Re: [Nbd] [PATCH/RFC 0/3] Introduce TLS on nbdserver

Wouter,

I had a bit more of a think about this.

On 11 Apr 2016, at 07:07, Wouter Verhelst <w@...112...> wrote:

> I'm going to reply to this series in more detail later (have to go to
> work soon), but some quick notes for now:
> 
> - I'm not sure I like the idea of having a proxy to do TLS *at the
>  server side*, although I do agree that there's an upside of "more
>  shared code with client". To be discussed (and I have some more
>  thoughts on this that I don't currently have the time to write down).

Doing it without a proxy server side is actually going to be a
pretty extensive change. It's not only wrapping read() etc., but
being aware of the different semantics of the TLS library.
GnuTLS is (fortunately) far less difficult than openssl here,
but this is a large task. It could be done, but isn't for the
faint-hearted. The advantage of the (very symmetrical) proxy
is we only have one bit of code to debug.

Anyway, happy to discuss. Perhaps this is a first step.

> - The check for GnuTLS in configure.ac should probably be done after the
>  AC_PROG_* checks (you shouldn't check for a library before you've
>  checked for the compiler etc),

I've moved it to later in v2.

> and should probably use
>  PKG_CHECK_MODULES rather than AC_CHECK_LIB.

Not sure that's a great idea. This introduces a dependency
on pkg-config which (as far as I can tell) doesn't currently
exist. I'm not sure what pkg-config would buy us here, and
a quick google suggests there's plenty of use of
GnuTLS in configure.ac without PKG_CHECK_MODULES. I haven't
done this one.

> - I prefer using an AM_CONDITIONAL to compile certain features
>  conditionally over using an #ifdef for an entire file.

Done in v2.

-- 
Alex Bligh
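For readers following the build-system part of this exchange, here is a configure.ac and Makefile.am fragment that puts the three points into one place: the GnuTLS probe runs only after the AC_PROG_* checks, PKG_CHECK_MODULES is offered with an AC_CHECK_LIB fallback so that pkg-config does not become a hard dependency, and the optional source file is selected through AM_CONDITIONAL instead of an #ifdef around the whole file. This is an added illustration, not code from the nbd patch series or the nbd project; the option name, the WITH_TLS_PROXY conditional, the tlsproxy.c file name and the version constraint are assumptions chosen for the example.

```m4
dnl ---- configure.ac (added example; names and version bound are assumptions) ----
AC_INIT([nbd-example], [0.1])
AM_INIT_AUTOMAKE([foreign])

dnl Toolchain checks come first, so library probes use the real compiler.
AC_PROG_CC
AC_PROG_INSTALL

dnl Optional TLS proxy; enabled by default, can be switched off explicitly.
AC_ARG_ENABLE([tls-proxy],
  [AS_HELP_STRING([--disable-tls-proxy], [build without the TLS proxy])],
  [], [enable_tls_proxy=yes])

have_gnutls=no
AS_IF([test "x$enable_tls_proxy" = "xyes"], [
  dnl Preferred: pkg-config supplies GNUTLS_CFLAGS/GNUTLS_LIBS. The fourth
  dnl argument also runs when pkg-config itself is not installed, so the
  dnl plain library probe below keeps the build working without it.
  PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [have_gnutls=yes], [
    AC_CHECK_LIB([gnutls], [gnutls_global_init],
      [have_gnutls=yes; GNUTLS_LIBS="-lgnutls"],
      [AC_MSG_WARN([GnuTLS not found; building without the TLS proxy])])
  ])
])
AC_SUBST([GNUTLS_CFLAGS])
AC_SUBST([GNUTLS_LIBS])

dnl Drive the optional file from an Automake conditional rather than
dnl wrapping the whole source file in #ifdef; the define is still exported
dnl for the few call sites that need to know the proxy exists.
AM_CONDITIONAL([WITH_TLS_PROXY], [test "x$have_gnutls" = "xyes"])
AS_IF([test "x$have_gnutls" = "xyes"],
  [AC_DEFINE([WITH_TLS_PROXY], [1], [Define if the TLS proxy is built])])

AC_CONFIG_FILES([Makefile])
AC_OUTPUT

# ---- Makefile.am (Automake syntax, same added example) ----
# bin_PROGRAMS = nbd-server
# nbd_server_SOURCES = nbd-server.c
# if WITH_TLS_PROXY
# nbd_server_SOURCES += tlsproxy.c
# nbd_server_CFLAGS = $(GNUTLS_CFLAGS)
# nbd_server_LDADD = $(GNUTLS_LIBS)
# endif
```

The Makefile.am portion is shown commented out only because the two files share one listing; in a real tree it lives in its own file. With this layout a build on a host without GnuTLS still completes, tlsproxy.c is simply never compiled, and the configure output states why.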