On Oct 23, 2014, at 3:07 PM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:

> On Wed, Oct 22, 2014 at 12:59 PM, David Frank <bitinn at gmail.com> wrote:
>> Hello,
>>
>> I wanted to try out this particular setting for ocserv
>>
>> tls-priorities = "NONE:%SERVER_PRECEDENCE:PFS"
>>
>> PFS is only available on 3.3.x, but Ubuntu only has a GnuTLS 3.2.x package, so I built 3.3.9 from source, and during ./configure I saw this output:
>> configure: External hardware support:
>>
>> /dev/crypto: no
>> Hardware accel: x86-64
>> Padlock accel: yes
>> PKCS#11 support: no
>> TPM support: no
>>
>> With GnuTLS installed, I tried to configure and make ocserv, but saw this error:
>> sec-mod.o: In function `sec_mod_server':
>> /home/dev/tools/ocserv-0.8.6/src/sec-mod.c:458: undefined reference to `gnutls_pkcs11_reinit'
>> collect2: error: ld returned 1 exit status
>
> It seems that the OS installed library is queried in ocserv's
> configure step, PKCS #11 is detected, and thus the error you see, as
> you don't have PKCS #11 in your compiled library. One option is to
> enable PKCS #11 support in your compiled library by installing
> p11-kit, the other is to somehow force configure to use your compiled
> library.
>

Sorry, but could you explain how PKCS support is checked? As far as I can see it only checks whether GnuTLS supports PKCS #11, not the environment or hardware, right? Doesn't compiling GnuTLS with --without-p11-kit already tell ocserv to not invoke PKCS #11 related functions?

If not, could you point me in the right direction to enable p11? Because with both the p11-kit and libp11-kit-dev packages installed, I still can't get GnuTLS 3.3.9 to return "PKCS#11 support: yes" during configure.

I am on Ubuntu 14.04 LTS x64

Thanks a lot,
David