
[Help-gnutls] Re: Restore gnutls session after execvp - possible?


From: Matthias Urlichs
Subject: [Help-gnutls] Re: Restore gnutls session after execvp - possible?
Date: Mon, 12 Dec 2005 04:40:45 +0100
User-agent: Mutt/1.5.9i

Hi,

Simon Josefsson:
> Further, I'm not sure I understand _why_ this is done.  Perhaps if you
> describe why you want to execvpe and carry over the TLS-protected
> socket to the new process, we can suggest better solutions.
> 
One application of this idea, not related to execve()ing yourself, is to
be able to pass the connection on to another process by way of a Unix
socket and sendmsg().

That'd allow you to use one application to accept a connection, establish
SSL, and then dispatch it to another, which helps with privilege
separation.

> >> >     if (gnutls_handshake (server->gnutls_sess) < 0)
> >> >         printf ("handshake failed\n");
> >> >
> > Does that call work when you use it *before* doing your
> > save-execvp-restore dance?
> 
> Most likely not.

Thought so.

The connection already is established (as far as the other side is
concerned, anyway), the handshake has happened, so this call shouldn't
be there. Just resume sending/receiving. (Assuming that the data
structures are set up correctly, which they probably are not...)

Fixing that shouldn't be *that* difficult, but I'd suggest writing a
completely different API for this, which just marshals the full internal
state of a connection into one area of memory / restores it from there.

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  address@hidden
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
 - -
Her attitude to music was purely ballistic - just point your voice at the end 
of the verse and go for it.
                -- Terry Pratchett (Maskerade)
