How to compile and install GnuTLS

August 23, 2016 | Category: 【Technology】

【Introduction】

GnuTLS is a secure communications library that implements the SSL, TLS and DTLS protocols and related technologies. It provides a simple C API for using these protocols, and for parsing, reading and writing X.509, PKCS #12, OpenPGP and other related structures. Its distinguishing features are portability and efficiency.

The POODLE vulnerability finished off SSLv3 for good; the many places that still supported SSLv3 did so for compatibility reasons. GnuTLS 3.4 no longer enables SSLv3 by default.

Website: https://www.gnutls.org/

【Installing with yum】

Current version: 3.3.29

yum install gnutls gnutls-devel

If gnutls is already installed via yum/rpm, there is no need to uninstall it (this is what uninstalling would look like):

rpm -e --nodeps gnutls
rpm -e --nodeps gnutls-devel

If you do uninstall it, yum breaks:

There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   libgnutls.so.28: cannot open shared object file: No such file or directory

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.7.5 (default, Apr  9 2019, 14:30:50)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

If you cannot solve this problem yourself, please go to
the yum faq at:
  http://yum.baseurl.org/wiki/Faq

In that case it can be reinstalled via rpm:

Download: https://pkgs.org/download/gnutls
Download: https://rpmfind.net/linux/rpm2html/search.php?query=gnutls(x86-64)

wget https://rpmfind.net/linux/centos/7.6.1810/updates/x86_64/Packages/gnutls-3.3.29-9.el7_6.x86_64.rpm && rpm -i gnutls-3.3.29-9.el7_6.x86_64.rpm

Then verify that yum works again.

【Building and installing from source】

Reference: http://linuxfromscratch.org/blfs/view/svn/postlfs/gnutls.html
Reference: http://gnutls.org/manual/gnutls.html

Compile and install nettle:

Required: Nettle-3.4.1

Reference: http://amon.org/nettle

Compile and install libtasn1:

Reference: http://amon.org/libtasn1

Compile and install p11-kit:

Reference: http://amon.org/p11-kit

Compile and install libgmp:

Newer gnutls no longer requires a separately compiled libgmp, so this step is skipped.

Reference: http://amon.org/gmplib

If it is installed anyway, gnutls fails during make with:

libgnutls.so: undefined reference to `__gmpn_zero_p

Reference: https://stackoverflow.com/questions/25944209/nettle-3-0-and-gmp-6-0-0-undefined-symbols-gmpz-limbs-write-gmpz-limbs-read

If it is needed, add the following to the environment:

export GMP_CFLAGS="-I/usr/local/include" GMP_LIBS="-L/usr/local/lib -lgmp"

Generate ca-bundle.crt:

Reference: http://amon.org/ca-bundle

The resulting file is used by the subsequent gnutls build:

/etc/ssl/ca-bundle.crt

Compile and install gnutls:

Download: http://gnutls.org/download.html

Latest version: GnuTLS 3.6.9

Version verified here: GnuTLS 3.6.8

wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.8.tar.xz && xz -d gnutls-3.6.8.tar.xz && tar -xvf gnutls-3.6.8.tar && cd gnutls-3.6.8
export NETTLE_CFLAGS="-I/usr/include/nettle" NETTLE_LIBS="-L/usr/lib64 -lnettle" HOGWEED_CFLAGS="-I/usr/include/nettle" HOGWEED_LIBS="-L/usr/lib64 -lhogweed" P11_KIT_CFLAGS="-I/usr/include/p11-kit-1/p11-kit" P11_KIT_LIBS="-L/usr/lib -lp11-kit" LIBTASN1_CFLAGS="-I/usr/include" LIBTASN1_LIBS="-L/usr/lib -ltasn1"
./configure --prefix=/usr --disable-guile --with-default-trust-store-pkcs11="pkcs11:" --with-included-unistring
make
make install

If make fails with:

./../pkcs11_int.h:27:28: fatal error: p11-kit/pkcs11.h: No such file or directory
 #include <p11-kit/pkcs11.h>

copy the header directory into the source tree directly:

cp -R /usr/include/p11-kit-1/p11-kit /root/gnutls-3.6.8/lib/p11-kit

Reference: https://www.gnutls.org/manual/html_node/gnutls_002dcli-Invocation.html

Rerun make / make install; the output:

...
Libraries have been installed in:
   /usr/lib
...
libtool: install: /usr/bin/install -c .libs/gnutls-serv /usr/bin/gnutls-serv
libtool: install: /usr/bin/install -c .libs/gnutls-cli /usr/bin/gnutls-cli
...

Build and installation complete.

Related paths:

/usr/include/gnutls/gnutls.h
/usr/lib/libgnutls.so.30.8.1

Update the system environment:

echo /usr/lib >> /etc/ld.so.conf
ldconfig
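The `echo /usr/lib >> /etc/ld.so.conf` step above (repeated in the troubleshooting section) appends a new line every time the procedure is re-run. As an added example (not from the original post), a POSIX sh helper that records the directory only once, demonstrated on a temporary file standing in for /etc/ld.so.conf:

```shell
#!/bin/sh
# Added example (not from the original post): make the ld.so.conf update
# idempotent. CONF is a parameter (normally /etc/ld.so.conf) so the helper
# can be exercised on a temporary file.

# add_ld_path CONF DIR -> prints "added" or "present"
add_ld_path() {
    conf=$1
    dir=$2
    [ -f "$conf" ] || : > "$conf"
    # -x matches the whole line, so an existing "/usr/lib64" entry is not
    # mistaken for "/usr/lib"; -F treats DIR literally, not as a regex.
    if grep -qxF -- "$dir" "$conf"; then
        echo present
    else
        printf '%s\n' "$dir" >> "$conf"
        echo added
    fi
}

# count_entries CONF DIR -> how many lines are exactly DIR (0 if none)
count_entries() {
    grep -cxF -- "$2" "$1" || true
}

# Constructed demo: a temporary file seeded with the stock CentOS 7 include
# line. On a real system: add_ld_path /etc/ld.so.conf /usr/lib && ldconfig
demo() {
    tmp=$(mktemp)
    printf 'include ld.so.conf.d/*.conf\n' > "$tmp"
    add_ld_path "$tmp" /usr/lib      # added
    add_ld_path "$tmp" /usr/lib      # present (no duplicate written)
    add_ld_path "$tmp" /usr/lib64    # added
    count_entries "$tmp" /usr/lib    # 1
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

On CentOS 7 x86_64 the distribution's 64-bit libraries live in /usr/lib64, while the post's `--prefix=/usr` puts libgnutls.so.30 in /usr/lib, which is why the dynamic linker needs this extra entry at all.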

Check the version:

gnutls-cli -v

Output:

gnutls-cli 3.6.8
Copyright (C) 2000-2019 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>


Please send bug reports to:  <bugs@gnutls.org>

Note: mod_gnutls must be recompiled for the new version to take effect in Apache.

Reference: http://amon.org/mod_gnutls

【Troubleshooting】

Error: genshell.c:68:13: warning: initializer-string for array of chars is too long

When compiling gnutls 3.6.9, the build reports:

In file included from libopts.c:30:0:
genshell.c:68:13: warning: initializer-string for array of chars is too long [enabled by default]
 /*     0 */ "genshellopt 1\n"
             ^
  CCLD     libopts.la
make[5]: Leaving directory `/root/gnutls-3.6.9/src/libopts'
make[4]: Leaving directory `/root/gnutls-3.6.9/src/libopts'
make[4]: Entering directory `/root/gnutls-3.6.9/src'
  CC       psk.o
  CC       psktool-args.lo
psktool-args.c:502:5: warning: suggest parentheses around arithmetic in operand of '|' [-Wparentheses]
     + OPTPROC_MISUSE ),

Reference: https://github.com/openwrt/packages/issues/8129

Caused by the autogen version?

Error: gnutls-cli: error while loading shared libraries: libgnutls.so.30

gnutls-cli: error while loading shared libraries: libgnutls.so.30: cannot open shared object file: No such file or directory

Be sure to update the dynamic linker configuration as described above; after that the command runs and the error is gone.

Update the system dynamic linker configuration (important):

echo /usr/lib >> /etc/ld.so.conf
ldconfig

Reference: https://lists.gnutls.org/pipermail/gnutls-help/2013-November/003268.html

Error: p11_kit_uri_get_pin_value

../lib/.libs/libgnutls.so: undefined reference to `p11_kit_uri_get_pin_value'

You are compiling with a newer library than the one you are linking with.
Most likely you have both versions of the libraries available but your
flags to linker are not correct.

This happens because two versions of p11-kit exist on the system, and the older one, which does not support the newer gnutls, is the one being linked. Remove the older version, then compile and install the newer p11-kit.

Reference: http://amon.org/p11-kit
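As an added example (not from the original post), a POSIX sh check for the situation just described: it enumerates every copy of a library (libp11-kit here) under the library prefixes a CentOS 7 build host typically has, so the leftover old build is visible before gnutls is linked against it. The directory list is an assumption about a typical host, and the demo uses a constructed temporary tree in place of the real root.

```shell
#!/bin/sh
# Added example (not from the original post): list every copy of a shared
# library across the usual library directories. Two coexisting p11-kit
# builds are what the post blames for the p11_kit_uri_get_pin_value link
# error. ROOT is / on a real system and a temp dir in the demo below.

# lib_dirs ROOT -> the candidate library directories, one per line
lib_dirs() {
    root=${1%/}
    printf '%s\n' "$root/usr/lib" "$root/usr/lib64" \
                  "$root/usr/local/lib" "$root/usr/local/lib64"
}

# find_lib_copies ROOT LIBNAME -> one matching path per line (LIBNAME.so*)
find_lib_copies() {
    for d in $(lib_dirs "$1"); do
        [ -d "$d" ] || continue
        for f in "$d/$2".so*; do
            if [ -e "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# count_lib_copies ROOT LIBNAME -> number of copies found (0 if none)
count_lib_copies() {
    find_lib_copies "$1" "$2" | grep -c '' || true
}

# Constructed demo tree: the distro p11-kit in /usr/lib64 next to a freshly
# compiled one in /usr/local/lib, i.e. two versions at once.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib64" "$root/usr/local/lib"
    : > "$root/usr/lib64/libp11-kit.so.0"
    : > "$root/usr/local/lib/libp11-kit.so.0"
    find_lib_copies "$root" libp11-kit
    count_lib_copies "$root" libp11-kit    # 2
    count_lib_copies "$root" libnettle     # 0
    rm -rf "$root"
}

demo
```

Compare the paths it prints with the -L directories in the P11_KIT_LIBS (and NETTLE_LIBS, LIBTASN1_LIBS) environment used for configure; they must point at the newly built copy.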

Error: asn1_der_decoding2

In file included from common.c:34:0:
./common.h: In function '_asn1_strict_der_decode':
./common.h:259:2: warning: implicit declaration of function 'asn1_der_decoding2' [-Wimplicit-function-declaration]

Recompile libtasn1.

Reference: http://amon.org/libtasn1

Error: sha256_ctx

struct sha256_ctx' has no member named 'count'

Reference: https://dev.openwrt.org/changeset/41263

Recompile nettle.

Reference: http://amon.org/nettle

Error: gnutls_pkcs11_privkey_sign

GnuTLS 3.6.6 fails during make with:

...
pkcs11_privkey.c: In function '_gnutls_pkcs11_privkey_sign':
pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known
  struct ck_rsa_pkcs_pss_params rsa_pss_params;
                                ^
pkcs11_privkey.c:335:32: warning: unused variable 'rsa_pss_params' [-Wunused-variable]
make[4]: *** [pkcs11_privkey.lo] Error 1
...

No fix is known yet; GnuTLS 3.6.5 is used for the time being.
However, GnuTLS 3.6.6 compiled successfully on another machine, so the cause is probably some as yet unidentified dependency configuration.

Reference: PKCS 11 API (GnuTLS 3.6.6)
URL: https://www.gnutls.org/manual/html_node/PKCS-11-API.html

Error during make: ftello.c: In function ‘rpl_ftello’:

When compiling and installing GnuTLS 3.6.7.1, make fails with:

ftello.c: In function 'rpl_ftello':
ftello.c:53:7: error: 'fp_' undeclared (first use in this function); did you mean 'fp'?
   if (fp_->_flag & _IOWRT)
       ^~~
       fp
ftello.c:53:7: note: each undeclared identifier is reported only once for each function it appears in
ftello.c:53:20: error: '_IOWRT' undeclared (first use in this function)
   if (fp_->_flag & _IOWRT)
                    ^~~~~~
make[4]: *** [ftello.lo] Error 1

Reference: https://savannah.gnu.org/bugs/?37789

The build was error-free with GCC 4.8.5; the problem appeared after upgrading to GCC 8.3.0.

So the GCC upgrade is the likely cause, and having several GCC versions installed side by side may be necessary.

Reference: http://amon.org/gcc

【References】

Reference: https://www.painso.com/ocserv-install-usage
Reference: http://zkxtom365.blogspot.com/2015/02/centos-65ocservcisco-anyconnect

Reference: https://www.cnblogs.com/siikee/p/4272104.html
Reference: http://blog.csdn.net/tanogut/article/details/7836545
Reference: http://www.cnblogs.com/siikee/p/4272104
Reference: http://lists.gnutls.org/pipermail/gnutls-help/2013-May/003136
Reference: http://linux.debian.bugs.rc.narkive.com/9Z5rQcJT/bug-782078-info-received-additional-info-probably-caused-by-evolution-mapi
Reference: https://github.com/rdp/ffmpeg-windows-build-helpers/issues/513573192551