Avi Kivity wrote:
> On 12/14/2009 05:17 PM, Daniel P. Berrange wrote:
>>> Yes - need to pass the encryption state. Hopefully the crypto stacks
>>> support this.
>> There's no mechanism for this in the SASL libraries. With GNUTLS there is
>> the ability to preserve negotiated session state from one TLS connection
>> and use it upon opening the next connection to fast-track the handshake
>> phase. This doesn't allow you to pass the state for an existing connection
>> to a new process though and have it carry on.
> This sucks. But we can ask the client to reauthenticate.

Or instead of passing the socket file descriptor, pass over a socketpair
and encrypt the traffic in the server. The encryption requires no
knowledge of the protocol so it can be done easily enough in the server.
You're already paying the cost for copying the data. Adding in one copy
shouldn't be the end of the world.
Regards,
Anthony Liguori
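The socketpair relay Anthony proposes, as an added C example that is not code from this thread or from QEMU: the server process keeps the client socket where TLS terminates and pumps plaintext over a socketpair to a worker process, so no TLS or SASL session state ever has to cross a process boundary. The names tls_recv and tls_send are stand-ins for the TLS record calls (plain read/write here so the example runs without a TLS stack); relay, worker_main, run_demo and the "hello vnc" message are all constructed for this example. The worker gets its end of the pair by fork inheritance rather than SCM_RIGHTS fd passing; the relay loop itself does not depend on which of the two handed the fd over.

```c
/* Added example, not code from the thread or from QEMU: the handoff Anthony
 * describes.  The server keeps the client socket (where TLS lives) and relays
 * plaintext over a socketpair to a worker, so no TLS/SASL state crosses processes. */
#include <ctype.h>
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-ins for the TLS record layer (e.g. gnutls_record_recv/send); plain I/O here. */
static ssize_t tls_recv(int fd, void *buf, size_t n) { return read(fd, buf, n); }
static ssize_t tls_send(int fd, const void *buf, size_t n) { return write(fd, buf, n); }

/* Write the whole buffer, through the TLS stand-in or the plain socketpair. */
static int write_all(int fd, const char *p, size_t n, int via_tls)
{
    while (n > 0) {
        ssize_t w = via_tls ? tls_send(fd, p, n) : write(fd, p, n);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        p += w; n -= (size_t)w;
    }
    return 0;
}

/* Server-side pump: decrypt toward the worker, encrypt toward the client, and
 * turn each side's EOF into a half-close of the other.  Returns plaintext bytes
 * delivered to the worker, or -1 on error. */
static long relay(int client_fd, int worker_fd)
{
    struct pollfd pfd[2] = { { client_fd, POLLIN, 0 }, { worker_fd, POLLIN, 0 } };
    char buf[4096]; long to_worker = 0; int open_ends = 2;
    while (open_ends > 0) {
        if (poll(pfd, 2, -1) < 0) { if (errno == EINTR) continue; return -1; }
        for (int i = 0; i < 2; i++) {
            int from_client = (i == 0), other = from_client ? worker_fd : client_fd;
            if (pfd[i].fd < 0 || !(pfd[i].revents & (POLLIN | POLLHUP))) continue;
            ssize_t n = from_client ? tls_recv(client_fd, buf, sizeof buf)
                                    : read(worker_fd, buf, sizeof buf);
            if (n < 0) return -1;
            if (n == 0) {                 /* EOF on this side: half-close the other */
                shutdown(other, SHUT_WR);
                pfd[i].fd = -1;           /* poll() ignores negative fds */
                open_ends--;
                continue;
            }
            if (write_all(other, buf, (size_t)n, !from_client) < 0) return -1;
            if (from_client) to_worker += n;
        }
    }
    return to_worker;
}

/* Constructed worker: a protocol handler that only ever sees plaintext.  It
 * upper-cases whatever arrives so the round trip is observable. */
static void worker_main(int fd)
{
    char buf[4096]; ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++) buf[i] = (char)toupper((unsigned char)buf[i]);
        if (write_all(fd, buf, (size_t)n, 0) < 0) break;
    }
}

/* One round trip: this process plays the client, one forked child the relaying
 * server, another the worker.  Fills out with the reply; returns its length or -1. */
static long run_demo(char *out, size_t outsz)
{
    int csp[2], wsp[2];             /* client<->server and server<->worker pairs */
    const char msg[] = "hello vnc"; /* constructed client message */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, csp) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, wsp) < 0) return -1;
    pid_t worker = fork();
    if (worker < 0) return -1;
    if (worker == 0) {
        close(csp[0]); close(csp[1]); close(wsp[0]);
        worker_main(wsp[1]);
        _exit(0);
    }
    pid_t server = fork();
    if (server < 0) return -1;
    if (server == 0) {
        close(csp[0]); close(wsp[1]);
        _exit(relay(csp[1], wsp[0]) < 0 ? 1 : 0);
    }
    close(csp[1]); close(wsp[0]); close(wsp[1]);
    /* Client side: send, half-close, then read the reply until EOF. */
    if (write_all(csp[0], msg, sizeof msg - 1, 0) < 0) return -1;
    shutdown(csp[0], SHUT_WR);
    size_t got = 0; ssize_t n;
    while (got + 1 < outsz && (n = read(csp[0], out + got, outsz - 1 - got)) > 0)
        got += (size_t)n;
    out[got] = '\0';
    close(csp[0]);
    waitpid(worker, NULL, 0); waitpid(server, NULL, 0);
    return (long)got;
}
```

The extra copy Anthony mentions is the write_all call inside relay: every byte is decrypted in the server and copied once more into the socketpair. Propagating each EOF as a half-close (shutdown with SHUT_WR) rather than closing the fd keeps the client's close visible to the worker, and the worker's reply visible to the client, without the relay ever needing to understand the VNC protocol.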