[gnutls-devel] higher level session API?
nmav at gnutls.org
Sat Jan 26 11:40:58 CET 2013
On 01/25/2013 05:24 PM, Tim Rühsen wrote:
> You are right. Maybe the socket descriptor should go to gnutls_open().
> And isn't the hostname needed for host validation while handshaking ? I think
> about gnutls_x509_crt_check_hostname().
>> I like those. I'll try to add them (I think the getline is missing
>> from the current code).
> If it helps, look at my getline() implementation for file descriptors.
> The internal variables are saved at the end of buf, but you won't need this
> ugly trick since you have a session variable.
I've implemented it using gnulib's getline which in turn was based on
libc's one :)
Now only the _open/ or _init is missing. Also I have to think of a
better prefix name.
I'm thinking with the high level functions to also simplify credentials
handling, and initially support:
1. normal X.509 certificate verification (based on system certs)
2. TOFU (for people who don't want to buy a cert)
3. Insecure (for debugging)
>>> And back to your idea with queue/flush:
>>> - inspired from TCP_CORK, my idea would be something like
>>> do some writes
>>> gnutls_uncork (or calling it gnutls_flush, if you like)
>>> - or/and implementing something like the Nagle algorithm, kind of
>> Is that for the gnutls_session_t API?
> It was just an idea without thinking about that ;-)
I liked them though, because they allow the usage of buffering in the
low-level API so they are there now.
> A higher level API is always good for application programmers to have a fast
> success (and a short learning time). Later, if things become more wicked, they
> will investigate into the mid- and/or low-level API.
When I created the original low-level API I expected that there would be
middle-ware libraries that wrap over sockets and TLS. It seems that even
today they are not so widespread, so indeed a high level API makes sense.
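As an added illustration of credential mode 2 above (TOFU), not code from GnuTLS or from this thread: a minimal trust-on-first-use pin store in Python, modelled on the semantics of GnuTLS's gnutls_verify_stored_pubkey/gnutls_store_pubkey (match, no entry yet, or key mismatch). The host, service and key blobs are constructed sample values, and the result names are this example's own.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
KEY_A = b"constructed-spki-of-server-A"
KEY_B = b"constructed-spki-of-server-B"

# Outcomes of a TOFU check (names chosen for this example, not GnuTLS's).
MATCH, FIRST_USE, MISMATCH = "match", "first-use", "MISMATCH"

def _pin(spki_der: bytes) -> str:
    # Pin the hash of the public key, not the whole certificate, so the
    # server can renew its certificate without changing the pinned key.
    return hashlib.sha256(spki_der).hexdigest()

def _load(db_path: str) -> dict:
    pins = {}
    if os.path.exists(db_path):
        with open(db_path) as f:
            for line in f:
                if line.strip():
                    host, service, digest = line.rstrip("\n").split("\t")
                    pins[(host, service)] = digest
    return pins

def tofu_check(db_path: str, host: str, service: str, spki_der: bytes) -> str:
    """Compare the presented key with the pin stored for host/service."""
    stored = _load(db_path).get((host, service))
    if stored is None:
        return FIRST_USE
    return MATCH if hmac.compare_digest(stored, _pin(spki_der)) else MISMATCH

def tofu_store(db_path: str, host: str, service: str, spki_der: bytes) -> None:
    with open(db_path, "a") as f:
        f.write(f"{host}\t{service}\t{_pin(spki_der)}\n")

def connect_decision(db_path, host, service, spki_der, accept_first_use=True) -> str:
    """Policy a high-level TOFU mode would apply; a MISMATCH never overwrites."""
    result = tofu_check(db_path, host, service, spki_der)
    if result == FIRST_USE and accept_first_use:
        tofu_store(db_path, host, service, spki_der)
    return result

def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "known_hosts.tsv")
        return [connect_decision(db, "example.test", "https", KEY_A),  # pinned now
                connect_decision(db, "example.test", "https", KEY_A),  # same key
                connect_decision(db, "example.test", "https", KEY_B),  # key changed
                connect_decision(db, "example.test", "imaps", KEY_A)]  # other service
```

A changed key after the first contact is the case a TOFU client must surface to the user rather than silently re-pin.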