[gnutls-help] Truly non-blocking example of gnutls usage

Alex Bligh alex at alex.org.uk
Thu Apr 14 11:00:15 CEST 2016


On 14 Apr 2016, at 09:49, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

>> I do now:
>>  https://github.com/abligh/tlsproxy
> Thank you. That seems quite a nice and concise example,


> although it is
> not as small (1-3 pages) to include in the manual. I've added a
> reference instead and included it in gnutls as a submodule under
> doc/examples/tlsproxy.   Do you plan to keep/update that repository?

Yes I do, though hopefully it won't change too often.

I've submitted tlsproxy.c to nbd (network block device), so it
should have at least one user.

> PS. Few comments:
> I would not use select() any more. It is hard to get right and under
> glibc it causes stack overflow if any of the fds is over 1024.

I agree. But determining whether poll / ppoll etc. is available
is a pain, and in this instance there are only two FDs. I
can't remember how prevalent poll is (as opposed to ppoll);
perhaps I convert it to use poll().

> You could further simplify the example by using
> gnutls_certificate_verification_status_print() instead of checking
> statuses manually (that would introduce dependency to gnutls over
> 3.1.4, but it is future proof with regards to message reporting).

Again I agree, but I wanted this to compile on LTS Ubuntu
(currently 14.04) which ships with 2.12.23-12ubuntu2.4 (unfortunately).

> You seem to call gnutls_bye() unconditionally. It may be better to
> send gnutls_alert_send_appropriate() on error condition, and
> gnutls_bye() with _WR only, since you are not interested in properly
> closing the channel at this point. RDWR is suitable for the cases that
> you want to close the channel and re-use it (send unencrypted data).

OK I should probably look at that one, thanks.

Alex Bligh

More information about the Gnutls-help mailing list