Rainer Gerhards wrote, On 2008-04-04 05:54:
> Hi there,
>
> I hope I don't bother you too much with a very basic question. I am
> the author of rsyslog - http://www.rsyslog.com - a syslogd replacement
> aimed, among others, at security. I am about to implement native TLS
> support for it. I was referred to either NSS or GnuTLS and have so far
> settled on NSS based on the good arguments in Red Hat's crypto
> consolidation.
>
> I have now spent some time on the doc (granted, not enough yet for
> sure) and the samples. What scares me a bit is that the samples
> contain lots of references to the portable runtime. Rsyslog itself is
> heavily threaded (via posix threads) and I can/will not modify it to
> rely on portable runtime features. I hope that's possible ;)
>
> So what I am looking for is a simple sample / intro / howto on how to
> make a tls client talk to a tls server via NSS with the least amount
> of portable runtime support. Most importantly, for my use case, NSS
> must work when the threading is provided via posix threads.
>
> Can someone point me to such a sample or doc? And maybe comment on
> using NSS together with a heavily pthread'ed application.
>
> Any feedback is deeply appreciated.
NSS depends on NSPR, and attempting to divorce NSS from NSPR is way more work than (I think) you want to attempt to do. (Quite a few have tried that and failed.)

But the good news is that on systems that support POSIX threads, NSPR uses POSIX threads under the hood. In a process that uses POSIX threads, threads that run code that knows about and uses NSPR can coexist quite nicely with threads that do not. IIRC, it's not necessary for a thread to be created by NSPR to be usable by NSPR. IIRC, NSPR can figure out that it's running on a previously unseen POSIX thread and set up the necessary bookkeeping info for that thread, on the fly.

So, I would say that, for you, the issue concerning the use of NSS+NSPR is not POSIX threading (should be no problem), but rather NSPR's sockets. NSS requires NSPR sockets. The application that calls NSS to do SSL on sockets must give NSS NSPR socket handles, not native OS FDs. Fortunately, it's not too difficult to make NSPR socket handles out of OS FDs.

I'd say that the conversion of a Unix/Linux/POSIX app to NSS & NSPR is not heavy lifting. But different folks have different thresholds of "heavy". :)

Maybe someone from Red Hat can suggest some sample converted code from their consolidation project for you to use as an example.

/Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto