From: "Daniel P. Berrange" <berrange@redhat.com>
To: Alex Bligh <alex@alex.org.uk>
Cc: "nbd-general@lists.sourceforge.net"
<nbd-general@lists.sourceforge.net>, Wouter Verhelst <w@uter.be>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH] Improve documentation for TLS
Date: Thu, 7 Apr 2016 12:51:59 +0100 [thread overview]
Message-ID: <20160407115159.GE19932@redhat.com> (raw)
In-Reply-To: <1460028959-59091-1-git-send-email-alex@alex.org.uk>
On Thu, Apr 07, 2016 at 12:35:59PM +0100, Alex Bligh wrote:
> * Call out TLS into a separate section
>
> * Add details of the TLS protocol itself
>
> * Emphasise that actual TLS session initiation (i.e. the TLS handshake) can
> be initiated from either side (as required by the TLS standard I believe
> and as actually works in practice)
>
> * Clarify what is a requirement on servers, and what is a requirement on
> clients, separately, specifying their behaviour in a single place
> in the document.
>
> * Document the four possible modes of operation of a server.
>
> Signed-off-by: Alex Bligh <alex@alex.org.uk>
> ---
> doc/proto.md | 267 +++++++++++++++++++++++++++++++++++++++++++++++++++--------
> 1 file changed, 234 insertions(+), 33 deletions(-)
> +### Server-side requirements
> +
> +There are four modes of operation for a server. The
> +server MUST support one of these modes.
> +
> +* The server operates entirely without TLS ('NOTLS'); OR
> +
> +* The server makes TLS available (for all exports) and
> + it is available at the option of the client ('OPTIONALTLS'); OR
> +
> +* The server insists upon TLS, and forces the client to
> + upgrade by erroring any NBD options other than `NBD_OPT_STARTTLS`
> + with `NBD_REP_ERR_TLS_REQD` ('FORCEDTLS'); this in practice means
> + that all option negotiation (apart from the `NBD_OPT_STARTTLS`
> + itself) is carried out with TLS; OR
> +
> +* The server provides TLS, and it is mandatory on zero or more
> + exports, and is available at the client's option on all
> + other exports ('SELECTIVETLS'). The server does not force
> + the client to upgrade to TLS during option haggling (as
> + if the client ultimately chose a non-TLS-only export,
> + stopping TLS is not possible). Instead it permits the client
> + to upgrade as and when it chooses, but unless an upgrade to
> + TLS has already taken place, the server errors attempts
> + to enter transmission mode on TLS-only exports, MAY
> + refuse to provide information about TLS-only exports
> + via `NBD_OPT_INFO`, and MAY refuse to provide information
> + about non-existent exports via `NBD_OPT_INFO`.
IMHO, we should not permit what you call OPTIONALTLS or SELECTIVETLS,
because these open possibilities for a MITM to perform downgrade
attacks, where the MITM runs TLS to the real server, but runs no-TLS
to the real client.
Both the QEMU NBD server and NBD clients only implement FORCEDTLS.
ie you tell the client to use TLS and it will refuse to talk to a
server which doesn't support TLS, and you tell the server to use
TLS and it will refuse to talk to a client which does not request
TLS
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2016-04-07 11:52 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-07 11:35 [Qemu-devel] [PATCH] Improve documentation for TLS Alex Bligh
2016-04-07 11:51 ` Daniel P. Berrange [this message]
2016-04-07 12:13 ` Alex Bligh
2016-04-07 12:36 ` Alex Bligh
2016-04-07 15:35 ` Eric Blake
2016-04-07 15:52 ` Alex Bligh
2016-04-07 13:56 ` Daniel P. Berrange
2016-04-07 14:08 ` Alex Bligh
2016-04-09 9:50 ` [Qemu-devel] [Nbd] " Wouter Verhelst
2016-04-09 10:05 ` Alex Bligh
2016-04-09 10:29 ` Wouter Verhelst
2016-04-07 14:33 ` [Qemu-devel] " Eric Blake
2016-04-07 14:31 ` Eric Blake
2016-04-07 14:57 ` Alex Bligh
2016-04-09 9:55 ` [Qemu-devel] [Nbd] " Wouter Verhelst
2016-04-09 10:06 ` Alex Bligh
2016-04-09 9:36 ` Wouter Verhelst
2016-04-09 10:04 ` Alex Bligh
2016-04-09 10:33 ` Wouter Verhelst
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160407115159.GE19932@redhat.com \
--to=berrange@redhat.com \
--cc=alex@alex.org.uk \
--cc=nbd-general@lists.sourceforge.net \
--cc=qemu-devel@nongnu.org \
--cc=w@uter.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).