[gnutls-dev] Generating/regenerating params


From: Stephen Frost
Subject: [gnutls-dev] Generating/regenerating params
Date: Sat, 6 Mar 2004 02:19:31 -0500
User-agent: Mutt/1.5.5.1+cvs20040105i

Greetings,

  I've run into a very difficult problem when trying to safely
  regenerate dh/rsa parameters.  The setup is like this:

  There's a global context which has creds
  (gnutls_certificate_credentials) and all of the CA certs and whatnot
  are loaded into it.

  We then have a local (per thread) context which copies the cred from 
  the global context, but just the pointer (there isn't a function to
  copy the whole thing...).

  We then set params in creds in each thread, caching the params in a
  file and regenerating the params whenever the file disappears, which
  we plan to make happen periodically as is recommended in various
  comments in the example GNU TLS server.

  There are a couple of problems here though:  The params are shared across
  all threads because of the single global context with creds.  I worry
  about regenerating them because I don't want to break existing
  connections or ones which are in the process of setting up.  I don't
  see any way (beyond re-reading all the certs which I expect would kill
  performance) to make the creds be local though.

  What's the right way to do this?  Have multiple threads going and
  still periodically regenerate the rsa/dh params without breaking
  anything or leaking memory or anything?  Is it safe to just init the
  rsa/dh params and then just change them with generate2 or import_raw?
  Will that break existing connections or other threads which are
  setting up their connections?  Do I still need to call set_XX_params?

        Thanks,
        
                Stephen

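The lifetime problem described in the message above (a parameter set shared through one credentials object by many threads, regenerated periodically, with handshakes possibly in flight) is the usual reference-counted swap pattern. The following is an added example and not code from the thread or from GnuTLS itself: the `dh_params` struct is a hypothetical stand-in for a `gnutls_dh_params_t`, and the comments mark where the real calls (`gnutls_dh_params_init`, `gnutls_dh_params_generate2`, `gnutls_certificate_set_dh_params`, `gnutls_dh_params_deinit`) would go. The rule it enforces is the one the poster is after: a handshake pins the set it started with, regeneration installs a new set without touching the old one, and the old set is freed only when the last handshake using it releases it.

```c
/* Reference-counted DH parameter slot shared by handshake threads.
 * Added example; the dh_params struct stands in for gnutls_dh_params_t. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct dh_params {
    int refs;             /* handshakes holding this set, plus 1 for the slot */
    unsigned generation;  /* which regeneration produced it (1, 2, ...) */
    unsigned bits;        /* prime size this set was generated with */
    /* real code: gnutls_dh_params_t dh; */
} dh_params;

static pthread_mutex_t slot_lock = PTHREAD_MUTEX_INITIALIZER;
static dh_params *current = NULL;     /* the set new handshakes will pick up */
static unsigned next_generation = 1;
static int freed_sets = 0;            /* bookkeeping so callers can verify frees */

/* Slow part: build a brand-new set. Runs outside the lock on purpose. */
static dh_params *params_generate(unsigned bits)
{
    dh_params *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->bits = bits;
    /* real code: gnutls_dh_params_init(&p->dh);
     *            gnutls_dh_params_generate2(p->dh, bits); */
    return p;
}

static void params_free(dh_params *p)
{
    /* real code: gnutls_dh_params_deinit(p->dh); */
    freed_sets++;
    free(p);
}

/* A handshake thread calls this once at the start of the handshake and keeps
 * using the returned set even if a regeneration happens in the meantime. */
dh_params *params_acquire(void)
{
    pthread_mutex_lock(&slot_lock);
    dh_params *p = current;
    if (p)
        p->refs++;
    pthread_mutex_unlock(&slot_lock);
    return p;
}

/* Called when the handshake is finished with the set. Frees it only if this
 * was the last reference, i.e. the slot has already moved on and no other
 * handshake still holds it. */
void params_release(dh_params *p)
{
    if (!p)
        return;
    pthread_mutex_lock(&slot_lock);
    int last = (--p->refs == 0);
    pthread_mutex_unlock(&slot_lock);
    if (last)
        params_free(p);
}

/* Periodic regeneration: generate outside the lock, swap under the lock,
 * then drop the slot's reference to the previous set. Existing handshakes
 * that pinned the old set are unaffected. */
void params_regenerate(unsigned bits)
{
    dh_params *fresh = params_generate(bits);
    fresh->refs = 1;  /* the slot's own reference */
    pthread_mutex_lock(&slot_lock);
    fresh->generation = next_generation++;
    dh_params *old = current;
    current = fresh;
    /* real code: gnutls_certificate_set_dh_params(cred, fresh->dh); */
    pthread_mutex_unlock(&slot_lock);
    params_release(old);  /* frees it only if no handshake still holds it */
}

int params_freed_count(void)
{
    return freed_sets;
}

int main(void)
{
    params_regenerate(1024);                  /* generation 1 installed */
    dh_params *in_flight = params_acquire();  /* a handshake pins gen 1 */
    params_regenerate(2048);                  /* gen 2 installed, gen 1 kept alive */
    printf("handshake still sees generation %u (%u bits), freed so far: %d\n",
           in_flight->generation, in_flight->bits, params_freed_count());
    params_release(in_flight);                /* last holder: gen 1 freed now */
    printf("after release, freed: %d\n", params_freed_count());
    return 0;
}
```

Two caveats for anyone applying this to GnuTLS: the credentials object only stores the pointer you hand to `gnutls_certificate_set_dh_params`, so the caller owns the lifetime exactly as above, and the swap must replace the pointer in the credentials rather than calling `generate2` or `import_raw` on a set that live handshakes may still be reading. Also, GnuTLS 3.6 and later ignores application-supplied DH parameters and uses the RFC 7919 groups, so this regeneration machinery only matters for the older releases the message is about.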