@node Introduction to GnuTLS @chapter Introduction to GnuTLS In brief @acronym{GnuTLS} can be described as a library which offers an API to access secure communication protocols. These protocols provide privacy over insecure lines, and were designed to prevent eavesdropping, tampering, or message forgery. Technically @acronym{GnuTLS} is a portable ANSI C based library which implements the protocols ranging from SSL 3.0 to TLS 1.2 (see @ref{Introduction to TLS}, for a detailed description of the protocols), accompanied with the required framework for authentication and public key infrastructure. Important features of the @acronym{GnuTLS} library include: @itemize @item Support for TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0 protocols. @item Support for Datagram TLS 1.0 and 1.2. @item Support for handling and verification of @acronym{X.509} and @acronym{OpenPGP} certificates. @item Support for password authentication using @acronym{TLS-SRP}. @item Support for keyed authentication using @acronym{TLS-PSK}. @item Support for TPM, @acronym{PKCS} #11 tokens and smart-cards. @end itemize The @acronym{GnuTLS} library consists of three independent parts, namely the ``TLS protocol part'', the ``Certificate part'', and the ``Cryptographic back-end'' part. The ``TLS protocol part'' is the actual protocol implementation, and is entirely implemented within the @acronym{GnuTLS} library. The ``Certificate part'' consists of the certificate parsing, and verification functions and it uses functionality from the libtasn1 library. The ``Cryptographic back-end'' is provided by the nettle and gmplib libraries. @menu * Downloading and installing:: * Document overview:: @end menu @node Downloading and installing @section Downloading and installing @cindex installation @cindex download GnuTLS is available for download at: @url{http://www.gnutls.org/download.html} GnuTLS uses a development cycle where even minor version numbers indicate a stable release and a odd minor version number indicate a development release. For example, GnuTLS 1.6.3 denote a stable release since 6 is even, and GnuTLS 1.7.11 denote a development release since 7 is odd. GnuTLS depends on @code{nettle} and @code{gmplib}, and you will need to install it before installing GnuTLS. The @code{nettle} library is available from @url{http://www.lysator.liu.se/~nisse/nettle/}, while @code{gmplib} is available from @url{http://www.gmplib.org/}. Don't forget to verify the cryptographic signature after downloading source code packages. The package is then extracted, configured and built like many other packages that use Autoconf. For detailed information on configuring and building it, refer to the @file{INSTALL} file that is part of the distribution archive. Typically you invoke @code{./configure} and then @code{make check install}. There are a number of compile-time parameters, as discussed below. Several parts of GnuTLS require ASN.1 functionality, which is provided by a library called libtasn1. A copy of libtasn1 is included in GnuTLS. If you want to install it separately (e.g., to make it possibly to use libtasn1 in other programs), you can get it from @url{http://www.gnu.org/software/libtasn1/}. The compression library, @code{libz}, the PKCS #11 helper library @code{p11-kit}, as well as the TPM library @code{trousers}, are optional dependencies. You may get libz from @url{http://www.zlib.net/}, p11-kit from @url{http://p11-glue.freedesktop.org/} and trousers from @url{http://trousers.sourceforge.net/}. A few @code{configure} options may be relevant, summarized below. They disable or enable particular features, to create a smaller library with only the required features. Note however, that although a smaller library is generated, the included programs are not guaranteed to compile if some of these options are given. @verbatim --disable-srp-authentication --disable-psk-authentication --disable-anon-authentication --disable-openpgp-authentication --disable-dhe --disable-ecdhe --disable-openssl-compatibility --disable-dtls-srtp-support --disable-alpn-support --disable-heartbeat-support --disable-libdane --without-p11-kit --without-tpm --without-zlib @end verbatim For the complete list, refer to the output from @code{configure --help}. @node Document overview @section Overview In this document we present an overview of the supported security protocols in @ref{Introduction to TLS}, and continue by providing more information on the certificate authentication in @ref{Certificate authentication}, and shared-key as well anonymous authentication in @ref{Shared-key and anonymous authentication}. We elaborate on certificate authentication by demonstrating advanced usage of the API in @ref{More on certificate authentication}. The core of the TLS library is presented in @ref{How to use GnuTLS in applications} and example applications are listed in @ref{GnuTLS application examples}. In @ref{Other included programs} the usage of few included programs that may assist debugging is presented. The last chapter is @ref{Internal architecture of GnuTLS} that provides a short introduction to GnuTLS' internal architecture.