Introduction to GnuTLS
The GnuTLS package contains libraries and userspace tools which
provide a secure layer over a reliable transport layer. Currently
the GnuTLS library implements the proposed standards by the IETF's
TLS working group. Quoting from the TLS 1.3 protocol
specification :
“ TLS allows client/server
applications to communicate over the Internet in a way that is
designed to prevent eavesdropping, tampering, and message
forgery. ”
GnuTLS provides support for TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0, and
(optionally) SSL 3.0 protocols. It also supports TLS extensions,
including server name and max record size. Additionally, the
library supports authentication using the SRP protocol, X.509
certificates, and OpenPGP keys, along with support for the TLS
Pre-Shared-Keys (PSK) extension, the Inner Application (TLS/IA)
extension, and X.509 and OpenPGP certificate handling.
Note
This may take a while to build. Feel free to do something else
while this is building.
GnuTLS Dependencies
Required
Nettle-3.10.1
Recommended
make-ca-1.16.1, libunistring-1.3,
libtasn1-4.20.0, and p11-kit-0.25.5
Optional
autogen, cmocka and datefudge
(used during the test suite if the DANE library is built),
leancrypto, and
Trousers (Trusted
Platform Module support)
Note
Note that if you do not install libtasn1-4.20.0, a
version shipped in the GnuTLS tarball will be used instead.
Installation of GnuTLS
Install GnuTLS by running the following commands:
./configure --prefix=/usr \
--docdir=/usr/share/doc/gnutls-3.8.10 \
--with-default-trust-store-pkcs11="pkcs11:" &&
make
To test the results, issue: make
check.
Now, as the root
user:
make install
Command Explanations
Note
Run ./configure
--help for a full list of options.
--with-default-trust-store-pkcs11="pkcs11:"
:
This switch tells gnutls to use the PKCS #11 trust store as the
default trust. Omit this switch if p11-kit-0.25.5 is not
installed.
--with-default-trust-store-file=/etc/pki/tls/certs/ca-bundle.crt
:
This switch tells configure where to find the
legacy CA certificate bundle and to use it instead of PKCS #11
module by default. Use this if p11-kit-0.25.5 is not installed.
--enable-openssl-compatibility
: Use
this switch if you wish to build the OpenSSL compatibility library.
--without-p11-kit
: Use this switch if
you have not installed p11-kit-0.25.5.
--with-included-unistring
: This switch
uses the bundled version of libunistring, instead of the system
one. Use this switch if you have not installed libunistring-1.3.
--disable-dsa
: This option completely
disables DSA algorithm support.