From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57156) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1a4726-0003mu-1J for qemu-devel@nongnu.org; Wed, 02 Dec 2015 08:01:23 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1a4721-0005En-2b for qemu-devel@nongnu.org; Wed, 02 Dec 2015 08:01:17 -0500
Date: Wed, 2 Dec 2015 13:56:30 +0100
From: Wouter Verhelst
Message-ID: <20151202125630.GA9734@grep.be>
References: <1448626853-27450-1-git-send-email-berrange@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1448626853-27450-1-git-send-email-berrange@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 00/15] Implement TLS support to QEMU NBD server & client
To: "Daniel P. Berrange"
Cc: Paolo Bonzini, qemu-devel@nongnu.org, qemu-block@nongnu.org

Hi Daniel,

Something occurred to me earlier today:

On Fri, Nov 27, 2015 at 12:20:38PM +0000, Daniel P. Berrange wrote:
> As is, if the client connects to a TLS enabled NBD server and then
> immediately sends NBD_OPT_EXPORT_NAME, it is not possible for us
> to send back NBD_REP_ERR_TLS_REQD as the spec requires that the
> server close the connection :-( For this reason I have made the
> qemu NBD client always send NBD_OPT_LIST as the first thing it
> does, so that we can see the NBD_REP_ERR_TLS_REQD response.

Why not have it send NBD_OPT_STARTTLS as the first message if you want
to do TLS? That way, either the server doesn't support it because too
old (and you get NBD_REP_ERR_UNSUP) or configuration (and you get
NBD_REP_ERR_POLICY), or it does and you're in TLS.

Did I miss something?

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26