* p11-kit >= 0.22.1 for PKCS #11 URI handling
* libdb >= 4.0 for key->value lookup with BerkeleyDB transactions/replication
* libtasn1 for parsing of BER and DER data structures
- * NOT-YET: libldns for DNS lookups
+ * libldns for DNS lookups
+ * libunbound for more DNS lookups
+ * Quick-DER >= 1.2.3 for DER manipulation
+ * libkrb5 for Kerberos support
* NOT-YET: libldap for LDAP lookups
* NOT-YET: libmemcached for caching of intermediate results
* NOT-YET: libradius to do additional authn / authz [/acct]
sort of maturity that this project has not reached yet.
-First-time setup
+Build Packages
+--------------
+
+As a **sugestion** only, here are packages you should have installed
+before trying to build TLSPOOL.
+
+ - Debian
+ - libdb-dev libldns-dev libunbound-dev libkrb5-dev
+ - libgnutls-dev (you'll need one with DANE support)
+
+First-time build
----------------
Create a user and group "tlspool" if you wish to drop privileges to a
separate account.
-Run the script bootstrap.sh to initiate the autotools environment::
-
- sh bootstrap.sh
-
-Then, continue as always::
+Use the common building approach:
./configure
make
private keys. Then you can fill PKCS #11 and the databases.
-Building
---------
+Build details
+-------------
There are three sub-targets with their own Makefiles:
The source package includes a "testdata" directory that can be filled
with databases that you can use for a quick and dirty test. You will
-need to setup a PKCS #11 repository; we suggest to use SoftHSM from the
+need to setup a PKCS #11 repository; we suggest to use SoftHSMv2 from the
OpenDNSSEC project to get started, you can always try hardware-based
tokens later on. The idea of PKCS #11 is that such choices are pluggable.
-To create a SoftHSMv2 token, you can use the following command::
+To create a SoftHSM token, you can use the following command::
softhsm2-util --init-token --free --label 'TLS_Pool_dev_data'
chown -R tlspool:tlspool /var/lib/softhsm/tokens/XXX
+To setup Kerberos authentication, you need to install the basic package,
+usually named `krb5-user` or `krb5-client`, depending on your distro.
+In `/etc/krb5.conf`, be sure to have this entry to guide the test
+domain names to our KDC::
+
+ [domain_realm]
+ # ...other entries...
+ tlspool.arpa2.lab = ARPA2.NET
+
The following test demonstrates proper working of the TLS Pool based on
the testdata and under the warnings above:
errors.
+Trusting well-known CAs
+-----------------------
+
+By default, the testdata is not setup to trust any well-known CA certificate.
+We did however sample a Debian distribution of CA certificates, and installed
+it under testdata -- where it will NOT BE KEPT UP-TO-DATE.
+
+If you choose to rely on these CA's and need it for testing purposes, you can
+import them with
+
+ cd testdata
+ make anchors
+
+Once more, TRUST THIS ONLY FOR TESTING PURPOSES -- use a proper distrubution
+mechanism such as your OS or perhaps ARPA2 SteamWorks for anything that should
+withstand the pressure of an Internet whose intent is in part criminal.
+
+This is the reason why it must be installed as an explicit choice. We made it
+really easy to install, but also won't keep the set secure.
+
+
Running
-------
The TLS pool also handles teardown in all its forms with grace; that
is, it will detect it immediately and notify the other side.
+
+Language Wrappers
+-----------------
+
+The TLS Pool protocol is published and can be implemented in any language
+that prefers to work at that level. It is important to understand that the
+format may change with future versions however, and that would cause some
+dismay related to versioning. We promise to confine API changes to major
+versions only to make this somewhat bearable.
+
+The golden way is to instead rely on the C library, built in lib/* and
+installed for linking with a "-ltlspool" argument. We also provide a
+.pc file for use with pkg-config.
+
+Based on this C library, we build wrappers for other languages, usually
+going through SWIG. If you desire a library, please build it separately
+with:
+
+ make -C lib/python all install
+ make -C lib/go all install
+
+and so on. Some of the libraries may not have been completed yet, in that
+case you will run into difficulties. These libraries are neither built
+nor installed as part of the normal (main directory) builds! Only the
+C library is made and/or installed by default.
+