Beyond Linux® From Scratch - Version 7.4

Chapter 4. Security

GnuTLS-3.2.4

Introduction to GnuTLS

The GnuTLS package contains libraries and userspace tools which provide a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards by the IETF's TLS working group. Quoting from the TLS protocol specification:

The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

GnuTLS provides support for TLS 1.1, TLS 1.0 and SSL 3.0 protocols, TLS extensions, including server name and max record size. Additionally, the library supports authentication using the SRP protocol, X.509 certificates and OpenPGP keys, along with support for the TLS Pre-Shared-Keys (PSK) extension, the Inner Application (TLS/IA) extension and X.509 and OpenPGP certificate handling.

This package is known to build and work properly using an LFS-7.4 platform.

Package Information

GnuTLS Dependencies

Required

Nettle-2.7.1

Recommended

Certificate Authority Certificates and libtasn1-3.3

Optional

GTK-Doc-1.19, Guile-2.0.9, libidn-1.28, p11-kit-0.20.1, Unbound-1.4.20 (to build the DANE library), and Valgrind (used during the test suite)

[Note]

Note

Note that if you do not install libtasn1-3.3, an older version shipped in the GnuTLS tarball will be used instead.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gnutls

Installation of GnuTLS

Install GnuTLS by running the following commands: 

./configure --prefix=/usr    \
            --disable-static \
            --with-default-trust-store-file=/etc/ssl/ca-bundle.crt &&
make

To test the results, issue: make check.

Now, as the root user: 

make install

If you did not pass the --enable-gtk-doc parameter to the configure script, you can install the API documentation to the /usr/share/gtk-doc/html/gnutls directory using the following command as the root user: 

make -C doc/reference install-data-local

Command Explanations

--with-default-trust-store-file=/etc/ssl/ca-bundle.crt: This switch tells configure where to find the CA Certificates.

--disable-static: This switch prevents installation of static versions of the libraries.

--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.

Contents

Installed Programs: certtool, crywrap, danetool, gnutls-cli, gnutls-cli-debug, gnutls-serv, ocsptool, p11tool, psktool and srptool
Installed Libraries: libgnutls.so, libgnutls-openssl.so, libgnutls-xssl.so and libgnutlsxx.so
Installed Directories: /usr/include/gnutls, /usr/share/doc/gnutls-3.2.1, and /usr/share/gtk-doc/html/gnutls

Short Descriptions

certtool

is used to generate X.509 certificates, certificate requests, and private keys.

crywrap

is a simple wrapper that waits for TLS/SSL connections, and proxies them to an unencrypted location.

danetool

is a tool used to generate and check DNS resource records for the DANE protocol.

gnutls-cli

is a simple client program to set up a TLS connection to some other computer.

gnutls-cli-debug

is a simple client program to set up a TLS connection to some other computer and produces very verbose progress results.

gnutls-serv

is a simple server program that listens to incoming TLS connections.

ocsptool

is a program that can parse and print information about OCSP requests/responses, generate requests and verify responses.

p11tool

is a program that allows handling data from PKCS #11 smart cards and security modules.

psktool

is a simple program that generates random keys for use with TLS-PSK.

srptool

is a simple program that emulates the programs in the Stanford SRP (Secure Remote Password) libraries using GnuTLS.

libgnutls.so

contains the core API functions and X.509 certificate API functions.

Last updated on 2013-09-01 09:34:27 -0700