Added "Since" field to new functions.
[gnutls.git] / src / serv-args.def
blobdf196bae11bdcb9b91f89cb8434ed7ef85524fb6
1 AutoGen Definitions options;
2 prog-name = gnutls-serv;
3 prog-title = "GnuTLS server";
4 prog-desc = "Simple server program to act as an HTTPS or TLS echo service.";
5 short-usage = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
6 explain = "";
7 detail = "Server program that listens to incoming TLS connections.";
9 #include args-std.def
11 flag = {
12 name = noticket;
13 descrip = "Don't accept session tickets";
14 doc = "";
17 flag = {
18 name = generate;
19 value = g;
20 descrip = "Generate Diffie-Hellman and RSA-export parameters";
21 doc = "";
24 flag = {
25 name = quiet;
26 value = q;
27 descrip = "Suppress some messages";
28 doc = "";
31 flag = {
32 name = nodb;
33 descrip = "Do not use a resumption database";
34 doc = "";
37 flag = {
38 name = http;
39 descrip = "Act as an HTTP server";
40 doc = "";
43 flag = {
44 name = echo;
45 descrip = "Act as an Echo server";
46 doc = "";
49 flag = {
50 name = udp;
51 value = u;
52 descrip = "Use DTLS (datagram TLS) over UDP";
53 doc = "";
56 flag = {
57 name = mtu;
58 arg-type = number;
59 arg-range = "0->17000";
60 descrip = "Set MTU for datagram TLS";
61 doc = "";
64 flag = {
65 name = disable-client-cert;
66 value = a;
67 descrip = "Do not request a client certificate";
68 doc = "";
71 flag = {
72 name = require-client-cert;
73 value = r;
74 descrip = "Require a client certificate";
75 doc = "";
78 flag = {
79 name = heartbeat;
80 value = b;
81 descrip = "Activate heartbeat support";
82 doc = "Regularly ping client via heartbeat extension messages";
85 flag = {
86 name = x509fmtder;
87 descrip = "Use DER format for certificates to read from";
88 doc = "";
91 flag = {
92 name = priority;
93 arg-type = string;
94 descrip = "Priorities string";
95 doc = "TLS algorithms and protocols to enable. You can
96 use predefined sets of ciphersuites such as PERFORMANCE,
97 NORMAL, SECURE128, SECURE256.
99 Check the GnuTLS manual on section ``Priority strings'' for more
100 information on allowed keywords";
103 flag = {
104 name = dhparams;
105 arg-type = file;
106 file-exists = yes;
107 descrip = "DH params file to use";
108 doc = "";
111 flag = {
112 name = x509cafile;
113 arg-type = string;
114 descrip = "Certificate file or PKCS #11 URL to use";
115 doc = "";
118 flag = {
119 name = x509crlfile;
120 arg-type = file;
121 file-exists = yes;
122 descrip = "CRL file to use";
123 doc = "";
126 flag = {
127 name = pgpkeyfile;
128 arg-type = file;
129 file-exists = yes;
130 descrip = "PGP Key file to use";
131 doc = "";
134 flag = {
135 name = pgpkeyring;
136 arg-type = file;
137 file-exists = yes;
138 descrip = "PGP Key ring file to use";
139 doc = "";
142 flag = {
143 name = pgpcertfile;
144 arg-type = file;
145 file-exists = yes;
146 descrip = "PGP Public Key (certificate) file to use";
147 doc = "";
150 flag = {
151 name = x509keyfile;
152 arg-type = string;
153 descrip = "X.509 key file or PKCS #11 URL to use";
154 doc = "";
157 flag = {
158 name = x509certfile;
159 arg-type = string;
160 descrip = "X.509 Certificate file or PKCS #11 URL to use";
161 doc = "";
164 flag = {
165 name = x509dsakeyfile;
166 arg-type = string;
167 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
168 doc = "";
171 flag = {
172 name = x509dsacertfile;
173 arg-type = string;
174 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
175 doc = "";
178 flag = {
179 name = x509ecckeyfile;
180 arg-type = string;
181 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
182 doc = "";
185 flag = {
186 name = x509ecccertfile;
187 arg-type = string;
188 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
189 doc = "";
192 flag = {
193 name = pgpsubkey;
194 arg-type = string;
195 descrip = "PGP subkey to use (hex or auto)";
196 doc = "";
199 flag = {
200 name = srppasswd;
201 arg-type = file;
202 file-exists = yes;
203 descrip = "SRP password file to use";
204 doc = "";
207 flag = {
208 name = srppasswdconf;
209 arg-type = file;
210 file-exists = yes;
211 descrip = "SRP password configuration file to use";
212 doc = "";
215 flag = {
216 name = pskpasswd;
217 arg-type = file;
218 file-exists = yes;
219 descrip = "PSK password file to use";
220 doc = "";
223 flag = {
224 name = pskhint;
225 arg-type = string;
226 descrip = "PSK identity hint to use";
227 doc = "";
230 flag = {
231 name = ocsp-response;
232 arg-type = file;
233 file-exists = yes;
234 descrip = "The OCSP response to send to client";
235 doc = "If the client requested an OCSP response, return data from this file to the client.";
238 flag = {
239 name = port;
240 value = p;
241 arg-type = number;
242 descrip = "The port to connect to";
243 doc = "";
246 flag = {
247 name = list;
248 value = l;
249 descrip = "Print a list of the supported algorithms and modes";
250 doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
253 doc-section = {
254 ds-type = 'SEE ALSO'; // or anything else
255 ds-format = 'texi'; // or texi or mdoc format
256 ds-text = <<-_EOText_
257 gnutls-cli-debug(1), gnutls-cli(1)
258 _EOText_;
261 doc-section = {
262 ds-type = 'EXAMPLES';
263 ds-format = 'texi';
264 ds-text = <<-_EOF_
265 Running your own TLS server based on GnuTLS can be useful when
266 debugging clients and/or GnuTLS itself. This section describes how to
267 use @code{gnutls-serv} as a simple HTTPS server.
