Re: [Openvpn-devel] [PATCH] Use vfork() in openvpn_execve() instead of fork()

2015-05-10 Thread David Woodhouse
On Sun, 2015-05-10 at 00:57 +0300, Alon Bar-Lev wrote:
> http://lists.gnu.org/archive/html/gnutls-devel/2011-10/msg00058.html

That thread is interesting; thanks for the reference. In it, Stef pointed out¹ that the behaviour of automatically calling C_Initialize() from the atfork child handler is

Re: [Openvpn-devel] [PATCH] Use vfork() in openvpn_execve() instead of fork()

2015-05-10 Thread David Woodhouse
On Sun, 2015-05-10 at 01:09 +0300, Alon Bar-Lev wrote:
>
> > If an application *knows* that it will never use PKCS#11 after a fork(),
> > as in this case where we *know* that we're always just going to exec
> > something else, it certainly doesn't *damage* the well-behaved providers
> > if we

Re: [Openvpn-devel] [PATCH] Use vfork() in openvpn_execve() instead of fork()

2015-05-09 Thread David Woodhouse
On Sun, 2015-05-10 at 00:57 +0300, Alon Bar-Lev wrote:
> Are you sure you want to introduce security issues resulting of
> resource leak into the child process? Example: pcsc-lite socket that
> is leaking or USB connection? In a way for the child process thus it
> being able to access the card?

Re: [Openvpn-devel] [PATCH] Use vfork() in openvpn_execve() instead of fork()

2015-05-09 Thread David Woodhouse
On Sat, 2015-05-09 at 12:17 +0200, Gert Doering wrote:
> Hi,
>
> On Sat, May 09, 2015 at 07:55:56AM -, David Woodhouse wrote:
> > A better approach would probably be to disable the atfork handlers in
> > OpenVPN entirely since I believe we don't need them.
>
> With the patch to #480 which

Re: [Openvpn-devel] [PATCH] Use vfork() in openvpn_execve() instead of fork()

2015-05-09 Thread Gert Doering
Hi,

On Sat, May 09, 2015 at 07:55:56AM -, David Woodhouse wrote:
> A better approach would probably be to disable the atfork handlers in
> OpenVPN entirely since I believe we don't need them.

With the patch to #480 which moves the only "real fork()" (daemon()) to "before any crypto stuff

Re: [Openvpn-devel] [PATCH] Use vfork() in openvpn_execve() instead of fork()

2015-05-09 Thread David Woodhouse
> I've spent my evening reading more about vfork() and fork(). I've based
> my trust this time in two books [1] on Linux system programming.
>
> Both books are really clear that vfork() should be avoided, and even
> claiming it was a mistake by introducing that syscall in Linux. Its
> semantic

Re: [Openvpn-devel] [PATCH] Use vfork() in openvpn_execve() instead of fork()

2015-05-09 Thread David Sommerseth
On 02/05/15 01:37, David Woodhouse wrote:
> On Sat, 2015-05-02 at 01:54 +0300, Alon Bar-Lev wrote:
>> not sure what systemd-ask-password is, but the proper interaction
>> with openvpn process in this case is via the management interface,
>> there is an example here[1].
>
> It's a tool which

Re: [Openvpn-devel] [PATCH] Use vfork() in openvpn_execve() instead of fork()

2015-05-05 Thread David Woodhouse
On Sat, 2015-05-02 at 01:54 +0300, Alon Bar-Lev wrote:
> what is specified explicitly in PKCS#11 spec must be applied by
> providers, there is no room for interpretation in this specific case.
>
> > From the OpenVPN point of view, actually there's a cheap trick which
> > can let us call it

Re: [Openvpn-devel] [PATCH] Use vfork() in openvpn_execve() instead of fork()

2015-05-02 Thread David Woodhouse
On Sat, 2015-05-02 at 01:54 +0300, Alon Bar-Lev wrote:
> PKCS#11 explicitly states that C_Initialize must be called post
> fork().

Hi Alon, thanks for the quick response and the citation from the spec; I had looked briefly and not yet found that. It's quite clear, as I had assumed, that your

[Openvpn-devel] [PATCH] Use vfork() in openvpn_execve() instead of fork()

2015-05-01 Thread David Woodhouse
The pkcs11-helper library installs a pthread_atfork() handler which, in the child, will call the C_Initialize() method on any PKCS#11 provider module which is active in the parent. I'm going to assume that Alon knows what he's doing and that this is actually the correct thing for pkcs11-helper to