[Nbd] doc/proto.md: TLS question

To: nbd-general@lists.sourceforge.net
Subject: [Nbd] doc/proto.md: TLS question
From: Alex Bligh <alex@...872...>
Date: Wed, 6 Apr 2016 14:37:07 +0100
Message-id: <AA5BB2F4-E122-4372-9121-95FA94A48AB2@...872...>

>From the proto.md:

> NBD_REP_ERR_TLS_REQD (2^31 + 5)
> 
> The server is unwilling to continue negotiation unless TLS is negotiated first. A server MUST NOT send this error if it has one or more exports that do not require TLS; not even if the client indicated interest (by way of NBD_OPT_PEEK_EXPORT) in an export which requires TLS.
> 
> If this reply is used, servers SHOULD send it in reply to each and every unencrypted NBD_OPT_* message (apart from NBD_OPT_STARTTLS).

I think the last SHOULD is wrong and should be deleted.

Firstly, this implies a server should reply with NBD_REP_ERR_TLS_REQD even before it knows the client even supports TLS. That's wrong. It even implies the server should sent it even if *it* doesn't support TLS.

Secondly, even if by magic the server somehow knows that the client supports TLS, and it supports TLS too, it makes it impossible for a server to serve both TLS and non-TLS exports as it would force the client to negotiate TLS to process (say) NBD_OPT_LIST, and there's then no way of un-negotiating TLS.

I think this should thus be deleted.

-- 
Alex Bligh

Reply to:

Follow-Ups:
- Re: [Nbd] doc/proto.md: TLS question
  - From: Eric Blake <eblake@...696...>
- Re: [Nbd] doc/proto.md: TLS question
  - From: Wouter Verhelst <w@...112...>

Prev by Date: Re: [Nbd] [Qemu-devel] Is NBD_CMD_FLAG_FUA valid during NBD_CMD_FLUSH?
Next by Date: Re: [Nbd] [Qemu-devel] Is NBD_CMD_FLAG_FUA valid during NBD_CMD_FLUSH?
Previous by thread: Re: [Nbd] [PATCH] doc/proto.md: NBD_OPT_STARTTLS cannot be used twice
Next by thread: Re: [Nbd] doc/proto.md: TLS question
Index(es):
- Date
- Thread