GnuTLS-3.5.19

Introduction to GnuTLS

The GnuTLS package contains libraries and userspace tools which provide a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards by the IETF's TLS working group. Quoting from the TLS protocol specification:

The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

GnuTLS provides support for TLS 1.2, TLS 1.1, TLS 1.0, and SSL 3.0 protocols, TLS extensions, including server name and max record size. Additionally, the library supports authentication using the SRP protocol, X.509 certificates and OpenPGP keys, along with support for the TLS Pre-Shared-Keys (PSK) extension, the Inner Application (TLS/IA) extension and X.509 and OpenPGP certificate handling.

This package is known to build and work properly using an LFS-8.3 platform.

Package Information

GnuTLS Dependencies

Required

Nettle-3.4

Recommended

Optional

Doxygen-1.8.14, GTK-Doc-1.29, Guile-2.2.4, libidn-1.35 or libidn2-2.0.5, Net-tools-CVS_20101030 (used during the test suite), texlive-20180414 or install-tl-unx, Unbound-1.7.3 (to build the DANE library), Valgrind-3.13.0 (used during the test suite), autogen, cmocka, datefudge (used during the test suite if the DANE library is built), and Trousers (Trusted Platform Module support)

Note

If libtasn1-4.13 is not installed, the older version bundled in the GnuTLS tarball is used instead.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gnutls

Installation of GnuTLS

Install GnuTLS by running the following commands:

./configure --prefix=/usr \
            --with-default-trust-store-pkcs11="pkcs11:" &&
make

To test the results, issue: make check. If a prior version of GnuTLS (or the same version but without all of the recommended dependencies) has been installed, some tests may fail. If /usr/lib/libgnutls.so and the target of that symlink are moved or renamed so that they cannot be found, all tests should pass and the install procedure will restore libgnutls.so and the versioned library it points to.

Now, as the root user:

make install

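If you passed the --enable-gtk-doc option to the configure script, the API documentation is installed automatically. The documentation is installed in /usr/share/gtk-doc/html/gnutls. If you did not pass that option but still want to install the documentation, run the following command as the root user: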

make -C doc/reference install-data-local

Command Explanations

--with-default-trust-store-pkcs11="pkcs11:": This switch tells gnutls to use the PKCS #11 trust store as the default trust. Omit this switch if p11-kit-0.23.14 is not installed.

--with-default-trust-store-file=/etc/ssl/ca-bundle.crt: This switch tells configure where to find the legacy CA certificate bundle and to use it instead of PKCS #11 module by default. Use this if p11-kit-0.23.14 is not installed.

--enable-gtk-doc: Use this switch if GTK-Doc is installed and you wish to rebuild the API documentation.

--enable-openssl-compatibility: Use this switch if you wish to build the OpenSSL compatibility library.

--without-p11-kit: Use this switch if you have not installed p11-kit.

--with-included-unistring: uses the bundled version of libunistring, instead of the system one. Use this switch if you have not installed libunistring-0.9.10.
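
Which trust-store switches apply depends on whether p11-kit is installed. The shell helper below is an added example, not part of the original page or of GnuTLS: it picks the switches accordingly and fails when the fallback CA bundle holds no PEM certificate. The function name select_trust_flags, the HAVE_P11KIT override, and detection through the p11-kit-1 pkg-config module are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the BLFS page or the GnuTLS sources.
# Assumptions: select_trust_flags and HAVE_P11KIT are hypothetical names;
# p11-kit is detected through its pkg-config module "p11-kit-1".

# Print the ./configure switches for the default trust store.
#   $1  legacy CA bundle path (default: the path used on this page)
# Returns 1 when neither p11-kit nor a usable bundle is available, so the
# build never silently ends up with an empty default trust store.
select_trust_flags() {
    bundle=${1:-/etc/ssl/ca-bundle.crt}
    have=${HAVE_P11KIT:-}

    # Detect p11-kit unless the caller forced an answer (yes/no).
    if [ -z "$have" ]; then
        if pkg-config --exists p11-kit-1 2>/dev/null; then
            have=yes
        else
            have=no
        fi
    fi

    if [ "$have" = yes ]; then
        # PKCS #11 trust store as the default trust.
        printf '%s\n' '--with-default-trust-store-pkcs11=pkcs11:'
        return 0
    fi

    # Fallback: the bundle must hold at least one PEM certificate.
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" 2>/dev/null || true)
    if [ "${certs:-0}" -eq 0 ]; then
        echo "no p11-kit and no certificates in $bundle" >&2
        return 1
    fi
    printf '%s\n' "--without-p11-kit --with-default-trust-store-file=$bundle"
}

# Usage (flags are word-split on purpose; the bundle path must not contain spaces):
#   ./configure --prefix=/usr $(select_trust_flags) && make
```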

Contents

Installed Programs: certtool, danetool, gnutls-cli, gnutls-cli-debug, gnutls-serv, ocsptool, p11tool, psktool, srptool
Installed Libraries: libgnutls.so, libgnutls-dane.so, libgnutlsxx.so, libgnutls-openssl.so (optional), /usr/lib/guile/2.2/guile-gnutls-v-2.so
Installed Directories: /usr/{include,share/gtk-doc/html,share/guile/site/2.2}/gnutls

Short Descriptions

certtool

is used to generate X.509 certificates, certificate requests, and private keys.

danetool

is a tool used to generate and check DNS resource records for the DANE protocol.

gnutls-cli

is a simple client program to set up a TLS connection to some other computer.

gnutls-cli-debug

is a simple client program to set up a TLS connection to some other computer and produces very verbose progress results.

gnutls-serv

is a simple server program that listens to incoming TLS connections.

ocsptool

is a program that can parse and print information about OCSP requests/responses, generate requests and verify responses.

p11tool

is a program that allows handling data from PKCS #11 smart cards and security modules.

psktool

is a simple program that generates random keys for use with TLS-PSK.

srptool

is a simple program that emulates the programs in the Stanford SRP (Secure Remote Password) libraries using GnuTLS.

libgnutls.so

contains the core API functions and X.509 certificate API functions.

Last updated on 2018-08-15 11:39:38 +0900