From: Eric Blake <eblake@redhat.com>
To: Max Reitz <mreitz@redhat.com>, qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, alex@alex.org.uk
Subject: Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that doesn't request TLS
Date: Thu, 14 Apr 2016 15:46:42 -0600 [thread overview]
Message-ID: <57100FC2.5070703@redhat.com> (raw)
In-Reply-To: <571006BC.3070603@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 2109 bytes --]
On 04/14/2016 03:08 PM, Max Reitz wrote:
> On 07.04.2016 22:29, Eric Blake wrote:
>> Upstream NBD is documenting that servers MAY choose to operate
>> in a conditional mode, where it is up to the client whether to
>> use TLS. For qemu's case, we want to always be in FORCEDTLS
>> mode, because of the risk of man-in-the-middle attacks, and since
>> we never export more than one device; likewise, the qemu client
>> will ALWAYS send NBD_OPT_STARTTLS as its first option. But now
>> that SELECTIVETLS servers exist, it is feasible to encounter a
>> (non-qemu) client that does not do NBD_OPT_STARTTLS first, but
>> rather wants to take advantage of the conditional modes it might
>> find elsewhere.
>>
>> Since we require TLS, we are within our rights to drop connections
>> on any client that doesn't negotiate it right away, or which
>> attempts to negotiate it incorrectly, without violating the intent
>> of the NBD Protocol. However, it's better to allow the client to
>> continue trying, on the grounds that maybe the client will get the
>> hint to send NBD_OPT_STARTTLS.
>>
>> Signed-off-by: Eric Blake <eblake@redhat.com>
>> ---
>> +++ b/nbd/server.c
>> @@ -450,9 +450,12 @@ static int nbd_negotiate_options(NBDClient *client)
>>
>> default:
>> TRACE("Option 0x%x not permitted before TLS", clientflags);
>> + if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
>> + return -EIO;
>> + }
>> nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_TLS_REQD,
>> clientflags);
>> - return -EINVAL;
>> + break;
>> }
>
> What about NBD_OPT_EXPORTNAME? The specification says that this option
> does not allow for errors, and so the session must be terminated if this
> option is sent in FORCEDTLS mode without TLS having been negotiated.
Oh, good catch. v2 coming up.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]
prev parent reply other threads:[~2016-04-14 21:46 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-07 20:29 [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that doesn't request TLS Eric Blake
2016-04-07 22:32 ` Alex Bligh
2016-04-14 15:25 ` Eric Blake
2016-04-14 15:43 ` Alex Bligh
2016-04-14 21:08 ` Max Reitz
2016-04-14 21:46 ` Eric Blake [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57100FC2.5070703@redhat.com \
--to=eblake@redhat.com \
--cc=alex@alex.org.uk \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).