[gnutls-devel] [TLS] multiple clients in one process (was: Re: Deployment ... Re: This working group has failed)

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Nov 28 11:42:01 CET 2013

On Thu, Nov 28, 2013 at 12:58 AM, Andy Lutomirski <luto at amacapital.net> wrote:

>> PKCS#11 is by definition fork-unsafe (see the PKCS#11 docs).
>> Any API dealing with "tokens" (in the PKCS#11 sense) is bound to be
>> fork-unsafe for at least open sessions/objects on tokens that require
>> authentication (PIN).  That's because any library using file descriptors
>> where offset is not a relevant concept will necessarily be fork-unsafe
>> by default.  And: any stateful cryptography library (e.g., an
>> implementation of TLS) will tend to be fork-unsafe (imagine a process
>> trying to use a TLS connection on both sides of a fork()!).
> I agree with all of this, except that I don't think that GnuTLS has
> any business even trying to use PKCS11 unless something explicitly
> requests it.  I've had all kinds of problems with libvmime causing
> GnuTLS to start interfacing with some mysterious GNOME PKCS11 token,
> when I don't want any of the above.

Well, I presume you don't know how gnutls works and I suggest that you
read our online manual.

We need PKCS #11 initialization because every gnutls function that
accepts a key file may be provided with a PKCS #11 URL (or even a TPM
key) and will work the way it is expected. You can of course disable
PKCS #11 support if you don't need it, but as smart cards are getting
wirespread, I prefer to have that enabled by default for all
applications using gnutls.  Otherwise we would have some gnutls
applications that work with smart cards, and others that don't, just
because someone forgot to explicitly enable smart card support.

>  It breaks fork for no good
> reason.  (I'm not even trying to do crypto in the child -- I just want
> to avoid getting all kinds of random errors.)

What do you mean it breaks fork? So far we had no issues with gnutls
and fork (and I use it on several projects like that). There could be
a bug, but I cannot find anything you reported on that.


More information about the Gnutls-devel mailing list