[Help-gnutls] Re: Restore gnutls session after execvp - possible?

Simon Josefsson jas at extundo.com
Mon Dec 12 12:43:49 CET 2005

Matthias Urlichs <smurf at smurf.noris.de> writes:

> Hi,
> Simon Josefsson:
>> Further, I'm not sure I understand _why_ this is done.  Perhaps if you
>> describe why you want to execvpe and carry over the TLS-protected
>> socket to the new process, we can suggest better solutions.
> One application of this idea, not related to execve()ing yourself, is to
> be able to pass the connection on to another process by way of a Unix
> socket and sendmsg().
> That'd allow you to use one applicationto accept a connection, estabish
> SSL, and thn dispatch it to another, which helps with privilege
> separation.


> The connection already is established (as far as the other side is
> concerned, anyway), the handshake has happened, so this call shouldn't
> be there. Just resume sending/receiving. (Assuming that the data
> structures are set up correctly, which they probably are not...)
> Fixing that shouldn't be *that* difficult, but I'd suggest writing a
> completely different API for this, which just marshals the full internal
> state of a connection into one area of memory / restores it from there.

I agree.  The resumption data API may be a starting pointer, that
should include most of the required internal state.  Patches to
implement this are very welcome.

I have added the following to the TODO list:

- Make it possible to extract the internal state of a session, to
  be able to execve a new process that take over the current
  living socket (using the fcntl close-on-exec flag) and
  continue the TLS session as well.


More information about the Gnutls-help mailing list