2. The Library

In brief GnuTLS can be described as a library which offers an API to access secure communication protocols. These protocols provide privacy over insecure lines, and were designed to prevent eavesdropping, tampering, or message forgery.

Technically GnuTLS is a portable ANSI C based library which implements the TLS 1.1 and SSL 3.0 protocols (See section Introduction to TLS, for a more detailed description of the protocols), accompanied with the required framework for authentication and public key infrastructure. Important features of the GnuTLS library include:

• Support for TLS 1.0, TLS 1.1, and SSL 3.0 protocols.
• Support for both X.509 and OpenPGP certificates.
• Support for handling and verification of certificates.
• Support for SRP for TLS authentication.
• Support for PSK for TLS authentication.
• Support for TLS Extension mechanism.
• Support for TLS Compression Methods.

Additionally GnuTLS provides a limited emulation API for the widely used OpenSSL(1) library, to ease integration with existing applications.

GnuTLS consists of three independent parts, namely the “TLS protocol part”, the “Certificate part”, and the “Cryptographic backend” part. The `TLS protocol part' is the actual protocol implementation, and is entirely implemented within the GnuTLS library. The `Certificate part' consists of the certificate parsing, and verification functions which is partially implemented in the GnuTLS library. The Libtasn1(2), a library which offers ASN.1 parsing capabilities, is used for the X.509 certificate parsing functions. A smaller version of OpenCDK(3) is used for the OpenPGP key support in GnuTLS. The “Cryptographic backend” is provided by the Libgcrypt(4) library(5).

In order to ease integration in embedded systems, parts of the GnuTLS library can be disabled at compile time. That way a small library, with the required features, can be generated.