[gnutls-help] false start

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Feb 7 15:52:54 CET 2020


On Fri, Feb 7, 2020 at 2:45 PM Jeremy Harris <jgh at wizmail.org> wrote:
>
> gnutls_session_get_desc() seems to not be usefully
> callable immediately after gnutls_handshake() returns,
> with False Start in play, which is reasonable.
> However it also isn't returning useful info when called
> during a handshake-done callback set up with
>
>   gnutls_handshake_set_hook_function(state->session,
>       GNUTLS_HANDSHAKE_FINISHED, GNUTLS_HOOK_POST, ...
>
> I suspect the cause is the obvious flag
> "initial_negotiation_completed", set in handshake_client()
> only after the state-machine has terminated.
>
> Lacking the access via callback, I assume I have to
> check on every data read to see if I've acquired the
> info yet - which is ugly.
>
> Could the info be made accessible earlier?  How early?

Out of curiosity what is the reason you would like to know whether
parameters in relation to false start are acceptable early? There is
very little you can do at this point. The existing tests are in
_gnutls_kx_allows_false_start() function which pretty much checks the
prime size suitability or the curve size. It may be easy to replicate
those tests, or even better if you have control of the server, ensure
that only good parameters are offered.

> Are other API calls limited in when they are callable?
> Specifically
>  gnutls_certificate_get_peers()
>  gnutls_certificate_verify_peers2()

I believe these are only limited to having received the certificate,
and they are expected to be called asynchronously at the certificate
verification callback.

>  gnutls_alert_send()

That can be called at any time.

regards,
Nikos
