From: Chuck Lever III <chuck.lever@oracle.com>
To: Jeff Layton <jlayton@kernel.org>
Cc: Olga Kornievskaia <aglo@umich.edu>,
"kernel-tls-handshake@lists.linux.dev"
<kernel-tls-handshake@lists.linux.dev>
Subject: Re: problems getting rpc over tls to work
Date: Tue, 28 Mar 2023 15:05:51 +0000 [thread overview]
Message-ID: <0B1C934F-5A3B-43F6-A6A1-F02E27BC2609@oracle.com> (raw)
In-Reply-To: <666c279c758f2d7acf6f9b82c267e91af510446b.camel@kernel.org>
> On Mar 28, 2023, at 11:03 AM, Jeff Layton <jlayton@kernel.org> wrote:
>
> On Tue, 2023-03-28 at 14:45 +0000, Chuck Lever III wrote:
>>
>>> On Mar 28, 2023, at 10:39 AM, Olga Kornievskaia <aglo@umich.edu> wrote:
>>>
>>> On Tue, Mar 28, 2023 at 10:29 AM Jeff Layton <jlayton@kernel.org> wrote:
>>>>
>>>> It's true that it is less secure than having full chain-of-trust, but
>>>> this seems like a case of "perfect being the enemy of good". If we don't
>>>> allow for self-signed certificates, then we've created a rather large
>>>> hurdle for anyone who wants to deploy this.
>>>>
>>>> One thing we could do is reinstate the tlshd option, but still allow it
>>>> to check the signature. Then it could log something if that check fails
>>>> but still allow the connection.
>>>>
>>>> We should of course document why using that option is not ideal, but
>>>> ripping it out entirely seems rather draconian. That's just going to
>>>> drive people to not use TLS at all because of the hassle factor.
>>>
>>> I would argue that "no verification" option should only be allowed in
>>> some extreme cases. Like say having an option that explicitly says
>>> it's running in a debug mode and say on the foreground only (-d -f
>>> --noverify). Having such options might clearly state the intent is to
>>> debug only and not run for any user usage.
>>>
>>> I also don't see a real reason for "noverify" option except to remove
>>> frustrations during the setup.
>>
>> I might put it this way: we don't want to have customers installing
>> something on their clients whose out-of-the-shrinkwrap configuration
>> is less than secure. "no verification" is less than secure.
>>
>> My preference would be to have some kind of way to get self-signed
>> certs working with no client-side configuration needed. If the
>> client mounts with "xprtsec=tls" it should work. Do we need to
>> plumb that into our handshake upcall and make "anonymous"
>> handshakes explicitly allow unrecognized signers?
>>
>
> Since the client is the side that's rejecting things, having a mount
> option that allows you to relax that check seems like the right
> approach.
>
> How about a new xprtsec= option? Maybe "xprtsec=nvtls" (no verify TLS)?
> That would allow things to work out of the box, but still leave
> xprtsec=tls as the more secure method.
Nah. xprtsec=tls is supposed to be less secure: no authentication,
just encryption. The secure method is xprtsec=mtls.
IMO xprtsec=tls needs to skip the signer check. I think I can make
tlshd do that.
--
Chuck Lever
next prev parent reply other threads:[~2023-03-28 15:06 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-28 12:27 problems getting rpc over tls to work Jeff Layton
2023-03-28 12:55 ` Jeff Layton
2023-03-28 14:04 ` Chuck Lever III
2023-03-28 14:23 ` Benjamin Coddington
2023-03-28 14:29 ` Jeff Layton
2023-03-28 14:39 ` Olga Kornievskaia
2023-03-28 14:45 ` Chuck Lever III
2023-03-28 14:50 ` Olga Kornievskaia
2023-03-28 15:06 ` Jeff Layton
2023-03-28 15:03 ` Jeff Layton
2023-03-28 15:05 ` Chuck Lever III [this message]
2023-03-28 15:15 ` Jeff Layton
2023-03-28 15:19 ` Olga Kornievskaia
2023-03-28 15:30 ` Olga Kornievskaia
2023-03-28 15:48 ` Chuck Lever III
2023-03-28 14:41 ` Chuck Lever III
2023-03-28 13:29 ` Chuck Lever III
2023-03-28 13:51 ` Jeff Layton
2023-03-28 13:55 ` Chuck Lever III
2023-03-28 14:13 ` Jeff Layton
2023-03-28 14:25 ` Olga Kornievskaia
2023-03-28 14:38 ` Jeff Layton
2023-03-28 14:44 ` Olga Kornievskaia
2023-03-28 14:47 ` Chuck Lever III
2023-03-28 15:48 ` Jeff Layton
2023-03-28 16:06 ` Chuck Lever III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0B1C934F-5A3B-43F6-A6A1-F02E27BC2609@oracle.com \
--to=chuck.lever@oracle.com \
--cc=aglo@umich.edu \
--cc=jlayton@kernel.org \
--cc=kernel-tls-handshake@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).