[gnutls-help] Multi-tenancy and PKCS #11

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Jul 19 06:00:18 CEST 2017

On Tue, Jul 18, 2017 at 3:22 PM, Rick van Rein <rick at openfortress.nl> wrote:
> Hello Nikos,
> As you know, I am building a TLS Pool which separates applications from
> TLS security.  I have requests to make this into a multi-tenant process,
> so it could run on a client machine and service each client without
> interference.
> https://github.com/arpa2/tlspool/issues/36
> This is a nettly request, but most things are now starting to resolve.
> One thing that may be blocking it, is the fact that GnuTLS has a global
> setup for PKCS #11, including the available tokens and their PINs.  Is
> that correct, or is there a way to get around this?

Could you describe the ideal situation of handling smart cards for the
use case above? The situation in gnutls is that pkcs11 shared modules
are loaded globally, pins etc are cached/used per private key,

> I do realise that GnuTLS is a library, and was not design with a
> multi-tenant mindset.  So if this is the stopper of the multi-tenancy
> show than that does not indicate to me that GnuTLS is bad :) just that a
> multi-tenant TLS Pool would be stretching it too far.

Note that PKCS#11 utilizes global state per process and it may not be
possible to have various modules loaded by different parts of the
process without co-ordination.


More information about the Gnutls-help mailing list