Re: [Nbd] doc/proto.md: TLS question
- To: Wouter Verhelst <w@...112...>
- Cc: "nbd-general@lists.sourceforge.net" <nbd-general@lists.sourceforge.net>
- Subject: Re: [Nbd] doc/proto.md: TLS question
- From: Alex Bligh <alex@...872...>
- Date: Wed, 6 Apr 2016 22:04:52 +0100
- Message-id: <5C45717D-1736-4F35-8EF5-649CD6737EFE@...872...>
- In-reply-to: <20160406194941.GA22415@...3...>
- References: <AA5BB2F4-E122-4372-9121-95FA94A48AB2@...872...> <20160406183201.GA14152@...3...> <AC38E144-1D9E-48C3-822F-AE25CF0296AC@...872...> <20160406194941.GA22415@...3...>
Wouter,
>>>
>>>> I think this should thus be deleted.
>>>
>>> No, it must stay.
>>>
>>> There's currently no way to detect whether a particular export supports
>>> TLS. If the client wants to connect to an export that the server only
>>> exports through TLS, then the server must drop the connection upon
>>> NBD_OPT_EXPORT_NAME. This is part of why we need INFO/GO.
>>>
>>> INFO/GO modifies TLS_REQD in that it makes it legal for TLS_REQD to be
>>> sent as an error reply *for those two requests* if a particular export
>>> requires TLS but another one does not. Once the INFO extension is no
>>> longer experimental, the above-quoted language will indeed need to be
>>> changed, but for now a server can only send it in the "I don't do no
>>> steenking cleartext" case, and then that language is correct.
>>
>> Mmmm... I think it could be 'improved' then :-)
>
> That isn't something I'm opposed to :-)
OK, I'll have a go. Something there also mentions NBD_PEEK_EXPORT,
I think, so I'll fix that too.
--
Alex Bligh
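
The server-side decision described in the quoted text above, as an added example that is not part of the original message or of the nbd code base. The numeric option and reply codes are those in the current doc/proto.md; `tls_gate`, `reply_type` and the `action` enum are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Option and reply codes as listed in doc/proto.md. */
#define NBD_OPT_EXPORT_NAME  1
#define NBD_OPT_LIST         3
#define NBD_OPT_STARTTLS     5
#define NBD_OPT_INFO         6
#define NBD_OPT_GO           7
#define NBD_REP_ERR_TLS_REQD ((UINT32_C(1) << 31) + 5)

/* Hypothetical result type: what the server does with a client option. */
enum action { ACT_PROCEED, ACT_REPLY_TLS_REQD, ACT_DROP };

/* Decide how to treat an option received during negotiation.
 * server_forces_tls:   the server refuses all cleartext.
 * export_requires_tls: the export named in the option is TLS-only. */
enum action tls_gate(uint32_t opt, bool tls_active,
                     bool server_forces_tls, bool export_requires_tls)
{
    if (tls_active || opt == NBD_OPT_STARTTLS)
        return ACT_PROCEED;
    switch (opt) {
    case NBD_OPT_EXPORT_NAME:
        /* No error reply exists for this option, so the only way to
         * refuse a cleartext client is to drop the connection. */
        return (server_forces_tls || export_requires_tls) ? ACT_DROP : ACT_PROCEED;
    case NBD_OPT_INFO:
    case NBD_OPT_GO:
        /* INFO/GO make TLS_REQD legal as a per-export error reply. */
        return (server_forces_tls || export_requires_tls) ? ACT_REPLY_TLS_REQD : ACT_PROCEED;
    default:
        /* Any other option is refused only when the whole server is TLS-only. */
        return server_forces_tls ? ACT_REPLY_TLS_REQD : ACT_PROCEED;
    }
}

/* Wire reply type for an action; 0 means no error reply is sent. */
uint32_t reply_type(enum action a)
{
    return a == ACT_REPLY_TLS_REQD ? NBD_REP_ERR_TLS_REQD : 0;
}

int main(void)
{
    printf("EXPORT_NAME on TLS-only export: %d\n", tls_gate(NBD_OPT_EXPORT_NAME, false, false, true));
    printf("GO on TLS-only export: 0x%08x\n", (unsigned)reply_type(tls_gate(NBD_OPT_GO, false, false, true)));
    return 0;
}
```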