[gnutls-dev]Erasing private certificate key from memory

Timo Sirainen tss@iki.fi
Tue Mar 4 01:41:01 2003


Would it be possible to add support for it? I don't know much about SSL
protocol, but I'm hoping it wouldn't be needed after initial handshake.
This would be useful as a way to prevent attacker from getting hands on
it too easily.

Hmm. Didn't SSL protocol support re-handshaking in the middle of the
connection? Does that require the private key?

This brings to my mind other problem with async I/O. If I send alert
message but it doesn't get fully sent, how do I know that I should call
gnutls_record_send() again to finish it? And can there be some reasons
for gnutls_record_send() to actually want to read something or
gnutls_record_recv() to send something (eg. automatic handshaking)?
OpenSSL API has WANT_READ and WANT_WRITE errors which can occur with
either command.