[gnutls-help] TLS 1.3 post-handshake authentication vs. exceptions

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jun 8 19:32:09 CEST 2019


On Fri, Jun 7, 2019 at 1:04 PM Ludovic Courtès <ludo at gnu.org> wrote:
>
> Hello,
>
> AIUI, TLS 1.3 post-handshake authentication requests can happen anytime,
> and thus clients need to be ready to deal with GNUTLS_E_REAUTH_REQUEST
> at any time.  In particular, ‘gnutls_record_recv’ might return this
> error, and the client has to call ‘gnutls_reauth’ at that point.

Right. A clarification: these can happen only if the client or
server has explicitly enabled post-handshake authentication with the
corresponding gnutls_init() flag.

> In the Guile bindings, GnuTLS errors are mapped to Guile exceptions.
> The record layer is mapped to an I/O port, which is the abstraction used
> for file contents, sockets, etc. (similar to FILE* in C).
>
> The problem here is that you could get a GNUTLS_E_REAUTH_REQUEST
> exception in the middle of a read from an I/O port.  This breaks
> abstraction because the caller of that read call may not know that the
> port happens to be a GnuTLS record port.

That should be similar to the GNUTLS_E_REHANDSHAKE error. I'm not sure if
that can be the right solution, but there is the option of
GNUTLS_AUTO_REAUTH.

regards,
Nikos