269 The most basic server can be started as:
271 @example
272 gnutls-serv --http
273 @end example
275 It will only support anonymous ciphersuites, which many TLS clients
276 refuse to use.
278 The next step is to add support for X.509. First we generate a CA:
280 @example
281 $ certtool --generate-privkey > x509-ca-key.pem
282 $ echo 'cn = GnuTLS test CA' > ca.tmpl
283 $ echo 'ca' >> ca.tmpl
284 $ echo 'cert_signing_key' >> ca.tmpl
285 $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
286 --template ca.tmpl --outfile x509-ca.pem
288 @end example
290 Then generate a server certificate. Remember to change the dns_name
291 value to the name of your server host, or skip that command to avoid
292 the field.
294 @example
295 $ certtool --generate-privkey > x509-server-key.pem
296 $ echo 'organization = GnuTLS test server' > server.tmpl
297 $ echo 'cn = test.gnutls.org' >> server.tmpl
298 $ echo 'tls_www_server' >> server.tmpl
299 $ echo 'encryption_key' >> server.tmpl
300 $ echo 'signing_key' >> server.tmpl
301 $ echo 'dns_name = test.gnutls.org' >> server.tmpl
302 $ certtool --generate-certificate --load-privkey x509-server-key.pem \
303 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
304 --template server.tmpl --outfile x509-server.pem
306 @end example
308 For use in the client, you may want to generate a client certificate
309 as well.
311 @example
312 $ certtool --generate-privkey > x509-client-key.pem
313 $ echo 'cn = GnuTLS test client' > client.tmpl
314 $ echo 'tls_www_client' >> client.tmpl
315 $ echo 'encryption_key' >> client.tmpl
316 $ echo 'signing_key' >> client.tmpl
317 $ certtool --generate-certificate --load-privkey x509-client-key.pem \
318 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
319 --template client.tmpl --outfile x509-client.pem
321 @end example
323 To be able to import the client key/certificate into some
324 applications, you will need to convert them into a PKCS#12 structure.
325 This also encrypts the security sensitive key with a password.
327 @example
328 $ certtool --to-p12 --load-ca-certificate x509-ca.pem \
329 --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
330 --outder --outfile x509-client.p12
331 @end example
333 For icing, we'll create a proxy certificate for the client too.
335 @example
336 $ certtool --generate-privkey > x509-proxy-key.pem
337 $ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
338 $ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
339 --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
340 --load-certificate x509-client.pem --template proxy.tmpl \
341 --outfile x509-proxy.pem
343 @end example
345 Then start the server again:
347 @example
348 $ gnutls-serv --http \
349 --x509cafile x509-ca.pem \
350 --x509keyfile x509-server-key.pem \
351 --x509certfile x509-server.pem
352 @end example
354 Try connecting to the server using your web browser. Note that the
355 server listens to port 5556 by default.
357 While you are at it, to allow connections using DSA, you can also
358 create a DSA key and certificate for the server. These credentials
359 will be used in the final example below.
361 @example
362 $ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
363 $ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
364 --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
365 --template server.tmpl --outfile x509-server-dsa.pem
367 @end example
369 The next step is to create OpenPGP credentials for the server.
371 @example
372 gpg --gen-key
373 ...enter whatever details you want, use 'test.gnutls.org' as name...
374 @end example
376 Make a note of the OpenPGP key identifier of the newly generated key,
377 here it was @code{5D1D14D8}. You will need to export the key for
378 GnuTLS to be able to use it.
380 @example
381 gpg -a --export 5D1D14D8 > openpgp-server.txt
382 gpg --export 5D1D14D8 > openpgp-server.bin
383 gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
384 gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
385 @end example
387 Let's start the server with support for OpenPGP credentials:
389 @example
390 gnutls-serv --http \
391 --pgpkeyfile openpgp-server-key.txt \
392 --pgpcertfile openpgp-server.txt
393 @end example
395 The next step is to add support for SRP authentication. This requires
396 an SRP password file created with @code{srptool}.
397 To start the server with SRP support:
399 @example
400 gnutls-serv --http \
401 --srppasswdconf srp-tpasswd.conf \
402 --srppasswd srp-passwd.txt
403 @end example
405 Let's also start a server with support for PSK. This would require
406 a password file created with @code{psktool}.
408 @example
409 gnutls-serv --http \
410 --pskpasswd psk-passwd.txt
411 @end example
413 Finally, we start the server with all the earlier parameters and you
414 get this command:
416 @example
417 gnutls-serv --http \
418 --x509cafile x509-ca.pem \
419 --x509keyfile x509-server-key.pem \
420 --x509certfile x509-server.pem \
421 --x509dsakeyfile x509-server-key-dsa.pem \
422 --x509dsacertfile x509-server-dsa.pem \
423 --pgpkeyfile openpgp-server-key.txt \
424 --pgpcertfile openpgp-server.txt \
425 --srppasswdconf srp-tpasswd.conf \
426 --srppasswd srp-passwd.txt \
427 --pskpasswd psk-passwd.txt
428 @end example
429 _EOF_;