* Re: ktls-utils and gnutls
[not found] <878r4v6j0t.fsf-ueno@gnu.org>
@ 2024-01-12 14:06 ` Chuck Lever III
2024-01-12 14:24 ` Hannes Reinecke
0 siblings, 1 reply; 3+ messages in thread
From: Chuck Lever III @ 2024-01-12 14:06 UTC (permalink / raw)
To: Daiki Ueno; +Cc: kernel-tls-handshake
> On Jan 12, 2024, at 3:41 AM, Daiki Ueno <ueno@gnu.org> wrote:
>
> Hello Chuck,
>
> I am Daiki from the GnuTLS team; nice to meet you.
>
> We are currently collecting project ideas for GSoC[1] and I wonder if we
> could include something related to ktls-utils (tlshd), as it currently
> uses GnuTLS as the backend and I thought students may be interested in
> getting hands-on experience with both kernel and security.
>
> A couple of things that come to my mind are:
>
> 1. make use of the GnuTLS handshake API to bypass record layer
> interaction as mentioned at [2]
>
> 2. provide some experimental mechanism (kernel module?) to allow
> userspace applications to use that facility sorely with the POSIX
> networking API (as in tlssock[3]), though I know that it's explicitly
> marked as out of scope of the project
>
> Before adding those to the ideas page I would like to hear your opinion;
> any suggestions would be appreciated.
>
> Footnotes:
> [1] https://gitlab.com/gnutls/gnutls/-/wikis/Projects-for-newcomers
>
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=2182151#c61
>
> [3] https://github.com/enarx-archive/tlssock
Hello Daiki -
I've copied a mailing list with my ktls-utils collaborators.
Maybe Hans has a suggestion?
--
Chuck Lever
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: ktls-utils and gnutls
2024-01-12 14:06 ` ktls-utils and gnutls Chuck Lever III
@ 2024-01-12 14:24 ` Hannes Reinecke
2024-01-12 21:22 ` Daiki Ueno
0 siblings, 1 reply; 3+ messages in thread
From: Hannes Reinecke @ 2024-01-12 14:24 UTC (permalink / raw)
To: Chuck Lever III, Daiki Ueno; +Cc: kernel-tls-handshake
On 1/12/24 15:06, Chuck Lever III wrote:
>
>
>> On Jan 12, 2024, at 3:41 AM, Daiki Ueno <ueno@gnu.org> wrote:
>>
>> Hello Chuck,
>>
>> I am Daiki from the GnuTLS team; nice to meet you.
>>
>> We are currently collecting project ideas for GSoC[1] and I wonder if we
>> could include something related to ktls-utils (tlshd), as it currently
>> uses GnuTLS as the backend and I thought students may be interested in
>> getting hands-on experience with both kernel and security.
>>
>> A couple of things that come to my mind are:
>>
>> 1. make use of the GnuTLS handshake API to bypass record layer
>> interaction as mentioned at [2]
>>
>> 2. provide some experimental mechanism (kernel module?) to allow
>> userspace applications to use that facility sorely with the POSIX
>> networking API (as in tlssock[3]), though I know that it's explicitly
>> marked as out of scope of the project
>>
>> Before adding those to the ideas page I would like to hear your opinion;
>> any suggestions would be appreciated.
>>
>> Footnotes:
>> [1] https://gitlab.com/gnutls/gnutls/-/wikis/Projects-for-newcomers
>>
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=2182151#c61
>>
>> [3] https://github.com/enarx-archive/tlssock
>
> Hello Daiki -
>
> I've copied a mailing list with my ktls-utils collaborators.
> Maybe Hans has a suggestion?
>
There are some issues which could've been addressed:
1. Multiple PSK keys per ClientHello: the RFC allows for multiple
PSKs to be sent with each ClientHello, yet gnutls implements
only support for a single PSK. This is getting interesting
when several cipher suites with different lengths or different
scopes are supported, and the server could pick the appropriate
one instead of having the client to retry a ClientHello with
every available PSK.
2. Support for SPDM device attestation certificates: SPDM has defined
the use of X.509 certificates for device attestation. But as these
certificates are not bound to a network instance SPDM makes use
of 'Subject Alternative Name' with a distinct OID. It would be
good to implement support for SPDM X.509 certificates as chances
are they will become more prevalent.
And any implementor will need to generate valid SPDM certificates
to test out the implementation ...
Cheers,
Hannes
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: ktls-utils and gnutls
2024-01-12 14:24 ` Hannes Reinecke
@ 2024-01-12 21:22 ` Daiki Ueno
0 siblings, 0 replies; 3+ messages in thread
From: Daiki Ueno @ 2024-01-12 21:22 UTC (permalink / raw)
To: Hannes Reinecke; +Cc: Chuck Lever III, kernel-tls-handshake
Hannes Reinecke <hare@suse.de> writes:
> There are some issues which could've been addressed:
>
> 1. Multiple PSK keys per ClientHello: the RFC allows for multiple
> PSKs to be sent with each ClientHello, yet gnutls implements
> only support for a single PSK. This is getting interesting
> when several cipher suites with different lengths or different
> scopes are supported, and the server could pick the appropriate
> one instead of having the client to retry a ClientHello with
> every available PSK.
>
> 2. Support for SPDM device attestation certificates: SPDM has defined
> the use of X.509 certificates for device attestation. But as these
> certificates are not bound to a network instance SPDM makes use
> of 'Subject Alternative Name' with a distinct OID. It would be
> good to implement support for SPDM X.509 certificates as chances
> are they will become more prevalent.
> And any implementor will need to generate valid SPDM certificates
> to test out the implementation ...
Thank you. I've added both ideas to the list.
Regards,
--
Daiki Ueno
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-01-12 21:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <878r4v6j0t.fsf-ueno@gnu.org>
2024-01-12 14:06 ` ktls-utils and gnutls Chuck Lever III
2024-01-12 14:24 ` Hannes Reinecke
2024-01-12 21:22 ` Daiki Ueno
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox