
8.4 Invoking gnutls-serv

Simple server program that listens to incoming TLS connections.

GNU TLS test server
Usage: gnutls-serv [options]

     -d, --debug integer      Enable debugging
     -g, --generate           Generate Diffie Hellman Parameters.
     -p, --port integer       The port to connect to.
     -q, --quiet              Suppress some messages.
     --nodb                   Does not use the resume database.
     --http                   Act as an HTTP Server.
     --echo                   Act as an Echo Server.
     --dhparams FILE          DH params file to use.
     --x509fmtder             Use DER format for certificates
     --x509cafile FILE        Certificate file to use.
     --x509crlfile FILE       CRL file to use.
     --pgpkeyring FILE        PGP Key ring file to use.
     --pgptrustdb FILE        PGP trustdb file to use.
     --pgpkeyfile FILE        PGP Key file to use.
     --pgpcertfile FILE       PGP Public Key (certificate) file to use.
     --x509keyfile FILE       X.509 key file to use.
     --x509certfile FILE      X.509 Certificate file to use.
     --x509dsakeyfile FILE    Alternative X.509 key file to use.
     --x509dsacertfile FILE   Alternative X.509 certificate file to use.
     --srppasswd FILE         SRP password file to use.
     --srppasswdconf FILE     SRP password conf file to use.
     --ciphers cipher1 cipher2...
                              Ciphers to enable.
     --protocols protocol1 protocol2...
                              Protocols to enable.
     --comp comp1 comp2...    Compression methods to enable.
     --macs mac1 mac2...      MACs to enable.
     --kx kx1 kx2...          Key exchange methods to enable.
     --ctypes certType1 certType2...
                              Certificate types to enable.
     -l, --list               Print a list of the supported
                              algorithms  and modes.
     -h, --help               prints this help
     -v, --version            prints the program's version number
     --copyright              prints the program's license

8.4.1 Setting up a test HTTPS server

Running your own TLS server based on GnuTLS can be useful when debugging clients and/or GnuTLS itself. This section describes how to use gnutls-serv as a simple HTTPS server.

The most basic server can be started as:

     gnutls-serv --http

It will only support anonymous ciphersuites, which provide no server authentication and which many TLS clients therefore refuse to use.

The next step is to add support for X.509. First we generate a CA:

     certtool --generate-privkey > x509-ca-key.pem
     echo 'cn = GnuTLS test CA' > ca.tmpl
     echo 'ca' >> ca.tmpl
     echo 'cert_signing_key' >> ca.tmpl
     certtool --generate-self-signed --load-privkey x509-ca-key.pem \
       --template ca.tmpl --outfile x509-ca.pem

Then generate a server certificate. Remember to change the dns_name value to the name of your server host, or skip that command to avoid the field.

     certtool --generate-privkey > x509-server-key.pem
     echo 'organization = GnuTLS test server' > server.tmpl
     echo 'cn =' >> server.tmpl
     echo 'tls_www_server' >> server.tmpl
     echo 'encryption_key' >> server.tmpl
     echo 'signing_key' >> server.tmpl
     echo 'dns_name =' >> server.tmpl
     certtool --generate-certificate --load-privkey x509-server-key.pem \
       --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
       --template server.tmpl --outfile x509-server.pem

For use in the client, you may want to generate a client certificate as well.

     certtool --generate-privkey > x509-client-key.pem
     echo 'cn = GnuTLS test client' > client.tmpl
     echo 'tls_www_client' >> client.tmpl
     echo 'encryption_key' >> client.tmpl
     echo 'signing_key' >> client.tmpl
     certtool --generate-certificate --load-privkey x509-client-key.pem \
       --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
       --template client.tmpl --outfile x509-client.pem

For icing, we'll create a proxy certificate for the client too.

     certtool --generate-privkey > x509-proxy-key.pem
     echo 'cn = GnuTLS test client proxy' > proxy.tmpl
     certtool --generate-proxy --load-privkey x509-proxy-key.pem \
       --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
       --load-certificate x509-client.pem --template proxy.tmpl \
       --outfile x509-proxy.pem
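The template files above are easy to get subtly wrong, for example by leaving the 'cn =' or 'dns_name =' placeholder unedited, and certtool will happily issue a certificate from them. The following is an added example, not part of the GnuTLS manual, that parses a certtool template, checks it for the flags each role needs, and only then drives certtool the way the commands above do, finishing with a chain check. The host name test.example is a constructed value; the template checks run without certtool, the generation step assumes certtool is on PATH.

```python
"""Check certtool templates and drive the CA/server/client generation.

Added example, not part of the GnuTLS manual. Assumes certtool is on PATH
for the generation step; the template checks themselves run without it."""
import shutil
import subprocess

# Flags each role must carry, taken from the templates in the manual.
REQUIRED_FLAGS = {
    "ca": {"ca", "cert_signing_key"},
    "server": {"tls_www_server", "encryption_key", "signing_key"},
    "client": {"tls_www_client", "encryption_key", "signing_key"},
}


def parse_template(text):
    """Split certtool template text into (values, flags).

    'key = value' lines become entries of values; bare words become flags.
    A key given twice (certtool allows several dns_name lines) keeps the last value."""
    values, flags = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # certtool treats '#' as a comment
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip('"')
        else:
            flags.add(line)
    return values, flags


def check_template(text, role):
    """Return the problems found in a template for role 'ca', 'server' or 'client'.

    An empty list means the template is ready for certtool. Empty values catch
    the 'cn =' and 'dns_name =' placeholders that were left unedited."""
    values, flags = parse_template(text)
    problems = [f"{key} is empty" for key, value in values.items() if value == ""]
    problems += [f"missing {flag}" for flag in sorted(REQUIRED_FLAGS[role] - flags)]
    if role == "server" and not values.get("dns_name") and not values.get("cn"):
        problems.append("server needs a dns_name or cn for clients to match the host")
    return problems


def certtool_command(privkey, template, outfile, ca_cert=None, ca_key=None):
    """Build the certtool invocation the manual uses: self-signed when no CA is
    given, otherwise signed with the CA certificate and key."""
    cmd = ["certtool", "--load-privkey", privkey,
           "--template", template, "--outfile", outfile]
    if ca_cert is None:
        cmd.insert(1, "--generate-self-signed")
    else:
        cmd[1:1] = ["--generate-certificate",
                    "--load-ca-certificate", ca_cert, "--load-ca-privkey", ca_key]
    return cmd


def generate(role, template_text, privkey, template, outfile, ca_cert=None, ca_key=None):
    """Write the template, refuse to run certtool if the template has problems,
    otherwise create a fresh private key and the certificate. Returns certtool's exit code."""
    problems = check_template(template_text, role)
    if problems:
        raise ValueError(f"{template}: " + "; ".join(problems))
    if shutil.which("certtool") is None:
        raise RuntimeError("certtool (GnuTLS) not found on PATH")
    with open(template, "w") as fh:
        fh.write(template_text)
    with open(privkey, "w") as fh:   # certtool --generate-privkey writes PEM to stdout
        subprocess.run(["certtool", "--generate-privkey"], stdout=fh, check=True)
    return subprocess.run(certtool_command(privkey, template, outfile, ca_cert, ca_key)).returncode


if __name__ == "__main__":
    # Constructed host name; replace it with your server's name as the manual says.
    host = "test.example"
    generate("ca", "cn = GnuTLS test CA\nca\ncert_signing_key\n",
             "x509-ca-key.pem", "ca.tmpl", "x509-ca.pem")
    generate("server", f"organization = GnuTLS test server\ncn = {host}\n"
             f"tls_www_server\nencryption_key\nsigning_key\ndns_name = {host}\n",
             "x509-server-key.pem", "server.tmpl", "x509-server.pem",
             "x509-ca.pem", "x509-ca-key.pem")
    # Confirm the server certificate really chains to the CA before using it.
    with open("x509-server.pem", "rb") as srv, open("x509-ca.pem", "rb") as ca:
        chain = srv.read() + ca.read()
    subprocess.run(["certtool", "--verify-chain"], input=chain, check=True)
```

The final step feeds the server certificate followed by the CA certificate to certtool's --verify-chain option, which fails loudly if the server certificate was not actually issued by x509-ca.pem; doing that once here saves a confusing handshake failure later.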

Then start the server again:

     gnutls-serv --http \
                 --x509cafile x509-ca.pem \
                 --x509keyfile x509-server-key.pem \
                 --x509certfile x509-server.pem

Try connecting to the server using your web browser. Note that the server listens on port 5556 by default.
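A browser will accept the test server only after you import x509-ca.pem, and it hides why a handshake failed. The following is an added Python client, not part of the GnuTLS manual, that does what a verifying client should: it trusts only the test CA (not the system store), requires the certificate's cn or dns_name to match the host name, fetches the server's page and reports the negotiated protocol and cipher. It assumes the server started with the command above is listening on localhost:5556.

```python
"""Connect to the gnutls-serv test server as a verifying HTTPS client.

Added example, not part of the GnuTLS manual. Assumes the server started above
is listening on localhost:5556 and that x509-ca.pem is the test CA created earlier."""
import socket
import ssl


def probe_https(host="localhost", port=5556, cafile="x509-ca.pem", timeout=3.0):
    """Handshake with the server, verify its certificate, fetch '/' and summarise.

    Only the CA in cafile is trusted (pass cafile=None to use the system store),
    and the certificate's cn/dns_name must match 'host'. Every failure is returned
    as a dict with an 'error' key, so a rejected handshake (anonymous-only server,
    unknown CA, name mismatch, closed port) is distinguishable from a working setup."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        if cafile is None:
            ctx.load_default_certs()
        else:
            ctx.load_verify_locations(cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                status = tls.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")
                cert = tls.getpeercert()
                return {
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": dict(pair[0] for pair in cert.get("subject", ())),
                    "status": status,
                }
    except ssl.SSLCertVerificationError as exc:
        return {"error": f"certificate verification failed: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:
        return {"error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    print(probe_https())
```

Run it against the bare `gnutls-serv --http` from the start of this section and it returns an error, because an anonymous ciphersuite offers no certificate to verify; against the server started with the X.509 credentials it returns the status line, protocol, cipher and subject. If you skipped the dns_name field and cn does not match the host name you connect to, the name mismatch shows up as a verification error here rather than as a silent browser warning. The GnuTLS equivalent of this check is gnutls-cli --x509cafile x509-ca.pem -p 5556 localhost.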

While you are at it, to allow connections using DSA, you can also create a DSA key and certificate for the server. These credentials will be used in the final example below.

     certtool --generate-privkey --dsa > x509-server-key-dsa.pem
     certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
       --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
       --template server.tmpl --outfile x509-server-dsa.pem

The next step is to create OpenPGP credentials for the server.

     gpg --gen-key
     ...enter whatever details you want, use '' as name...

Make a note of the OpenPGP key identifier of the newly generated key, here it was 5D1D14D8. You will need to export the key for GnuTLS to be able to use it.

     gpg -a --export 5D1D14D8 > openpgp-server.txt
     gpg --export 5D1D14D8 > openpgp-server.bin
     gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
     gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt

Let's start the server with support for OpenPGP credentials:

     gnutls-serv --http \
                 --pgpkeyfile openpgp-server-key.txt \
                 --pgpcertfile openpgp-server.txt

The next step is to add support for SRP authentication.

     srptool --create-conf srp-tpasswd.conf
     srptool --passwd-conf srp-tpasswd.conf --username jas --passwd srp-passwd.txt
     Enter password: [TYPE "foo"]

Start the server with SRP support:

     gnutls-serv --http \
                 --srppasswdconf srp-tpasswd.conf \
                 --srppasswd srp-passwd.txt

Let's also add support for PSK.

     psktool --passwd psk-passwd.txt

Start the server with PSK support:

     gnutls-serv --http \
                 --pskpasswd psk-passwd.txt

Finally, start the server with all of the earlier credentials combined, which gives this command:

     gnutls-serv --http \
                 --x509cafile x509-ca.pem \
                 --x509keyfile x509-server-key.pem \
                 --x509certfile x509-server.pem \
                 --x509dsakeyfile x509-server-key-dsa.pem \
                 --x509dsacertfile x509-server-dsa.pem \
                 --pgpkeyfile openpgp-server-key.txt \
                 --pgpcertfile openpgp-server.txt \
                 --srppasswdconf srp-tpasswd.conf \
                 --srppasswd srp-passwd.txt \
                 --pskpasswd psk-passwd.txt