Received: by 2002:a05:7412:3290:b0:fa:6e18:a558 with SMTP id ev16csp318238rdb; Thu, 25 Jan 2024 17:06:46 -0800 (PST) X-Google-Smtp-Source: AGHT+IFyoHlyP6aTv7ziQhMbohSd8hPWVlNiEMJiuOlPMn8QhrZMCwVl3bhRu+Vym/erf5YSt1Se X-Received: by 2002:a17:902:7d93:b0:1d7:3563:88ef with SMTP id a19-20020a1709027d9300b001d7356388efmr786559plm.99.1706231206145; Thu, 25 Jan 2024 17:06:46 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706231206; cv=pass; d=google.com; s=arc-20160816; b=kSWKt+P9M/zpm1OACmQfus7JUpd+OuQFIZiwOoHfQWP3B2YJuHuo5xIFZ7y6tiKSUK mELOSYZ8evPurdnoQJK8K6r/6rDDhcRj2DuutU2nvKeu0DTXlnXS/WsA7LIEPvFqv9K3 QGJ7xT32F6CV1QxS297kHQKctM2T7bBxJXN9JcLZTE8VTb2T8OHVQjJ/bm4eyikMqGPo EhW3m9yukCTyjDYX/XedkSVTk6XRnaKjou/GU2ateXGg52MhQLke5zJdJi/uU7PyXtTl tV+9QZCkjn9WHeA8j3bbKHt6SMuLJAUifE4Hn/BtAScpH+cthPFnk+J/WzWi9qTEJJZc pMVQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :dkim-signature; bh=fkTWF/7nlW+bzEvFkOp8qCgU92UUZyrc3SYE9aayy4E=; fh=CxYEZyhmxuMoBlSaWkMKbp6EkNoI20ZS1zcQZsFZNE4=; b=CBECI6EIrp3SujDM8xGH0KDLkWN+7op7K5RjX8+N8odf11j43F4YcV1TiTV99qgqt4 EXRoSpys67SY8Z8W3M6B4UE5pCPznQIpT7kRWrg2RmNhrhsV4dJxAjaBh1JxfCdJHwWG Tbi7hKMS2I9RS/8ZM5UM+SSgW3eYkQrY7VE6izV0l5tZJsCevoM5qjJn4M5QyXRhGZqJ vT8thaA5nJlCh4a1/X/k7cAwlbtE4aAnGqFwJF4OxhfTK562HHuJcIzBJUSJJ0jBdsBK S1SW+CJDs10GNMrLV1iuobJ2mL27hQkCC5XEmmfoYNwkRd3GzdAdSGWKKYU6gMRvvykP iy4A== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=dvjzlKnK; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-nfs+bounces-1449-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-nfs+bounces-1449-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id p22-20020a170902b09600b001d6fb87b11csi170115plr.265.2024.01.25.17.06.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Jan 2024 17:06:46 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs+bounces-1449-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=dvjzlKnK; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-nfs+bounces-1449-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-nfs+bounces-1449-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 822DEB229DD for ; Fri, 26 Jan 2024 01:05:56 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 22B3638C; Fri, 26 Jan 2024 01:05:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="dvjzlKnK" X-Original-To: linux-nfs@vger.kernel.org Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com [209.85.208.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 62045387 for ; Fri, 26 Jan 2024 01:05:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706231154; cv=none; b=Iz+7eXt9sJ+yaFbDWP/ZGP7hCF7xn22DUs9IJIc/7dQzo7xaYf96nTqR5WyIXdbUOrCl39/NadqaSq1NNrwmyIMxE/s+zHtvxCs7e6dbep+mvshMmKHHDzrHjsDj07ZsR+afLdPWxRwh1+zCBoXnFvtGZEpA07wQitF0mJtYc9I= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706231154; c=relaxed/simple; bh=9DmY/5ilPtRdFKrXsl0XOQZwbjhlnMMXpdaHCd8JAhU=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=U4brM+doPI8vFMIp7+fDvt6USGlOyHBEwFlb3B8hzUD05WaXQVSb5tftOyS/Rp98HZ07/PrsVokAh1HViCwh9t888h6QpP4ME4M7I+PO82XqDiYAZQM1zSc7ph97NTzlJpn/YKKI27Y7E7RgCXXhxx1zE1d8LfJFlX+Fcb7pMrs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=dvjzlKnK; arc=none smtp.client-ip=209.85.208.