Next: Invoking certtool, Previous: Invoking gnutls-cli-debug, Up: Included programs
Simple server program that listens to incoming TLS connections.
GNU TLS test server Usage: gnutls-serv [options] -d, --debug integer Enable debugging -g, --generate Generate Diffie Hellman Parameters. -p, --port integer The port to connect to. -q, --quiet Suppress some messages. --nodb Does not use the resume database. --http Act as an HTTP Server. --echo Act as an Echo Server. --dhparams FILE DH params file to use. --x509fmtder Use DER format for certificates --x509cafile FILE Certificate file to use. --x509crlfile FILE CRL file to use. --pgpkeyring FILE PGP Key ring file to use. --pgptrustdb FILE PGP trustdb file to use. --pgpkeyfile FILE PGP Key file to use. --pgpcertfile FILE PGP Public Key (certificate) file to use. --x509keyfile FILE X.509 key file to use. --x509certfile FILE X.509 Certificate file to use. --x509dsakeyfile FILE Alternative X.509 key file to use. --x509dsacertfile FILE Alternative X.509 certificate file to use. --srppasswd FILE SRP password file to use. --srppasswdconf FILE SRP password conf file to use. --ciphers cipher1 cipher2... Ciphers to enable. --protocols protocol1 protocol2... Protocols to enable. --comp comp1 comp2... Compression methods to enable. --macs mac1 mac2... MACs to enable. --kx kx1 kx2... Key exchange methods to enable. --ctypes certType1 certType2... Certificate types to enable. -l, --list Print a list of the supported algorithms and modes. -h, --help prints this help -v, --version prints the program's version number --copyright prints the program's license
Running your own TLS server based on GnuTLS can be useful when
debugging clients and/or GnuTLS itself. This section describes how to
use gnutls-serv
as a simple HTTPS server.
The most basic server can be started as:
gnutls-serv --http
It will only support anonymous ciphersuites, which many TLS clients refuse to use.
The next step is to add support for X.509. First we generate a CA:
certtool --generate-privkey > x509-ca-key.pem echo 'cn = GnuTLS test CA' > ca.tmpl echo 'ca' >> ca.tmpl echo 'cert_signing_key' >> ca.tmpl certtool --generate-self-signed --load-privkey x509-ca-key.pem \ --template ca.tmpl --outfile x509-ca.pem ...
Then generate a server certificate. Remember to change the dns_name value to the name of your server host, or skip that command to avoid the field.
certtool --generate-privkey > x509-server-key.pem echo 'organization = GnuTLS test server' > server.tmpl echo 'cn = test.gnutls.org' >> server.tmpl echo 'tls_www_server' >> server.tmpl echo 'encryption_key' >> server.tmpl echo 'signing_key' >> server.tmpl echo 'dns_name = test.gnutls.org' >> server.tmpl certtool --generate-certificate --load-privkey x509-server-key.pem \ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ --template server.tmpl --outfile x509-server.pem ...
For use in the client, you may want to generate a client certificate as well.
certtool --generate-privkey > x509-client-key.pem echo 'cn = GnuTLS test client' > client.tmpl echo 'tls_www_client' >> client.tmpl echo 'encryption_key' >> client.tmpl echo 'signing_key' >> client.tmpl certtool --generate-certificate --load-privkey x509-client-key.pem \ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ --template client.tmpl --outfile x509-client.pem ...
For icing, we'll create a proxy certificate for the client too.
certtool --generate-privkey > x509-proxy-key.pem echo 'cn = GnuTLS test client proxy' > proxy.tmpl certtool --generate-proxy --load-privkey x509-proxy-key.pem \ --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \ --load-certificate x509-client.pem --template proxy.tmpl \ --outfile x509-proxy.pem ...
Then start the server again:
gnutls-serv --http \ --x509cafile x509-ca.pem \ --x509keyfile x509-server-key.pem \ --x509certfile x509-server.pem
Try connecting to the server using your web browser. Note that the server listens to port 5556 by default.
While you are at it, to allow connections using DSA, you can also create a DSA key and certificate for the server. These credentials will be used in the final example below.
certtool --generate-privkey --dsa > x509-server-key-dsa.pem certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ --template server.tmpl --outfile x509-server-dsa.pem ...
The next step is to create OpenPGP credentials for the server.
gpg --gen-key ...enter whatever details you want, use 'test.gnutls.org' as name...
Make a note of the OpenPGP key identifier of the newly generated key,
here it was 5D1D14D8
. You will need to export the key for
GnuTLS to be able to use it.
gpg -a --export 5D1D14D8 > openpgp-server.txt gpg --export 5D1D14D8 > openpgp-server.bin gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
Let's start the server with support for OpenPGP credentials:
gnutls-serv --http \ --pgpkeyfile openpgp-server-key.txt \ --pgpcertfile openpgp-server.txt
The next step is to add support for SRP authentication.
srptool --create-conf srp-tpasswd.conf srptool --passwd-conf srp-tpasswd.conf --username jas --passwd srp-passwd.txt Enter password: [TYPE "foo"]
Start the server with SRP support:
gnutls-serv --http \ --srppasswdconf srp-tpasswd.conf \ --srppasswd srp-passwd.txt
Let's also add support for PSK.
$ psktool --passwd psk-passwd.txt
Start the server with PSK support:
gnutls-serv --http \ --pskpasswd psk-passwd.txt
Finally, we start the server with all the earlier parameters and you get this command:
gnutls-serv --http \ --x509cafile x509-ca.pem \ --x509keyfile x509-server-key.pem \ --x509certfile x509-server.pem \ --x509dsakeyfile x509-server-key-dsa.pem \ --x509dsacertfile x509-server-dsa.pem \ --pgpkeyfile openpgp-server-key.txt \ --pgpcertfile openpgp-server.txt \ --srppasswdconf srp-tpasswd.conf \ --srppasswd srp-passwd.txt \ --pskpasswd psk-passwd.txt