[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Help-gnutls] Re: Restore gnutls session after execvp - possible?
From: |
Simon Josefsson |
Subject: |
[Help-gnutls] Re: Restore gnutls session after execvp - possible? |
Date: |
Mon, 12 Dec 2005 12:43:49 +0100 |
User-agent: |
Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux) |
Matthias Urlichs <address@hidden> writes:
> Hi,
>
> Simon Josefsson:
>> Further, I'm not sure I understand _why_ this is done. Perhaps if you
>> describe why you want to execvpe and carry over the TLS-protected
>> socket to the new process, we can suggest better solutions.
>>
> One application of this idea, not related to execve()ing yourself, is to
> be able to pass the connection on to another process by way of a Unix
> socket and sendmsg().
>
> That'd allow you to use one applicationto accept a connection, estabish
> SSL, and thn dispatch it to another, which helps with privilege
> separation.
Right.
> The connection already is established (as far as the other side is
> concerned, anyway), the handshake has happened, so this call shouldn't
> be there. Just resume sending/receiving. (Assuming that the data
> structures are set up correctly, which they probably are not...)
>
> Fixing that shouldn't be *that* difficult, but I'd suggest writing a
> completely different API for this, which just marshals the full internal
> state of a connection into one area of memory / restores it from there.
I agree. The resumption data API may be a starting pointer, that
should include most of the required internal state. Patches to
implement this are very welcome.
I have added the following to the TODO list:
- Make it possible to extract the internal state of a session, to
be able to execve a new process that take over the current
living socket (using the fcntl close-on-exec flag) and
continue the TLS session as well.
Thanks,
Simon