hangs with active p11-kit modules

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Aug 14 18:11:56 CEST 2012

On Tue, Aug 14, 2012 at 4:12 PM, Sven Geggus <sven at gegg.us> wrote:

>> Your pkcs11 module. You can disable it if you don't use it.
> I really do not want to disable it as I need it for VPN.
> What would probably be needed then is some kind of application blacklist or
> whitelist in p11-kit - right?

Yes (as you say in your next e-mail).

> It simply does not make sence for any application to query a smartcard which
> has not even been unlocked as this will never succeed.

There is no such notion as an unlocked smart card. A key may be
protected by PIN in the smart card but it is not mandatory.
Nevertheless, the gnutls initialization only initializes the pkcs11
driver, which reports the number of slots available etc, it doesn't
access any smart card. I wouldn't expect a long delay on that, unless
there is some issue in the driver you're using.

> I still do not completely undestand why stuff like "lpq" and "mutt" query
> the pkcs11-module at all. Well it would be nice if mutt could handle S/MIME
> encrypted emails using pkcs11, but it doesn't.

As I told you any application using gnutls may accept pkcs11 URLs in
addition to files to specify private keys (e.g. your key to login to
your smtp server). For that to work any pkcs11 module/driver has to be
initialized when gnutls starts. If a pin is required, then this can be
read from a file (using the pin-source directive), or the user may be
prompted for a password using a callback.

About lpq, I have no idea why it uses gnutls.


More information about the Gnutls-devel mailing list