Wouter,

> On 8 Nov 2016, at 23:39, Wouter Verhelst <w@...112...> wrote:
>
> Hi folks,
>
> The STARTTLS implementation in nbd-server is almost ready. Still TODO:
>
> - Interoperability testing against qemu (yes, yes, I said I'd do that
>   earlier, but hey)
> - Client certificate validation
> - Enforcing TLS1.2 by default
> - Allowing versions of GnuTLS older than 3.3

I think we should do at least the last of those prior to release because it will stop nbd compiling on several distros otherwise. The change is pretty simple I think - and even if it's not it's already done for you in my proxy code.

Not sure whether you are suggesting the release should wait for that or not (as "Other than that I think we're good" implies yes, "I think it's time to release" implies no).

My preference would be to wait until the above are fixed (and I need to apologise as I said I'd do qemu interop testing too and didn't), but if not, we should at least fix the last and mark TLS support as beta.

I have one bug filed against my proxy code (obscure error handling issue) I have been procrastinating looking at. I will copy that over if it needs fixing.

> Other than that, I think we're good.
>
> Alex: I pulled the nbd-client and nbd-tester-client implementation from
> your 'add-tls-support' branch, and it seems to work well; at the very
> least, the current implementation passes the test suite. Man page
> updates have been written too. I've had to make a few small changes to
> make it work on current git HEAD, but most of it is pretty much
> unchanged from your code.

Yup. On the server side, there is still one reference to tls_dir in the man page (whereas the remainder shows it has similar parameters to the client). The man page also refers to client certificate checking (which is correct - it just needs implementing and testing).

> In total, there's 80 commits since 3.14 up to current master, a number
> of new features (multiple connections, STARTTLS, splice), and a few bug
> fixes.
>
> I think it's time to release.

TLS bits aside, I agree, though https://github.com/NetworkBlockDevice/nbd/issues/35 is a bit annoying.

--
Alex Bligh