[gnutls-help] TLS-Server with Let’s Encrypt

Sam Varshavchik mrsam at courier-mta.com
Fri Aug 3 12:59:26 CEST 2018


Mario Lombardo writes:

> Hi Sam,
>
>
> thank you for your message. What about the existing sessions
> (gnutls_session_t)? Can I call gnutls_credentials_clear() once the handshake
> is finished and keep the connection for this session established? I believe
> it is not safe to call gnutls_certificate_free_credentials() as long as there are
> sessions bound to this store, is it?

Presuming there are no multithreading-related issues, I would expect it to
be safe. If the library needs it, for some reason, I expect it to make its
own copy. I find nothing in the public documentation that requires the
credentials to exist as long as some session that used them, initially, is
still around.

> Or is there any other best practice? Can I set other credentials on an
> existing session (after handshake)?

You can also take the approach of creating a new context for all new
sessions, and keep the old context, with the old credentials, until all
existing sessions which use it go away. I don't believe this is necessary,
but this is also one possible way to do it.
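The second approach in the reply (a new credential store for new sessions, the old one kept alive until its last session is gone) is a reference-counting problem. The following is an added example, not code from the thread or from GnuTLS: it models a server that rotates a renewed Let's Encrypt certificate while sessions are open. The credential "backend" is a stub (`stub_cred_t`, `stub_cred_alloc`, `stub_cred_free`) standing in for `gnutls_certificate_allocate_credentials()` / `gnutls_certificate_set_x509_key_file()` / `gnutls_certificate_free_credentials()` so the file builds without GnuTLS; in a real server `session_open()` would call `gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ref->cred)` with the pinned store. The wrapper and helper names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LABEL_LEN 32

/* Stub for gnutls_certificate_credentials_t (assumption for this example):
 * a real store would hold the parsed cert chain and private key. */
typedef struct {
    char label[LABEL_LEN];          /* e.g. "cert-2018-08" for the renewal */
} stub_cred_t;

/* Bookkeeping so the rotation can be observed from outside. */
static unsigned live_stores = 0;           /* stores currently allocated  */
static char last_freed[LABEL_LEN] = "";    /* label of last freed store   */

static stub_cred_t *stub_cred_alloc(const char *label) {
    stub_cred_t *c = calloc(1, sizeof *c);
    if (!c) abort();
    snprintf(c->label, sizeof c->label, "%s", label);
    live_stores++;
    return c;
}

static void stub_cred_free(stub_cred_t *c) {
    snprintf(last_freed, sizeof last_freed, "%s", c->label);
    live_stores--;
    free(c);
}

/* Refcounted wrapper: one ref is held by the "current" slot, one per
 * session that performed its handshake with this store. In a threaded
 * server, refs must be updated under a mutex or with atomics. */
typedef struct {
    stub_cred_t *cred;
    unsigned refs;
} cred_ref_t;

static cred_ref_t *current = NULL;  /* store handed to new handshakes */

void creds_release(cred_ref_t *r) {
    if (--r->refs == 0) {           /* last user gone: now safe to free */
        stub_cred_free(r->cred);
        free(r);
    }
}

/* Install freshly loaded cert/key material (e.g. after an ACME renewal).
 * Sessions already established keep using the store they handshook with. */
cred_ref_t *creds_install(const char *label) {
    cred_ref_t *r = calloc(1, sizeof *r);
    if (!r) abort();
    r->cred = stub_cred_alloc(label);
    r->refs = 1;                    /* the current slot's reference */
    cred_ref_t *old = current;
    current = r;
    if (old) creds_release(old);    /* freed now only if no session uses it */
    return r;
}

cred_ref_t *creds_acquire_current(void) {
    current->refs++;
    return current;
}

void creds_shutdown(void) {
    if (current) { creds_release(current); current = NULL; }
}

/* Minimal session model: the store is pinned at handshake time. */
typedef struct {
    cred_ref_t *creds;
    int open;
} session_t;

void session_open(session_t *s) {
    s->creds = creds_acquire_current();  /* real code: gnutls_credentials_set() here */
    s->open = 1;
}

void session_close(session_t *s) {
    if (!s->open) return;
    creds_release(s->creds);        /* may free an already-rotated-out store */
    s->creds = NULL;
    s->open = 0;
}

const char *session_cert_label(const session_t *s) { return s->creds->cred->label; }
unsigned live_store_count(void) { return live_stores; }
const char *last_freed_label(void) { return last_freed; }
unsigned current_refs(void) { return current ? current->refs : 0; }

int main(void) {
    session_t a, b;
    creds_install("cert-2018-08");
    session_open(&a);
    creds_install("cert-2018-10");  /* renewal while a is still open */
    session_open(&b);
    printf("a uses %s, b uses %s, live stores %u\n",
           session_cert_label(&a), session_cert_label(&b), live_store_count());
    session_close(&a);              /* frees cert-2018-08 */
    printf("live stores after closing a: %u (freed %s)\n",
           live_store_count(), last_freed_label());
    session_close(&b);
    creds_shutdown();
    return live_store_count() == 0 ? 0 : 1;
}
```

The point of the wrapper is that rotation never frees a store out from under a live session, regardless of whether the library copies the credentials internally; the cost is one counter per store and one pointer per session.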
