From: "Daniel P. Berrange"
Date: Wed, 2 Dec 2015 13:37:08 +0000
Subject: Re: [Qemu-devel] [PATCH 00/15] Implement TLS support to QEMU NBD server & client
To: Wouter Verhelst
Cc: Paolo Bonzini, qemu-devel@nongnu.org, qemu-block@nongnu.org
Message-ID: <20151202133707.GC17715@redhat.com>
In-Reply-To: <20151202125630.GA9734@grep.be>

On Wed, Dec 02, 2015 at 01:56:30PM +0100, Wouter Verhelst wrote:
> Hi Daniel,
>
> Something occurred to me earlier today:
>
> On Fri, Nov 27, 2015 at 12:20:38PM +0000, Daniel P. Berrange wrote:
> > As is, if the client connects to a TLS enabled NBD server and then
> > immediately sends NBD_OPT_EXPORT_NAME, it is not possible for us
> > to send back NBD_REP_ERR_TLS_REQD as the spec requires that the
> > server close the connection :-( For this reason I have made the
> > qemu NBD client always send NBD_OPT_LIST as the first thing it
> > does, so that we can see the NBD_REP_ERR_TLS_REQD response.
>
> Why not have it send NBD_OPT_STARTTLS as the first message if you want
> to do TLS? That way, either the server doesn't support it because too
> old (and you get NBD_REP_ERR_UNSUP) or configuration (and you get
> NBD_REP_ERR_POLICY), or it does and you're in TLS.
>
> Did I miss something?
Yes, if the client wants TLS, it will send NBD_OPT_STARTTLS as the first
thing it does. My comment above was referring to the case of a client not
wanting TLS which is connecting to a server that does want TLS. In that
case sending NBD_OPT_LIST is what we need to do in order to get a suitable
error from the server about requirement for TLS.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
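The two negotiation paths discussed in this thread, modelled as an added example (not QEMU's or nbd-server's code): a client wanting TLS opens with NBD_OPT_STARTTLS, while a plain client probes with NBD_OPT_LIST so that a TLS-only server can answer NBD_REP_ERR_TLS_REQD instead of silently dropping the connection, which is all it may do on a bare NBD_OPT_EXPORT_NAME. The option/reply framing and numeric constants are assumed to match the NBD protocol document; `ToyServer`, `client_naive` and `client_negotiate` are constructed names.

```python
import struct

# NBD wire constants (values assumed from the NBD protocol document); the server
# model and client logic below are constructed for illustration, not QEMU code.
NBD_OPTS_MAGIC = 0x49484156454F5054   # "IHAVEOPT": client option request
NBD_REP_MAGIC = 0x3E889045565A9        # server option reply
NBD_OPT_EXPORT_NAME, NBD_OPT_LIST, NBD_OPT_STARTTLS = 1, 3, 5
NBD_REP_ACK = 1
NBD_REP_ERR_UNSUP = (1 << 31) + 1      # option unknown (server too old)
NBD_REP_ERR_POLICY = (1 << 31) + 2     # known, but refused by configuration
NBD_REP_ERR_TLS_REQD = (1 << 31) + 5   # server insists on TLS first

def pack_option(opt, data=b""):
    return struct.pack(">QII", NBD_OPTS_MAGIC, opt, len(data)) + data

def unpack_reply(buf):
    magic, opt, rep, length = struct.unpack(">QIII", buf[:20])
    if magic != NBD_REP_MAGIC:
        raise ValueError("bad option reply magic")
    return opt, rep, buf[20:20 + length]

class ToyServer:
    """tls_mode: 'required', 'policy' (supported but disabled) or 'unsup'."""
    def __init__(self, tls_mode):
        self.tls_mode, self.tls_on = tls_mode, False

    def handle(self, raw):
        """Return reply bytes, or None when the server drops the connection."""
        _, opt, _ = struct.unpack(">QII", raw[:16])
        reply = lambda rep: struct.pack(">QIII", NBD_REP_MAGIC, opt, rep, 0)
        if opt == NBD_OPT_STARTTLS:
            if self.tls_mode == "unsup": return reply(NBD_REP_ERR_UNSUP)
            if self.tls_mode == "policy": return reply(NBD_REP_ERR_POLICY)
            self.tls_on = True
            return reply(NBD_REP_ACK)
        if self.tls_mode == "required" and not self.tls_on:
            # Spec: bare EXPORT_NAME gets no reply; other options can get TLS_REQD.
            return None if opt == NBD_OPT_EXPORT_NAME else reply(NBD_REP_ERR_TLS_REQD)
        if opt == NBD_OPT_LIST:
            return reply(NBD_REP_ACK)       # export entries omitted in this model
        return struct.pack(">QH", 0, 0)     # EXPORT_NAME: size + flags, transmission phase

def client_naive(server):
    """Plain client sending EXPORT_NAME at once: a TLS-only server just hangs up."""
    return "plain" if server.handle(pack_option(NBD_OPT_EXPORT_NAME)) else "connection closed"

def client_negotiate(server, want_tls):
    """Thread's approach: STARTTLS first if TLS wanted, else probe with NBD_OPT_LIST."""
    if want_tls:
        _, rep, _ = unpack_reply(server.handle(pack_option(NBD_OPT_STARTTLS)))
        return {NBD_REP_ACK: "tls", NBD_REP_ERR_UNSUP: "server too old for TLS",
                NBD_REP_ERR_POLICY: "server policy forbids TLS"}.get(rep, "unexpected reply")
    probe = server.handle(pack_option(NBD_OPT_LIST))
    if probe is not None and unpack_reply(probe)[1] == NBD_REP_ERR_TLS_REQD:
        return "server requires TLS"
    return client_naive(server)
```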