[gnutls-help] TLS 1.3 post-handshake authentication vs. exceptions

Ludovic Courtès ludo at gnu.org
Fri Jun 7 13:03:23 CEST 2019


AIUI, TLS 1.3 post-handshake authentication requests can happen anytime,
and thus clients need to be ready to deal with GNUTLS_E_REAUTH_REQUEST
at any time.  In particular, ‘gnutls_record_recv’ might return this
error, and the client has to call ‘gnutls_reauth’ at that point.

In the Guile bindings, GnuTLS errors are mapped to Guile exceptions.
The record layer is mapped to an I/O port, which is the abstraction used
for file contents, sockets, etc. (similar to FILE* in C).

The problem here is that you could get a GNUTLS_E_REAUTH_REQUEST
exception in the middle of a read from an I/O ports.  This breaks
abstraction because the caller of that read call may not know that the
port happens to be a GnuTLS record port.

Have other language bindings developers faced this issue?

I’m thinking that we could ask users to set a GNUTLS_E_REAUTH_REQUEST
handler beforehand such that, when we get GNUTLS_E_REAUTH_REQUEST, we
directly call that handler instead of throwing an exception.



More information about the Gnutls-help mailing list