[gnutls-dev] Generating/regenerating params
Stephen Frost
sfrost at snowman.net
Sat Mar 6 02:19:31 CET 2004
Greetings,
I've run into a very difficult problem when trying to safely
regenerate dh/rsa parameters. The setup is like this:
There's a global context which has creds
(gnutls_certificate_credentials) and all of the CA certs and whatnot
are loaded into it.
We then have a local (per thread) context which copies the cred from
the global context, but just the pointer (there isn't a function to
copy the whole thing...).
We then set params in creds in each thread, caching the params in a
file and regenerating the params whenever the file disappears, which
we plan to make happen periodically as is recommended in various
comments in the example GNU TLS server.
There are a couple of problems here though: The params are shared across
all threads because of the single global context with creds. I worry
about regenerating them because I don't want to break existing
connections or ones which are in the process of setting up. I don't
see any way (beyond re-reading all the certs which I expect would kill
performance) to make the creds be local though.
What's the right way to do this? Have multiple threads going and
still periodically regenerate the rsa/dh params without breaking
anything or leaking memory or anything? Is it safe to just init the
rsa/dh params and then just change them with generate2 or import_raw?
Will that break existing connections or other threads which are
setting up their connections? Do I still need to call set_XX_params?
Thanks,
Stephen