[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 00/15] Implement TLS support to QEMU NBD server
|
From: |
Daniel P. Berrange |
|
Subject: |
Re: [Qemu-devel] [PATCH 00/15] Implement TLS support to QEMU NBD server & client |
|
Date: |
Wed, 2 Dec 2015 13:37:08 +0000 |
|
User-agent: |
Mutt/1.5.23 (2015-06-09) |
On Wed, Dec 02, 2015 at 01:56:30PM +0100, Wouter Verhelst wrote:
> Hi Daniel,
>
> Something occurred to me earlier today:
>
> On Fri, Nov 27, 2015 at 12:20:38PM +0000, Daniel P. Berrange wrote:
> > As is, if the client connects to a TLS enabled NBD server and then
> > immediately sends NBD_OPT_EXPORT_NAME, it is not possible for us
> > to send back NBD_REP_ERR_TLS_REQD as the spec requires that the
> > server close the connection :-( For this reason I have made the
> > qemu NBD client always send NBD_OPT_LIST as the first thing it
> > does, so that we can see the NBD_REP_ERR_TLS_REQD response.
>
> Why not have it send NBD_OPT_STARTTLS as the first message if you want
> to do TLS? That way, either the server doesn't support it because too
> old (and you get NBD_REP_ERR_UNSUP) or configuration (and you get
> NBD_REP_ERR_POLICY), or it does and you're in TLS.
>
> Did I miss something?
Yes, if the client wants TLS, it will send NBD_OPT_STARTTLS as the
first thing it does.
My comment above was refering to the case of a client not wanting
TLS which is connecting to a server that does want TLS. In that
case sending NBD_OPT_LIST is what we need to do in order to get
a suitable error from the server about requirement for TLS.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|