[gnutls-devel] [Andy Lutomirski] Re: [TLS] multiple clients in one process (was: Re: Deployment ... Re: This working group has failed)

Stef Walter stef at thewalter.net
Wed Nov 27 15:12:03 CET 2013

p11-kit solves the concurrency issue, with multiple callers of gnutls in
the same process. Although it's still possible for someone to use a
fragile PKCS#11 module directly with gnutls, that's not the default.

Secondly, I'm working actively in the PKCS#11 OASIS TC (even though such
work can be tedious), to solve the innate PKCS#11 issues with multiple
callers in a process. Progress has been made, and it's looking likely
that we'll have fixed this in a future version of the PKCS#11 standard.

But until then: p11-kit does aim to fix this exact case. If there is a
specific issue, or corner case that we've missed, I would love to hear

And no, PKCS#11 is not beautiful, but working around some of its
inadequacies (while also fixing them for real in the TC) has been
preferable to rewriting the Linux world + all the drivers to use
something else.

All the best,


On 27.11.2013 09:12, Daniel Kahn Gillmor wrote:
> hey gnutls and p11-kit folks--
> this message came up on the IETF TLS WG list, as a particular complaint
> about the relationship between gnutls and pkcs11 making it more
> difficult to use gnutls than it should be.
> I'm not sure if there is anything concrete to address here (or if there
> is, if it would be doable without API or ABI breakage), but i just
> wanted to make sure that the developers are aware that the concern has
> been aired publicly.  If the concern can be addressed and fixed, that
> would be great.
> If you think the concern raised is a misconception, or if there is a
> particular way to avoid the implied risks with forking or
> multithreading, i would be happy to relay any relevant clarifications to
> the TLS WG.
>       --dkg
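The multiple-callers problem discussed in this thread, as an added C example that is not from the thread or from p11-kit: a constructed stand-in PKCS#11 module (only the CKR_* values are the specification's) shows two independent callers colliding on the raw C_Initialize/C_Finalize contract, and a hypothetical reference-counting proxy, the kind of layer a shared loader puts in front of modules, letting them coexist in one process.

```c
#include <pthread.h>

/* Return codes as defined by the PKCS#11 (Cryptoki) specification. */
typedef unsigned long CK_RV;
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* Constructed stand-in PKCS#11 module (args omitted): the single-caller contract real modules implement. */
static int module_initialized = 0;
static CK_RV C_Initialize(void) {
    if (module_initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    module_initialized = 1; return CKR_OK;
}
static CK_RV C_Finalize(void) {
    if (!module_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    module_initialized = 0; return CKR_OK;
}
/* Raw module, two callers: B cannot initialize, and A's C_Finalize tears the module down for both. */
int raw_callers_collide(void) {
    C_Initialize();                    /* caller A, e.g. a TLS library */
    CK_RV b = C_Initialize();          /* caller B in the same process */
    C_Finalize();                      /* A is done; B's module is now dead */
    return b == CKR_CRYPTOKI_ALREADY_INITIALIZED && !module_initialized;
}

/* Reference-counting proxy (hypothetical, not p11-kit's code): only the first init and last finalize reach the module. */
static pthread_mutex_t proxy_lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned proxy_refs = 0;
CK_RV proxy_initialize(void) {
    pthread_mutex_lock(&proxy_lock);
    CK_RV rv = proxy_refs ? CKR_OK : C_Initialize();
    if (rv == CKR_OK) proxy_refs++;
    pthread_mutex_unlock(&proxy_lock);
    return rv;
}
CK_RV proxy_finalize(void) {
    pthread_mutex_lock(&proxy_lock);
    CK_RV rv = proxy_refs == 0 ? CKR_CRYPTOKI_NOT_INITIALIZED
             : --proxy_refs == 0 ? C_Finalize() : CKR_OK;
    pthread_mutex_unlock(&proxy_lock);
    return rv;
}
/* Via the proxy both callers succeed, B stays live after A finalizes, and only the last caller tears down. */
int proxied_callers_coexist(void) {
    CK_RV a = proxy_initialize(), b = proxy_initialize();
    proxy_finalize();                  /* A done; module still up for B */
    int still_up = module_initialized;
    proxy_finalize();                  /* B done; now torn down */
    return a == CKR_OK && b == CKR_OK && still_up && !module_initialized;
}
```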

