source: postlfs/security/gnutls.xml@ 8f79d9f5

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY gnutls-download-http " ">
  <!ENTITY gnutls-download-ftp  "ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-&gnutls-version;.tar.xz">
  <!ENTITY gnutls-md5sum        "aa015c2666b031044edfb01b01980d84">
  <!ENTITY gnutls-size          "6.2 MB">
  <!ENTITY gnutls-buildsize     "124 MB (with built in API documentation; additional 15 MB for tests)">
  <!ENTITY gnutls-time          "0.8 SBU (additional 2.6 SBU for tests)">
]>

<sect1 id="gnutls" xreflabel="GnuTLS-&gnutls-version;">
  <?dbhtml filename="gnutls.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>GnuTLS-&gnutls-version;</title>

  <indexterm zone="gnutls">
    <primary sortas="a-GnuTLS">GnuTLS</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to GnuTLS</title>

    <para>
      The <application>GnuTLS</application> package contains libraries and
      userspace tools which provide a secure layer over a reliable transport
      layer. Currently the <application>GnuTLS</application> library implements
      the proposed standards by the IETF's TLS working group. Quoting from the
      TLS protocol specification:
    </para>

    <para>
      <quote>The TLS protocol provides communications privacy over the
      Internet. The protocol allows client/server applications to communicate in
      a way that is designed to prevent eavesdropping, tampering, or message
      forgery.</quote>
    </para>

    <para>
      <application>GnuTLS</application> provides support for TLS 1.2, TLS 1.1, 
      TLS 1.0, and SSL 3.0 protocols, TLS extensions, including server name and max
      record size. Additionally, the library supports authentication using the
      SRP protocol, X.509 certificates and OpenPGP keys, along with support for
      the TLS Pre-Shared-Keys (PSK) extension, the Inner Application (TLS/IA)
      extension and X.509 and OpenPGP certificate handling.
    </para>

    &lfs77_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&gnutls-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&gnutls-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &gnutls-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &gnutls-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &gnutls-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &gnutls-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">GnuTLS Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="nettle"/>
    </para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="cacerts"/> and
      <xref linkend="libtasn1"/>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="doxygen"/>,
      <xref linkend="gtk-doc"/>,
      <xref linkend="guile"/>,
      <xref linkend="libidn"/>,
      <xref linkend="p11-kit"/>,
      <xref linkend="texlive"/> or <xref linkend="tl-installer"/>,
      <xref linkend="unbound"/> (to build the DANE library), 
      <xref linkend="valgrind"/> (used during the test suite),
      <ulink url="http://ftp.gnu.org/gnu/autogen/">autogen</ulink>, and
      <ulink url="http://sourceforge.net/projects/trousers/files/trousers/">Trousers</ulink> (Trusted Platform Module support)
    </para>

    <note><para>
      Note that if you do not install <xref linkend="libtasn1"/>, an older
      version shipped in the <application>GnuTLS</application> tarball will be
      used instead.
    </para></note>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/gnutls"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of GnuTLS</title>

    <para>
      Install <application>GnuTLS</application> by running the
      following commands:
    </para>

<screen><userinput>sed -e '/FUNCS=/ s/-d/&amp;|uniq/'    \
    -e '/get_x509_crt/ {n;d}'     \
    -e '/get_x509_key/ {n;d}'     \
    -e '/get_verify_flags/ {n;d}' \
    -i doc/manpages/Makefile      &amp;&amp;

./configure --prefix=/usr \
            --with-default-trust-store-file=/etc/ssl/ca-bundle.crt &amp;&amp;
make</userinput></screen>

    <para>
      To test the results, issue: <command>make check</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem>
      user:
    </para>

<screen role="root"><userinput>make install</userinput></screen>

    <para>
      If you did not pass the <option>--enable-gtk-doc</option> parameter to
      the <command>configure</command> script, you can install the API
      documentation to the <filename
      class="directory">/usr/share/gtk-doc/html/gnutls</filename> directory
      using the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make -C doc/reference install-data-local</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -e ... -i doc/manpages/Makefile</command>:
      This command removes some duplicate lines and fixes the doc Makefile.
    </para>

