[Help-gnutls] Re: Announcement: Yet another GnuTLS-using program: Mandos

Simon Josefsson simon at josefsson.org
Thu Oct 9 12:22:57 CEST 2008


Teddy Hogeborn <teddy at fukt.bsnet.se> writes:

> Simon Josefsson <simon at josefsson.org> writes:
>
>> Teddy Hogeborn <teddy at fukt.bsnet.se> writes:
>>
>>>> This might introduce network timeouts, but if the Mandos client is
>>>> robust about that there shouldn't be a problem.
>>>
>>> I'm not sure what you mean.  Should not a TLS connection over TCP
>>> be alive indefinitely even if no data is sent over it?
>>
>> NAT firewalls tend to drop TCP sessions without any traffic over
>> them after some time.  Possibly the client could retry after some
>> interval.  Maybe your protocol could contain a ping-function.  This
>> would add some complexity, so for simplicity it might be better to
>> avoid.
>
> If this really would be a problem for somebody, should not this simply
> be solved by setting SO_KEEPALIVE?

Possibly, although I'm not certain.

> Now, the system as it is today is restricted to the local network (no
> network configured in the initrd, so we use IPv6 link-local
> addresses), so this should never happen.

Ah, that changes the model somewhat.  I guess it could be extended to
use DHCP and talk to a Mandos server somewhere else on the Internet
though.

/Simon
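The SO_KEEPALIVE suggestion above, shown as an added example that is not part of this thread and not code from Mandos or GnuTLS: enabling TCP keepalive on the client socket before the TLS handshake so that a NAT device sees periodic traffic and the kernel reports a dead peer instead of hanging forever. The function names and the timer values are this example's own choices; the per-socket timers (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT) are Linux-specific and are compiled out elsewhere, leaving only SO_KEEPALIVE with the system-wide defaults.

```c
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Turn on TCP keepalive for a stream socket.
 *   idle     seconds of silence before the first probe is sent
 *   interval seconds between unanswered probes
 *   count    unanswered probes before the kernel declares the peer dead
 * Keepalive probes are plain TCP segments with no payload, so they
 * carry no application data and are not part of the TLS record stream;
 * they only keep the NAT mapping alive and detect a vanished peer.
 * Returns 0 on success, -1 with errno set on failure. */
int enable_tcp_keepalive(int fd, int idle, int interval, int count)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
#ifdef TCP_KEEPIDLE   /* Linux-specific per-socket tunables */
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof idle) < 0)
        return -1;
#endif
#ifdef TCP_KEEPINTVL
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &interval,
                   sizeof interval) < 0)
        return -1;
#endif
#ifdef TCP_KEEPCNT
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &count, sizeof count) < 0)
        return -1;
#endif
    return 0;
}

/* Read SO_KEEPALIVE back from the socket.
 * Returns 1 if enabled, 0 if disabled, -1 with errno set on error. */
int keepalive_enabled(int fd)
{
    int on = 0;
    socklen_t len = sizeof on;
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, &len) < 0)
        return -1;
    return on ? 1 : 0;
}

/* Stand-alone demonstration: create an unconnected TCP socket, enable
 * keepalive with a 60 s idle timer, 10 s probe interval and 3 probes
 * (values chosen for this example), and verify the option took. */
int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    printf("before: keepalive=%d\n", keepalive_enabled(fd));
    if (enable_tcp_keepalive(fd, 60, 10, 3) < 0) {
        fprintf(stderr, "enable_tcp_keepalive: %s\n", strerror(errno));
        close(fd);
        return 1;
    }
    printf("after:  keepalive=%d\n", keepalive_enabled(fd));
    close(fd);
    return 0;
}
```

The option has to be set on the file descriptor before it is handed to GnuTLS (for example via gnutls_transport_set_ptr), since it is a property of the TCP socket, not of the TLS session. With the values above the kernel gives up after roughly 60 + 3 x 10 seconds of no response, at which point the blocked read returns an error and the client can reconnect; on the link-local-only setup described in the thread the option is harmless but unnecessary.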
