[gnutls-help] TLS 1.3 post-handshake authentication vs. exceptions
Ludovic Courtès
ludo at gnu.org
Fri Jun 7 13:03:23 CEST 2019
Hello,

AIUI, TLS 1.3 post-handshake authentication requests can happen anytime,
and thus clients need to be ready to deal with GNUTLS_E_REAUTH_REQUEST
at any time. In particular, ‘gnutls_record_recv’ might return this
error, and the client has to call ‘gnutls_reauth’ at that point.

In the Guile bindings, GnuTLS errors are mapped to Guile exceptions.
The record layer is mapped to an I/O port, which is the abstraction used
for file contents, sockets, etc. (similar to FILE* in C).

The problem here is that you could get a GNUTLS_E_REAUTH_REQUEST
exception in the middle of a read from an I/O port. This breaks
abstraction because the caller of that read call may not know that the
port happens to be a GnuTLS record port.

Have other language bindings developers faced this issue?

I’m thinking that we could ask users to set a GNUTLS_E_REAUTH_REQUEST
handler beforehand such that, when we get GNUTLS_E_REAUTH_REQUEST, we
directly call that handler instead of throwing an exception.

Thoughts?

Ludo’.
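
The handler idea proposed in the message above, sketched in C as an added example; it is not part of the original message and is not GnuTLS or Guile-GnuTLS code. `struct port`, `port_read`, `E_REAUTH_REQUEST`, `max_reauth` and the mock peer are hypothetical stand-ins: in a real binding `recv` would wrap gnutls_record_recv and the handler would call gnutls_reauth.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for GNUTLS_E_REAUTH_REQUEST so this builds without libgnutls. */
enum { E_REAUTH_REQUEST = -1000 };

struct port {
    long (*recv)(struct port *, void *, size_t); /* would wrap gnutls_record_recv */
    int (*on_reauth)(struct port *);  /* would call gnutls_reauth; NULL if unset */
    int max_reauth;                   /* bound on reauth rounds per read */
    void *state;                      /* a gnutls_session_t in a real binding */
};

/* Generic read: with a handler set, the reauth request stays inside the port. */
long port_read(struct port *p, void *buf, size_t len)
{
    for (int rounds = 0;; rounds++) {
        long n = p->recv(p, buf, len);
        if (n != E_REAUTH_REQUEST)
            return n;                 /* data, EOF or an unrelated error */
        if (p->on_reauth == NULL || rounds >= p->max_reauth)
            return n;                 /* unprepared caller or runaway peer */
        int rc = p->on_reauth(p);
        if (rc < 0)
            return rc;                /* reauthentication failed: surface it */
    }
}

/* Constructed mock peer: asks for reauth `pending` times, then sends "hello". */
struct mock { int pending, reauth_calls; };

static long mock_recv(struct port *p, void *buf, size_t len)
{
    struct mock *m = p->state;
    if (m->pending > 0)
        return E_REAUTH_REQUEST;
    size_t n = len < 5 ? len : 5;
    memcpy(buf, "hello", n);
    return (long)n;
}

static int mock_reauth(struct port *p)
{
    struct mock *m = p->state;
    m->pending--;
    return ++m->reauth_calls ? 0 : -1;
}

/* Runs one read against the mock peer and reports how often the handler ran. */
long demo(int pending, int with_handler, int *calls)
{
    struct mock m = { pending, 0 };
    struct port p = { mock_recv, with_handler ? mock_reauth : NULL, 2, &m };
    char buf[16];
    long n = port_read(&p, buf, sizeof buf);
    *calls = m.reauth_calls;
    return n;
}
```

The `max_reauth` bound is an added assumption: without it, a peer that keeps sending reauthentication requests could hold a single read in the loop indefinitely.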