Re: [TLS] multiple clients in one process (was: Re: Deployment ... Re: This working group has failed)
Nico Williams <nico@cryptonector.com> Wed, 27 November 2013 23:54 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 797161ADFD7 for <tls@ietfa.amsl.com>; Wed, 27 Nov 2013 15:54:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VwRxVegLEm3L for <tls@ietfa.amsl.com>; Wed, 27 Nov 2013 15:54:56 -0800 (PST)
Received: from homiemail-a26.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119]) by ietfa.amsl.com (Postfix) with ESMTP id 32F281ADF7C for <tls@ietf.org>; Wed, 27 Nov 2013 15:54:56 -0800 (PST)
Received: from homiemail-a26.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTP id 9C70BB8058; Wed, 27 Nov 2013 15:54:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=2LsVkCHudUjwLS v4RG9xLytiku8=; b=d7KQgw2NGf0sVtWvCk+8ukYvgXVq9FE/3u0EslvXeAoPT0 anmrtNiTJTBu6XEsABEm0mtrSOtPiB38oV15KJ05dir1iGK2t0XZMFpp9d1JyFr2 Nig4uUz8IP2GfsALLvvFtapf0qNKURevnuj9KrhUySlkgxgIduCpRJT4epaUM=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTPA id 37C2EB8057; Wed, 27 Nov 2013 15:54:55 -0800 (PST)
Date: Wed, 27 Nov 2013 17:54:54 -0600
From: Nico Williams <nico@cryptonector.com>
To: Andy Lutomirski <luto@amacapital.net>
Message-ID: <20131127235451.GW21240@localhost>
References: <CAPMEXDbgp5+Gg6mkMWNrcOzmAbSpv3kjftGV0cjpqvMnRxpw=A@mail.gmail.com> <44D7624E-75D8-47D3-93BF-97427206E800@iki.fi> <CACsn0c=9GrO21ECZczB2zft3bVODcc=1ZRp3pG22c-rrDfTPXQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711DAEEE373@USMBX1.msg.corp.akamai.com> <528AD194.9060003@amacapital.net> <528AD326.8080908@kirils.com> <CAM_a8Jy_x-qZFdpxsLMnFjuYeAJBwqNqQLrnsAcf05GU5PuJfw@mail.gmail.com> <528BBD84.60700@amacapital.net> <528C4332.9060806@funwithsoftware.org> <CALCETrU0sN+dUGQ60v96hndKx_=7xUpgmxATtDVPJ3DqyGnbqA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CALCETrU0sN+dUGQ60v96hndKx_=7xUpgmxATtDVPJ3DqyGnbqA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Patrick Pelletier <code@funwithsoftware.org>, "tls@ietf.org" <tls@ietf.org>, GnuTLS development list <gnutls-devel@lists.gnutls.org>
Subject: Re: [TLS] multiple clients in one process (was: Re: Deployment ... Re: This working group has failed)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2013 23:54:57 -0000
All of this is off-topic for this list. I'll post a reply anyways, and I apologize to the list. On Tue, Nov 19, 2013 at 10:24:03PM -0800, Andy Lutomirski wrote: > [...]. gnutls_global_init is documented as being > unsafe if called from multiple threads, which seems silly. Initialization is not thread-safe in OpenSSL either. This is a terrible thing. It *can* be made thread-safe, so there's no excuse for it not being thread-safe. > GnuTLS has gnutls_pkcs11_init, which is rather impolite -- it > manipulates global state, and it sometimes causes things to > malfunction after forking. [...] PKCS#11 is by definition fork-unsafe (see the PKCS#11 docs). Any API dealing with "tokens" (in the PKCS#11 sense) is bound to be fork-unsafe for at least open sessions/objects on tokens that require authentication (PIN). That's because any library using file descriptors where offset is not a relevant concept will necessarily be fork-unsafe by default. And: any stateful cryptography library (e.g., an implementation of TLS) will tend to be fork-unsafe (imagine a process trying to use a TLS connection on both sides of a fork()!). Of course, that's all rather POSIX-specific, but the problem is inherent to any fork()-like interface. Use posix_spawn() or similar, then you won't have to worry about fork-safety at all. Long ago I used to think fork+exec superior to spawn since spawn was easy to implement in terms of fork+exec, but in truth fork() is a dangerous and difficult-to-use interface -- the only safe things to do on the child side of fork() are: async-signal-safe things, culminating in _exit() or exec*() ASAP. > (As an even more off-topic aside, how is there nothing better than > pkcs11 for interfacing with abstract keys?) Not really, not portably, not to my knowledge :( Something better is badly needed, yes. In particular we need: a) decent APIs for software crypto (even if it uses specialized HW under the covers), b) decent APIs for talking to smartcards (tokens), including softtokens, c) decent APIs for cryptographic protocols, d) decent APIs for PKIX naming, ... Nico --
- [TLS] This working group has failed Watson Ladd
- [TLS] Deployment ... Re: This working group has f… Hannes Tschofenig
- Re: [TLS] Deployment ... Re: This working group h… Taylor Hornby
- Re: [TLS] This working group has failed SM
- Re: [TLS] This working group has failed Ralph Holz
- Re: [TLS] Deployment ... Re: This working group h… Hannes Tschofenig
- Re: [TLS] Deployment ... Re: This working group h… Yoav Nir
- Re: [TLS] Deployment ... Re: This working group h… Hannes Tschofenig
- Re: [TLS] This working group has failed Salz, Rich
- Re: [TLS] Deployment ... Re: This working group h… Mark Nottingham
- Re: [TLS] Deployment ... Re: This working group h… Kyle Hamilton
- Re: [TLS] Deployment ... Re: This working group h… Juho Vähä-Herttua
- Re: [TLS] Deployment ... Re: This working group h… Watson Ladd
- Re: [TLS] Deployment ... Re: This working group h… Salz, Rich
- Re: [TLS] Deployment ... Re: This working group h… Watson Ladd
- Re: [TLS] Deployment ... Re: This working group h… Salz, Rich
- Re: [TLS] Deployment ... Re: This working group h… Andrei Popov
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Watson Ladd
- Re: [TLS] Deployment ... Re: This working group h… Geoffrey Keating
- Re: [TLS] Deployment ... Re: This working group h… Michael Staubermann
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Joshua Davies
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Andy Lutomirski
- Re: [TLS] Deployment ... Re: This working group h… Kirils Solovjovs
- Re: [TLS] Deployment ... Re: This working group h… Andy Wilson
- Re: [TLS] Deployment ... Re: This working group h… Marsh Ray
- Re: [TLS] Deployment ... Re: This working group h… Ralf Skyper Kaiser
- Re: [TLS] Deployment ... Re: This working group h… Ben Laurie
- [TLS] TLS protocol version intolerance [Was: Re: … Ivan Ristić
- Re: [TLS] Deployment ... Re: This working group h… Zooko Wilcox-OHearn
- Re: [TLS] TLS protocol version intolerance [Was: … Michael Sweet
- Re: [TLS] TLS protocol version intolerance [Was: … Eric Rescorla
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Andy Lutomirski
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- [TLS] multiple clients in one process (was: Re: D… Patrick Pelletier
- Re: [TLS] multiple clients in one process (was: R… Andy Lutomirski
- Re: [TLS] multiple clients in one process (was: R… Daniel Kahn Gillmor
- Re: [TLS] multiple clients in one process (was: R… Nico Williams
- Re: [TLS] multiple clients in one process (was: R… Nikos Mavrogiannopoulos
- Re: [TLS] multiple clients in one process (was: R… Andy Lutomirski