On 04/06/2016 07:37 AM, Alex Bligh wrote: >>From the proto.md: > >> NBD_REP_ERR_TLS_REQD (2^31 + 5) >> >> The server is unwilling to continue negotiation unless TLS is negotiated first. A server MUST NOT send this error if it has one or more exports that do not require TLS; not even if the client indicated interest (by way of NBD_OPT_PEEK_EXPORT) in an export which requires TLS. >> >> If this reply is used, servers SHOULD send it in reply to each and every unencrypted NBD_OPT_* message (apart from NBD_OPT_STARTTLS). > > I think the last SHOULD is wrong and should be deleted. > > Firstly, this implies a server should reply with NBD_REP_ERR_TLS_REQD even before it knows the client even supports TLS. That's wrong. It even implies the server should sent it even if *it* doesn't support TLS. > > Secondly, even if by magic the server somehow knows that the client supports TLS, and it supports TLS too, it makes it impossible for a server to serve both TLS and non-TLS exports as it would force the client to negotiate TLS to process (say) NBD_OPT_LIST, and there's then no way of un-negotiating TLS. > > I think this should thus be deleted. Or at least modified; the earlier sentence is nicer ("A server MUST NOT send this error if it has one or more exports that do not require TLS"). My understanding of the situation: there are three server configurations (no TLS support, mixed, and only TLS support), and two guest configurations (plaintext, TLS): - Server has no exports that require TLS: - server MUST NOT use NBD_REP_ERR_TLS_REQD on any option request - server MUST send failure (NBD_REP_ERR_UNSUP or NBD_REP_ERR_POLICY) if client sends NBD_OPT_STARTTLS - client is forced to use plaintext, even if it knows TLS - Server has mixed setup (some exports require TLS, some do not) - server MUST NOT use NBD_REP_ERR_TLS_REQD on any option request except for NBD_OPT_INFO or NBD_OPT_GO on an export that requires TLS (or rather, if the export name is not plaintext) - server MUST NOT use NBD_REP_ERR_TLS_REQD after successful NBD_OPT_STARTTLS - client MAY use plaintext for an export that does not require TLS - client MAY use NBD_OPT_STARTTLS to switch to TLS to be able to access remaining exports - server SHOULD NOT make an export be plaintext-only (but maybe there's a corner case where it happens, so I did not use MUST NOT) - Server requires TLS support - server MUST use NBD_REP_ERR_TLS_REQD on any option request except NBD_OPT_STARTTLS, if TLS is not negotiated yet - server MUST NOT use NBD_REP_ERR_TLS_REQD after successful NBD_OPT_STARTTLS - client that does not know TLS will be unable to connect - client that knows TLS MUST negotiate TLS before doing anything else useful -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature