Re: [Nbd] [PATCH 00/15] Implement TLS support to QEMU NBD server & client
- To: "Daniel P. Berrange" <berrange@...696...>
- Cc: Paolo Bonzini <pbonzini@...696...>, qemu-devel@...530..., qemu-block@...530...
- Subject: Re: [Nbd] [PATCH 00/15] Implement TLS support to QEMU NBD server & client
- From: Wouter Verhelst <w@...112...>
- Date: Wed, 2 Dec 2015 13:56:30 +0100
- Message-id: <20151202125630.GA9734@...3...>
- In-reply-to: <1448626853-27450-1-git-send-email-berrange@...696...>
- References: <1448626853-27450-1-git-send-email-berrange@...696...>
Hi Daniel,

Something occurred to me earlier today:

On Fri, Nov 27, 2015 at 12:20:38PM +0000, Daniel P. Berrange wrote:
> As is, if the client connects to a TLS enabled NBD server and then
> immediately sends NBD_OPT_EXPORT_NAME, it is not possible for us
> to send back NBD_REP_ERR_TLS_REQD as the spec requires that the
> server close the connection :-( For this reason I have made the
> qemu NBD client always send NBD_OPT_LIST as the first thing it
> does, so that we can see the NBD_REP_ERR_TLS_REQD response.

Why not have it send NBD_OPT_STARTTLS as the first message if you want
to do TLS? That way, either the server doesn't support it because too
old (and you get NBD_REP_ERR_UNSUP) or configuration (and you get
NBD_REP_ERR_POLICY), or it does and you're in TLS.

Did I miss something?

--
It is easy to love a country that is famous for chocolate and beer
-- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
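
The STARTTLS-first exchange discussed in this message, as an added example (not code from the thread, from QEMU or from the nbd project): it builds the NBD_OPT_STARTTLS request and maps the server's option reply to the client's next step. The wire values are taken from the NBD protocol document; `enum tls_next` and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
/* Wire values from the NBD protocol document (fixed newstyle negotiation). */
#define NBD_OPTS_MAGIC     0x49484156454F5054ULL /* "IHAVEOPT" */
#define NBD_REP_MAGIC      0x0003e889045565a9ULL
#define NBD_OPT_STARTTLS   5u
#define NBD_REP_ACK        1u
#define NBD_REP_ERR_UNSUP  0x80000001u
#define NBD_REP_ERR_POLICY 0x80000002u

/* Hypothetical names for what the client does next. */
enum tls_next { TLS_HANDSHAKE, TLS_UNSUPPORTED, TLS_REFUSED, TLS_PROTO_ERROR };

static void put_be(uint8_t *p, uint64_t v, int n) {
    for (int i = n - 1; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}
static uint64_t get_be(const uint8_t *p, int n) {
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}
/* Option request: magic(8) option(4) length(4); STARTTLS carries no data. */
void build_starttls(uint8_t out[16]) {
    put_be(out, NBD_OPTS_MAGIC, 8);
    put_be(out + 8, NBD_OPT_STARTTLS, 4);
    put_be(out + 12, 0, 4);
}

/* Option reply header: magic(8) option(4) type(4) length(4). */
enum tls_next classify_reply(const uint8_t *buf, size_t len) {
    if (len < 20 || get_be(buf, 8) != NBD_REP_MAGIC) return TLS_PROTO_ERROR;
    if (get_be(buf + 8, 4) != NBD_OPT_STARTTLS) return TLS_PROTO_ERROR;
    switch ((uint32_t)get_be(buf + 12, 4)) {
    case NBD_REP_ACK:        return get_be(buf + 16, 4) == 0 ? TLS_HANDSHAKE : TLS_PROTO_ERROR;
    case NBD_REP_ERR_UNSUP:  return TLS_UNSUPPORTED; /* server too old */
    case NBD_REP_ERR_POLICY: return TLS_REFUSED;     /* disabled by configuration */
    default:                 return TLS_PROTO_ERROR;
    }
}

/* Classify a constructed reply header (sample input, not a capture). */
enum tls_next classify_sample(uint32_t opt, uint32_t type) {
    uint8_t rep[20];
    put_be(rep, NBD_REP_MAGIC, 8); put_be(rep + 8, opt, 4);
    put_be(rep + 12, type, 4);     put_be(rep + 16, 0, 4);
    return classify_reply(rep, sizeof rep);
}

int main(void) { return classify_sample(NBD_OPT_STARTTLS, NBD_REP_ACK) != TLS_HANDSHAKE; }
```

A client configured to require TLS would treat every result other than `TLS_HANDSHAKE` as fatal and close the connection rather than continue negotiating in cleartext.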