Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that d

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that d

From:	Eric Blake
Subject:	Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that doesn't request TLS
Date:	Thu, 14 Apr 2016 15:46:42 -0600
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.1

On 04/14/2016 03:08 PM, Max Reitz wrote:
> On 07.04.2016 22:29, Eric Blake wrote:
>> Upstream NBD is documenting that servers MAY choose to operate
>> in a conditional mode, where it is up to the client whether to
>> use TLS.  For qemu's case, we want to always be in FORCEDTLS
>> mode, because of the risk of man-in-the-middle attacks, and since
>> we never export more than one device; likewise, the qemu client
>> will ALWAYS send NBD_OPT_STARTTLS as its first option.  But now
>> that SELECTIVETLS servers exist, it is feasible to encounter a
>> (non-qemu) client that does not do NBD_OPT_STARTTLS first, but
>> rather wants to take advantage of the conditional modes it might
>> find elsewhere.
>>
>> Since we require TLS, we are within our rights to drop connections
>> on any client that doesn't negotiate it right away, or which
>> attempts to negotiate it incorrectly, without violating the intent
>> of the NBD Protocol.  However, it's better to allow the client to
>> continue trying, on the grounds that maybe the client will get the
>> hint to send NBD_OPT_STARTTLS.
>>
>> Signed-off-by: Eric Blake <address@hidden>
>> ---

>> +++ b/nbd/server.c
>> @@ -450,9 +450,12 @@ static int nbd_negotiate_options(NBDClient *client)
>>
>>              default:
>>                  TRACE("Option 0x%x not permitted before TLS", clientflags);
>> +                if (nbd_negotiate_drop_sync(client->ioc, length) != length) 
>> {
>> +                    return -EIO;
>> +                }
>>                  nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_TLS_REQD,
>>                                         clientflags);
>> -                return -EINVAL;
>> +                break;
>>              }
> 
> What about NBD_OPT_EXPORTNAME? The specification says that this option
> does not allow for errors, and so the session must be terminated if this
> option is sent in FORCEDTLS mode without TLS having been negotiated.

Oh, good catch. v2 coming up.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that doesn't request TLS, Eric Blake, 2016/04/07
- Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that doesn't request TLS, Alex Bligh, 2016/04/07
- Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that doesn't request TLS, Eric Blake, 2016/04/14
  - Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that doesn't request TLS, Alex Bligh, 2016/04/14
- Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that doesn't request TLS, Max Reitz, 2016/04/14
  - Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that doesn't request TLS, Eric Blake <=

Prev by Date: Re: [Qemu-devel] [PATCH for 2.6 1/1] nbd: fix assert() on qemu-nbd stop
Next by Date: [Qemu-devel] [PATCH v2 for-2.6] nbd: Don't kill server on client that doesn't request TLS
Previous by thread: Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't kill server on client that doesn't request TLS
Next by thread: Re: [Qemu-devel] [PATCHv3] Improve documentation for TLS
Index(es):
- Date
- Thread