X-Mailing-List: linux-nfs@vger.kernel.org
From: Cedric Blancher
Date: Fri, 26 Jan 2024 08:22:00 +0100
Subject: Re: Implement NFSv4 TLS support with /usr/bin/openssl s_client?
To: Jeff Layton
Cc: Dan Shelton, Linux NFS Mailing List, Benjamin Coddington

On Thu, 25 Jan 2024 at 21:44, Jeff Layton wrote:
>
> On Thu, 2024-01-25 at 03:21 +0100, Dan Shelton wrote:
> > Hello!
> >
> > Is it possible for a NFSv4 client to implement TLS support via
> > /usr/bin/openssl s_client?
> >
> > /usr/bin/openssl s_client would do the connection, and a normal
> > libtirpc client would connect to the other side of s_client.
> >
> > Does that work?
> >
> > Dan
>
> Doubtful. RPC over TLS requires some cleartext setup before TLS is
> negotiated. At one time Ben Coddington had a proxy based on nginx that
> could handle the TLS negotiation, but I think that might have been based
> on an earlier draft of the spec. It would probably need some work to be
> brought up to the state of the RFC.

What about libtirpc-based apps? Is anyone going to add TLS support to
libtirpc?

Ced
--
Cedric Blancher
[https://plus.google.com/u/0/+CedricBlancher/]
Institute Pasteur
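
The cleartext setup mentioned in the quoted reply, shown as an added example that is not part of the original thread or of any project's code: in RPC-with-TLS (RFC 9289) the client first sends a plaintext NULL call with credential flavor AUTH_TLS and starts the TLS handshake only after the server answers with a STARTTLS verifier, which a wrapper that sends its ClientHello immediately never does. The function names, the xid and the sample reply are constructed for illustration; the constants are those of RFC 5531 and RFC 9289.

```python
import struct

AUTH_NONE, AUTH_TLS = 0, 7            # RFC 9289 assigns flavor 7 to AUTH_TLS
CALL, REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0
NFS_PROGRAM, NFS_V4, PROC_NULL = 100003, 4, 0
LAST_FRAGMENT = 0x80000000            # top bit of the TCP record mark

def record(payload):
    """Wrap one RPC message in a single-fragment record mark (RFC 5531)."""
    return struct.pack(">I", LAST_FRAGMENT | len(payload)) + payload

def opaque_auth(flavor, body=b""):
    """XDR opaque_auth: flavor, length, body padded to a 4-byte boundary."""
    return struct.pack(">II", flavor, len(body)) + body + b"\0" * (-len(body) % 4)

def build_probe(xid):
    """Cleartext NULL call: AUTH_TLS credential, AUTH_NONE verifier."""
    head = struct.pack(">IIIIII", xid, CALL, 2, NFS_PROGRAM, NFS_V4, PROC_NULL)
    return record(head + opaque_auth(AUTH_TLS) + opaque_auth(AUTH_NONE))

def build_starttls_reply(xid):
    """Constructed sample of the reply a TLS-capable server sends."""
    head = struct.pack(">III", xid, REPLY, MSG_ACCEPTED)
    return record(head + opaque_auth(AUTH_NONE, b"STARTTLS")
                  + struct.pack(">I", SUCCESS))

def server_offers_tls(reply, xid):
    """True only for an accepted reply whose verifier body is STARTTLS."""
    if len(reply) < 4:
        return False
    (mark,) = struct.unpack_from(">I", reply, 0)
    msg = reply[4:4 + (mark & 0x7FFFFFFF)]
    if len(msg) < 20:
        return False
    rxid, mtype, stat, flavor, vlen = struct.unpack_from(">IIIII", msg, 0)
    if (rxid, mtype, stat, flavor) != (xid, REPLY, MSG_ACCEPTED, AUTH_NONE):
        return False
    end = 20 + vlen + (-vlen % 4)     # accept_stat follows the padded verifier
    if len(msg) < end + 4:
        return False
    (accept_stat,) = struct.unpack_from(">I", msg, end)
    return msg[20:20 + vlen] == b"STARTTLS" and accept_stat == SUCCESS

if __name__ == "__main__":
    xid = 0x1234                      # constructed transaction id
    print(build_probe(xid).hex())
    # Only after this check passes may the client send its TLS ClientHello.
    print(server_offers_tls(build_starttls_reply(xid), xid))
```

A server without TLS support answers the same probe with an empty AUTH_NONE verifier (or rejects the flavor), so the check returns False and the client must not start a handshake on that connection.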