From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 82BF11DD525 for ; Sat, 2 May 2026 03:08:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777691319; cv=none; b=rKcGO2Rt6fyOqpUB7FB08BuXuifVjSqYtwfBYHrNP6mwd5G0BA4WW7VVjSCvXZnKxNQYUglqZxZdUWiJLu+0DMfZDiF90iSuK4FS5NEf19JEki0scXS6CAF13kkSCrO9Mt9xvtu3XxesMWB9wES60WKgMw4WQ7Rir5ySWr3ZJ2U= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777691319; c=relaxed/simple; bh=sFyrLC9upT0uJJdxa+5HzcrCgFXbBVeGIvPFfFdxypc=; h=MIME-Version:Date:From:To:Cc:Message-Id:In-Reply-To:References: Subject:Content-Type; b=XYBXxxTcECIIGZSnz//I4+OpURMK3y6mOubqTg6QvLt+IAKbeOZBVJmCdc2FFDLaVugk54tZ3TvjrALo8+e4/mVBSF8nP9MDQJkxIdVT2oi/XtxvuFcv/ICTMgFTORG55kvvSA0PQw9XqxsGVm6n7JrfuKnxHRe78CVwVKmWoUs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=fJqBkoC0; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="fJqBkoC0" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0FCE2C2BCB4; Sat, 2 May 2026 03:08:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1777691319; bh=sFyrLC9upT0uJJdxa+5HzcrCgFXbBVeGIvPFfFdxypc=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=fJqBkoC0ndlpbtg+JF4MbJdw4W1RfoJ1DtFmLtR9HyX0u6RwuP8q787tziZdVIaER xjSyOk6QC4BBbV61sV1y+EnPefALBldU/6ibHEfiWCtbxdVi0Om1kPjFuKz+yJAhN7 N9Oh18aDZG1uf+KyZXrhiV/tS1m66eLsOiD0P1VJCPc9fYc9clYmYQRX37yOVNfc2a 92nWrnRS9/DeBkA1MWK9WzGr1or7LWL6KBoiw2h1Oeg0flJoZWmAX89Eh+hf1D2yR2 rxHN+g6FmwHndsLBQwA/A/cGfejk1ERaEDrW8Rh3aX4HhJbOYhjW0mpKj6LhCKHrnU ubbFjQGZt2FvA== Received: from phl-compute-10.internal (phl-compute-10.internal [10.202.2.50]) by mailfauth.phl.internal (Postfix) with ESMTP id 09971F4006C; Fri, 1 May 2026 23:08:38 -0400 (EDT) Received: from phl-imap-15 ([10.202.2.104]) by phl-compute-10.internal (MEProxy); Fri, 01 May 2026 23:08:38 -0400 X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefhedrtddtgdeludeliecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjug hrpefoggffhffvvefkjghfufgtgfesthhqredtredtjeenucfhrhhomhepfdevhhhutghk ucfnvghvvghrfdcuoegtvghlsehkvghrnhgvlhdrohhrgheqnecuggftrfgrthhtvghrnh epgffhgeeutdeiieevuefgvedtjeefudekvefggefguefgtefgledtteeuleelleetnecu vehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheptghhuhgtkh hlvghvvghrodhmvghsmhhtphgruhhthhhpvghrshhonhgrlhhithihqdduieefgeelleel heelqdefvdelkeeggedvfedqtggvlheppehkvghrnhgvlhdrohhrghesfhgrshhtmhgrih hlrdgtohhmpdhnsggprhgtphhtthhopeehpdhmohguvgepshhmthhpohhuthdprhgtphht thhopehsrghgihesghhrihhmsggvrhhgrdhmvgdprhgtphhtthhopehkvghrnhgvlhdqth hlshdqhhgrnhgushhhrghkvgeslhhishhtshdrlhhinhhugidruggvvhdprhgtphhtthho pegthhhutghkrdhlvghvvghrsehorhgrtghlvgdrtghomhdprhgtphhtthhopehsmhgrhi hhvgifsehrvgguhhgrthdrtghomhdprhgtphhtthhopehlihhnuhigqdhnfhhssehvghgv rhdrkhgvrhhnvghlrdhorhhg X-ME-Proxy: Feedback-ID: ifa6e4810:Fastmail Received: by mailuser.phl.internal (Postfix, from userid 501) id CCD52780070; Fri, 1 May 2026 23:08:37 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ThreadId: Ak5ktnwSWV1c Date: Fri, 01 May 2026 23:08:15 -0400 From: "Chuck Lever" To: "Scott Mayhew" Cc: "Sagi Grimberg" , "Chuck Lever" , "Linux NFS Mailing List" , kernel-tls-handshake@lists.linux.dev Message-Id: <7c6516be-adb9-4d0d-ba7c-fa107fd4a865@app.fastmail.com> In-Reply-To: References: <92a53963-1e4b-42eb-af81-6be9f63f9e43@app.fastmail.com> Subject: Re: Breakage in ktls-utils with nfs keyring? Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On Fri, May 1, 2026, at 4:19 PM, Scott Mayhew wrote: > On Thu, 30 Apr 2026, Chuck Lever wrote: > >> Cc'ing the ktls-utils development list. >>=20 >> On Thu, Apr 30, 2026, at 9:32 AM, Sagi Grimberg wrote: >> > Hey Chuck, >> > >> > Upstream ktls-utils fails passing client certificate and private ke= y=20 >> > using the .nfs keyring. >> > Bisecting leads commit facd084e43fc ("tlshd: Client-side dual=20 >> > certificate support"). >> > >> > I manually apply this (probably wrong) change and keyring works: >> > -- >> > diff --git a/src/tlshd/client.c b/src/tlshd/client.c >> > index 2664ffb..a946797 100644 >> > --- a/src/tlshd/client.c >> > +++ b/src/tlshd/client.c >> > @@ -327,7 +327,7 @@ tlshd_x509_retrieve_key_cb(gnutls_session_t ses= sion, >> > =C2=A0 =C2=A0 =C2=A0 =C2=A0 } else { >> > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 tlshd_log_= debug("%s: Selecting x509.certificate from=20 >> > conf file", __func__); >> > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 *pcert_len= gth =3D tlshd_certs_len; >> > -=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0*pcert =3D = tlshd_certs + tlshd_pq_certs_len; >> > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0*pcert =3D = tlshd_certs; >> > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 *privkey =3D= tlshd_privkey; >> > =C2=A0 =C2=A0 =C2=A0 =C2=A0 } >> > =C2=A0 =C2=A0 =C2=A0 =C2=A0 return 0; >> > -- >> > >> > But, I have a feeling its not the correct change... >>=20 >>=20 >> Scott, can you triage this? > > So when I added the dual certificate support, I didn't touch any of the > keyring code. Frankly, I'm not entirely sure what is the right way to > set it up and the docs are pretty much nonexistent. As far as I can > tell: > > - you need to load nfs.ko first so that the .nfs keyring gets created > via nfs_init_keyring() > - you need to restart tlshd so that it links the .nfs keyring into its > session keyring (I tried loading nfs.ko at boot via modules-load.d, > but tlshd still reported an error saying it couldn't find the .nfs > keyring) > - you need to convert the cert and key to DER format > - you need to add the cert and key to the .nfs keyring, e.g. > > keyctl padd user "nfs_cert" %:.nfs < smayhew-rawhide.crt.der > keyctl padd user "nfs_key" %:.nfs < smayhew-rawhide.key.der > > - then you mount w/ '-o xprtsec=3Dmtls,cert_serial=3D...,privkey_seria= l=3D...' > > Is that somewhat accurate? Is there a better way to do it? It seems > like a lot more work than just using the config file. It is more work because keyring support for the NFS consumers is still aspirational/experimental. I've pushed your patch to a "fixes" branch for folks to try out. I'm not sure yet whether we want a 1.4.1 release with this fix, since keyring support for NFS is "not finished". > At any rate, I was able to reproduce the reported bug and the patch I > just sent fixes it, but I think we probably want to make dual > certificate support work with keyrings too. Yes, and clearly there are some questions to be answered. --=20 Chuck Lever