To allow all GnuTLS applications to transparently access smart cards
and tokens, PKCS #11 is automatically initialized during the first
call of a PKCS #11 related function, in a thread safe way.
The default initialization process, utilizes p11-kit configuration, and loads any
appropriate PKCS #11 modules. The p11-kit configuration
files10 are typically stored in
For example a file that will instruct GnuTLS to load the OpenSC module,
could be named
/etc/pkcs11/modules/opensc.module and contain the following:
If you use these configuration files, then there is no need for other initialization in GnuTLS, except for the PIN and token callbacks (see next section). In several cases, however, it is desirable to limit badly behaving modules (e.g., modules that add an unacceptable delay on initialization) to single applications. That can be done using the “enable-in:” option followed by the base name of applications that this module should be used.
It is also possible to manually initialize or even disable the PKCS #11 subsystem if the default settings are not desirable or not available (see PKCS11 Manual Initialization for more information).
Note that, PKCS #11 modules behave in a peculiar way after a fork; they require a reinitialization of all the used PKCS #11 resources. While GnuTLS automates that process, there are corner cases where it is not possible to handle it correctly in an automated way11. For that, it is recommended not to mix fork() and PKCS #11 module usage. It is recommended to initialize and use any PKCS #11 resources in a single process.
Older versions of GnuTLS required to call gnutls_pkcs11_reinit after a fork() call; since 3.3.0 this is no longer required.
For example when an open session is to be reinitialized, but the PIN is not available to GnuTLS (e.g., it was entered at a pinpad).