[Help-gnutls] Re: Restore gnutls session after execvp - possible?
Matthias Urlichs
smurf at smurf.noris.de
Mon Dec 12 04:40:45 CET 2005
Hi,
Simon Josefsson:
> Further, I'm not sure I understand _why_ this is done. Perhaps if you
> describe why you want to execvpe and carry over the TLS-protected
> socket to the new process, we can suggest better solutions.
>
One application of this idea, not related to execve()ing yourself, is to
be able to pass the connection on to another process by way of a Unix
socket and sendmsg().
That'd allow you to use one application to accept a connection, establish
SSL, and then dispatch it to another, which helps with privilege
separation.
> >> > if (gnutls_handshake (server->gnutls_sess) < 0)
> >> > printf ("handshake failed\n");
> >> >
> > Does that call work when you use it *before* doing your
> > save-execvp-restore dance?
>
> Most likely not.
Thought so.
The connection already is established (as far as the other side is
concerned, anyway), the handshake has happened, so this call shouldn't
be there. Just resume sending/receiving. (Assuming that the data
structures are set up correctly, which they probably are not...)
Fixing that shouldn't be *that* difficult, but I'd suggest writing a
completely different API for this, which just marshals the full internal
state of a connection into one area of memory / restores it from there.
--
Matthias Urlichs | {M:U} IT Design @ m-u-it.de | smurf at smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
- -
Her attitude to music was purely ballistic - just point your voice at the end of the verse and go for it.
-- Terry Pratchett (Maskerade)