[Help-gnutls] Re: Restore gnutls session after execvp - possible?

Simon Josefsson jas at extundo.com
Sun Dec 11 22:46:15 CET 2005


Matthias Urlichs <smurf at smurf.noris.de> writes:

> Hi,
>
> Simon Josefsson:
>> How do you achieve that?  I thought you had to close sockets and
>> re-open them in a new process.
>> 
> If you have an open file descriptor, you can choose whether it is
> automagically closed when you execve() something. (fcntl, close-on-exec
> flag)

Oh.  I see.  Thanks for the pointer.

>> I don't know how to achieve what you want in GnuTLS, but I don't know
>> how to achieve what you already do either (exec another process and
>> inherit the open socket) so I may likely be missing something.
>> Perhaps others know more.
>> 
> The basic idea is to save the internal gnutls data structure in such a
> way that you only need to plug in the file descriptor and everything is
> back where it was.

Right.  I don't think this is possible.

The resume data that is stored is not intended for this use.  It is
intended where you create a new connection and want to re-use earlier
TLS handshakes to optimize things.

It _may_ be possible to use the resume stuff for this purpose; most of
the useful data items are present.  I think it requires a new API,
e.g., gnutls_resume_connect that accepts the resume data.

Further, I'm not sure I understand _why_ this is done.  Perhaps if you
describe why you want to execvpe and carry over the TLS-protected
socket to the new process, we can suggest better solutions.

Still, if someone wants to make this work, I'd welcome any patches.

> Personally I'd say that
>
>> >  - global:
>> >  
>> >     gnutls_certificate_free_credentials (gnutls_xcred);
>> >     gnutls_global_deinit();
>> >
> Why are you doing that? You're execvp-ing a new process, the data
> structures will vanish anyway -- and you risk closing the sockets when you
> do this.

I agree, although those functions should not close the socket.

>> >     if (gnutls_handshake (server->gnutls_sess) < 0)
>> >         printf ("handshake failed\n");
>> >
> Does that call work when you use it *before* doing your
> save-execvp-restore dance?

Most likely not.

/Simon
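An added example in C, not code from this thread or from GnuTLS, showing the close-on-exec mechanism Matthias refers to: `is_cloexec` and `set_cloexec` (hypothetical helper names) read and change the FD_CLOEXEC flag with fcntl, and `fd_survives_exec` checks empirically whether a descriptor outlives exec by having a child /bin/sh try to write one byte through it. It assumes a POSIX system with /bin/sh.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if close-on-exec is set on fd, 0 if clear, -1 on error. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : ((flags & FD_CLOEXEC) ? 1 : 0);
}

/* Set (on != 0) or clear (on == 0) close-on-exec on fd; 0 on success, -1 on error. */
int set_cloexec(int fd, int on)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    flags = on ? (flags | FD_CLOEXEC) : (flags & ~FD_CLOEXEC);
    return fcntl(fd, F_SETFD, flags);
}

/* Make a socketpair, apply the requested close-on-exec setting to one end, then
 * fork and exec /bin/sh, which tries to write one byte through that descriptor.
 * Returns 1 if the byte arrived (fd survived exec), 0 if not, -1 on setup error. */
int fd_survives_exec(int cloexec)
{
    int fds[2];
    char cmd[64], buf[1];
    pid_t pid;
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0 || set_cloexec(fds[1], cloexec) < 0)
        return -1;
    snprintf(cmd, sizeof cmd, "echo x >&%d 2>/dev/null", fds[1]);
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {                 /* child: exec replaces the image, cloexec fds vanish */
        close(fds[0]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)0);
        _exit(127);
    }
    close(fds[1]);                  /* parent: drop its copy so read() sees EOF if nothing is written */
    n = read(fds[0], buf, 1);
    waitpid(pid, NULL, 0);
    close(fds[0]);
    return n == 1 ? 1 : 0;
}
```

A descriptor left without FD_CLOEXEC is inherited by every program exec'd from the process, so the flag is what decides whether a TLS-bearing socket is reachable from an unrelated child.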
