Received: by 2002:ab2:6309:0:b0:1fb:d597:ff75 with SMTP id s9csp711241lqt; Thu, 6 Jun 2024 16:53:55 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVK2mTRsnlmY3IOrr2WgPXark/6GXy0xBO9QzVVVTkaH5nF4oYAxTi8MtFjHIkj7p7nHehVuQnl5bIjcE2xX8yF+iFjCgyhJWRIpNzjoA== X-Google-Smtp-Source: AGHT+IEY+qBrkX5Ontp44Evspq8s9x/AS9ouBVo7z8yTRdanTfwpLoi0cqxmJ/D2v7CbtI9MEBR3 X-Received: by 2002:a17:903:24e:b0:1f4:698b:7a0b with SMTP id d9443c01a7336-1f6d02bebdfmr13702125ad.8.1717718035647; Thu, 06 Jun 2024 16:53:55 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717718035; cv=pass; d=google.com; s=arc-20160816; b=YBvlGojYTwXma85dki9VdXoQ1eNsuoxssGnPk6x+iQs6HB1HQ9FzUbACwmeksoi4Ns jn4T2460SNgkgBosZjUBg6uLKCGKpdKon8bcUuNKK4tKLCQxPT+unTBIxZus/9egtUM/ WB6TrGHSkoqaqCl1XPoAYiOsIHOhu3hr2IXBFSsW0leGXHLgb9Y1suAWYDrryfbFmy+x ImSH0oVLyTycbwFaFmaQm2n3AM8R6qJmQvprgdAz44Vva+FdeMiqWlubJaIsXvmlvrwK FzzEkU8qYHkZAi7z0YE1A7j627cCeqoujcRN/GV/MVwmyyaxuD/l+kCWK90Q5+ybdd/i k9uA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:dkim-signature; bh=axo9BzJIrL8gWIw0K7sD90OAhBGpwB5fj0TKWcQq1W0=; fh=A3pMOUK00huGibGCZBFsLekFLVbB5hHGKjUNNKwO+5E=; b=qqnqaeqmwVcsS+Iqu6XPknvkHikCEjnr+E6Oiq9kATr1tBU2GKKfLbjQ7KH7oECQXX 5Knnh4ZsLAMeNPYy4OdRr1nVUcleL+66X10YVlShaQ+AHCmUVBfoxeByPheo6YLkralS 0UlFLO7ZtrxjKJb/puDHeSaGz5ZFb/sbYomnSj3F1IDKAoUbNn00LD/Wo1d6KP9Ezy+W XhUsOSHFFoIUOJa+Uwet3oKcdKpXei8LRjssMov4sHfuOKQo3F36l0gj0tGVW0f6R9v9 r2b/kjza3dFax1oK4BqJ42qqnWWdrCJALlV+yTI/gsI+Q0YI0eFt1vxmaL46WLADDyiW zIYA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=HLIrHX0A; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-nfs+bounces-3575-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-nfs+bounces-3575-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id d9443c01a7336-1f6bd7f4d61si6868325ad.518.2024.06.06.16.53.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 06 Jun 2024 16:53:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs+bounces-3575-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=HLIrHX0A; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-nfs+bounces-3575-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-nfs+bounces-3575-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 1A6BB2831C3 for ; Thu, 6 Jun 2024 23:53:55 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id BC16371B5B; Thu, 6 Jun 2024 23:53:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="HLIrHX0A" X-Original-To: linux-nfs@vger.kernel.org Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 10BA113E8BE for ; Thu, 6 Jun 2024 23:53:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717718033; cv=none; b=KfebUrMoPZRE9xWDpA65jAPB+xLt9WK78k5FF3Cb7g0HXXxcmJvLMFDiuhiJ/pZeFl/nqXEUIxa4/tVMdUMJvCpJrT2kKS4E0BnInDLa4+uj75rqCvaNn0qoqmSzhHFbcH0JHs/HWz5agtZfvQCB5kHfcaO624NPUNbvQ7SpdPk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717718033; c=relaxed/simple; bh=IZBFjgzGGNHMCkmn/RBji5sawPu6HSlQ37CwOI9JZIo=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Content-Type; b=WaAP054gHhpgXk7owvd4uexzAyaPAeEGCLjGNBGT8PI/hHeF0Lt3QDWaXvYIV3lejVBidjF0ck2aGRHvk9AB22pLXY2n9yVil9f5ib3K+EM/6sJ6ufabPnNAM9f45RUfG8saYdRfTBN79LTul7LG9npILpohToojdYT/1W0RLnc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=HLIrHX0A; arc=none smtp.client-ip=209.85.167.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-lf1-f51.google.com with SMTP id 2adb3069b0e04-52b90038cf7so2300538e87.0 for ; Thu, 06 Jun 2024 16:53:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1717718030; x=1718322830; darn=vger.kernel.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=axo9BzJIrL8gWIw0K7sD90OAhBGpwB5fj0TKWcQq1W0=; b=HLIrHX0AVm5IjW7AHeO8AlO2pFTc1W/NiNcgapDoC9V2EEljSSPnoN182MNe5sBXFj w6DA4CGesYqFRAZoxbql2mOD8zn47jdvciT4P0Yift4CW5glrIsLZdEvCihpr4joJq1c CAeu3GAZdmF1jQ/COEJHKSw3GsX82sNvY/16cH/K3kWOaRaQvgsC2MPR4cch24czHD9i iX1zta/8WOcMUaeagaDTu1BBz1CaIZgN5OlcX9Q0XduTURiC7bydJZifmYquROZKReK4 olZVXQH2118wigxscVSDpUglmaPWLxcxouubIP/ZLEkAzHRbT5PT4RLVlHng0m8owCRR iJ/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717718030; x=1718322830; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=axo9BzJIrL8gWIw0K7sD90OAhBGpwB5fj0TKWcQq1W0=; b=RSf2YQ+UCMlUEZxnQW1A5GDHD6HDnmKJ4Rps9DXQzPoIt1p1RSEa1yo6g1F9zu2OII BlZHKY5aewy3yVe6ida1yWb0+7BAKbGvfh04zpG24mKyQMylNu3GwJCw/uJoiiiR4RFq emDtlE/SBrG4Wq+MnlRS+QMuBFOvDxOX+IPDZhRxqs/d4T4OXdq93pySmnrWAPnMNzUQ DbOs3OIg8SlUsRmg77Sy9IS2eP5j88kEGlaVqD+tVwIsDVv+nCyvMFQK2EFKh5Pkz3yL f96iWfMDmml98VX0DKa1dF0jSTXlJg0YUoAXjcUoOkXsNUKA4yjan2kvY/4MvafBDRKj 5Dxg== X-Gm-Message-State: AOJu0Ywyveq0Na6KMAb6XSaNhcpv5w8kvaNAgnOo90oNI43JzUFSzZEl AFW2+TYjKZq3o27OeTGUu5zXe+eg5b2kEbUkU607g/jAjTud1pFcG2kW4cns3oWbwNDPqQQHjLt p3XoWAAH5fezbULPBaeyIumeye595Z7Ma X-Received: by 2002:a05:6512:3d8f:b0:529:adb8:dfc9 with SMTP id 2adb3069b0e04-52bb9fd2a20mr694318e87.66.1717718029767; Thu, 06 Jun 2024 16:53:49 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <96A320F4-AFC1-4DD9-8D5D-784F13DE94D4@redhat.com> In-Reply-To: From: Dan Shelton Date: Fri, 7 Jun 2024 01:53:23 +0200 Message-ID: Subject: Re: Implement NFSv4 TLS support with /usr/bin/openssl s_client? To: Linux NFS Mailing List Content-Type: text/plain; charset="UTF-8" On Fri, 26 Jan 2024 at 02:05, Dan Shelton wrote: > > On Thu, 25 Jan 2024 at 22:11, Benjamin Coddington wrote: > > > > On 25 Jan 2024, at 15:37, Jeff Layton wrote: > > > > > On Thu, 2024-01-25 at 03:21 +0100, Dan Shelton wrote: > > >> Hello! > > >> > > >> Is it possible for a NFSv4 client to implement TLS support via > > >> /usr/bin/openssl s_client? > > >> > > >> /usr/bin/openssl s_client would do the connection, and a normal > > >> libtirpc client would connect to the other side of s_client. > > >> > > >> Does that work? > > >> > > >> Dan > > > > > > Doubtful. RPC over TLS requires some cleartext setup before TLS is > > > negotiated. At one time Ben Coddington had a proxy based on nginx that > > > could handle the TLS negotiation, but I think that might have been based > > > on an earlier draft of the spec. It would probably need some work to be > > > brought up to the state of the RFC. > > > > Yeah, its' a little bit rotted. Wasn't super fresh to begin with, but it > > did help bootstrap some implementation. > > > > You could also modify openssl to be aware of the clear text, something like: > > https://github.com/bcodding/openssl/commit/9bf2c4d66eacccd3530fb2f3a0a6c87d5878348c > > > > .. but I think you're definitely in "what are you really trying to do?" territory. > > For example legacy NFSv4 client add-on? You cannot expect that > everyone can or will update to the latest and greatest version, so > either you have clients without TLS, which is a security risk, or have > a way to retrofit them. Is there a public NFSv4.1 server with TLS enabled, which I can use to test whether openssl with https://github.com/bcodding/openssl/commit/9bf2c4d66eacccd3530fb2f3a0a6c87d5878348c can be used to plug in older clients? Dan -- Dan Shelton - Cluster Specialist Win/Lin/Bsd