[gnutls-devel] [TLS] multiple clients in one process (was: Re: Deployment ... Re: This working group has failed)

Andy Lutomirski luto at amacapital.net
Sat Nov 30 00:50:54 CET 2013


On Thu, Nov 28, 2013 at 2:42 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Thu, Nov 28, 2013 at 12:58 AM, Andy Lutomirski <luto at amacapital.net> wrote:
>
>>> PKCS#11 is by definition fork-unsafe (see the PKCS#11 docs).
>>>
>>> Any API dealing with "tokens" (in the PKCS#11 sense) is bound to be
>>> fork-unsafe for at least open sessions/objects on tokens that require
>>> authentication (PIN).  That's because any library using file descriptors
>>> where offset is not a relevant concept will necessarily be fork-unsafe
>>> by default.  And: any stateful cryptography library (e.g., an
>>> implementation of TLS) will tend to be fork-unsafe (imagine a process
>>> trying to use a TLS connection on both sides of a fork()!).
>>
>> I agree with all of this, except that I don't think that GnuTLS has
>> any business even trying to use PKCS11 unless something explicitly
>> requests it.  I've had all kinds of problems with libvmime causing
>> GnuTLS to start interfacing with some mysterious GNOME PKCS11 token,
>> when I don't want any of the above.
>
> Well, I presume you don't know how gnutls works and I suggest that you
> read our online manual.

Nope.  I'm not a GnuTLS user.  I do, however, use libvmime, and I get
annoyed when GnuTLS does ridiculous things that get in the way.

>
> We need PKCS #11 initialization because every gnutls function that
> accepts a key file may be provided with a PKCS #11 URL (or even a TPM
> key) and will work the way it is expected. You can of course disable
> PKCS #11 support if you don't need it, but as smart cards are getting
> widespread, I prefer to have that enabled by default for all
> applications using gnutls.  Otherwise we would have some gnutls
> applications that work with smart cards, and others that don't, just
> because someone forgot to explicitly enable smart card support.

...so initialize PKCS11 the first time someone tries to use it.  I bet
that a large fraction of GnuTLS users are TLS clients that will never
use a client certificate, so there's no reason at all to attempt any
kind of fancy key handling.

The fact that this:

#include <vmime/vmime.hpp>
#include <vmime/platforms/posix/posixHandler.hpp>

int main()
{
    // Only installs the POSIX platform handler; no message is parsed and
    // no network or TLS work is requested.
    vmime::platform::setHandler<vmime::platforms::posix::posixHandler>();
    return 0;
}

connects to gnome-keyring-daemon is, IMO, ridiculous.

PKCS11 sucks.  That doesn't mean that GnuTLS shouldn't try to avoid
exposing that suckage to its users.

--Andy
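The two technical points in this exchange, Andy's "initialize PKCS11 the first time someone tries to use it" and Nikos's quoted observation that token sessions are not usable on both sides of a fork(), sketched as an added example. This is toy code written for this page, not GnuTLS's, p11-kit's or libvmime's code, and every name in it (token_ensure_initialized, load_key, KEY_ERR_TOKEN_FORKED, the "pkcs11:token=demo" URL) is hypothetical. It models the policy only: the token layer is brought up on the first key spec that uses the pkcs11: URL scheme, never for a plain file path, and it stamps the initializing pid so that a child inheriting the state after fork() is refused until it re-initializes, which is what the PKCS#11 specification requires of a child (C_Initialize again). For the real library, the documented way to get the behaviour Nikos alludes to with "you can of course disable PKCS #11 support" is to call gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL) before gnutls_global_init(); the toy below does not call GnuTLS at all.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Status codes of the toy key loader (hypothetical, not GnuTLS's). */
enum key_status { KEY_OK = 0, KEY_ERR_TOKEN_FORKED = -1, KEY_ERR_NO_FILE = -2 };

/* Process-wide token state: stands in for the PKCS#11 module/session layer
 * that the discussion above says should only be loaded on first use. */
static int   token_initialized = 0;   /* has the token layer been loaded?  */
static pid_t token_owner_pid   = 0;   /* pid that performed initialization */

int token_is_initialized(void) { return token_initialized; }

/* Load the token layer once and remember which process did it. */
static void token_ensure_initialized(void)
{
    if (!token_initialized) {
        token_initialized = 1;
        token_owner_pid = getpid();
    }
}

/* Sessions inherited across fork() are not valid: usable only in the pid
 * that initialized the layer. */
int token_session_usable(void)
{
    return token_initialized && token_owner_pid == getpid();
}

/* What a child must do before touching the token again: drop the inherited
 * state and initialize afresh in its own pid. */
void token_reinit_after_fork(void)
{
    token_initialized = 0;
    token_ensure_initialized();
}

/* Lazy dispatch: a plain file path never touches the token layer; only a
 * "pkcs11:" URL (the RFC 7512 scheme) triggers initialization. */
int load_key(const char *spec)
{
    if (strncmp(spec, "pkcs11:", 7) == 0) {
        token_ensure_initialized();
        if (!token_session_usable())
            return KEY_ERR_TOKEN_FORKED;
        return KEY_OK;
    }
    /* File-backed key: the toy only checks that a path was given. */
    if (spec[0] == '\0')
        return KEY_ERR_NO_FILE;
    return KEY_OK;
}

/* Demonstrates the fork hazard: the parent initializes the token layer, then
 * a child tries to use the inherited session. Returns 1 if the child was
 * refused first and succeeded only after re-initializing. */
int demo_child_detects_fork(void)
{
    const char *url = "pkcs11:token=demo;object=sign;type=private";
    if (load_key(url) != KEY_OK)          /* initialize in the parent */
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        int refused = (load_key(url) == KEY_ERR_TOKEN_FORKED);
        token_reinit_after_fork();
        int recovered = (load_key(url) == KEY_OK);
        _exit(refused && recovered ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    load_key("/etc/ssl/private/server.pem");
    printf("after file key: token initialized = %d\n", token_is_initialized());
    printf("child refused inherited session = %d\n", demo_child_detects_fork());
    printf("after pkcs11 key: token initialized = %d\n", token_is_initialized());
    return 0;
}
```

The point of the pid stamp is that the library, not the application, catches the misuse: a server that forks workers after loading a smart-card key gets a clear error in the worker instead of two processes sharing one token session. The same check is cheap to apply to any process-wide state a TLS library holds, which is Nikos's broader claim about stateful crypto libraries.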
