On Fri, Feb 7, 2020 at 2:45 PM Jeremy Harris <[email protected]> wrote:
>
> gnutls_session_get_desc() seems to not be usefully
> callable immediately after gnutls_handshake() returns,
> with False Start in play, which is reasonable.
> However it also isn't returning useful info when called
> during a handshake-done callback set up with
>
>   gnutls_handshake_set_hook_function(state->session,
>       GNUTLS_HANDSHAKE_FINISHED, GNUTLS_HOOK_POST, ...
>
> I suspect the cause is the obvious flag
> "initial_negotiation_completed", set in handshake_client()
> only after the state-machine has terminated.
>
> Lacking the access via callback, I assume I have to
> check on every data read to see if I've acquired the
> info yet - which is ugly.
>
> Could the info be made accessible earlier? How early?

Out of curiosity what is the reason you would like to know whether
parameters in relation to false start are acceptable early? There is
very little you can do at this point. The existing tests are in the
_gnutls_kx_allows_false_start() function which pretty much checks the
prime size suitability or the curve size. It may be easy to replicate
those tests, or even better if you have control of the server, ensure
that only good parameters are offered.

> Are other API calls limited in when they are callable?
> Specifically
>   gnutls_certificate_get_peers()
>   gnutls_certificate_verify_peers2()

I believe these are only limited to having received the certificate,
and they are expected to be called asynchronously at the certificate
verification callback.

>   gnutls_alert_send()

That can be called at any time.

regards,
Nikos
