[gnutls-devel] multiple clients in one process (was: Re: Deployment ... Re: This working group has failed)

Andy Lutomirski luto at amacapital.net
Wed Nov 20 07:24:03 CET 2013

On Tue, Nov 19, 2013 at 9:05 PM, Patrick Pelletier
<code at funwithsoftware.org> wrote:
> On 11/19/13, 11:35 AM, Andy Lutomirski wrote:
>>   - Support multiple clients in the same process linked against the same
>> library without causing those clients to interfere with each other
>> (hello, GnuTLS).
> What's the issue that GnuTLS has with this?  I'm more familiar with the
> issue OpenSSL has, namely that it requires threading callbacks to be set, so
> each client in the same process is going to be stomping on the same set of
> global callbacks.  I'd thought GnuTLS was better about global state, but
> maybe there's something I've missed.

GnuTLS has gnutls_pkcs11_init, which is rather impolite -- it
manipulates global state, and it sometimes causes things to
malfunction after forking.  gnutls_global_init is documented as being
unsafe if called from multiple threads, which seems silly.

(As an even more off-topic aside, how is there nothing better than
pkcs11 for interfacing with abstract keys?)

> Also, I thought Botan wasn't good on this point either, since it requires a
> LibraryInitializer object to be created, and (I thought) it doesn't support
> more than one LibraryInitializer existing at once.

No clue -- I've never used it.


Andy Lutomirski
AMA Capital Management, LLC

More information about the Gnutls-devel mailing list