    <para>
      <parameter>--with-default-trust-store-file=/etc/ssl/ca-bundle.crt</parameter>:
      This switch tells <command>configure</command> where to find the
      CA Certificates.
    </para>

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
      href="../../xincludes/gtk-doc-rebuild.xml"/>

    <para>
      <option>--enable-openssl-compatibility</option>:
      Use this switch if you wish building the OpenSSL compatibility library.
    </para>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          certtool, crywrap, danetool, gnutls-cli, gnutls-cli-debug,
          gnutls-serv, ocsptool, p11tool, psktool, and srptool
        </seg>
        <seg>
          libgnutls.so, libgnutls-dane.so,
          libgnutls-openssl.so, libgnutlsxx.so, and
          /usr/lib/guile/2.0/guile-gnutls-v-2.so
        </seg>
        <seg>
          /usr/include/gnutls,
          /usr/share/gtk-doc/html/gnutls, and
          /usr/share/guile/site/gnutls
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="certtool">
        <term><command>certtool</command></term>
        <listitem>
          <para>
            is used to generate X.509 certificates, certificate requests,
            and private keys.
          </para>
          <indexterm zone="gnutls certtool">
            <primary sortas="b-certtool">certtool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="crywrap">
        <term><command>crywrap</command></term>
        <listitem>
          <para>
            is a simple wrapper that waits for TLS/SSL connections,
            and proxies them to an unencrypted location. Only installed if
            <xref linkend="libidn"/> is present.
          </para>
          <indexterm zone="gnutls crywrap">
            <primary sortas="b-crywrap">crywrap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="danetool">
        <term><command>danetool</command></term>
        <listitem>
          <para>
            is a tool used to generate and check DNS resource records
            for the DANE protocol.
          </para>
          <indexterm zone="gnutls danetool">
            <primary sortas="b-danetool">danetool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gnutls-cli">
        <term><command>gnutls-cli</command></term>
        <listitem>
          <para>
            is a simple client program to set up a TLS connection to some
            other computer.
          </para>
          <indexterm zone="gnutls gnutls-cli">
            <primary sortas="b-gnutls-cli">gnutls-cli</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gnutls-cli-debug">
        <term><command>gnutls-cli-debug</command></term>
        <listitem>
          <para>
            is a simple client program to set up a TLS connection to some
            other computer and produces very verbose progress results.
          </para>
          <indexterm zone="gnutls gnutls-cli-debug">
            <primary sortas="b-gnutls-cli-debug">gnutls-cli-debug</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gnutls-serv">
        <term><command>gnutls-serv</command></term>
        <listitem>
          <para>
            is a simple server program that listens to incoming TLS
            connections.
          </para>
          <indexterm zone="gnutls gnutls-serv">
            <primary sortas="b-gnutls-serv">gnutls-serv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ocsptool">
        <term><command>ocsptool</command></term>
        <listitem>
          <para>
            is a program that can parse and print information about OCSP
            requests/responses, generate requests and verify responses.
          </para>
          <indexterm zone="gnutls ocsptool">
            <primary sortas="b-ocsptool">ocsptool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="p11tool">
        <term><command>p11tool</command></term>
        <listitem>
          <para>
            is a program that allows handling data from PKCS #11 smart cards
            and security modules.
          </para>
          <indexterm zone="gnutls p11tool">
            <primary sortas="b-p11tool">p11tool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="psktool">
        <term><command>psktool</command></term>
        <listitem>
          <para>
            is a simple program that generates random keys for use with TLS-PSK.
          </para>
          <indexterm zone="gnutls psktool">
            <primary sortas="b-psktool">psktool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="srptool">
        <term><command>srptool</command></term>
        <listitem>
          <para>
            is a simple program that emulates the programs in the Stanford
            SRP (Secure Remote Password) libraries using GnuTLS.
          </para>
          <indexterm zone="gnutls srptool">
            <primary sortas="b-srptool">srptool</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libgnutls">
        <term><filename class="libraryfile">libgnutls.so</filename></term>
        <listitem>
          <para>
            contains the core API functions and X.509 certificate API functions.
          </para>
          <indexterm zone="gnutls libgnutls">
            <primary sortas="c-libgnutls">libgnutls.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>