[gnutls-devel] [TLS] multiple clients in one process (was: Re: Deployment ... Re: This working group has failed)

Nico Williams nico at cryptonector.com
Sat Nov 30 01:03:31 CET 2013


On Thu, Nov 28, 2013 at 4:42 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Thu, Nov 28, 2013 at 12:58 AM, Andy Lutomirski <luto at amacapital.net> wrote:
>>> PKCS#11 is by definition fork-unsafe (see the PKCS#11 docs).
>>>
>> It breaks fork for no good
>> reason.  (I'm not even trying to do crypto in the child -- I just want
>> to avoid getting all kinds of random errors.)
>
> What do you mean it breaks fork? So far we had no issues with gnutls
> and fork (and I use it on several projects like that). There could be
> a bug, but I cannot find anything you reported on that.

It is not safe to use PKCS#11 on the child-side of fork() without
first either a) calling C_Initialize() to re-initialize PKCS#11, or b)
calling exec*().  Now, children of fork() are supposed to only call
async-signal-safe functions, therefore PKCS#11 is out on the
child-side of fork() anyway, but the PKCS#11 docs also specifically
describe PKCS#11 as fork-unsafe.

Nico
--
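The rule Nico states above, shown with a toy module. This is an added example written for this page; it is not GnuTLS, p11-kit or any real PKCS#11 provider's code, and toy_initialize/toy_sign/child_result are stand-ins for C_Initialize/C_Sign rather than the Cryptoki API. State created in the parent is tagged with the parent's pid, so a fork() child that keeps using it without re-initializing gets an error, while a child that re-initializes first works. Tagging module state with the owning pid is one way a provider can notice inherited state (an assumption about how such detection can be done, not a description of any particular module), and the error values are made up.

```c
/* Toy model of PKCS#11 fork-unsafety (added example, not from the thread
 * or from any PKCS#11 module). Names mirror the Cryptoki calls they stand
 * in for; return codes are illustrative, not the spec's CKR_* values. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum {
    OK = 0,
    ERR_NOT_INITIALIZED = 1,     /* stands in for CKR_CRYPTOKI_NOT_INITIALIZED */
    ERR_ALREADY_INITIALIZED = 2  /* stands in for CKR_CRYPTOKI_ALREADY_INITIALIZED */
};

/* Process-global module state, as a real provider keeps internally
 * (sessions, object handles, RNG state, token connections). */
static struct {
    int initialized;
    pid_t owner;            /* pid that called toy_initialize() */
    unsigned long counter;  /* placeholder for the state a sign call mutates */
} module;

/* C_Initialize() stand-in. A fork() child inherits a copy of `module`
 * that belongs to the parent's pid; re-initializing claims it for this pid. */
static int toy_initialize(void)
{
    if (module.initialized && module.owner == getpid())
        return ERR_ALREADY_INITIALIZED;
    module.initialized = 1;
    module.owner = getpid();
    module.counter = 0;
    return OK;
}

/* Any "cryptoki call": refuse to run on state inherited from another pid. */
static int toy_sign(unsigned long *out)
{
    if (!module.initialized || module.owner != getpid())
        return ERR_NOT_INITIALIZED;
    *out = ++module.counter;
    return OK;
}

/* Make one sign call in the current process and return its code. */
static int toy_sign_here(void)
{
    unsigned long v;
    return toy_sign(&v);
}

/* Fork; in the child optionally re-initialize, then make one sign call and
 * exit with its return code. Parent returns the child's exit status. */
static int child_result(int reinit)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (reinit)
            toy_initialize();
        _exit(toy_sign_here());  /* _exit: do not run the parent's atexit handlers */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    if (toy_initialize() != OK)
        return 1;
    printf("child using inherited state: %d (expect %d)\n",
           child_result(0), ERR_NOT_INITIALIZED);
    printf("child after re-initializing: %d (expect %d)\n",
           child_result(1), OK);
    printf("parent still works:          %d (expect %d)\n",
           toy_sign_here(), OK);
    return 0;
}
```

Note that the toy's toy_initialize() is trivially async-signal-safe, which a real C_Initialize() is not; in a multithreaded parent, Nico's other point applies and the safe choices in the child are exec*() or no PKCS#11 calls at all, with re-initialization reserved for children that do nothing else before it.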
