

GnuTLS initialization thread safety

From: Dan Fandrich
Date: Sat, 14 Feb 2009 01:40:36 -0800

The main initialization entry point Curl_gtls_init() is called by
curl_global_init(), which is guaranteed to be executed before any threads
have started in the system. However, it has this comment:

/* Unfortunately we can not init here, things like curl --version will
 * fail to work if there is no egd socket available because libgcrypt
 * will EXIT the application!!
 * By doing the actual init later (before actually trying to use GnuTLS),
 * we can at least provide basic info etc.
 */

and the function itself is empty. Sure enough, the GnuTLS init function
gnutls_global_init() is actually called as a TLS session is created,
which would ultimately be within curl_easy_perform(). That init code
uses a global variable which is suspiciously thread-unsafe; it could
only be safe if gnutls_global_init() is itself thread safe, but the GnuTLS
documentation says explicitly the opposite--that it is not.

I don't see any solution other than moving the call to gnutls_global_init()
back into the only safe place, namely curl_global_init(). The problem
with curl --version failing would have to be dealt with some other way,
perhaps by making --version a special case and skipping the global init
when it is given.

>>> Dan

--              The web change of address service
          Let webmasters know that your web site has moved
Received on 2009-02-14
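
Added example (not part of the original mail, and not libcurl or GnuTLS code): a small pthread program in which several threads reach a lazy, flag-guarded init at the same moment, compared with running the init once before any thread is started. backend_global_init(), session_thread() and count_init_calls() are hypothetical names, and the barrier is there only to make the interleaving repeatable.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define NTHREADS 4
static atomic_int init_calls;   /* times the stand-in library init ran */
static atomic_int init_done;    /* global "already initialized" flag */
static pthread_barrier_t gate;  /* forces the worst-case interleaving */

/* Hypothetical stand-in for a library init that is not thread safe. */
static void backend_global_init(void)
{
  atomic_fetch_add(&init_calls, 1);
  atomic_store(&init_done, 1);
}

/* Session-creation path: lazy init behind the flag. Atomics keep the demo
 * free of undefined behaviour; the check-then-act race remains. */
static void *session_thread(void *arg)
{
  int seen = atomic_load(&init_done);  /* check */
  (void)arg;
  pthread_barrier_wait(&gate);         /* every thread has checked by now */
  if(!seen)
    backend_global_init();             /* act: runs once per thread */
  return NULL;
}

/* Start NTHREADS sessions; return how many times the init ran. */
int count_init_calls(int init_before_threads)
{
  pthread_t t[NTHREADS];
  int i;
  atomic_store(&init_calls, 0);
  atomic_store(&init_done, 0);
  pthread_barrier_init(&gate, NULL, NTHREADS);
  if(init_before_threads)
    backend_global_init();  /* single-threaded, as in a global init call */
  for(i = 0; i < NTHREADS; i++) pthread_create(&t[i], NULL, session_thread, NULL);
  for(i = 0; i < NTHREADS; i++) pthread_join(t[i], NULL);
  pthread_barrier_destroy(&gate);
  return atomic_load(&init_calls);
}
int main(void)
{
  printf("lazy: %d init calls\n", count_init_calls(0));
  printf("before threads: %d init call\n", count_init_calls(1));
  return 0;
}
```

Build with the compiler's pthread option (for example cc -pthread). In the lazy case every thread that passed the check before the flag was set runs the initializer.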