How do I build and install gnutls-devel?

Build and install

1 Background

1.1 Introduction to GnuTLS

– GnuTLS is a secure communications library.
– GnuTLS implements secure communications with the TLS/SSL (Transport Layer Security, formerly Secure Sockets Layer) and DTLS protocols.
– GnuTLS provides a simple C application programming interface.
– The GnuTLS API gives applications access to the secure communications protocols.
– The GnuTLS API also parses and writes X.509, PKCS#12 and the other constructs those protocols require.

1.2 Features of GnuTLS

– Supports TLS 1.3, 1.2, 1.1, 1.0 and, optionally, SSL 3.0
– Supports DTLS 1.2 and DTLS 1.0
– Supports certificate path validation, as well as DANE and trust on first use
– Supports the Online Certificate Status Protocol (OCSP)
– Supports public-key algorithms including RSA and elliptic curves, as well as password and key authentication methods (such as the SRP and PSK protocols)
– Supports all strong encryption algorithms, including AES and Camellia
– Supports CPU-assisted cryptography using the VIA PadLock and AES-NI instruction sets
– Supports cryptographic accelerator drivers (via /dev/crypto)
– Supports local HSMs and cryptographic tokens (via PKCS#11 and the Trusted Platform Module, TPM)
– Supports most Unix platforms and Windows

1.3 Installation requirements for GnuTLS

1.3.1 Dependencies that must be installed beforehand

– Make
– Automake (use 1.11.3 or later)
– Autoconf
– Autogen (use 5.16 or later)
– Libtool
– Gettext
– Texinfo
– Tar
– Gzip
– Texlive & epsf (for PDF manual)
– GTK-DOC (for API manual)
– Git
– Perl
– Nettle
– Guile
– p11-kit
– gperf
– libtasn1 (optional)
– Libidn2 (optional, for internationalization of DNS, IDNA 2008)
– Libunistring (optional, for internationalization)
– AWK (for make dist, pmccabe2html)
– bison (for datetime parser in certtool)
– libunbound (for DANE support)
– libabigail (for abi comparison in make dist)
– tcsd (for TPM support; optional)
– swtpm (for TPM test; optional)
– ncat (for TPM test; optional)
– tpm-tools (for TPM test; optional)
– expect (for TPM test; optional)

On CentOS or RHEL, install them with the following commands:

yum install -y dash git autoconf libtool gettext-devel automake autogen patch
yum install -y nettle-devel p11-kit-devel autogen-libopts-devel libunistring-devel
yum install -y trousers-devel guile22-devel libtasn1-devel libidn2-devel gawk gperf
yum install -y libtasn1-tools unbound-devel bison gtk-doc texinfo texlive

1.3.2 Additional dependencies needed for the build and test suite

– Valgrind (optional)
– Libasan (optional)
– datefudge (optional)
– nodejs (needed by some test cases)
– softhsm (for testing smart card support)
– dieharder (for testing the PRNG)
– lcov (code coverage)

On CentOS or RHEL, install them with the following commands:

yum install -y valgrind libasan libasan-static libubsan nodejs softhsm datefudge lcov openssl-devel expect
yum install -y dieharder mbedtls-utils openssl libabigail libcmocka-devel socat lockfile-progs
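The yum commands above install whatever version the distribution ships, but several of the configure errors quoted later in this article are really minimum-version checks (Libnettle 3.4.1 and its companion hogweed, libtasn1 4.9, p11-kit 0.23.1, and gtk-doc 1.14 for make dist), so it saves a failed configure run to compare the installed versions against those minimums first. The following POSIX sh script is an added example and is not part of the original article: the pkg-config module names (nettle, hogweed, libtasn1, p11-kit-1, gtk-doc) are assumptions about how the CentOS/RHEL -devel packages register themselves, and version_ge assumes purely numeric dotted version strings.

```shell
#!/bin/sh
# Added example, not from the original article: check build dependencies
# against the minimum versions that GnuTLS 3.6.9's configure script demands.

# version_ge A B: exit 0 when dotted version A is >= B, 1 otherwise.
# Pure POSIX sh: compares component by component; a missing component counts as 0.
# Assumption: components are plain integers (3.4.1, 0.23.1, ...).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}            # leading component of each
        [ "$ac" = "$a" ] && a='' || a=${a#*.}   # drop it (empty when it was the last)
        [ "$bc" = "$b" ] && b='' || b=${b#*.}
        ac=${ac:-0}; bc=${bc:-0}
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
    done
    return 0
}

# check_dep MODULE MINIMUM: ask pkg-config for MODULE's version and compare.
# Prints a one-line verdict; returns 0 when present and new enough, 1 otherwise.
# Assumption: the .pc module names below are what the -devel packages install.
check_dep() {
    mod=$1; min=$2
    have=$(pkg-config --modversion "$mod" 2>/dev/null) || {
        echo "MISSING  $mod (need >= $min)"; return 1; }
    if version_ge "$have" "$min"; then
        echo "OK       $mod $have (need >= $min)"; return 0
    else
        echo "TOO OLD  $mod $have (need >= $min)"; return 1
    fi
}

# check_all: minimums quoted in the article's configure error messages.
# gtk-doc is only needed for 'make dist', so it does not affect the verdict.
check_all() {
    rc=0
    check_dep nettle    3.4.1  || rc=1
    check_dep hogweed   3.4.1  || rc=1
    check_dep libtasn1  4.9    || rc=1
    check_dep p11-kit-1 0.23.1 || rc=1
    check_dep gtk-doc   1.14   || true
    return $rc
}

# Run the checks only when invoked as "sh check-deps.sh run", so the file
# can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    check_all
fi
```

Run it as `sh check-deps.sh run` on the build host; a non-zero exit status means at least one required library is missing or older than configure will accept, and the TOO OLD or MISSING line names which one so the matching yum command above (or a source build, as the article describes for nettle and p11-kit) can be applied before ./configure is attempted.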

2 Best practice

2.1 Preparation before installation

2.1.1 Install the build tools

yum install -y gcc gcc-c++ make expat-devel
yum install -y automake libtool

2.1.2 Install the auxiliary tools

yum install -y gettext-devel
yum install -y texinfo texlive tar gzip git perl gperf gawk bison libabigail

2.1.3 Download the package

cd ~
wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.9.tar.xz

Note: other versions can be downloaded from the following directory:
https://www.gnupg.org/ftp/gcrypt/gnutls/

2.1.4 Extract the package

cd ~
tar -xf gnutls-3.6.9.tar.xz

2.2 Build and install

2.2.1 Configure the build

cd ~/gnutls-3.6.9
./configure --prefix=/usr/local/gnutls-3.6.9 \
            --enable-static \
            --disable-guile \
            --with-default-trust-store-pkcs11="pkcs11:"

Alternatively, here is a configuration that follows the GNU directory layout:

cd ~/gnutls-3.6.9
./configure --bindir=/usr/bin/ \
            --sbindir=/usr/sbin/ \
            --libexecdir=/usr/libexec/ \
            --sysconfdir=/etc/ \
            --libdir=/usr/lib64/ \
            --includedir=/usr/include/ \
            --datarootdir=/usr/share/ \
            --infodir=/usr/share/info/ \
            --localedir=/usr/share/locale/ \
            --mandir=/usr/share/man/ \
            --docdir=/usr/share/doc/gnutls/ \
            --enable-static \
            --disable-guile \
            --with-default-trust-store-pkcs11="pkcs11:"

You may also need the following configuration:

cd ~/gnutls-3.6.9
./configure --bindir=/usr/bin/ \
            --sbindir=/usr/sbin/ \
            --libexecdir=/usr/libexec/ \
            --sysconfdir=/etc/ \
            --libdir=/usr/lib64/ \
            --includedir=/usr/include/ \
            --datarootdir=/usr/share/ \
            --infodir=/usr/share/info/ \
            --localedir=/usr/share/locale/ \
            --mandir=/usr/share/man/ \
            --docdir=/usr/share/doc/gnutls/ \
            --enable-static \
            --enable-openssl-compatibility \
            --with-included-libtasn1 \
            --with-included-unistring \
            --with-nettle-mini \
            --disable-guile \
            --with-default-trust-store-pkcs11="pkcs11:"

The “--enable-static” parameter requests that static library files also be built. If you encounter the following error,

configure: error:
  ***
  *** Libnettle 3.4.1 was not found.

or the following error,

configure: error:
  ***
  *** Libhogweed (nettle's companion library) was not found. Note that you must compile nettle with gmp support.

you may need to follow the link below to build nettle from source and resolve this dependency:
https://www.cmdschool.org/archives/6670

If you encounter the following error,

configure: error:
***
*** gmp was not found.

you may need to resolve this dependency with the following command:

yum install -y gmp-devel

If you encounter the following error,

configure: error:
  ***
  *** Libtasn1 4.9 was not found. To use the included one, use --with-included-libtasn1

you may need to resolve this dependency with the following command:

yum install -y libtasn1-devel

If you encounter the following error,

configure: error:
  ***
  *** Libunistring was not found. To use the included one, use --with-included-unistring

you may need to resolve this dependency with the following command:

yum install -y libunistring-devel

If you encounter the following error,

configure: error:
***
*** p11-kit >= 0.23.1 was not found. To disable PKCS #11 support
*** use --without-p11-kit, otherwise you may get p11-kit from
*** http://p11-glue.freedesktop.org/p11-kit.html
***

you may need to resolve this dependency with the following command:

yum install -y p11-kit-devel

Alternatively, you can follow the link below to build p11-kit from source and resolve this dependency:
https://www.cmdschool.org/archives/6743

If you encounter the following warning,

configure: WARNING:
***
*** libunbound was not found. Libdane will not be built.
***

you may need to resolve this dependency with the following command:

yum install -y unbound-devel

If you encounter the following warning,

checking for autogen... no
configure: WARNING:
***
*** autogen not found. Will not link against system libopts.
***

you may need to resolve this dependency with the following command:

yum install -y autogen

If you encounter the following warning,

configure: WARNING:
  You will not be able to create source packages with 'make dist'
  because gtk-doc >= 1.14 is not found.

you may need to resolve this dependency with the following command:

yum install -y gtk-doc

If you encounter the following warning,

configure: WARNING:
***
*** trousers was not found. TPM support will be disabled.
***

you may need to resolve this dependency with the following command:

yum install -y trousers-devel

If you encounter the following warning,

configure: WARNING: `guile-snarf' from Guile not found.  Guile bindings not built.

you may need to resolve this dependency with the following command:

yum install -y guile-devel

If you encounter the following warning,

configure: WARNING: *** LIBIDN2 was not found. You will not be able to use IDN2008 support

you may need to resolve this dependency with the following commands:

yum install -y epel-release
yum install -y libidn2-devel

Finally, you will see a summary like the following:

configure: summary of build options:

  version:              3.6.9 shared 55:0:25
  Host/Target system:   x86_64-pc-linux-gnu
  Build system:         x86_64-pc-linux-gnu
  Install prefix:       /usr/local/gnutls-3.6.9
  Compiler:             gcc -std=gnu99
  Valgrind:             no
  CFlags:               -g -O2
  Library types:        Shared=yes, Static=yes
  Local libopts:        yes
  Local libtasn1:       yes
  Local unistring:      yes
  Use nettle-mini:      yes
  Documentation:        yes (manpages: yes)

configure: External hardware support:

  /dev/crypto:          no
  Hardware accel:       x86-64
  Padlock accel:        yes
  Random gen. variant:  auto-detect
  PKCS#11 support:      yes
  TPM support:          yes

configure:
  TPM library:          /usr/lib64/libtspi.so.1

configure: Optional features:
(note that included applications might not compile properly
if features are disabled)

  SSL3.0 support:       no
  SSL2.0 client hello:  yes
  Allow SHA1 sign:      no
  DTLS-SRTP support:    yes
  ALPN support:         yes
  OCSP support:         yes
  SRP support:          yes
  PSK support:          yes
  DHE support:          yes
  ECDHE support:        yes
  GOST support:         yes
  Anon auth support:    yes
  Heartbeat support:    yes
  IDNA support:         IDNA 2008 (libidn2)
  Non-SuiteB curves:    yes
  FIPS140 mode:         no

configure: Optional libraries:

  Guile wrappers:       yes
  C++ library:          yes
  DANE library:         yes
  OpenSSL compat:       yes

configure: System files:

  Trust store pkcs11:   pkcs11:
  Trust store dir:
  Trust store file:
  Blacklist file:
  CRL file:
  Configuration file:   /etc/gnutls/config
  DNSSEC root key file: /var/lib/unbound/root.key

configure: WARNING:
*** GnuTLS will be build as a static library. That means that library
*** constructors for gnutls_global_init will not be made available to
*** linking applications. If you are building that library for arbitrary
*** applications to link, do not enable static linking.
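Because configure silently drops features whose dependencies are missing and keeps whatever the command line asked for, the summary above is the place to confirm that the build really has the options you intended before running make: that SSL 3.0 and SHA-1 signing stayed off, that PKCS#11 support was not lost, and that the Static=yes line (and the warning that follows it about gnutls_global_init constructors) is what you want. The following POSIX sh script is an added example, not code from the original article or from the GnuTLS project: it looks up values in a saved configure log by the key names shown in the summary above and compares them with the expected settings. The summary text embedded in the script is a constructed excerpt in the same layout as the output shown above.

```shell
#!/bin/sh
# Added example, not from the original article: audit the
# "configure: summary of build options" output before running make.

# Constructed excerpt, in the layout of the article's configure summary.
SAMPLE_SUMMARY='configure: summary of build options:

  version:              3.6.9 shared 55:0:25
  Install prefix:       /usr/local/gnutls-3.6.9
  Library types:        Shared=yes, Static=yes
  Use nettle-mini:      yes

configure: External hardware support:

  PKCS#11 support:      yes
  TPM support:          yes

configure: Optional features:

  SSL3.0 support:       no
  SSL2.0 client hello:  yes
  Allow SHA1 sign:      no
  Heartbeat support:    yes
  FIPS140 mode:         no
'

# summary_value SUMMARY KEY: print the value that follows "KEY:" in SUMMARY,
# with surrounding whitespace removed (first match only).
summary_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# expect_value SUMMARY KEY WANTED: print a verdict line; return 1 on mismatch.
expect_value() {
    got=$(summary_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "OK    $2 = $got"; return 0
    else
        echo "CHECK $2 = '$got' (expected '$3')"; return 1
    fi
}

# audit_summary SUMMARY: apply the checks a hardened build should pass.
# Returns the number of mismatches, so 0 means every check passed.
audit_summary() {
    s=$1; bad=0
    expect_value "$s" "SSL3.0 support"  no  || bad=$((bad + 1))
    expect_value "$s" "Allow SHA1 sign" no  || bad=$((bad + 1))
    expect_value "$s" "PKCS#11 support" yes || bad=$((bad + 1))
    # --enable-static gives Static=yes; configure itself warns that library
    # constructors for gnutls_global_init are then unavailable to linking apps.
    expect_value "$s" "Library types" "Shared=yes, Static=yes" || bad=$((bad + 1))
    return $bad
}

# Self-check against the constructed sample (all four checks pass).
audit_summary "$SAMPLE_SUMMARY"
```

With a real build, save the configure output (`./configure ... 2>&1 | tee configure.log`) and call `audit_summary "$(cat configure.log)"`; a non-zero return means at least one option differs from what was expected, and the CHECK lines name which key to look at in the summary.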

2.2.2 Build the library

cd ~/gnutls-3.6.9
make

If you encounter the following error,

  CC       pkcs11_privkey.lo
pkcs11_privkey.c: In function '_gnutls_pkcs11_privkey_sign':
pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known
  struct ck_rsa_pkcs_pss_params rsa_pss_params;
                                ^
pkcs11_privkey.c:335:32: warning: unused variable 'rsa_pss_params' [-Wunused-variable]
make[4]: *** [pkcs11_privkey.lo] Error 1
make[4]: Leaving directory `/root/gnutls-3.6.9/lib'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/gnutls-3.6.9/lib'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/gnutls-3.6.9/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/gnutls-3.6.9'
make: *** [all] Error 2

You can refer to the following link to resolve this problem:
https://gitlab.com/gnutls/gnutls/issues/812

Alternatively, if it really cannot be made to configure, you can disable p11-kit with the “--without-p11-kit” parameter:

cd ~/gnutls-3.6.9
./configure --bindir=/usr/bin/ \
            --sbindir=/usr/sbin/ \
            --libexecdir=/usr/libexec/ \
            --sysconfdir=/etc/ \
            --libdir=/usr/lib64/ \
            --includedir=/usr/include/ \
            --datarootdir=/usr/share/ \
            --infodir=/usr/share/info/ \
            --localedir=/usr/share/locale/ \
            --mandir=/usr/share/man/ \
            --docdir=/usr/share/doc/gnutls/ \
            --enable-static \
            --disable-guile \
            --without-p11-kit

2.2.3 Install the library

cd ~/gnutls-3.6.9
make install

References
===========================

Build and install guide
---------------------
http://linuxfromscratch.org/blfs/view/svn/postlfs/gnutls.html

Official home page
---------------------
https://gitlab.com/gnutls/gnutls
https://www.gnutls.org/index.html

GitHub home page
---------------------
https://www.gnupg.org/ftp/gcrypt/gnutls/
https://github.com/gnutls/gnutls

Software downloads
---------------------
https://github.com/gnutls/gnutls/releases

Error handling
---------------------
https://lists.gnutls.org/pipermail/gnutls-help/2016-February/004085.html

Unofficial references
---------------------
https://amon.org/gnutls
