[gnutls-devel] [TLS] multiple clients in one process (was: Re: Deployment ... Re: This working group has failed)

Nikos Mavrogiannopoulos nmav at redhat.com
Thu Nov 28 10:10:30 CET 2013

On Wed, 2013-11-27 at 17:54 -0600, Nico Williams wrote:
> All of this is off-topic for this list.  I'll post a reply anyways, and
> I apologize to the list.
> On Tue, Nov 19, 2013 at 10:24:03PM -0800, Andy Lutomirski wrote:
> >                     [...].  gnutls_global_init is documented as being
> > unsafe if called from multiple threads, which seems silly.
> Initialization is not thread-safe in OpenSSL either.  This is a terrible
> thing.  It *can* be made thread-safe, so there's no excuse for it not
> being thread-safe.
I don't understand why this is an issue since it is documented. If a
function (like a global initialization function) is supposed to create
the mutexes for the rest of the library functions it cannot be expected
to be thread safe; at least in a portable way since static
initialization of mutexes is not a portable thing.

Nevertheless, even if you really need to call a global initialization
function in every thread you create (I really don't see why), you can
simply call it in a locked mutex. 

> > GnuTLS has gnutls_pkcs11_init, which is rather impolite -- it
> > manipulates global state, and it sometimes causes things to
> > malfunction after forking.  [...]
> PKCS#11 is by definition fork-unsafe (see the PKCS#11 docs).

It requires some reinitialization on every fork. Again, if that is
documented it can be made to work. I agree, it is a PITA to handle
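
The "call it in a locked mutex" approach from the message above, as an added example (not code from the e-mail or from GnuTLS). `lib_global_init` is a hypothetical stand-in for a non-thread-safe global init function; `app_tls_init` and `run_workers` are names assumed here.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a library's global init (hypothetical, not GnuTLS code).
 * The check and the setup are unsynchronized, so concurrent calls race. */
static int lib_initialized;
static int lib_setup_runs;   /* times the one-time setup actually ran */

static int lib_global_init(void)
{
    if (!lib_initialized) {
        lib_setup_runs++;    /* a real library would create its mutexes here */
        lib_initialized = 1;
    }
    return 0;
}

/* Application-owned lock, using the POSIX static initializer. */
static pthread_mutex_t init_lock = PTHREAD_MUTEX_INITIALIZER;

/* Threads call this wrapper, never the library function directly. */
int app_tls_init(void)
{
    pthread_mutex_lock(&init_lock);
    int ret = lib_global_init();
    pthread_mutex_unlock(&init_lock);
    return ret;
}

static void *worker(void *arg)
{
    (void)arg;
    return (void *)(intptr_t)app_tls_init();
}

/* Run n threads (max 64) that all initialize; -1 on thread or init failure. */
int run_workers(int n)
{
    pthread_t tid[64];
    void *res;
    int i, started = 0, failed = 0;
    if (n > 64) n = 64;
    for (i = 0; i < n && pthread_create(&tid[i], NULL, worker, NULL) == 0; i++)
        started++;
    for (i = 0; i < started; i++)
        if (pthread_join(tid[i], &res) != 0 || res != NULL) failed = 1;
    return (failed || started != n) ? -1 : lib_setup_runs;
}
int main(void) { printf("setup ran %d time(s)\n", run_workers(16)); return 0; }
```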

