source: postlfs/security/gnutls.xml@ 1f886074

Last change on this file since 1f886074 was 09a464a, checked in by Douglas R. Reno <renodr@…>, 17 months ago

Lots of tags and a typo fix in Nettle

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY gnutls-download-http "&gnupg-http;/gnutls/v3.8/gnutls-&gnutls-version;.tar.xz">
  <!ENTITY gnutls-download-ftp "&gnupg-ftp;/gnutls/v3.8/gnutls-&gnutls-version;.tar.xz">
  <!ENTITY gnutls-download-ftp " ">
  <!ENTITY gnutls-md5sum "20a662caf20112b6b9ad1f4a64db3a97">
  <!ENTITY gnutls-size "6.1 MB">
  <!ENTITY gnutls-buildsize "165 MB (add 113 MB for tests)">
  <!ENTITY gnutls-time "0.8 SBU (add 2.3 SBU for tests; both using parallelism=4)">
]>

<sect1 id="gnutls" xreflabel="GnuTLS-&gnutls-version;">
  <?dbhtml filename="gnutls.html"?>


  <title>GnuTLS-&gnutls-version;</title>

  <indexterm zone="gnutls">
    <primary sortas="a-GnuTLS">GnuTLS</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to GnuTLS</title>

    <para>
      The <application>GnuTLS</application> package contains libraries and
      userspace tools which provide a secure layer over a reliable transport
      layer. Currently the <application>GnuTLS</application> library implements
      the standards proposed by the IETF's TLS working group. Quoting from the
      <ulink url="https://datatracker.ietf.org/doc/rfc8446/">
      TLS 1.3 protocol specification
      </ulink>:
    </para>

    <para>
      <quote>
      TLS allows client/server applications to communicate over the Internet
      in a way that is designed to prevent eavesdropping, tampering, and
      message forgery.
      </quote>
    </para>

    <para>
      <application>GnuTLS</application> provides support for TLS 1.3, TLS 1.2,
      TLS 1.1, TLS 1.0, and (optionally) SSL 3.0 protocols. It also supports
      TLS extensions, including server name and max record size. Additionally,
      the library supports authentication using the SRP protocol, X.509
      certificates, and OpenPGP keys, along with support for the TLS
      Pre-Shared-Keys (PSK) extension, the Inner Application (TLS/IA)
      extension, and X.509 and OpenPGP certificate handling.
    </para>

    &lfs113_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&gnutls-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&gnutls-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &gnutls-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &gnutls-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &gnutls-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &gnutls-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">GnuTLS Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="nettle"/>
    </para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="make-ca"/>,
      <xref linkend="libunistring"/>,
      <xref linkend="libtasn1"/>, and
      <xref linkend="p11-kit"/>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="brotli"/>,
      <xref linkend="doxygen"/>,
      <xref linkend="gtk-doc"/>,
      <xref linkend="libidn"/> or
      <xref linkend="libidn2"/>,
      <xref linkend="libseccomp"/>,
      <xref linkend="net-tools"/> (used during the test suite),
      <xref linkend="texlive"/> or <xref linkend="tl-installer"/>,
      <xref linkend="unbound"/> (to build the DANE library),
      <xref linkend="valgrind"/> (used during the test suite),
      <ulink url="&gnu-http;/autogen/">autogen</ulink>,
      <ulink url="https://cmocka.org/">cmocka</ulink> and
      <ulink url="https://ftp.debian.org/debian/pool/main/d/datefudge/">datefudge</ulink> (used during the test suite if the DANE library is built), and
      <ulink url="&sourceforge-dl;/trousers/">Trousers</ulink> (Trusted Platform Module support)
    </para>

    <note><para>
      <!-- Note that if you do not install <xref linkend="libtasn1"/>, an older
           3.8.0 includes minitasn1 4.19 which is current at the moment. ken -->
      Note that if you do not install <xref linkend="libtasn1"/>, a
      version shipped in the <application>GnuTLS</application> tarball will be
      used instead.
    </para></note>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/gnutls"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of GnuTLS</title>

    <para>
      Install <application>GnuTLS</application> by running the
      following commands:
    </para>

<screen><userinput>./configure --prefix=/usr \
            --docdir=/usr/share/doc/gnutls-&gnutls-version; \
            --with-default-trust-store-pkcs11="pkcs11:" &amp;&amp;
make</userinput></screen>
<!-- - -disable-rpath \
     Old gnutls versions (around 3.5) had a problem with rpath, because
     libraries in the build tree were linked with rpath pointing to the
     system libraries, so that tests failed. Present versions don't have
     this problem, and do exactly what is expected without using the
     disable-rpath option: rpath pointing to the build tree when libraries
     are first linked, but rpath removed when libraries are relinked at
     install time. -->

    <para>
      To test the results, issue: <command>make check</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem>
      user:
    </para>

<screen role="root"><userinput>make install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--with-default-trust-store-pkcs11="pkcs11:"</parameter>: This
      switch tells gnutls to use the PKCS #11 trust store as the default trust
      store. Omit this switch if <xref linkend="p11-kit"/> is not installed.
    </para>
    <!-- see above
    <para>
      <parameter>- -disable-rpath</parameter>: This switch prevents building
      GnuTLS utilities and tests with hardcoded runtime library search path.
      Hardcoded rpath is unneeded for BLFS, and it causes test failures if
      an old version of GnuTLS is installed.
    </para>
    -->
    <para>
      <option>--with-default-trust-store-file=/etc/pki/tls/certs/ca-bundle.crt</option>:
      This switch tells <command>configure</command> where to find the
      legacy CA certificate bundle and to use it instead of the PKCS #11 module
      by default. Use this if <xref linkend="p11-kit"/> is not installed.
    </para>
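Which of the two trust-store switches is right depends on whether p11-kit is present; picking the wrong one leaves a GnuTLS build whose default verification has no usable CA store. The helper below is an added example, not part of the BLFS book: it chooses the switch from what the host actually has and assembles the configure line shown above. It assumes pkg-config is installed, that p11-kit registers p11-kit-1.pc, and that the caller sets GNUTLS_VERSION (standing in for the book's &gnutls-version; entity).

```shell
#!/bin/sh
# Added example, not from the BLFS book: select the GnuTLS default trust
# store at configure time from what this host actually has installed.
# Assumptions: pkg-config is available, p11-kit registers p11-kit-1.pc,
# and GNUTLS_VERSION is set by the caller (stands in for &gnutls-version;).

# Legacy CA bundle path named in the --with-default-trust-store-file note.
CA_BUNDLE=${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}

# Succeeds when p11-kit is installed; PKG_CONFIG can be overridden (e.g.
# to "true" or "false") so the selection logic can be exercised offline.
have_p11kit() {
    "${PKG_CONFIG:-pkg-config}" --exists p11-kit-1 2>/dev/null
}

# Print the single configure switch that selects the default trust store.
# PKCS #11 trust via p11-kit is preferred; the flat bundle is the fallback.
# Fails when neither exists so the build does not silently end up with
# no default trust store, which would make every verification fail.
trust_store_flag() {
    if have_p11kit; then
        printf '%s\n' '--with-default-trust-store-pkcs11=pkcs11:'
    elif [ -r "$CA_BUNDLE" ]; then
        printf '%s\n' "--with-default-trust-store-file=$CA_BUNDLE"
    else
        echo "no trust store found: install p11-kit or make-ca first" >&2
        return 1
    fi
}

# Run the book's configure line with the switch chosen above, then build.
configure_gnutls() {
    flag=$(trust_store_flag) || return 1
    ./configure --prefix=/usr \
        --docdir="/usr/share/doc/gnutls-${GNUTLS_VERSION:?set GNUTLS_VERSION}" \
        "$flag" && make
}
```

Call `configure_gnutls` from inside the unpacked source tree; `make check` and `make install` follow exactly as in the book.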

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
                href="../../xincludes/gtk-doc-rebuild.xml"/>

    <para>
      <option>--enable-openssl-compatibility</option>:
      Use this switch if you wish to build the OpenSSL compatibility library.
    </para>

    <para>
      <option>--without-p11-kit</option>: use this switch if you have not
      installed <application>p11-kit</application>.
    </para>

    <para>
      <option>--with-included-unistring</option>: uses the bundled version of
      libunistring, instead of the system one. Use this switch if you have not
      installed <xref linkend="libunistring"/>.
    </para>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          certtool, danetool, gnutls-cli, gnutls-cli-debug,
          gnutls-serv, ocsptool, p11tool, psktool, and srptool
        </seg>
        <seg>
          libgnutls.so, libgnutls-dane.so, libgnutlsxx.so,
          libgnutls-openssl.so (optional), and
          /usr/lib/guile/3.0/extensions/guile-gnutls-v-2.so
        </seg>
        <seg>
          /usr/include/gnutls,
          /usr/lib/guile/3.0/site-ccache/gnutls,
          /usr/share/guile/site/3.0/gnutls, and
          /usr/share/doc/gnutls-&gnutls-version;
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="certtool">
        <term><command>certtool</command></term>
        <listitem>
          <para>
            is used to generate X.509 certificates, certificate requests,
            and private keys
          </para>
          <indexterm zone="gnutls certtool">
            <primary sortas="b-certtool">certtool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="danetool">
        <term><command>danetool</command></term>
        <listitem>
          <para>
            is a tool used to generate and check DNS resource records
            for the DANE protocol
          </para>
          <indexterm zone="gnutls danetool">
            <primary sortas="b-danetool">danetool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gnutls-cli">
        <term><command>gnutls-cli</command></term>
        <listitem>
          <para>
            is a simple client program to set up a TLS connection to some
            other computer
          </para>
          <indexterm zone="gnutls gnutls-cli">
            <primary sortas="b-gnutls-cli">gnutls-cli</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gnutls-cli-debug">
        <term><command>gnutls-cli-debug</command></term>
        <listitem>
          <para>
            is a simple client program to set up a TLS connection to some
            other computer and produces very verbose progress results
          </para>
          <indexterm zone="gnutls gnutls-cli-debug">
            <primary sortas="b-gnutls-cli-debug">gnutls-cli-debug</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gnutls-serv">
        <term><command>gnutls-serv</command></term>
        <listitem>
          <para>
            is a simple server program that listens to incoming TLS
            connections
          </para>
          <indexterm zone="gnutls gnutls-serv">
            <primary sortas="b-gnutls-serv">gnutls-serv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ocsptool">
        <term><command>ocsptool</command></term>
        <listitem>
          <para>
            is a program that can parse and print information about OCSP
            requests/responses, generate requests and verify responses
          </para>
          <indexterm zone="gnutls ocsptool">
            <primary sortas="b-ocsptool">ocsptool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="p11tool">
        <term><command>p11tool</command></term>
        <listitem>
          <para>
            is a program that allows handling data from PKCS #11 smart cards
            and security modules
          </para>
          <indexterm zone="gnutls p11tool">
            <primary sortas="b-p11tool">p11tool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="psktool">
        <term><command>psktool</command></term>
        <listitem>
          <para>
            is a simple program that generates random keys for use with TLS-PSK
          </para>
          <indexterm zone="gnutls psktool">
            <primary sortas="b-psktool">psktool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="srptool">
        <term><command>srptool</command></term>
        <listitem>
          <para>
            is a simple program that emulates the programs in the Stanford
            SRP (Secure Remote Password) libraries using GnuTLS
          </para>
          <indexterm zone="gnutls srptool">
            <primary sortas="b-srptool">srptool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libgnutls">
        <term><filename class="libraryfile">libgnutls.so</filename></term>
        <listitem>
          <para>
            contains the core API functions and X.509 certificate API functions
          </para>
          <indexterm zone="gnutls libgnutls">
            <primary sortas="c-libgnutls">libgnutls.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>