【Introduction】
GnuTLS is a secure communications library that implements the SSL, TLS and DTLS protocols and related technologies. It provides a simple C programming interface for accessing these protocols, and it parses, reads and writes X.509, PKCS #12, OpenPGP and other related structures. Its distinguishing features are portability and efficiency.
The POODLE vulnerability completely finished off SSLv3; many deployments had kept SSLv3 enabled only for compatibility reasons. GnuTLS 3.4 disables SSLv3 by default.
【Installing with yum】
Current version: 3.3.29
yum install gnutls gnutls-devel
If gnutls is already installed via yum/rpm, it does not need to be uninstalled.
rpm -e --nodeps gnutls
rpm -e --nodeps gnutls-devel
If you do uninstall it, yum breaks:
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   libgnutls.so.28: cannot open shared object file: No such file or directory

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.7.5 (default, Apr 9 2019, 14:30:50)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

If you cannot solve this problem yourself, please go to
the yum faq at:
  http://yum.baseurl.org/wiki/Faq
In that case, install it with rpm instead:
Download: https://pkgs.org/download/gnutls
Download: https://rpmfind.net/linux/rpm2html/search.php?query=gnutls(x86-64)
wget https://rpmfind.net/linux/centos/7.6.1810/updates/x86_64/Packages/gnutls-3.3.29-9.el7_6.x86_64.rpm && rpm -i gnutls-3.3.29-9.el7_6.x86_64.rpm
Then verify that yum works again.
【Building from source】
Reference: http://linuxfromscratch.org/blfs/view/svn/postlfs/gnutls.html
Reference: http://gnutls.org/manual/gnutls.html
Build and install nettle:
Requirement: Nettle-3.4.1
Build and install libtasn1:
Build and install p11-kit:
Build and install libgmp:
Newer gnutls releases no longer require building libgmp from source, so this step is skipped.
If you do install it, gnutls fails at make with:
libgnutls.so: undefined reference to `__gmpn_zero_p
If it is needed after all, add the following to the environment:
export GMP_CFLAGS="-I/usr/local/include" GMP_LIBS="-L/usr/local/lib -lgmp"
Generate ca-bundle.crt:
The generated file is used by the subsequent gnutls build:
/etc/ssl/ca-bundle.crt
Build and install gnutls:
Download: http://gnutls.org/download.html
Latest version: GnuTLS 3.6.9
Version verified here: GnuTLS 3.6.8
wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.8.tar.xz && xz -d gnutls-3.6.8.tar.xz && tar -xvf gnutls-3.6.8.tar && cd gnutls-3.6.8
export NETTLE_CFLAGS="-I/usr/include/nettle" NETTLE_LIBS="-L/usr/lib64 -lnettle" HOGWEED_CFLAGS="-I/usr/include/nettle" HOGWEED_LIBS="-L/usr/lib64 -lhogweed" P11_KIT_CFLAGS="-I/usr/include/p11-kit-1/p11-kit" P11_KIT_LIBS="-L/usr/lib -lp11-kit" LIBTASN1_CFLAGS="-I/usr/include" LIBTASN1_LIBS="-L/usr/lib -ltasn1"
./configure --prefix=/usr --disable-guile --with-default-trust-store-pkcs11="pkcs11:" --with-included-unistring
make
make install
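The download step above unpacks the tarball straight away. The following script is an added example, not part of this page or of the GnuTLS project: it checks the tarball's SHA-256 digest and, when gpg is present, the detached .sig file GnuTLS publishes next to each release, and only then extracts it. The digest value below is a placeholder; take the real one from the release announcement. The .sig URL and the fetch/verify wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the page): verify a release tarball before building.
# The build input should be the file the project released, not whatever the
# network handed back, so check the digest (and signature) before "tar -x".

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
verify_sha256() {
  file="$1"; expected="$2"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | awk '{ print $1 }')
  else
    actual=$(shasum -a 256 "$file" | awk '{ print $1 }')   # macOS/BSD fallback
  fi
  if [ "$actual" = "$expected" ]; then
    echo "sha256 ok: $file"
    return 0
  fi
  echo "sha256 MISMATCH for $file: got $actual, expected $expected" >&2
  return 1
}

# fetch_and_verify URL EXPECTED_HEX: download tarball and detached signature,
# check the digest, verify the signature if gpg is installed, then extract.
fetch_and_verify() {
  url="$1"; expected="$2"; file=$(basename "$url")
  wget -q "$url" "$url.sig" || return 1
  verify_sha256 "$file" "$expected" || return 1
  if command -v gpg >/dev/null 2>&1; then
    # needs the GnuTLS release-signing key imported into the local keyring
    gpg --verify "$file.sig" "$file" || return 1
  fi
  tar -xJf "$file"
}

# PLACEHOLDER digest: replace with the value from the official release notes.
GNUTLS_URL=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.8.tar.xz
GNUTLS_SHA256=0000000000000000000000000000000000000000000000000000000000000000

case "${1:-}" in
  fetch) fetch_and_verify "$GNUTLS_URL" "$GNUTLS_SHA256" ;;
esac
```

Run it as `sh verify-gnutls.sh fetch` after filling in the real digest; a mismatch stops before extraction, so a corrupted or substituted tarball never reaches `./configure`.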
If make fails with:
./../pkcs11_int.h:27:28: fatal error: p11-kit/pkcs11.h: No such file or directory
 #include <p11-kit/pkcs11.h>
simply copy the header directory into the source tree:
cp -R /usr/include/p11-kit-1/p11-kit /root/gnutls-3.6.8/lib/p11-kit
Reference: https://www.gnutls.org/manual/html_node/gnutls_002dcli-Invocation.html
Re-run make / make install; the output includes:
...
Libraries have been installed in:
   /usr/lib
...
libtool: install: /usr/bin/install -c .libs/gnutls-serv /usr/bin/gnutls-serv
libtool: install: /usr/bin/install -c .libs/gnutls-cli /usr/bin/gnutls-cli
...
Build and installation complete.
Related paths:
/usr/include/gnutls/gnutls.h
/usr/lib/libgnutls.so.30.8.1
Update the system environment:
echo /usr/lib >> /etc/ld.so.conf
ldconfig
Check the version:
gnutls-cli -v
Output:
gnutls-cli 3.6.8
Copyright (C) 2000-2019 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and redistribution under the terms of the GNU General Public License, version 3 or later <http://gnu.org/licenses/gpl.html>
Please send bug reports to: <bugs@gnutls.org>
Note: mod_gnutls must be rebuilt before the new version takes effect in Apache.
Reference: https://amon.org/mod_gnutls
【Troubleshooting】
Error: genshell.c:68:13: warning: initializer-string for array of chars is too long
When building gnutls 3.6.9, make reports:
In file included from libopts.c:30:0:
genshell.c:68:13: warning: initializer-string for array of chars is too long [enabled by default]
 /* 0 */ "genshellopt 1\n"
             ^
  CCLD     libopts.la
make[5]: Leaving directory `/root/gnutls-3.6.9/src/libopts'
make[4]: Leaving directory `/root/gnutls-3.6.9/src/libopts'
make[4]: Entering directory `/root/gnutls-3.6.9/src'
  CC       psk.o
  CC       psktool-args.lo
psktool-args.c:502:5: warning: suggest parentheses around arithmetic in operand of '|' [-Wparentheses]
     + OPTPROC_MISUSE ),
Reference: https://github.com/openwrt/packages/issues/8129
Caused by the autogen version?
Error: gnutls-cli: error while loading shared libraries: libgnutls.so.30
gnutls-cli: error while loading shared libraries: libgnutls.so.30: cannot open shared object file: No such file or directory
Be sure to update the system dynamic linker configuration as described above, then run the command again; the error disappears.
Update the dynamic linker configuration (important):
echo /usr/lib >> /etc/ld.so.conf
ldconfig
Reference: https://lists.gnutls.org/pipermail/gnutls-help/2013-November/003268.html
Error: p11_kit_uri_get_pin_value
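Both the "update the system environment" step and this troubleshooting item boil down to the same two actions: put /usr/lib into ld.so.conf and confirm that the linker cache resolves libgnutls.so.30. The script below is an added example, not code from this page or from GnuTLS. It makes the ld.so.conf append idempotent (the plain `echo >>` adds a duplicate line every time it is re-run) and parses `ldconfig -p` output to show which file the loader will actually pick. The conf path is a parameter so the functions can be exercised on a temporary file; the ldconfig listing embedded in the script is constructed sample data, not real output.

```shell
#!/bin/sh
# Added example (not from the page): idempotent ld.so.conf update plus a
# check that the dynamic linker cache resolves the new SONAME.

# add_ld_path DIR [CONF]: append DIR to CONF (default /etc/ld.so.conf) only
# when it is not already present as a whole line.
add_ld_path() {
  dir="$1"; conf="${2:-/etc/ld.so.conf}"
  [ -f "$conf" ] || : > "$conf"
  if grep -qxF -- "$dir" "$conf"; then
    echo "$dir already listed in $conf"
  else
    echo "$dir" >> "$conf"
    echo "added $dir to $conf"
  fi
}

# resolve_soname SONAME: read "ldconfig -p" output on stdin and print the
# path the loader will use for SONAME. Returns 1 when the SONAME is absent
# from the cache, which is exactly the "cannot open shared object file" case.
resolve_soname() {
  awk -v s="$1" '$1 == s { print $NF; found = 1; exit } END { exit !found }'
}

# Constructed sample of "ldconfig -p" output (not captured from a real host),
# showing both the new libgnutls.so.30 and the distro's old libgnutls.so.28.
SAMPLE_LDCONFIG=$(printf '\tlibgnutls.so.30 (libc6,x86-64) => /usr/lib/libgnutls.so.30\n\tlibgnutls.so.28 (libc6,x86-64) => /usr/lib64/libgnutls.so.28\n')

case "${1:-}" in
  apply)  # real run, as root: update the conf, rebuild the cache, verify
    add_ld_path /usr/lib && ldconfig
    if ldconfig -p | resolve_soname libgnutls.so.30; then
      echo "libgnutls.so.30 is resolvable"
    else
      echo "libgnutls.so.30 still not in the linker cache" >&2
      exit 1
    fi
    ;;
  demo)   # offline run against the constructed listing
    printf '%s\n' "$SAMPLE_LDCONFIG" | resolve_soname libgnutls.so.30
    ;;
esac
```

`sh ldpath.sh apply` performs the real update; `sh ldpath.sh demo` shows the lookup against the constructed listing. If two paths in the cache provide the same SONAME, the first one printed is the one gnutls-cli will load, which is worth checking when an older distro copy is still around.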
../lib/.libs/libgnutls.so: undefined reference to `p11_kit_uri_get_pin_value'
You are compiling with a newer library than the one you are linking with.
Most likely you have both versions of the libraries available but your
flags to linker are not correct.
This happens because two versions of p11-kit exist on the system, and the older one, which does not support the newer gnutls, is the one being linked. Remove the older version, then build and install the newer p11-kit.
Error: asn1_der_decoding2
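To find out which copies of a library are actually present before deciding what to remove, the following script is an added example (not from this page or from p11-kit): it lists every copy of a shared library under a set of prefixes and reports whether there is one, none, or several. The default prefix list is an assumption about a CentOS 7 layout; the library name and directories are arguments so the same check works for libtasn1 or nettle, which the later items on this page also rebuild.

```shell
#!/bin/sh
# Added example (not from the page): locate duplicate installs of a shared
# library so the stale copy can be removed before rebuilding gnutls.

# find_lib_copies LIBNAME DIR... -> prints every matching file, one per line
find_lib_copies() {
  lib="$1"; shift
  for d in "$@"; do
    [ -d "$d" ] || continue
    for f in "$d/$lib".so*; do
      # an unmatched glob stays literal, so skip names that do not exist
      [ -e "$f" ] || continue
      echo "$f"
    done
  done
}

# count_lib_dirs LIBNAME DIR... -> prints how many of the given directories
# hold a copy (symlinks and versioned files in one directory count once)
count_lib_dirs() {
  lib="$1"; shift; n=0
  for d in "$@"; do
    for f in "$d/$lib".so*; do
      if [ -e "$f" ]; then n=$((n + 1)); break; fi
    done
  done
  echo "$n"
}

# report_lib LIBNAME DIR... -> 0 for exactly one install, 1 for none,
# 2 when several prefixes hold a copy (the situation behind the link error)
report_lib() {
  n=$(count_lib_dirs "$@")
  case "$n" in
    0) echo "$1: not installed under the given prefixes"; return 1 ;;
    1) echo "$1: single install"; find_lib_copies "$@"; return 0 ;;
    *) echo "$1: installed under $n prefixes; remove the stale one before rebuilding gnutls"
       find_lib_copies "$@"; return 2 ;;
  esac
}

# Assumed CentOS 7 prefixes: distro packages in /usr/lib and /usr/lib64,
# source builds in /usr/local/lib.
case "${1:-}" in
  check) report_lib "${2:-libp11-kit}" /usr/lib /usr/lib64 /usr/local/lib ;;
esac
```

`sh libcheck.sh check libp11-kit` prints all copies and exits 2 when more than one prefix provides the library; pass another name (`libtasn1`, `libnettle`) to run the same check for the other dependencies.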
In file included from common.c:34:0:
./common.h: In function '_asn1_strict_der_decode':
./common.h:259:2: warning: implicit declaration of function 'asn1_der_decoding2' [-Wimplicit-function-declaration]
Rebuild libtasn1.
Error: sha256_ctx
'struct sha256_ctx' has no member named 'count'
Reference: https://dev.openwrt.org/changeset/41263
Rebuild nettle.
Error: gnutls_pkcs11_privkey_sign
GnuTLS 3.6.6 fails at make with:
...
pkcs11_privkey.c: In function '_gnutls_pkcs11_privkey_sign':
pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known
  struct ck_rsa_pkcs_pss_params rsa_pss_params;
                                ^
pkcs11_privkey.c:335:32: warning: unused variable 'rsa_pss_params' [-Wunused-variable]
make[4]: *** [pkcs11_privkey.lo] Error 1
...
No fix known yet; using GnuTLS 3.6.5 for the time being.
However, GnuTLS 3.6.6 built successfully on another machine, so the cause is probably some unidentified difference in the dependency packages or their configuration.
Reference: PKCS 11 API (GnuTLS 3.6.6)
URL: https://www.gnutls.org/manual/html_node/PKCS-11-API.html
make error: ftello.c: In function 'rpl_ftello':
When building GnuTLS 3.6.7.1, make fails with:
ftello.c: In function 'rpl_ftello':
ftello.c:53:7: error: 'fp_' undeclared (first use in this function); did you mean 'fp'?
   if (fp_->_flag & _IOWRT)
       ^~~
       fp
ftello.c:53:7: note: each undeclared identifier is reported only once for each function it appears in
ftello.c:53:20: error: '_IOWRT' undeclared (first use in this function)
   if (fp_->_flag & _IOWRT)
                    ^~~~~~
make[4]: *** [ftello.lo] Error 1
Reference: https://savannah.gnu.org/bugs/?37789
The build succeeds with GCC 4.8.5; the problem appeared after upgrading to GCC 8.3.0.
So it is probably caused by the GCC version upgrade, and keeping several GCC versions installed side by side now has to be tried.
【References】
Reference: https://www.painso.com/ocserv-install-usage
Reference: http://zkxtom365.blogspot.com/2015/02/centos-65ocservcisco-anyconnect
Reference: https://www.cnblogs.com/siikee/p/4272104.html
Reference: http://blog.csdn.net/tanogut/article/details/7836545
Reference: http://www.cnblogs.com/siikee/p/4272104
Reference: http://lists.gnutls.org/pipermail/gnutls-help/2013-May/003136
Reference: http://linux.debian.bugs.rc.narkive.com/9Z5rQcJT/bug-782078-info-received-additional-info-probably-caused-by-evolution-mapi
Reference: https://github.com/rdp/ffmpeg-windows-build-helpers/issues/513573192551