tce-load -i compiletc nettle39-dev p11-kit-dev libidn2-dev texinfo zstd-dev

wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.3.tar.xz

cd gnutls-3.8.3

CC="gcc -flto -march=i486 -mtune=i686 -Os -pipe" CXX="g++ -flto -march=i486 -mtune=i686 -Os -pipe" ./configure --prefix=/usr/local --disable-static --localstatedir=/var --with-default-trust-store-file=/usr/local/etc/ssl/ca-bundle.crt --with-unbound-root-key-file=/usr/local/etc/unbound/root.key --with-default-trust-store-pkcs11="pkcs11:" --with-default-trust-store-dir=/usr/local/etc/ssl/certs --without-included-libtasn1 --without-included-unistring --with-system-priority-file=/usr/local/etc/gnutls

find . -name Makefile -type f -exec sed -i 's/-g -O2//g' {} \;

make [37m 43.29s]
sudo make install

configure: summary of build options:

  version:              3.8.3 shared 67:1:37
  Host/Target system:   i686-pc-linux-gnu
  Build system:         i686-pc-linux-gnu
  Install prefix:       /usr/local
  Compiler:             gcc -flto -march=i486 -mtune=i686 -Os -pipe
  Valgrind:             no 
  CFlags:               -g -O2
  Library types:        Shared=yes, Static=no
  Local libtasn1:       no
  Local unistring:      no
  Use nettle-mini:      no
  Documentation:        yes (manpages: yes)

configure: External hardware support:

  /dev/crypto:          no
  AF_ALG support:       no
  Hardware accel:       x86
  Padlock accel:        yes
  Random gen. variant:  getrandom
  PKCS#11 support:      yes
  TPM support:          no
  TPM2 support:         auto
  KTLS support:         no

configure:
  TPM2 library:         

configure: Optional features:
(note that included applications might not compile properly
if features are disabled)

  SSL3.0 support:       no
  SSL2.0 client hello:  yes
  Allow SHA1 sign:      no
  DTLS-SRTP support:    yes
  ALPN support:         yes
  OCSP support:         yes
  SRP support:          no
  PSK support:          yes
  DHE support:          yes
  ECDHE support:        yes
  GOST support:         yes
  Anon auth support:    yes
  Heartbeat support:    no
  IDNA support:         IDNA 2008 (libidn2)
  Non-SuiteB curves:    yes
  FIPS140 mode:         no
  Strict DER time:      yes

configure: Optional libraries:

  C++ library:          yes
  DANE library:         no
  OpenSSL compat:       no

configure: System files:

  Trust store pkcs11:   pkcs11:
  Trust store dir:      /usr/local/etc/ssl/certs
  Trust store file:     /usr/local/etc/ssl/ca-bundle.crt
  Blocklist file:       
  CRL file:             
  Configuration file:   /usr/local/etc/gnutls
  DNSSEC root key file: /usr/local/etc/unbound/root.key

configure: WARNING:
***
*** The DNSSEC root key file in /usr/local/etc/unbound/root.key was not found.
*** This file is needed for the verification of DNSSEC responses.
*** Use the command: unbound-anchor -a "/usr/local/etc/unbound/root.key"
*** to generate or update it.
***