[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] [PATCH libnbd 1/2] api: Add new API to read whether TLS was negotiated.



On 9/17/19 5:02 AM, Richard W.M. Jones wrote:
> When LIBNBD_TLS_ALLOW is used we don't have a way to find out if TLS
> was really negotiated.  This adds a flag and a way to read it back.
> 
> Unfortunately there is no test yet, because LIBNBD_TLS_ALLOW is not
> tested -- it really should be but requires quite a complicated set of
> tests because ideally we'd like to find out whether it falls back
> correctly for all supported servers.

qemu doesn't support fallback - if the server is configured for TLS, the
client must supply it.

nbdkit DOES support fallback, so yes, our existing tests/*tls.sh can be
a starting point for a setup where we test ALLOW.  But leaving it as a
separate patch via your TODO addition is fine for now.

>    "get_tls", {
>      default_call with
>      args = []; ret = RInt;
>      may_set_error = false;
> -    shortdesc = "get the current TLS setting";
> +    shortdesc = "get the TLS request setting";
>      longdesc = "\
> -Get the current TLS setting.";
> -    see_also = ["L<nbd_set_tls(3)>"];
> +Get the TLS request setting.
> +
> +B<Note:> If you want to find out if TLS was actually negotiated
> +on a particular connection use L<nbd_get_tls_negotiated(3)> instead.";
> +    see_also = ["L<nbd_set_tls(3)>"; "L<nbd_get_tls_negotiated(3)>"];
> +  };
> +
> +  "get_tls_negotiated", {
> +    default_call with
> +    args = []; ret = RBool;
> +    permitted_states = [ Connected; Closed ];
> +    shortdesc = "find out if TLS was negotiated on a connection";
> +    longdesc = "\
> +After connecting you may call this to find out if the
> +connection is using TLS.

Seeing this makes me think I should probably add
"get_structured_replies", since "get_request_structured_replies" has the
same issue of reporting only what was requested, not what actually
happened.  I'll propose that on top of your patches.

ACK that we need this (for 1.1, but not backported to stable-1.0).

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]