dns_name = test.gnutls.org' >> server.tmpl
           $ certtool --generate-certificate --load-privkey x509-server-key.pem \
               --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
               --template server.tmpl --outfile x509-server.pem

       For use in the client, you may want to generate a client certificate as
       well.

           $ certtool --generate-privkey > x509-client-key.pem
           $ echo 'cn = GnuTLS test client' > client.tmpl
           $ echo 'tls_www_client' >> client.tmpl
           $ echo 'encryption_key' >> client.tmpl
           $ echo 'signing_key' >> client.tmpl
           $ certtool --generate-certificate --load-privkey x509-client-key.pem \
               --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
               --template client.tmpl --outfile x509-client.pem

       To be able to import the client key/certificate into some applications,
       you will need to convert them into a PKCS#12 structure.  This also
       encrypts the security sensitive key with a password.

           $ certtool --to-p12 --load-ca-certificate x509-ca.pem \
               --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
               --outder --outfile x509-client.p12

       For icing, we'll create a proxy certificate for the client too.

           $ certtool --generate-privkey > x509-proxy-key.pem
           $ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
           $ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
               --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
               --load-certificate x509-client.pem --template proxy.tmpl \
               --outfile x509-proxy.pem

       Then start the server again:

           $ gnutls-serv --http \
               --x509cafile x509-ca.pem \
               --x509keyfile x509-server-key.pem \
               --x509certfile x509-server.pem

       Try connecting to the server using your web browser.  Note that the
       server listens to port 5556 by default.

       While you are at it, to allow connections using ECDSA, you can also
       create an ECDSA key and certificate for the server.  These credentials
       will be used in the final example below.

           $ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem
           $ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \
               --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
               --template server.tmpl --outfile x509-server-ecc.pem

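
       The X.509 steps above, from the test CA to the ECDSA server credential,
       collected into one script.  This is an added example, not part of this
       manual page or of GnuTLS; the certtool commands, template directives
       and file names are the ones shown above.  Two things are additions: each
       issued certificate is checked against the test CA with certtool --verify
       before the server is given the files, and the server is started with
       --require-client-cert together with --verify-client-cert, because (as
       the OPTIONS section notes) --require-client-cert alone no longer
       verifies the presented certificate since 3.6.0.  The host name defaults
       to test.gnutls.org as in the page; pass your own as the first argument.

```shell
#!/bin/sh
# Added example (not from the gnutls-serv man page or the GnuTLS project):
# the X.509 bootstrap from the EXAMPLES section as reusable functions.
set -e

# write_template FILE LINE...: write a certtool template, one directive per
# line (replaces the chain of echo >> commands in the man page).
write_template() {
    out=$1; shift
    : > "$out"
    for line in "$@"; do
        printf '%s\n' "$line" >> "$out"
    done
}

# gen_ca: self-signed test CA, exactly as in the man page.
gen_ca() {
    certtool --generate-privkey > x509-ca-key.pem
    write_template ca.tmpl 'cn = GnuTLS test CA' 'ca' 'cert_signing_key'
    certtool --generate-self-signed --load-privkey x509-ca-key.pem \
        --template ca.tmpl --outfile x509-ca.pem
}

# gen_cert NAME TEMPLATE [ecdsa]: private key plus CA-signed certificate for
# NAME (x509-NAME-key.pem / x509-NAME.pem); with "ecdsa" as third argument
# an ECDSA key is generated and the files get the -ecc suffix used above.
gen_cert() {
    name=$1; tmpl=$2; suffix=""
    if [ "${3:-}" = ecdsa ]; then
        certtool --generate-privkey --ecdsa > "x509-$name-key-ecc.pem"
        suffix=-ecc
    else
        certtool --generate-privkey > "x509-$name-key.pem"
    fi
    certtool --generate-certificate --load-privkey "x509-$name-key$suffix.pem" \
        --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
        --template "$tmpl" --outfile "x509-$name$suffix.pem"
}

# verify_against_ca CERT: confirm CERT chains to the test CA (certtool
# --verify with an explicit trust anchor; an addition to the page's steps).
verify_against_ca() {
    certtool --verify --load-ca-certificate x509-ca.pem --infile "$1"
}

# start_server HOST: HTTPS with both the RSA and the ECDSA credential, and a
# client certificate that must chain to the test CA. --require-client-cert
# alone no longer verifies (since 3.6.0), hence --verify-client-cert too.
start_server() {
    gnutls-serv --http --sni-hostname "$1" \
        --x509cafile x509-ca.pem \
        --x509keyfile x509-server-key.pem --x509certfile x509-server.pem \
        --x509keyfile x509-server-key-ecc.pem --x509certfile x509-server-ecc.pem \
        --require-client-cert --verify-client-cert
}

main() {
    host=${1:-test.gnutls.org}        # assumed default, taken from the page
    gen_ca
    write_template server.tmpl 'organization = GnuTLS test server' \
        "cn = $host" 'tls_www_server' 'encryption_key' 'signing_key' \
        "dns_name = $host"
    write_template client.tmpl 'cn = GnuTLS test client' 'tls_www_client' \
        'encryption_key' 'signing_key'
    gen_cert server server.tmpl
    gen_cert server server.tmpl ecdsa
    gen_cert client client.tmpl
    for c in x509-server.pem x509-server-ecc.pem x509-client.pem; do
        verify_against_ca "$c"
    done
    # PKCS#12 bundle for importing the client credential into a browser;
    # certtool prompts for the password that protects the key.
    certtool --to-p12 --load-ca-certificate x509-ca.pem \
        --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
        --outder --outfile x509-client.p12
    start_server "$host"
}

# Run the whole procedure only when GNUTLS_DEMO=1 is set; otherwise the file
# just defines the functions (for sourcing or testing without certtool).
if [ "${GNUTLS_DEMO:-0}" = 1 ]; then main "$@"; fi
```

       Run it with GNUTLS_DEMO=1 sh serv-x509.sh myhost.example in an empty
       directory, then import x509-client.p12 into the browser before
       connecting to port 5556: with --require-client-cert --verify-client-cert
       a client that presents no certificate, or one not issued by the test
       CA, is refused.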

       The next step is to add support for SRP authentication.  This requires
       an SRP password file created with srptool.  To start the server with
       SRP support:

           gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \
               --srppasswdconf srp-tpasswd.conf \
               --srppasswd srp-passwd.txt

       Let's also start a server with support for PSK.  This would require a
       password file created with psktool.

           gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \
               --pskpasswd psk-passwd.txt

       If you want a server with support for raw public-keys we can also add
       these credentials.  Note however that there is no identity information
       linked to these keys as is the case with regular X.509 certificates.
       Authentication must be done via different means.  Also we need to
       explicitly enable raw public-key certificates via the priority strings.

           gnutls-serv --http --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
               --rawpkfile srv.rawpk.pem \
               --rawpkkeyfile srv.key.pem

       Finally, we start the server with all the earlier parameters and you
       get this command:

           gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
               --x509cafile x509-ca.pem \
               --x509keyfile x509-server-key.pem \
               --x509certfile x509-server.pem \
               --x509keyfile x509-server-key-ecc.pem \
               --x509certfile x509-server-ecc.pem \
               --srppasswdconf srp-tpasswd.conf \
               --srppasswd srp-passwd.txt \
               --pskpasswd psk-passwd.txt \
               --rawpkfile srv.rawpk.pem \
               --rawpkkeyfile srv.key.pem

EXIT STATUS
       One of the following exit values will be returned:

       0  (EXIT_SUCCESS)
              Successful program execution.

       1  (EXIT_FAILURE)
              The operation failed or the command syntax was not valid.

       70  (EX_SOFTWARE)
              libopts had an internal operational error.  Please report it to
              autogen-users@lists.sourceforge.net.  Thank you.

SEE ALSO
       gnutls-cli-debug(1), gnutls-cli(1)

AUTHORS
       Nikos Mavrogiannopoulos, Simon Josefsson and others; see
       /usr/share/doc/gnutls/AUTHORS for a complete list.

       Copyright (C) 2000-2020 Free Software Foundation, and others all rights
       reserved.  This program is released under the terms of the GNU General
       Public License, version 3 or later.

BUGS
       Please send bug reports to: bugs@gnutls.org

NOTES
       This manual page was AutoGen-erated from the gnutls-serv option
       definitions.



3.7.2                             29 May 2021                   gnutls-serv(1)