Introduction to GnuTLS
The GnuTLS package contains
libraries and userspace tools which provide a secure layer over a
reliable transport layer. The GnuTLS library implements the
standards published by the IETF's TLS working group. Quoting from the TLS
protocol specification:
“The TLS protocol
provides communications privacy over the Internet. The protocol
allows client/server applications to communicate in a way that is
designed to prevent eavesdropping, tampering, or message
forgery.”
GnuTLS provides support for the TLS
1.3, TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0 protocols and for TLS
extensions, including server name indication and maximum record size.
SSL 3.0 is disabled by default at build time and should be left
disabled; TLS 1.0 and TLS 1.1 are deprecated by RFC 8996.
Additionally, the library supports authentication using X.509
certificates, the SRP protocol and the TLS Pre-Shared Key (PSK)
extension, along with X.509 certificate handling and access to keys and
trust anchors through PKCS #11. OpenPGP authentication and the Inner
Application (TLS/IA) extension, still listed in older descriptions of
GnuTLS, have been removed from the 3.x series.
This package is known to build and work properly using an LFS-11.2
platform.
Package Information
GnuTLS Dependencies
Required
Nettle-3.8.1
Recommended
make-ca-1.10, libunistring-1.0, libtasn1-4.18.0, and p11-kit-0.24.1
Optional
Brotli-1.0.9, Doxygen-1.9.4,
GTK-Doc-1.33.2, Guile-3.0.8,
libidn-1.41 or libidn2-2.3.3,
libseccomp-2.5.4, Net-tools-2.10 (used during the test suite),
texlive-20220321 or install-tl-unx, Unbound-1.16.2
(to build the DANE library), Valgrind-3.19.0 (used during the test suite),
autogen, cmocka and datefudge
(used during the test suite if the DANE library is built), and
Trousers (Trusted
Platform Module support)
Note
Note that if you do not install libtasn1-4.18.0, an older version shipped
in the GnuTLS tarball will be used instead. A bundled copy only receives
libtasn1 fixes when GnuTLS itself is updated and rebuilt, so installing
the system library is preferred.
User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/gnutls
Installation of GnuTLS
Install GnuTLS by running the
following commands:
./configure --prefix=/usr \
--docdir=/usr/share/doc/gnutls-3.7.7 \
--disable-guile \
--disable-rpath \
--with-default-trust-store-pkcs11="pkcs11:" &&
make
To test the results, issue: make check.
Now, as the root
user:
make install
Command Explanations
--with-default-trust-store-pkcs11="pkcs11:"
:
This switch tells GnuTLS to use the PKCS #11 trust store (the p11-kit
trust module, populated by make-ca) as the default trust store for
certificate verification. Omit this switch if p11-kit-0.24.1 is not
installed.
--disable-guile
: This
switch disables building the Guile language bindings. Remove it only if
Guile-3.0.8 is installed and you need the bindings.
--disable-rpath
: This
switch prevents building GnuTLS utilities and tests with hardcoded
runtime library search path. Hardcoded rpath is unneeded for BLFS,
and it causes test failures if an old version of GnuTLS is
installed.
--with-default-trust-store-file=/etc/pki/tls/certs/ca-bundle.crt
:
This switch tells configure where to find the
legacy CA certificate bundle (a PEM file) and to use it by default
instead of the PKCS #11 module. Use this if p11-kit-0.24.1 is not
installed.
--enable-gtk-doc
: Use this parameter if
GTK-Doc is installed and you wish
to rebuild and install the API documentation.
--enable-openssl-compatibility
: Use
this switch if you wish to build the OpenSSL compatibility library. It
implements only a limited subset of the OpenSSL API and is not a
drop-in replacement for OpenSSL.
--without-p11-kit
: use this switch if
you have not installed p11-kit.
--with-included-unistring
: uses the
bundled version of libunistring, instead of the system one. Use
this switch if you have not installed libunistring-1.0.
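Whichever default trust store is chosen with --with-default-trust-store-pkcs11 or --with-default-trust-store-file, a store that is missing, empty or polluted with private key material silently breaks certificate verification for every program linked against GnuTLS. The following script is an added example for this page, not code from BLFS or from the GnuTLS project; it checks either kind of store after installation. It assumes p11-kit's trust tool prints one pkcs11: URI line per anchor, and the PEM bundle it constructs for its demo mode contains dummy blocks, not real certificates.

```shell
#!/bin/sh
# Added example for this page; not code from BLFS or from the GnuTLS project.
# Checks the trust store that GnuTLS was configured to use by default, since a
# missing or empty store makes every certificate verification fail. The paths
# and the sample bundle below are assumptions/constructed for illustration.

# Number of X.509 certificates in a PEM bundle (0 if the file is unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Number of private keys in the file; a trust store must contain none, because
# the default trust store is read by every GnuTLS client on the system.
count_pem_private_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$1" || true
}

# Check a file trust store (--with-default-trust-store-file=PATH).
# Exit status: 0 usable, 1 missing or empty, 2 contains private key material.
check_file_trust_store() {
    certs=$(count_pem_certs "$1")
    keys=$(count_pem_private_keys "$1")
    if [ "$certs" -eq 0 ]; then
        echo "$1: no CA certificates found (missing or empty bundle)" >&2
        return 1
    fi
    if [ "$keys" -ne 0 ]; then
        echo "$1: contains $keys private key(s); a trust store must hold CA certificates only" >&2
        return 2
    fi
    echo "$1: $certs CA certificate(s)"
    return 0
}

# Check the PKCS #11 trust store (--with-default-trust-store-pkcs11="pkcs11:").
# Anchors come from the p11-kit trust module, populated by make-ca, and are
# listed by p11-kit's 'trust' tool. Exit status: 0 usable, 1 unusable.
check_pkcs11_trust_store() {
    if ! command -v trust >/dev/null 2>&1; then
        echo "p11-kit 'trust' tool not found; is p11-kit installed?" >&2
        return 1
    fi
    # Assumed output format: each anchor starts with a pkcs11: URI line,
    # followed by indented attribute lines.
    anchors=$(trust list --filter=ca-anchors | grep -c '^pkcs11:' || true)
    if [ "$anchors" -eq 0 ]; then
        echo "pkcs11: trust store has no CA anchors; run make-ca" >&2
        return 1
    fi
    echo "pkcs11: $anchors CA anchor(s) via p11-kit"
    return 0
}

# Dispatch on the value that was given to configure.
check_default_trust_store() {
    case "$1" in
        pkcs11:*) check_pkcs11_trust_store ;;
        *)        check_file_trust_store "$1" ;;
    esac
}

# Constructed bundle with two dummy PEM blocks (not real certificates) so the
# file checks can be exercised offline. Returns the status of the check.
demo_constructed_bundle() {
    dir=$(mktemp -d)
    bundle="$dir/ca-bundle.crt"
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' \
        > "$bundle"
    check_default_trust_store "$bundle"
    rc=$?
    rm -rf "$dir"
    return $rc
}

case "${1:-}" in
    demo) demo_constructed_bundle ;;
    "")   ;;                                 # no argument: only define functions
    *)    check_default_trust_store "$1" ;;  # e.g. pkcs11: or a bundle path
esac
```

Run it as `sh check-trust.sh pkcs11:` or `sh check-trust.sh /etc/pki/tls/certs/ca-bundle.crt` to match the switch you passed to configure; `sh check-trust.sh demo` exercises the file checks on the constructed bundle. A non-zero exit means GnuTLS clients will reject every certificate (or, worse, applications that disable verification to "fix" that will connect without authentication), so fix the store before relying on the installation.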