* Re: ktls-utils and gnutls [not found] <878r4v6j0t.fsf-ueno@gnu.org> @ 2024-01-12 14:06 ` Chuck Lever III 2024-01-12 14:24 ` Hannes Reinecke 0 siblings, 1 reply; 3+ messages in thread From: Chuck Lever III @ 2024-01-12 14:06 UTC (permalink / raw) To: Daiki Ueno; +Cc: kernel-tls-handshake > On Jan 12, 2024, at 3:41 AM, Daiki Ueno <ueno@gnu.org> wrote: > > Hello Chuck, > > I am Daiki from the GnuTLS team; nice to meet you. > > We are currently collecting project ideas for GSoC[1] and I wonder if we > could include something related to ktls-utils (tlshd), as it currently > uses GnuTLS as the backend and I thought students may be interested in > getting hands-on experience with both kernel and security. > > A couple of things that come to my mind are: > > 1. make use of the GnuTLS handshake API to bypass record layer > interaction as mentioned at [2] > > 2. provide some experimental mechanism (kernel module?) to allow > userspace applications to use that facility sorely with the POSIX > networking API (as in tlssock[3]), though I know that it's explicitly > marked as out of scope of the project > > Before adding those to the ideas page I would like to hear your opinion; > any suggestions would be appreciated. > > Footnotes: > [1] https://gitlab.com/gnutls/gnutls/-/wikis/Projects-for-newcomers > > [2] https://bugzilla.redhat.com/show_bug.cgi?id=2182151#c61 > > [3] https://github.com/enarx-archive/tlssock Hello Daiki - I've copied a mailing list with my ktls-utils collaborators. Maybe Hans has a suggestion? -- Chuck Lever ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: ktls-utils and gnutls 2024-01-12 14:06 ` ktls-utils and gnutls Chuck Lever III @ 2024-01-12 14:24 ` Hannes Reinecke 2024-01-12 21:22 ` Daiki Ueno 0 siblings, 1 reply; 3+ messages in thread From: Hannes Reinecke @ 2024-01-12 14:24 UTC (permalink / raw) To: Chuck Lever III, Daiki Ueno; +Cc: kernel-tls-handshake On 1/12/24 15:06, Chuck Lever III wrote: > > >> On Jan 12, 2024, at 3:41 AM, Daiki Ueno <ueno@gnu.org> wrote: >> >> Hello Chuck, >> >> I am Daiki from the GnuTLS team; nice to meet you. >> >> We are currently collecting project ideas for GSoC[1] and I wonder if we >> could include something related to ktls-utils (tlshd), as it currently >> uses GnuTLS as the backend and I thought students may be interested in >> getting hands-on experience with both kernel and security. >> >> A couple of things that come to my mind are: >> >> 1. make use of the GnuTLS handshake API to bypass record layer >> interaction as mentioned at [2] >> >> 2. provide some experimental mechanism (kernel module?) to allow >> userspace applications to use that facility sorely with the POSIX >> networking API (as in tlssock[3]), though I know that it's explicitly >> marked as out of scope of the project >> >> Before adding those to the ideas page I would like to hear your opinion; >> any suggestions would be appreciated. >> >> Footnotes: >> [1] https://gitlab.com/gnutls/gnutls/-/wikis/Projects-for-newcomers >> >> [2] https://bugzilla.redhat.com/show_bug.cgi?id=2182151#c61 >> >> [3] https://github.com/enarx-archive/tlssock > > Hello Daiki - > > I've copied a mailing list with my ktls-utils collaborators. > Maybe Hans has a suggestion? > There are some issues which could've been addressed: 1. Multiple PSK keys per ClientHello: the RFC allows for multiple PSKs to be sent with each ClientHello, yet gnutls implements only support for a single PSK. This is getting interesting when several cipher suites with different lengths or different scopes are supported, and the server could pick the appropriate one instead of having the client to retry a ClientHello with every available PSK. 2. Support for SPDM device attestation certificates: SPDM has defined the use of X.509 certificates for device attestation. But as these certificates are not bound to a network instance SPDM makes use of 'Subject Alternative Name' with a distinct OID. It would be good to implement support for SPDM X.509 certificates as chances are they will become more prevalent. And any implementor will need to generate valid SPDM certificates to test out the implementation ... Cheers, Hannes ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: ktls-utils and gnutls 2024-01-12 14:24 ` Hannes Reinecke @ 2024-01-12 21:22 ` Daiki Ueno 0 siblings, 0 replies; 3+ messages in thread From: Daiki Ueno @ 2024-01-12 21:22 UTC (permalink / raw) To: Hannes Reinecke; +Cc: Chuck Lever III, kernel-tls-handshake Hannes Reinecke <hare@suse.de> writes: > There are some issues which could've been addressed: > > 1. Multiple PSK keys per ClientHello: the RFC allows for multiple > PSKs to be sent with each ClientHello, yet gnutls implements > only support for a single PSK. This is getting interesting > when several cipher suites with different lengths or different > scopes are supported, and the server could pick the appropriate > one instead of having the client to retry a ClientHello with > every available PSK. > > 2. Support for SPDM device attestation certificates: SPDM has defined > the use of X.509 certificates for device attestation. But as these > certificates are not bound to a network instance SPDM makes use > of 'Subject Alternative Name' with a distinct OID. It would be > good to implement support for SPDM X.509 certificates as chances > are they will become more prevalent. > And any implementor will need to generate valid SPDM certificates > to test out the implementation ... Thank you. I've added both ideas to the list. Regards, -- Daiki Ueno ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-01-12 21:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <878r4v6j0t.fsf-ueno@gnu.org>
2024-01-12 14:06 ` ktls-utils and gnutls Chuck Lever III
2024-01-12 14:24 ` Hannes Reinecke
2024-01-12 21:22 ` Daiki Ueno
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox