
Re: [PATCH v2] doc: Define a standard URI syntax for NBD URIs.



On Wed, Jun 05, 2019 at 06:19:20PM +0100, Daniel P. Berrangé wrote:
> > +* `tls-verify-peer`: This optional parameter may be `0` or `1` to
> > +  control whether the client verifies the server's identity.  By
> > +  default clients SHOULD verify the server's identity if TLS is
> > +  negotiated and if a suitable Certificate Authorty is available.
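Review bot: the default is underspecified when `tls-verify-peer` is omitted and no suitable CA is available: the text says clients SHOULD verify "if a suitable Certificate Authorty is available" but does not say whether a client in that situation proceeds without verification or fails the connection; state which, since silently proceeding is the MITM-exposed case. Also fix the typo "Authorty" to "Authority" in the same sentence.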
> 
> I'd prefer if this is a "MUST" for the default value to be 1, if
> omitted.

"SHOULD" here means that's what implementations ought to do, and most
will do it by default, but it leaves some leeway for implementations
which cannot or choose not to verify the peer for whatever reason
(even though we know that is unsafe in some MITM cases).  I've tried
to avoid mandating implementations except when it's absolutely
necessary.

> > +### TLS certificates directory
> > +
> > +The `tls-certificates` parameter (if used) refers to a directory
> > +containing the Certificate Authority (CA) certificates bundle, client
> > +certificate, client private key, and CA Certificate Revocation List.
> > +
> > +These are all optional except for the CA certificates bundle.
> > +
> > +The files in this directory SHOULD use the following names:
> > +
> > +    Filename               Usage
> > +    --------------------------------------------------
> > +    ca-cert.pem            CA certificates bundle
> > +    client-cert.pem        Client certificate
> > +    client-key.pem         Client private key
> > +    ca-crl.pem             CA Certificate Revocation List
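Review bot: "These are all optional except for the CA certificates bundle" is too loose for the client files: `client-cert.pem` and `client-key.pem` are only usable as a pair, so the text should say they MUST be supplied together (or both omitted), and ideally that `ca-crl.pem` is only meaningful alongside `ca-cert.pem`. It would also help to say what implementations do with files in the directory not listed in the table, since the table is only a SHOULD.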
> 
> QEMU supports a "dh-params.pem" file for the diffie-hellman parameters.
> 
> With PSK, it uses a "tls-creds-psk" file with optional dh-params.pem
> file too.

This is really the crux of the issue that prevents me from getting to a
submittable draft.

I think there are three ways forward:

(1) Mandate the QEMU-style certificates directory, as outlined above
(with Dan's amendment).  This requires a small change to libnbd.  It
is compatible with nbd-client albeit reducing the "flexibility" of
what nbd-client allows.

(2) Add tls-* parameters for each individual file.  Requires
substantial changes to QEMU and libnbd.  Flexible but you're going to
end up with very long TLS URIs.

(3) Drop all the TLS parameters related to the certificate and key
names / paths.  It's a free-for-all until someone else decides what's
best to do.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org
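Added illustration for the discussion above (not part of the thread, and not code from libnbd, QEMU or nbd-client): a small Python parser for the `tls-verify-peer` and `tls-certificates` query parameters of an NBD URI, with `tls-verify-peer` defaulting to 1 when omitted, followed by a check of a QEMU-style certificates directory against the four file names in the quoted patch. The `nbds` scheme, the sample host and export names, the placeholder file contents, the client cert/key pairing check and the private-key permission check are assumptions of this example rather than requirements stated in the patch.

```python
"""Parse NBD URI TLS parameters and check a tls-certificates directory.

Example code written for this page; it is not the parser of libnbd,
nbd-client or QEMU.  The four file names and their roles come from the
quoted patch; everything else (the `nbds` scheme, sample hostnames,
the pairing and permission checks) is an assumption of this example.
"""

import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# File names and roles exactly as listed in the quoted patch.
CERT_FILES = {
    "ca-cert.pem": "CA certificates bundle",
    "client-cert.pem": "Client certificate",
    "client-key.pem": "Client private key",
    "ca-crl.pem": "CA Certificate Revocation List",
}


def parse_nbd_tls_params(uri):
    """Return the TLS-related settings implied by an NBD URI.

    tls-verify-peer defaults to "1" when omitted (the patch's SHOULD);
    a value other than "0"/"1", or any repeated query parameter, is an
    error rather than being silently resolved.
    """
    parts = urlsplit(uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name, values in query.items():
        if len(values) != 1:
            raise ValueError(f"query parameter {name!r} given more than once")
    verify = query.get("tls-verify-peer", ["1"])[0]
    if verify not in ("0", "1"):
        raise ValueError(f"tls-verify-peer must be 0 or 1, got {verify!r}")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port,
        "export": parts.path.lstrip("/"),
        "tls_verify_peer": verify == "1",
        "tls_certificates": query.get("tls-certificates", [None])[0],
    }


def check_certificates_dir(directory):
    """Check a tls-certificates directory against the patch's layout.

    Returns (present, problems): the set of expected files found and a
    list of human-readable problems.  ca-cert.pem is mandatory (per the
    patch).  The cert/key pairing check, the private-key mode check and
    the report of unlisted files are additions of this example.
    """
    d = Path(directory)
    if not d.is_dir():
        raise NotADirectoryError(str(d))
    present = {name for name in CERT_FILES if (d / name).is_file()}
    problems = []
    if "ca-cert.pem" not in present:
        problems.append("ca-cert.pem (CA certificates bundle) is required")
    if ("client-cert.pem" in present) != ("client-key.pem" in present):
        problems.append("client-cert.pem and client-key.pem must be present together")
    key = d / "client-key.pem"
    if key.is_file() and key.stat().st_mode & 0o077:
        problems.append("client-key.pem is readable by group/others; tighten to 0600")
    # Files outside the table (for example QEMU's dh-params.pem) have no
    # defined meaning under a layout that mandates only these four names.
    for extra in sorted(p.name for p in d.iterdir() if p.is_file() and p.name not in CERT_FILES):
        problems.append(f"unexpected file {extra!r} is not among the listed names")
    return present, problems


def demo():
    """Build two constructed directories and parse one constructed URI."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        good.mkdir()
        for name in CERT_FILES:  # placeholder contents, not real PEM data
            (good / name).write_text(f"-----PLACEHOLDER {name}-----\n")
        (good / "client-key.pem").chmod(0o600)
        bad = Path(tmp) / "bad"  # key without cert, no CA bundle, stray file
        bad.mkdir()
        (bad / "client-key.pem").write_text("placeholder\n")
        (bad / "client-key.pem").chmod(0o644)
        (bad / "dh-params.pem").write_text("placeholder\n")
        results["good"] = check_certificates_dir(good)
        results["bad"] = check_certificates_dir(bad)
    # Constructed URI; host, port and export are assumptions of this example.
    results["uri"] = parse_nbd_tls_params(
        "nbds://nbd.example.com:10809/export1?tls-certificates=/etc/pki/nbd"
    )
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the block prints the parsed URI settings and, for the constructed "bad" directory, the four complaints a client following option (1) above would have to raise: no CA bundle, a key with no matching certificate, an over-permissive key file, and a `dh-params.pem` that the proposed table does not define.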
