ktls-utils PR needs review

ktls-utils PR needs review

[Chuck Lever III]

https://github.com/oracle/ktls-utils/pull/54

I seem to recall a similar command line option that we
removed because it was insecure.

At the very least this needs a man page update, but I'm
not convinced this setting should be allowed.

--
Chuck Lever

Re: ktls-utils PR needs review

[Olga Kornievskaia]

On Mon, Apr 22, 2024 at 11:16 AM Chuck Lever III <chuck.lever@oracle.com> wrote:
>
> https://github.com/oracle/ktls-utils/pull/54
>
> I seem to recall a similar command line option that we
> removed because it was insecure.
>
> At the very least this needs a man page update, but I'm
> not convinced this setting should be allowed.

I agree.

Can we have this only available under some strict usage? Like it can
only work started in the foreground (with some -d flag) and it’ll only
run for 10mins and then it will exit… something like that would
prevent somebody from using it on a permanent basis.

>
> --
> Chuck Lever
>
>
>

Re: ktls-utils PR needs review

[Chuck Lever III]

> On Apr 22, 2024, at 11:55 AM, Olga Kornievskaia <aglo@umich.edu> wrote:
> 
> On Mon, Apr 22, 2024 at 11:16 AM Chuck Lever III <chuck.lever@oracle.com> wrote:
>> 
>> https://github.com/oracle/ktls-utils/pull/54
>> 
>> I seem to recall a similar command line option that we
>> removed because it was insecure.
>> 
>> At the very least this needs a man page update, but I'm
>> not convinced this setting should be allowed.
> 
> I agree.
> 
> Can we have this only available under some strict usage? Like it can
> only work started in the foreground (with some -d flag) and it’ll only
> run for 10mins and then it will exit… something like that would
> prevent somebody from using it on a permanent basis.

Interesting idea, that would ensure it could be used only
for debugging.

Reuben closed the PR because he is having trouble with the
OCA signing. But you could add that suggestion to the PR
and see what he thinks.


--
Chuck Lever

Re: ktls-utils PR needs review

[Hannes Reinecke]

On 4/22/24 17:59, Chuck Lever III wrote:
> 
> 
>> On Apr 22, 2024, at 11:55 AM, Olga Kornievskaia <aglo@umich.edu> wrote:
>>
>> On Mon, Apr 22, 2024 at 11:16 AM Chuck Lever III <chuck.lever@oracle.com> wrote:
>>>
>>> https://github.com/oracle/ktls-utils/pull/54
>>>
>>> I seem to recall a similar command line option that we
>>> removed because it was insecure.
>>>
>>> At the very least this needs a man page update, but I'm
>>> not convinced this setting should be allowed.
>>
>> I agree.
>>
>> Can we have this only available under some strict usage? Like it can
>> only work started in the foreground (with some -d flag) and it’ll only
>> run for 10mins and then it will exit… something like that would
>> prevent somebody from using it on a permanent basis.
> 
> Interesting idea, that would ensure it could be used only
> for debugging.
> 
> Reuben closed the PR because he is having trouble with the
> OCA signing. But you could add that suggestion to the PR
> and see what he thinks.
> 
I am not sure if I agree with the argument; after all, openssl and 
gnutls both have a standard option disabling the certificate check, too.
And you might be needing it under certain circumstances (Self-signed 
certificates? Initial deployment?).

What we could do is to delegate the functionality to be command-line
only (and not via the config file). That way it'll be immediately
obvious that this option is enabled, and we would avoid proliferation
via a forgotten config option setting.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare@suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich

Re: ktls-utils PR needs review

[Chuck Lever III]

> On Apr 23, 2024, at 2:53 AM, Hannes Reinecke <hare@suse.de> wrote:
> 
> On 4/22/24 17:59, Chuck Lever III wrote:
>>> On Apr 22, 2024, at 11:55 AM, Olga Kornievskaia <aglo@umich.edu> wrote:
>>> 
>>> On Mon, Apr 22, 2024 at 11:16 AM Chuck Lever III <chuck.lever@oracle.com> wrote:
>>>> 
>>>> https://github.com/oracle/ktls-utils/pull/54
>>>> 
>>>> I seem to recall a similar command line option that we
>>>> removed because it was insecure.
>>>> 
>>>> At the very least this needs a man page update, but I'm
>>>> not convinced this setting should be allowed.
>>> 
>>> I agree.
>>> 
>>> Can we have this only available under some strict usage? Like it can
>>> only work started in the foreground (with some -d flag) and it’ll only
>>> run for 10mins and then it will exit… something like that would
>>> prevent somebody from using it on a permanent basis.
>> Interesting idea, that would ensure it could be used only
>> for debugging.
>> Reuben closed the PR because he is having trouble with the
>> OCA signing. But you could add that suggestion to the PR
>> and see what he thinks.
> I am not sure if I agree with the argument; after all, openssl and gnutls both have a standard option disabling the certificate check, too.
> And you might be needing it under certain circumstances (Self-signed certificates? Initial deployment?).

What is missing on Reuben's clients is a CA bundle.

I would rather have one or two fully-described use
cases in hand before we decide to (re)introduce
something that is as risky as this.


> What we could do is to delegate the functionality to be command-line
> only (and not via the config file). That way it'll be immediately
> obvious that this option is enabled, and we would avoid proliferation
> via a forgotten config option setting.

As I mentioned, we had such a command line option
and removed it.

A step backwards here requires some very strong
justification, IMO.


--
Chuck Lever

Re: ktls-utils PR needs review

[Olga Kornievskaia]

On Tue, Apr 23, 2024 at 2:53 AM Hannes Reinecke <hare@suse.de> wrote:
>
> On 4/22/24 17:59, Chuck Lever III wrote:
> >
> >
> >> On Apr 22, 2024, at 11:55 AM, Olga Kornievskaia <aglo@umich.edu> wrote:
> >>
> >> On Mon, Apr 22, 2024 at 11:16 AM Chuck Lever III <chuck.lever@oracle.com> wrote:
> >>>
> >>> https://github.com/oracle/ktls-utils/pull/54
> >>>
> >>> I seem to recall a similar command line option that we
> >>> removed because it was insecure.
> >>>
> >>> At the very least this needs a man page update, but I'm
> >>> not convinced this setting should be allowed.
> >>
> >> I agree.
> >>
> >> Can we have this only available under some strict usage? Like it can
> >> only work started in the foreground (with some -d flag) and it’ll only
> >> run for 10mins and then it will exit… something like that would
> >> prevent somebody from using it on a permanent basis.
> >
> > Interesting idea, that would ensure it could be used only
> > for debugging.
> >
> > Reuben closed the PR because he is having trouble with the
> > OCA signing. But you could add that suggestion to the PR
> > and see what he thinks.
> >
> I am not sure if I agree with the argument; after all, openssl and
> gnutls both have a standard option disabling the certificate check, too.
> And you might be needing it under certain circumstances (Self-signed
> certificates? Initial deployment?).

But do browsers have an option to not verify certificates for https? I
think we need to look for real world applications that use TLS and see
if they have options to do no verification.

> What we could do is to delegate the functionality to be command-line
> only (and not via the config file). That way it'll be immediately
> obvious that this option is enabled, and we would avoid proliferation
> via a forgotten config option setting.
>
> Cheers,
>
> Hannes
> --
> Dr. Hannes Reinecke                  Kernel Storage Architect
> hare@suse.de                                +49 911 74053 688
> SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
> HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
>