GnuTLS-3.7.2

Introduction to GnuTLS

The GnuTLS package contains libraries and userspace tools which provide a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. Quoting from the TLS protocol specification:

“The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.”

GnuTLS provides support for the TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0, and SSL 3.0 protocols, and for TLS extensions including server name and max record size. Additionally, the library supports authentication using the SRP protocol, X.509 certificates and OpenPGP keys, along with support for the TLS Pre-Shared-Keys (PSK) extension, the Inner Application (TLS/IA) extension and X.509 and OpenPGP certificate handling.

This package is known to build and work properly using an LFS-11.0 platform.
        
        
Package Information

GnuTLS Dependencies

Required
Nettle-3.7.3

Recommended
make-ca-1.7, libunistring-0.9.10, libtasn1-4.17.0, and p11-kit-0.24.0

Optional
Doxygen-1.9.2, GTK-Doc-1.33.2, Guile-3.0.7, libidn-1.38 or libidn2-2.3.2, libseccomp-2.5.1, Net-tools-2.10 (used during the test suite), texlive-20210325 or install-tl-unx, Unbound-1.13.2 (to build the DANE library), Valgrind-3.17.0 (used during the test suite), autogen, cmocka and datefudge (used during the test suite if the DANE library is built), and Trousers (Trusted Platform Module support)

Note

Note that if you do not install libtasn1-4.17.0, an older version shipped in the GnuTLS tarball will be used instead.

User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/gnutls
        
       
      
        
Installation of GnuTLS

Install GnuTLS by running the following commands:

./configure --prefix=/usr \
    --docdir=/usr/share/doc/gnutls-3.7.2 \
    --disable-guile \
    --disable-rpath \
    --with-default-trust-store-pkcs11="pkcs11:" &&
make

To test the results, issue: make check.

Now, as the root user:

make install

If you passed --enable-gtk-doc to the configure script, the API documentation will automatically be installed. Otherwise, if desired, you can still install the API documentation to the /usr/share/gtk-doc/html/gnutls directory using the following command as the root user:

make -C doc/reference install-data-local
       
      
        
Command Explanations

--with-default-trust-store-pkcs11="pkcs11:": This switch tells gnutls to use the PKCS #11 trust store as the default trust store. Omit this switch if p11-kit-0.24.0 is not installed.

--disable-guile: This switch disables Guile support, since GnuTLS does not support Guile-2.2.x yet.

--disable-rpath: This switch prevents building GnuTLS utilities and tests with a hardcoded runtime library search path. A hardcoded rpath is unneeded for BLFS, and it causes test failures if an old version of GnuTLS is installed.

--with-default-trust-store-file=/etc/pki/tls/certs/ca-bundle.crt: This switch tells configure where to find the legacy CA certificate bundle and to use it instead of the PKCS #11 module by default. Use this if p11-kit-0.24.0 is not installed.

--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.

--enable-openssl-compatibility: Use this switch if you wish to build the OpenSSL compatibility library.

--without-p11-kit: Use this switch if you have not installed p11-kit.

--with-included-unistring: Uses the bundled version of libunistring instead of the system one. Use this switch if you have not installed libunistring-0.9.10.
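The installation commands and the trust-store switches above leave one decision to the builder: PKCS #11 via p11-kit, or the legacy CA bundle file. The following added example script (not part of the BLFS page or the GnuTLS project) makes that choice explicit and checks that the fallback bundle actually exists; it assumes p11-kit's pkg-config module is named p11-kit-1 and that make-ca produces the bundle at the path named on this page.

```shell
#!/bin/sh
# Added example, not from the BLFS page: pick the GnuTLS trust-store configure
# switches according to whether p11-kit is installed.
# Assumptions: p11-kit ships a pkg-config module called p11-kit-1, and the
# legacy bundle lives at the path the page gives for --with-default-trust-store-file.

GNUTLS_VERSION=3.7.2
CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Return 0 when p11-kit is installed (detected through pkg-config), else 1.
have_p11_kit() {
    command -v pkg-config >/dev/null 2>&1 && pkg-config --exists p11-kit-1
}

# Print the configure switches for GnuTLS. $1 is "yes" or "no" for p11-kit
# availability, passed in explicitly so the decision is reproducible.
gnutls_configure_args() {
    base="--prefix=/usr --docdir=/usr/share/doc/gnutls-$GNUTLS_VERSION"
    base="$base --disable-guile --disable-rpath"
    if [ "$1" = yes ]; then
        # PKCS #11 trust store served by p11-kit (the page's default choice)
        echo "$base --with-default-trust-store-pkcs11=pkcs11:"
    else
        # No p11-kit: fall back to the legacy CA bundle file
        echo "$base --without-p11-kit --with-default-trust-store-file=$CA_BUNDLE"
    fi
}

# Return 0 if the legacy bundle ($1) exists and is non-empty. A GnuTLS built
# with --with-default-trust-store-file pointing at a missing bundle has no
# default CAs, so verification against the system trust store fails.
check_trust_store() {
    [ -s "$1" ]
}

if have_p11_kit; then p11=yes; else p11=no; fi
args=$(gnutls_configure_args "$p11")
if [ "$p11" = no ] && ! check_trust_store "$CA_BUNDLE"; then
    echo "warning: $CA_BUNDLE missing; run make-ca before configuring" >&2
fi
echo "./configure $args"
```

The script only prints the configure line; run it from the unpacked GnuTLS source tree and paste the printed command before `make`.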
        
       
      
        
Contents

Installed Programs: certtool, danetool, gnutls-cli, gnutls-cli-debug, gnutls-serv, ocsptool, p11tool, psktool, and srptool

Installed Libraries: libgnutls.so, libgnutls-dane.so, libgnutlsxx.so, and libgnutls-openssl.so (optional)

Installed Directories: /usr/include/gnutls, /usr/share/gtk-doc/html/gnutls, and /usr/share/doc/gnutls-3.7.2
            
           
         
        
          
Short Descriptions

| Program or library | Description |
| --- | --- |
| certtool | is used to generate X.509 certificates, certificate requests, and private keys |
| danetool | is a tool used to generate and check DNS resource records for the DANE protocol |
| gnutls-cli | is a simple client program to set up a TLS connection to some other computer |
| gnutls-cli-debug | is a simple client program to set up a TLS connection to some other computer and produces very verbose progress results |
| gnutls-serv | is a simple server program that listens to incoming TLS connections |
| ocsptool | is a program that can parse and print information about OCSP requests/responses, generate requests and verify responses |
| p11tool | is a program that allows handling data from PKCS #11 smart cards and security modules |
| psktool | is a simple program that generates random keys for use with TLS-PSK |
| srptool | is a simple program that emulates the programs in the Stanford SRP (Secure Remote Password) libraries using GnuTLS |
| libgnutls.so | contains the core API functions and X.509 certificate API functions |

Last updated on