Changeset 1ac799b

Timestamp:

07/04/2017 11:28:56 PM (7 years ago)

Author:

DJ Lucas <dj@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

6bb33c2

Parents:

542d478

Message:

Use PKCS #11 modules where possible with gnutls.
Update to GnuTLS-3.5.14. Fixes #9444.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@18915 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

• introduction/welcome/changelog.xml (modified) (1 diff)
• networking/netlibs/glib-networking.xml (modified) (2 diffs)
• postlfs/security/gnutls.xml (modified) (3 diffs)
• postlfs/security/nss.xml (modified) (2 diffs)
• postlfs/security/p11-kit.xml (modified) (2 diffs)

introduction/welcome/changelog.xml

@@ -46 +46 @@
      <para>July 4th, 2017</para>
      <itemizedlist>
+       <listitem>
+         <para>[dj] - Use PKCS #11 modules where possible with gnutls.</para>
+       </listitem>
+       <listitem>
+         <para>[dj] - Update to GnuTLS-3.5.14. Fixes
+         <ulink url="&blfs-ticket-root;9444">#9444</ulink>.</para>
+       </listitem>
        <listitem>
          <para>[dj] - Update to Node.js-8.1.3. Fixes

networking/netlibs/glib-networking.xml

@@ -106 +106 @@
     </para>
 
-<screen><userinput>./configure --prefix=/usr                                 \
-            --with-ca-certificates=/etc/ssl/ca-bundle.crt \
-            --disable-static                              &amp;&amp;
+<screen><userinput>./configure --prefix=/usr             \
+            --without-ca-certificates \
+            --disable-static          &amp;&amp;
 make</userinput></screen>
 
@@ -127 +127 @@
 
     <para>
-      <parameter>--with-ca-certificates=/etc/ssl/ca-bundle.crt</parameter>:
-      This parameter specifies where the trusted root certificates are
-      located.
+      <parameter>--without-ca-certificates</parameter>: This parameter forces
+      use of PKCS #11 modules for TLS certificate validation instead of a
+      bundle of certificates.
     </para>
 

postlfs/security/gnutls.xml

@@ -7 +7 @@
   <!ENTITY gnutls-download-http "https://www.gnupg.org/ftp/gcrypt/gnutls/v3.5/gnutls-&gnutls-version;.tar.xz">
   <!ENTITY gnutls-download-ftp  "ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-&gnutls-version;.tar.xz">
-  <!ENTITY gnutls-md5sum        "4fd41ad86572933c2379b4cc321a0959">
+  <!ENTITY gnutls-md5sum        "1e84b57a472b5f3b01f2c1b7a3a2bcbe">
   <!ENTITY gnutls-size          "6.9 MB">
-  <!ENTITY gnutls-buildsize     "121 MB (add 44 MB for tests)">
-  <!ENTITY gnutls-time          "1.5 SBU (add 8.9 SBU for tests)">
+  <!ENTITY gnutls-buildsize     "147 MB (add 42 MB for tests)">
+  <!ENTITY gnutls-time          "1.3 SBU (add 5.0 SBU for tests)">
 ]>
 
@@ -143 +143 @@
 
 <screen><userinput>./configure --prefix=/usr \
-            --with-default-trust-store-file=/etc/ssl/ca-bundle.crt &amp;&amp;
+            --with-default-trust-store-pkcs11="pkcs11:" &amp;&amp;
 make</userinput></screen>
 
@@ -181 +181 @@
 
     <para>
-      <parameter>--with-default-trust-store-file=/etc/ssl/ca-bundle.crt</parameter>:
+      <parameter>--with-default-trust-store-pkcs11="pkcs11:"</parameter>: This
+      switch tells gnutls to use the PKCS #11 trust store as the default trust.
+      Omit this switch if <xref linkend="p11-kit"/> is not installed.
+    </para>
+
+    <para>
+      <option>--with-default-trust-store-file=/etc/ssl/ca-bundle.crt</option>:
       This switch tells <command>configure</command> where to find the
-      CA Certificates.
+      legacy CA certificate bundle and to use it instead of PKCS #11 module
+      by default. Use this if <xref linkend="p11-kit"/> is not installed.
     </para>
 

postlfs/security/nss.xml

@@ -210 +210 @@
     <title>Configuring NSS</title>
 
-    <para>If <xref linkend="p11-kit"/> is installed,
-    <filename>/usr/lib/libp11-kit.so</filename> can be used as a drop-in
-    replacement for <filename>/usr/lib/libnssckbi.so</filename> to
+    <para>If <xref linkend="p11-kit"/> is installed, the
+    <application>p11-kit</application> trust module
+    (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
+    drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
     transparently make the system CAs available to
     <application>NSS</application> aware applications, rather than the static
@@ -222 +223 @@
   readlink /usr/lib/libnssckbi.so ||
   rm -v /usr/lib/libnssckbi.so    &amp;&amp;
-  ln -sfv libp11-kit.so /usr/lib/libnssckbi.so
+  ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
 fi</userinput></screen>
 

postlfs/security/p11-kit.xml

@@ -143 +143 @@
     <title>Configuring p11-kit</title>
 
-    <para>If <xref linkend="nss"/> is installed,
-    <filename>/usr/lib/libp11-kit.so</filename> can be used as a drop-in
-    replacement for <filename>/usr/lib/libnssckbi.so</filename> to
+    <para>The <application>p11-kit</application> trust module
+    (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
+    drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
     transparently make the system CAs available to
     <application>NSS</application> aware applications, rather than the static
@@ -155 +155 @@
   readlink /usr/lib/libnssckbi.so ||
   rm -v /usr/lib/libnssckbi.so    &amp;&amp;
-  ln -sfv libp11-kit.so /usr/lib/libnssckbi.so
+  ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
 fi</userinput></screen>