1 Basics
1.1 Introduction to GnuTLS
– GnuTLS is a secure communications library
– GnuTLS implements secure communication using the TLS/SSL (Transport Layer Security, formerly Secure Sockets Layer) and DTLS protocols
– GnuTLS provides a simple C-language application programming interface
– The GnuTLS API gives applications access to the secure communication protocols
– The GnuTLS API is also used to parse and write X.509, PKCS#12 and other required structures
1.2 Features of GnuTLS
– Supports TLS 1.3, 1.2, 1.1, 1.0 and SSL 3.0 (optional)
– Supports the DTLS 1.2 and DTLS 1.0 protocols
– Supports certificate path validation, as well as DANE and trust on first use
– Supports the Online Certificate Status Protocol (OCSP)
– Supports public-key methods including RSA and elliptic curves, as well as password- and key-based authentication methods (such as the SRP and PSK protocols)
– Supports all strong encryption algorithms, including AES and Camellia
– Supports CPU-assisted cryptography using the VIA PadLock and AES-NI instruction sets
– Supports cryptographic accelerator drivers (via /dev/crypto)
– Supports native HSMs and cryptographic tokens (via PKCS#11 and the Trusted Platform Module, TPM)
– Supports most Unix platforms and Windows
1.3 Installation requirements for GnuTLS
1.3.1 Packages that must be installed beforehand
– Make
– Automake (use 1.11.3 or later)
– Autoconf
– Autogen (use 5.16 or later)
– Libtool
– Gettext
– Texinfo
– Tar
– Gzip
– Texlive & epsf (for PDF manual)
– GTK-DOC (for API manual)
– Git
– Perl
– Nettle
– Guile
– p11-kit
– gperf
– libtasn1 (optional)
– Libidn2 (optional, for internationalization of DNS, IDNA 2008)
– Libunistring (optional, for internationalization)
– AWK (for make dist, pmccabe2html)
– bison (for datetime parser in certtool)
– libunbound (for DANE support)
– libabigail (for abi comparison in make dist)
– tcsd (for TPM support; optional)
– swtpm (for TPM test; optional)
– ncat (for TPM test; optional)
– tpm-tools (for TPM test; optional)
– expect (for TPM test; optional)
On CentOS or RHEL, install them with the following commands:
yum install -y dash git autoconf libtool gettext-devel automake autogen patch
yum install -y nettle-devel p11-kit-devel autogen-libopts-devel libunistring-devel
yum install -y trousers-devel guile22-devel libtasn1-devel libidn2-devel gawk gperf
yum install -y libtasn1-tools unbound-devel bison gtk-doc texinfo texlive
1.3.2 Packages needed for the build and its test suite
– Valgrind (optional)
– Libasan (optional)
– datefudge (optional)
– nodejs (required by some test cases)
– softhsm (for testing smart-card support)
– dieharder (for testing the PRNG)
– lcov (code coverage)
On CentOS or RHEL, install them with the following commands:
yum install -y valgrind libasan libasan-static libubsan nodejs softhsm datefudge lcov openssl-devel expect
yum install -y dieharder mbedtls-utils openssl libabigail libcmocka-devel socat lockfile-progs
2 Best practice
2.1 Preparation before installation
2.1.1 Install the build tools
yum install -y gcc gcc-c++ make expat-devel
yum install -y automake libtool
2.1.2 Install the auxiliary tools
yum install -y gettext-devel
yum install -y texinfo texlive tar gzip git perl gperf gawk bison libabigail
2.1.3 Download the source package
cd ~
wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.9.tar.xz
Note: other versions can be downloaded from the following directory,
https://www.gnupg.org/ftp/gcrypt/gnutls/
2.1.4 Extract the source package
cd ~
tar -xf gnutls-3.6.9.tar.xz
2.2 Build and install
2.2.1 Configure the library
cd ~/gnutls-3.6.9
./configure --prefix=/usr/local/gnutls-3.6.9 \
--enable-static \
--disable-guile \
--with-default-trust-store-pkcs11="pkcs11:"
Alternatively, here is a configuration that follows the GNU directory layout,
cd ~/gnutls-3.6.9
./configure --bindir=/usr/bin/ \
--sbindir=/usr/sbin/ \
--libexecdir=/usr/libexec/ \
--sysconfdir=/etc/ \
--libdir=/usr/lib64/ \
--includedir=/usr/include/ \
--datarootdir=/usr/share/ \
--infodir=/usr/share/info/ \
--localedir=/usr/share/locale/ \
--mandir=/usr/share/man/ \
--docdir=/usr/share/doc/gnutls/ \
--enable-static \
--disable-guile \
--with-default-trust-store-pkcs11="pkcs11:"
You may also need the following configuration (bundled libtasn1, libunistring and nettle-mini, plus the OpenSSL compatibility layer),
cd ~/gnutls-3.6.9
./configure --bindir=/usr/bin/ \
--sbindir=/usr/sbin/ \
--libexecdir=/usr/libexec/ \
--sysconfdir=/etc/ \
--libdir=/usr/lib64/ \
--includedir=/usr/include/ \
--datarootdir=/usr/share/ \
--infodir=/usr/share/info/ \
--localedir=/usr/share/locale/ \
--mandir=/usr/share/man/ \
--docdir=/usr/share/doc/gnutls/ \
--enable-static \
--enable-openssl-compatibility \
--with-included-libtasn1 \
--with-included-unistring \
--with-nettle-mini \
--disable-guile \
--with-default-trust-store-pkcs11="pkcs11:"
The --enable-static option asks for static library files to be built as well. If you hit the following error,
configure: error: *** *** Libnettle 3.4.1 was not found.
or the following error,
configure: error: *** *** Libhogweed (nettle's companion library) was not found. Note that you must compile nettle with gmp support.
you may need to build that dependency yourself by following this link,
https://www.cmdschool.org/archives/6670
If you hit the following error,
configure: error: *** *** gmp was not found.
resolve the dependency with the following command,
yum install -y gmp-devel
If you hit the following error,
configure: error: *** *** Libtasn1 4.9 was not found. To use the included one, use --with-included-libtasn1
resolve the dependency with the following command,
yum install -y libtasn1-devel
If you hit the following error,
configure: error: *** *** Libunistring was not found. To use the included one, use --with-included-unistring
resolve the dependency with the following command,
yum install -y libunistring-devel
If you hit the following error,
configure: error: *** *** p11-kit >= 0.23.1 was not found. To disable PKCS #11 support *** use --without-p11-kit, otherwise you may get p11-kit from *** http://p11-glue.freedesktop.org/p11-kit.html ***
resolve the dependency with the following command,
yum install -y p11-kit-devel
Alternatively, build it yourself by following this link,
https://www.cmdschool.org/archives/6743
If you see the following warning,
configure: WARNING: *** *** libunbound was not found. Libdane will not be built. ***
resolve the dependency with the following command,
yum install -y unbound-devel
If you see the following warning,
checking for autogen... no
configure: WARNING: *** *** autogen not found. Will not link against system libopts. ***
resolve the dependency with the following command,
yum install -y autogen
If you see the following warning,
configure: WARNING: You will not be able to create source packages with 'make dist' because gtk-doc >= 1.14 is not found.
resolve the dependency with the following command,
yum install -y gtk-doc
If you see the following warning,
configure: WARNING: *** *** trousers was not found. TPM support will be disabled. ***
resolve the dependency with the following command,
yum install -y trousers-devel
If you see the following warning,
configure: WARNING: `guile-snarf' from Guile not found. Guile bindings not built.
resolve the dependency with the following command,
yum install -y guile-devel
If you see the following warning,
configure: WARNING: *** LIBIDN2 was not found. You will not be able to use IDN2008 support
resolve the dependency with the following commands,
yum install -y epel-release
yum install -y libidn2-devel
Finally, you will see a summary like the following,
configure: summary of build options:

  version:              3.6.9 shared 55:0:25
  Host/Target system:   x86_64-pc-linux-gnu
  Build system:         x86_64-pc-linux-gnu
  Install prefix:       /usr/local/gnutls-3.6.9
  Compiler:             gcc -std=gnu99
  Valgrind:             no
  CFlags:               -g -O2
  Library types:        Shared=yes, Static=yes
  Local libopts:        yes
  Local libtasn1:       yes
  Local unistring:      yes
  Use nettle-mini:      yes
  Documentation:        yes (manpages: yes)

configure: External hardware support:

  /dev/crypto:          no
  Hardware accel:       x86-64
  Padlock accel:        yes
  Random gen. variant:  auto-detect
  PKCS#11 support:      yes
  TPM support:          yes
configure:   TPM library:          /usr/lib64/libtspi.so.1

configure: Optional features:
 (note that included applications might not compile properly
  if features are disabled)

  SSL3.0 support:       no
  SSL2.0 client hello:  yes
  Allow SHA1 sign:      no
  DTLS-SRTP support:    yes
  ALPN support:         yes
  OCSP support:         yes
  SRP support:          yes
  PSK support:          yes
  DHE support:          yes
  ECDHE support:        yes
  GOST support:         yes
  Anon auth support:    yes
  Heartbeat support:    yes
  IDNA support:         IDNA 2008 (libidn2)
  Non-SuiteB curves:    yes
  FIPS140 mode:         no

configure: Optional libraries:

  Guile wrappers:       yes
  C++ library:          yes
  DANE library:         yes
  OpenSSL compat:       yes

configure: System files:

  Trust store pkcs11:   pkcs11:
  Trust store dir:
  Trust store file:
  Blacklist file:
  CRL file:
  Configuration file:   /etc/gnutls/config
  DNSSEC root key file: /var/lib/unbound/root.key

configure: WARNING:
*** GnuTLS will be build as a static library. That means that library
*** constructors for gnutls_global_init will not be made available to
*** linking applications. If you are building that library for arbitrary
*** applications to link, do not enable static linking.
2.2.2 Build the library
cd ~/gnutls-3.6.9
make
If you hit the following error,
  CC       pkcs11_privkey.lo
pkcs11_privkey.c: In function '_gnutls_pkcs11_privkey_sign':
pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known
  struct ck_rsa_pkcs_pss_params rsa_pss_params;
                                ^
pkcs11_privkey.c:335:32: warning: unused variable 'rsa_pss_params' [-Wunused-variable]
make[4]: *** [pkcs11_privkey.lo] Error 1
make[4]: Leaving directory `/root/gnutls-3.6.9/lib'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/gnutls-3.6.9/lib'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/gnutls-3.6.9/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/gnutls-3.6.9'
make: *** [all] Error 2
see the following link for the fix,
https://gitlab.com/gnutls/gnutls/issues/812
Also, if configuration still fails, you can disable p11-kit with the --without-p11-kit option,
cd ~/gnutls-3.6.9
./configure --bindir=/usr/bin/ \
--sbindir=/usr/sbin/ \
--libexecdir=/usr/libexec/ \
--sysconfdir=/etc/ \
--libdir=/usr/lib64/ \
--includedir=/usr/include/ \
--datarootdir=/usr/share/ \
--infodir=/usr/share/info/ \
--localedir=/usr/share/locale/ \
--mandir=/usr/share/man/ \
--docdir=/usr/share/doc/gnutls/ \
--enable-static \
--disable-guile \
--without-p11-kit
2.2.3 Install the library
cd ~/gnutls-3.6.9
make install
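The download, extract, configure, make and make install steps of sections 2.1.3 through 2.2.3, as one POSIX sh script. This is an added example and not part of the original post; it adds the checks a practitioner would want around the post's commands: the release signature is verified before the tarball is unpacked, the test suite is run before installation, and the installed binary and pkg-config data are checked afterwards. It assumes that the GnuTLS release-signing key is already in the gpg keyring, that the detached .sig file sits next to the tarball in the release directory the post uses, and that the installation goes to the same prefix as in section 2.2.1 (all function names and the file name build-gnutls.sh are my own choices).

```shell
#!/bin/sh
# Added example (not from the original post): scripted download -> verify ->
# configure -> make -> make check -> make install of GnuTLS, with checks.
# Assumptions: the GnuTLS release-signing key is already imported into gpg,
# and the release layout is https://www.gnupg.org/ftp/gcrypt/gnutls/vX.Y/.
set -eu

GNUTLS_VERSION="${GNUTLS_VERSION:-3.6.9}"
PREFIX="${PREFIX:-/usr/local/gnutls-${GNUTLS_VERSION}}"
WORKDIR="${WORKDIR:-$HOME}"

# Derive the download URL from the version: 3.6.9 lives under v3.6/.
release_url() {
    ver="$1"
    echo "https://www.gnupg.org/ftp/gcrypt/gnutls/v${ver%.*}/gnutls-${ver}.tar.xz"
}

# The configure options from section 2.2.1, one per line so they can be
# reviewed or diffed; the install prefix is a parameter.
configure_args() {
    cat <<EOF
--prefix=$1
--enable-static
--disable-guile
--with-default-trust-store-pkcs11=pkcs11:
EOF
}

# Fetch the tarball and its detached signature, and refuse to go on unless
# the signature verifies against an already-trusted key. Prints the tarball
# file name on success.
fetch_and_verify() {
    url="$1"
    tarball="${url##*/}"
    cd "$WORKDIR"
    wget -q "$url" "$url.sig"
    gpg --verify "$tarball.sig" "$tarball" \
        || { echo "signature check failed for $tarball" >&2; exit 1; }
    echo "$tarball"
}

# Unpack, configure with the option list above, build, run the test suite
# (needs the packages from section 1.3.2) and install.
build_and_install() {
    tarball="$1"
    srcdir="${tarball%.tar.xz}"
    cd "$WORKDIR"
    tar -xf "$tarball"
    cd "$srcdir"
    # Word-splitting of the option list is intentional here.
    ./configure $(configure_args "$PREFIX")
    make -j"$(nproc)"
    make check
    make install
}

# Post-install smoke test: the installed gnutls-cli runs and reports the
# expected version, and the .pc file under the prefix reports it as well.
# Returns non-zero if the prefix does not hold a usable installation.
verify_install() {
    prefix="$1"
    want="$2"
    "$prefix/bin/gnutls-cli" --version | head -n 1 | grep -q "$want" || return 1
    got=$(PKG_CONFIG_PATH="$prefix/lib/pkgconfig" pkg-config --modversion gnutls)
    [ "$got" = "$want" ]
}

main() {
    tb=$(fetch_and_verify "$(release_url "$GNUTLS_VERSION")")
    build_and_install "$tb"
    verify_install "$PREFIX" "$GNUTLS_VERSION" \
        && echo "GnuTLS $GNUTLS_VERSION installed under $PREFIX"
}

# Only run the full procedure when explicitly asked (sh build-gnutls.sh --run),
# so the file can also be sourced just to reuse the helper functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh build-gnutls.sh --run`; without the argument it only defines the helpers. Since --enable-static produces a static library, the configure warning quoted above applies to anything that links it statically: no library constructor runs, so such a program must call gnutls_global_init() itself.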
References
===========================
Build and install method
———————
http://linuxfromscratch.org/blfs/view/svn/postlfs/gnutls.html
Official homepage
———————
https://gitlab.com/gnutls/gnutls
https://www.gnutls.org/index.html
GitHub homepage
———————
https://www.gnupg.org/ftp/gcrypt/gnutls/
https://github.com/gnutls/gnutls
Software download
———————
https://github.com/gnutls/gnutls/releases
Error handling
———————
https://lists.gnutls.org/pipermail/gnutls-help/2016-February/004085.html
Unofficial reference
———————
https://amon.org/gnutls