[gnutls-dev] Re: GnuTLS support in Anubis
Nikos Mavroyanopoulos
nmav@gnutls.org
Mon Oct 21 10:27:02 2002
On Mon, Oct 21, 2002 at 09:18:15AM +0200, Wojciech Polak wrote:
> Hi,
> I have a problem with the gnutls_record_send() function.
> My problem is that I have a big buffer (>16384 bytes),
> and I would like to send this buffer with gnutls_record_send(),
> but this function accepts a maximum of 16384 bytes. How can I send
> my buffer at one time? Do you know any good implementation?
> OpenSSL's SSL_write() accepts ~50kB.
You cannot. You have to call gnutls_record_send() multiple times; this
has the same semantics as the write(2) system call, so the recipes in
Stevens' book (Unix Network Programming) should apply.
For the history: there was a time, in early versions of gnutls, when the
send function accepted an unlimited number of bytes. When non-blocking
support was introduced, this was dropped, and gnutls_record_send() only
allowed the minimum number of bytes for which this call would be atomic.
(this might be smaller than 16384 if the max_record_extension is used)
I might add some higher-level functions that have buffering support
in a later version of gnutls -- I'll add it to my todo list, but I cannot
promise anything for the near future.
> > In any case, gnutls is not in early beta. I know several projects that
> > currently use gnutls as a primary SSL and TLS library, and there are
> > also some projects in the debian distribution that use gnutls' openssl
> > compatibility layer.
> At the beginning I wanted to add GnuTLS support via the OpenSSL
> emulation layer, but several functions from OpenSSL are missing.
This is not necessarily a bad thing :)
It is really difficult and sometimes inefficient to map openssl's functions
to gnutls' ones, so the recommended way is to use the native API (which should
be well documented -- or bug us!).
The openssl compatibility layer is for small programs that include
very basic SSL and TLS support.
> Now my program Anubis supports the full GnuTLS native code. The only
> problem is with the gnutls_record_send() issue above. Another issue I
> have noticed is that GnuTLS is much slower than OpenSSL,
> especially when the code makes two independent SSL connections
> (both client and server), as my Anubis does.
You must be using Ephemeral Diffie-Hellman with a large key. You may
use a 768-bit key, or not use the DHE cipher suites at all. In some
tests I've done, I've found that the fastest cipher suite is the one
that uses: KX_RSA, CIPHER_ARCFOUR and MAC_MD5.
However if you are making several connections to one server, you will
probably want to use session resuming, which is much faster than
renegotiating a new ciphersuite.
> Kind regards,
> Wojciech Polak
--
Nikos Mavroyanopoulos
Email: nmav at gnutls org
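The reply above says that gnutls_record_send() must be called repeatedly, with
write(2)-style semantics, and that the per-call limit is the record size. The
following C program is an added example of that send loop; it is not code from
this thread, from Anubis, or from GnuTLS, and it does not link against GnuTLS.
The send function is a constructed fake (fake_record_send) that imitates the
behaviour being discussed: it rejects a chunk larger than 16384 bytes, returns
short writes, and periodically reports "would block". The GTLS_E_AGAIN and
GTLS_E_INTERRUPTED constants are stand-ins for the real GnuTLS error codes, and
16384 is used as the record cap in place of a call to gnutls_record_get_max_size().
One caveat that is a documented property of GnuTLS rather than something stated
on this page: after GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, the real library
expects the next gnutls_record_send() call to repeat the same arguments, which
is exactly what the loop below does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for GnuTLS error codes (assumed values; the real ones come from
 * <gnutls/gnutls.h>). Both mean "call again with the same arguments". */
#define GTLS_E_AGAIN       (-28)
#define GTLS_E_INTERRUPTED (-52)

/* The shape of gnutls_record_send(): bytes sent, or a negative error code. */
typedef long (*record_send_fn)(void *session, const void *data, size_t len);

/* send_all: push a buffer of any size through a record-oriented, possibly
 * non-blocking send function, the way a write(2) loop would.
 * max_record caps each call (in real code: gnutls_record_get_max_size()).
 * Returns 0 on success or the negative error code on a fatal failure.
 * retries (optional) counts how often a transient code forced a repeat. */
int send_all(record_send_fn send, void *session, const unsigned char *buf,
             size_t len, size_t max_record, size_t *retries)
{
    size_t off = 0;
    while (off < len) {
        size_t chunk = len - off;
        if (chunk > max_record)
            chunk = max_record;
        long n = send(session, buf + off, chunk);
        if (n == GTLS_E_AGAIN || n == GTLS_E_INTERRUPTED) {
            /* Transient: a real program would select()/poll() on the
             * socket here, then repeat the call with identical arguments. */
            if (retries)
                (*retries)++;
            continue;
        }
        if (n < 0)
            return (int)n;          /* fatal error from the library */
        off += (size_t)n;           /* short write: advance and loop */
    }
    return 0;
}

/* Constructed fake of a TLS session: records what "went on the wire". */
struct fake_session {
    unsigned char sink[65536];
    size_t received;
    int calls;
};

/* Constructed fake send: mimics the behaviour described in the thread. */
static long fake_record_send(void *s, const void *data, size_t len)
{
    struct fake_session *fs = s;
    fs->calls++;
    if (len > 16384)
        return -1;                  /* larger than one record: refused */
    if (fs->calls % 3 == 0)
        return GTLS_E_AGAIN;        /* simulate a non-blocking socket */
    size_t n = len > 5000 ? 5000 : len;   /* simulate a short write */
    if (fs->received + n > sizeof fs->sink)
        return -1;
    memcpy(fs->sink + fs->received, data, n);
    fs->received += n;
    return (long)n;
}

/* transfer_ok: send len bytes of a known pattern through the fake with the
 * given chunk cap; returns 1 if every byte arrived intact, else 0. */
int transfer_ok(size_t len, size_t max_record)
{
    static struct fake_session fs;
    static unsigned char src[65536];
    if (len > sizeof src)
        return 0;
    memset(&fs, 0, sizeof fs);
    for (size_t i = 0; i < len; i++)
        src[i] = (unsigned char)(i * 7 + 3);
    size_t retries = 0;
    if (send_all(fake_record_send, &fs, src, len, max_record, &retries) != 0)
        return 0;
    return fs.received == len && memcmp(fs.sink, src, len) == 0;
}

int main(void)
{
    /* 50000 bytes in 16384-byte chunks succeeds; one 50000-byte call fails. */
    printf("chunked: %s\n", transfer_ok(50000, 16384) ? "ok" : "FAILED");
    printf("single call: %s\n", transfer_ok(50000, 65536) ? "ok" : "FAILED");
    return 0;
}
```

The second line printed by main() reproduces the complaint in the thread: handing
the whole buffer to one call fails once it exceeds the record size, while the
loop with a per-call cap delivers all 50000 bytes despite short writes and
"would block" returns.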