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-lj1-f172.google.com with SMTP id 38308e7fff4ca-2cf3ea86423so11490711fa.1 for ; Thu, 25 Jan 2024 17:05:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706231150; x=1706835950; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fkTWF/7nlW+bzEvFkOp8qCgU92UUZyrc3SYE9aayy4E=; b=dvjzlKnKgaZTZ74LM5D2xsA6FUBV1hhLw9qM4AB+Uq0yvykjXC8IbTrdhW2rsNIuCt z/8cflQ5memPUdcHE01bZG+y7gcPxIi/psnt38OTW5xaWfG4+hoxTAnYRZpIgkc4fWSO TswYmGR+zv6OY2K12CsCTOgd0K1kRBIz/MUvVv24RcV2ETEhGYbEho4CNJHzx7dJ8T0V GZKAcirLcibczPQ2XFxTXpMuGWjuqWKxSxHQFNsdauKUYJIA6OmgnDRsT5cGpbXky2np 46bVNEyBoSTsfv4B23CjoTZSVZ3kaAZ4So+dWdWxFsYmEpZzWq2z3OkGY0hQ37McO/Ph isng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706231150; x=1706835950; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fkTWF/7nlW+bzEvFkOp8qCgU92UUZyrc3SYE9aayy4E=; b=xHeIBzcN4T1F2//Wtys57xE7qJ6tcT9KwKcm8I4LH7TkSH4jXDX5QHDlbd0jL3wkla VrGgt278IxUnxTYEEVVPx4U0UOs2x56IanVDNmFCECkJsyGrhKT4QXfWn1G5GtY4fzzg w0y4R9bNODmOFZO4Z0L0RUCOP51UjUorwrsXUm4l/x91Yi/IVu0GSxROU6WDWVy4hoCs GFKXfE+DvIfyTcoEDufGvw6aqKSR30yb0F+AIzaRD8xEdFfbUlheYOc7cRbEjMyDaHKL C9JodksoJ9D5oC5v9mBdD+odZ0Bkq9Yn08P8Dyt1CFeQiiqUoHJiqLmtzDVbiiSIEL85 0w0g== X-Gm-Message-State: AOJu0YzIClAoEM2bCCEJQ3QX7a3Rwd4w9nwdoOMpJOUgVl90jkOHBudw cVmnbb/8ApI9gOCshHxaZDLpfHy/TUiY22fDPqL/uFxpnNd2ZdzllqeMwNigpMzD6/8f8JVzvEf mr7JSBdrnmZxVMhTI5isxyQ7biQk= X-Received: by 2002:a2e:a715:0:b0:2ce:19d:2118 with SMTP id s21-20020a2ea715000000b002ce019d2118mr230974lje.6.1706231150142; Thu, 25 Jan 2024 17:05:50 -0800 (PST) Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <96A320F4-AFC1-4DD9-8D5D-784F13DE94D4@redhat.com> In-Reply-To: <96A320F4-AFC1-4DD9-8D5D-784F13DE94D4@redhat.com> From: Dan Shelton Date: Fri, 26 Jan 2024 02:05:23 +0100 Message-ID: Subject: Re: Implement NFSv4 TLS support with /usr/bin/openssl s_client? To: Benjamin Coddington Cc: Jeff Layton , Linux NFS Mailing List Content-Type: text/plain; charset="UTF-8" On Thu, 25 Jan 2024 at 22:11, Benjamin Coddington wrote: > > On 25 Jan 2024, at 15:37, Jeff Layton wrote: > > > On Thu, 2024-01-25 at 03:21 +0100, Dan Shelton wrote: > >> Hello! > >> > >> Is it possible for a NFSv4 client to implement TLS support via > >> /usr/bin/openssl s_client? > >> > >> /usr/bin/openssl s_client would do the connection, and a normal > >> libtirpc client would connect to the other side of s_client. > >> > >> Does that work? > >> > >> Dan > > > > Doubtful. RPC over TLS requires some cleartext setup before TLS is > > negotiated. At one time Ben Coddington had a proxy based on nginx that > > could handle the TLS negotiation, but I think that might have been based > > on an earlier draft of the spec. It would probably need some work to be > > brought up to the state of the RFC. > > Yeah, its' a little bit rotted. Wasn't super fresh to begin with, but it > did help bootstrap some implementation. > > You could also modify openssl to be aware of the clear text, something like: > https://github.com/bcodding/openssl/commit/9bf2c4d66eacccd3530fb2f3a0a6c87d5878348c > > .. but I think you're definitely in "what are you really trying to do?" territory. For example legacy NFSv4 client add-on? You cannot expect that everyone can or will update to the latest and greatest version, so either you have clients without TLS, which is a security risk, or have a way to retrofit them. Dan -- Dan Shelton - Cluster Specialist Win/Lin/Bsd