The GNU Transport Layer Security Library
[Test Server]


An online HTTPS server running GnuTLS is available:

The server is hosted and maintained by Simon Josefsson Datakonsult. If you want to use it as an attack target for trying to find security problems in GnuTLS, please contact me first.

The server does ask for, and accepts, a client certificate, but some browsers won't send it unless the server mentions the particular CA. Right now, the server loads some CA certificates for this purpose. If you want other CAs added, let me know!

The GnuTLS manual explains how you can set up your own test server.

The server supports these mechanisms:

Certificate types: X.509, OPENPGP
Protocols: TLS1.2, TLS1.1, TLS1.0, SSL3.0
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, CAMELLIA-128, CAMELLIA-256, ARCFOUR, ARCFOUR-40
MACs: SHA512, SHA384, SHA256, SHA1, RMD160, MD5
Key exchange algorithms: RSA, RSA-EXPORT, DHE-DSS, DHE-RSA, DHE-PSK, PSK, SRP, SRP-RSA, SRP-DSS, ANON-DH
Compression methods: DEFLATE, LZO, NULL
Extensions: Max record size, Cert Type (OpenPGP), Server Name, SRP, TLS/IA, Opaque PRF Input

For X.509 authentication the following CA and trust information are used:

x509-ca.pem          GnuTLS test server CA               x509-ca.crt
x509-ca-key.pem      Private RSA key of the CA.
x509-trust.pem       GnuTLS test server CA trust list
x509-other-ca.pem    List of other CA certificates

For X.509 authentication the server uses the following credential:

x509-server.pem          GnuTLS server certificate.          x509-server.crt
x509-server-key.pem      Private RSA key of the server.
x509-server-dsa.pem      GnuTLS server certificate (DSA).    x509-server-dsa.crt
x509-server-key-dsa.pem  Private DSA key of the server.

For X.509 authentication your client may use the following credentials:

x509-client.pem      GnuTLS client certificate.                    x509-client.crt
x509-client-key.pem  Private RSA key of the client.
x509-client-key.p12  Client in PKCS#12 format (password 'foo').

For OpenPGP authentication the following credentials are used:

openpgp-server.txt      GnuTLS test server OpenPGP key      openpgp-server.bin
openpgp-server-key.txt  Private key of the OpenPGP key.     openpgp-server-key.bin

For SRP authentication the following credentials are used:

srp-tpasswd.conf  GnuTLS test server SRP password configuration file
srp-passwd.txt    Password file (user 'jas' password 'foo')

For PSK authentication the following credentials are used:

psk-passwd.txt  GnuTLS test server PSK symmetric key file

For Opaque PRF Input support you need to use the same extension type that we do, pending the IANA registration. We use number 42.

If you want to run your own server, install GnuTLS and download the credentials. Then invoke the server as follows:

gnutls-serv --http \
	--x509cafile x509-trust.pem \
	--x509keyfile x509-server-key.pem \
	--x509certfile x509-server.pem \
	--x509dsakeyfile x509-server-key-dsa.pem \
	--x509dsacertfile x509-server-dsa.pem \
	--pgpkeyfile openpgp-server-key.txt \
	--pgpcertfile openpgp-server.txt \
	--srppasswdconf srp-tpasswd.conf \
	--srppasswd srp-passwd.txt \
	--pskpasswd psk-passwd.txt \
	--opaque-prf-input gnutls
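
The private keys for the test CA and server are published above, so anyone can issue certificates under x509-ca.pem, and these certificates should stay out of any trust store used outside testing. The following is an added example, not part of the original page or of GnuTLS: it fingerprints the certificates in the downloaded test files and reports any that also appear in another PEM bundle. The function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import ssl
import textwrap

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def cert_fingerprints(pem_text):
    """Map SHA-256 of each certificate's DER bytes to its position in the file."""
    found = {}
    for pos, block in enumerate(PEM_CERT.findall(pem_text)):
        der = ssl.PEM_cert_to_DER_cert(block)  # base64-decodes; line wrapping is irrelevant
        found.setdefault(hashlib.sha256(der).hexdigest(), pos)
    return found


def find_test_certs(test_files, bundle_pem):
    """Return (test file name, position in bundle) for every test cert in the bundle."""
    bundle = cert_fingerprints(bundle_pem)
    return [(name, bundle[fp])
            for name, pem in sorted(test_files.items())
            for fp in cert_fingerprints(pem) if fp in bundle]


def make_pem(der, width=64):
    """Build a PEM block from raw bytes (used only for the constructed sample)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins: real input would be the downloaded x509-*.pem files
# and the trust bundle of the system being audited.
TEST_CA = b"constructed stand-in for the test CA certificate" * 3
TEST_SERVER = b"constructed stand-in for the test server certificate" * 3
OTHER_CA = b"constructed stand-in for an unrelated production CA" * 3

SAMPLE_TEST_FILES = {"x509-ca.pem": make_pem(TEST_CA),
                     "x509-server.pem": make_pem(TEST_SERVER)}
# The bundle holds the test CA re-wrapped at 76 columns behind a comment line.
SAMPLE_BUNDLE = make_pem(OTHER_CA) + "# imported during testing\n" + make_pem(TEST_CA, 76)

if __name__ == "__main__":
    for name, pos in find_test_certs(SAMPLE_TEST_FILES, SAMPLE_BUNDLE):
        print(f"certificate from {name} is trusted at bundle position {pos}")
```

Comparing DER fingerprints rather than PEM text means a copy of the test CA is still found when it has been re-wrapped or surrounded by other text in the bundle.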