gnuTLS issues

Simon Josefsson simon at
Fri Aug 29 11:39:53 CEST 2008

Simon Josefsson <simon at> writes:

>> Is GnuTLS usually compiled with ENABLE_PKI set to 1?  When Amir imported the 
>> GnuTLS code, he made sure that this flag was always set -- what does it do?
> Yes, ENABLE_PKI is normally always 1 in GnuTLS, but there is
> --disable-extra-pki to set it to 0.  I'm not sure the code even builds
> with ENABLE_PKI set to 0 any more, I don't check for that.  Originally
> the symbol was likely intended to strip GnuTLS of the larger X.509 parts
> which are normally not needed.  But it is an old symbol, so Nikos will
> know what it was intended for.

I looked into this more, and you should be able to compile with
EXTRA_PKI set to 0 if you want to reduce code size.

Setting EXTRA_PKI to 0 disables features such as:

* PKCS#7
* PKCS#12
* X.509 certificate generation including signing
* Certificate requests

However the code necessary to verify X.509 signature remains, so you
shouldn't be vulnerable to many more problem compared to before.  Except
that CRLs won't be verified, of course, but practically nobody uses CRLs
anyway so....  your choice.

Note that the command line tools and many self-tests won't build because
they need this extra functions.  The libraries should build fine, at
least it does here.


More information about the Gnutls-devel mailing list