[gnutls-help] error -24 GNUTLS_E_DECRYPTION_FAILED with two possible causes

Michel Briand michelbriand at free.fr
Tue Jan 27 15:24:22 CET 2015

Nikos Mavrogiannopoulos <nmav at gnutls.org> - Mon, 26 Jan 2015 20:47:48

>On Mon, 2015-01-26 at 19:45 +0100, michelbriand at free.fr wrote:
>> waiting for your answer, very quick BTW, I've modified the logic 
>> in my program to create the child processes after all messages have 
>> been exchanged by parents. It works nicely.
>> Anyway, I think about your idea above.
>> Serialize the session data would be nice, but the hard task would
>> be to synchronize it between processes : that would go against the
>> very advantage of creating a child process (to not bother about
>> synchronization).
>> Is it possible to improve the documentation to help people 
>> not to fall into this pitfall in the future ?
>Which part is unclear and needs to be improved? If you have any
>proposed text please feel free to suggest.

There is no clear and explicit statement regarding that.

Sure, people using GnuTLS should be aware of the basics of TLS as a
stateful protocol, but a lot of people will learn TLS by
experimentation, through the way of trying a library.

I found some explicit things, though. For example in the function
gnutls_rnd clear() documentation, one could read :

 This function is thread-safe and also fork-safe.

You could help me to understand where the problem resides :
 - is the TLS state stored in gnutls_session ?
 - is the TLS state stored somewhere else ?

Then it could be explained explicitly in the documentation.

For example in §6.1.1 General idea, one could write :

  "The TLS protocol is stateful. The session is used to save those values.
   The session cannot be shared by distinct processes : i.e. two
   processes cannot read/write simultaneously with the same session.

   The traditional UNIX model that uses fork() to pass a socket to a child
   process can be used with secured sockets, but one has to ensure that
   only one process will read/write to the socket after fork()."

This is just a try to explain what I've understood so far :) !!
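
The pitfall discussed in this message, as an added example that is not part of the original post and is not GnuTLS code. It assumes a toy record layer whose only state is a sequence number mixed into each record's tag (TLS does the same in its MAC/AEAD input); the struct and function names and the FNV-1a tag are made up for the illustration.

```c
#include <stdint.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_DECRYPTION_FAILED (-24)  /* error code named in this thread */
/* Toy model of the record state kept in a TLS session: a sequence number
 * mixed into every record's tag. FNV-1a is a placeholder, not a real MAC. */
struct session { uint64_t seq; };
struct record  { uint64_t tag; char data[32]; };

static uint64_t tag_of(uint64_t seq, const char *d) {
    uint64_t h = 1469598103934665603ULL ^ seq;
    for (; *d; d++) h = (h ^ (unsigned char)*d) * 1099511628211ULL;
    return h;
}
static struct record seal(struct session *s, const char *msg) {
    struct record r = {0};
    strncpy(r.data, msg, sizeof r.data - 1);
    r.tag = tag_of(s->seq++, r.data);             /* sending advances the state */
    return r;
}
static int open_record(struct session *s, const struct record *r) {
    if (tag_of(s->seq, r->data) != r->tag) return DEMO_DECRYPTION_FAILED;
    s->seq++;
    return 0;
}

/* Child sends one record after fork(); the parent optionally sends too.
 * Returns the receiver's result for the last record it processed. */
int after_fork(int parent_also_writes) {
    struct session tx = {0}, rx = {0};
    struct record r = seal(&tx, "pre-fork");      /* both sides reach seq 1 */
    int fd[2], rc = open_record(&rx, &r);
    if (rc || pipe(fd)) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                               /* child owns a COPY of tx */
        r = seal(&tx, "from child");
        _exit(write(fd[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    waitpid(pid, NULL, 0);
    rc = read(fd[0], &r, sizeof r) == (ssize_t)sizeof r ? open_record(&rx, &r) : -1;
    if (rc == 0 && parent_also_writes) {
        r = seal(&tx, "from parent");             /* parent's tx.seq is stale */
        rc = open_record(&rx, &r);
    }
    close(fd[0]); close(fd[1]);
    return rc;
}
int main(void) { return after_fork(0) == 0 && after_fork(1) == DEMO_DECRYPTION_FAILED ? 0 : 1; }
```

When only the child writes after fork(), the receiver accepts its record; when the parent writes as well, its copy of the state has not advanced and the receiver rejects the record.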

