qemu-devel
Re: [Qemu-devel] NBD TLS support in QEMU


From: Wouter Verhelst
Subject: Re: [Qemu-devel] NBD TLS support in QEMU
Date: Fri, 5 Sep 2014 10:42:18 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

On Fri, Sep 05, 2014 at 12:54:45AM +0200, Benoît Canet wrote:
> On Friday 05 Sep 2014 at 00:07:04 (+0200), Wouter Verhelst wrote:
> > On Thu, Sep 04, 2014 at 04:19:17PM +0200, Benoît Canet wrote:
> > > Prenegotiating TLS looks like we will accidentally introduce some security
> > > hole.
> 
> I was thinking of the fallback to cleartext case.
> 
> As a regular developer I am afraid of doing something creative with
> cryptography.

Using STARTTLS-like schemes is not being "creative with cryptography", it's an
accepted way of doing things. Yes, there are pitfalls, but those always
exist; that doesn't mean you should fall into the trap of remaking the
errors HTTP made with HTTPS. It's taken years for HTTPS to be able to
deal with the fact that you couldn't have multiple HTTPS sites on the
same IP; I don't want to go there.

"fallback to cleartext" is a problem, but it should not be too hard to
have crypto be enabled by way of a tri-state variable ("disabled",
"available if client wants it", "required").

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22
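
The tri-state setting described in the message above ("disabled", "available if client wants it", "required"), sketched as an added example; it is not code from the original message, from QEMU, or from the NBD project. All identifiers are hypothetical, and `offer_stripped` is an assumed way to model the TLS offer never reaching the client.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names, not taken from QEMU or the NBD reference code. */
enum tls_mode { TLS_DISABLED, TLS_OPTIONAL, TLS_REQUIRED };
enum tls_outcome { USE_CLEARTEXT, USE_TLS, ABORT_CONNECTION };

/* Client side. offered comes off the wire before any handshake, so it is
 * unauthenticated: TLS_REQUIRED must abort rather than fall back. */
enum tls_outcome client_decide(enum tls_mode client, bool offered)
{
    switch (client) {
    case TLS_DISABLED: return USE_CLEARTEXT;
    case TLS_OPTIONAL: return offered ? USE_TLS : USE_CLEARTEXT;
    case TLS_REQUIRED: return offered ? USE_TLS : ABORT_CONNECTION;
    }
    return ABORT_CONNECTION; /* unknown mode: fail closed */
}

/* Server side: does this server accept a session in the given state? */
bool server_accepts(enum tls_mode server, enum tls_outcome want)
{
    if (want == USE_TLS)
        return server != TLS_DISABLED;
    if (want == USE_CLEARTEXT)
        return server != TLS_REQUIRED;
    return false;
}

/* Full exchange. offer_stripped models the TLS offer being lost or removed
 * in transit, which is the "fallback to cleartext" case. */
enum tls_outcome session_outcome(enum tls_mode server, enum tls_mode client,
                                 bool offer_stripped)
{
    bool offered = server != TLS_DISABLED && !offer_stripped;
    enum tls_outcome want = client_decide(client, offered);
    if (want == ABORT_CONNECTION || !server_accepts(server, want))
        return ABORT_CONNECTION;
    return want;
}

int main(void)
{
    static const char *names[] = { "cleartext", "tls", "abort" };
    for (int s = TLS_DISABLED; s <= TLS_REQUIRED; s++)
        for (int c = TLS_DISABLED; c <= TLS_REQUIRED; c++)
            printf("server=%d client=%d normal=%s stripped=%s\n", s, c,
                   names[session_outcome(s, c, false)],
                   names[session_outcome(s, c, true)]);
    return 0;
}
```

With both ends on "available if client wants it", a lost offer yields a working cleartext session with no error; setting either end to "required" turns that case into an aborted connection.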
