Re: problems getting rpc over tls to work

From: Olga Kornievskaia <aglo@umich.edu>
To: Jeff Layton <jlayton@kernel.org>
Cc: Chuck Lever III <chuck.lever@oracle.com>,
	 "kernel-tls-handshake@lists.linux.dev"
	<kernel-tls-handshake@lists.linux.dev>
Subject: Re: problems getting rpc over tls to work
Date: Tue, 28 Mar 2023 10:44:22 -0400	[thread overview]
Message-ID: <CAN-5tyHLRkhn6wiEMf-JfbSWR-ovi9GZ4THvP9bmTJxTENc8iA@mail.gmail.com> (raw)
In-Reply-To: <65bd19cbc1ac6ca1ddb7f521cd5272801cf14348.camel@kernel.org>

On Tue, Mar 28, 2023 at 10:38 AM Jeff Layton <jlayton@kernel.org> wrote:
>
> On Tue, 2023-03-28 at 10:25 -0400, Olga Kornievskaia wrote:
> > On Tue, Mar 28, 2023 at 10:14 AM Jeff Layton <jlayton@kernel.org> wrote:
> > >
> > > On Tue, 2023-03-28 at 13:55 +0000, Chuck Lever III wrote:
> > > >
> > > > > On Mar 28, 2023, at 9:29 AM, Chuck Lever III <chuck.lever@oracle.com> wrote:
> > > > >
> > > > >
> > > > >
> > > > > > On Mar 28, 2023, at 8:27 AM, Jeff Layton <jlayton@kernel.org> wrote:
> > > > > >
> > > > > > Hi Chuck!
> > > > > >
> > > > > > I have started the packaging work for Fedora for ktls-utils:
> > > > > >
> > > > > >   https://bugzilla.redhat.com/show_bug.cgi?id=2182151
> > > > > >
> > > > > > I also built packages for this in copr:
> > > > > >
> > > > > >   https://copr.fedorainfracloud.org/coprs/jlayton/ktls-utils/
> > > > > >
> > > > > > ...and built some interim nfs-utils packages with the requisite exportfs
> > > > > > patches:
> > > > > >
> > > > > >   https://copr.fedorainfracloud.org/coprs/jlayton/nfs-utils/
> > > > >
> > > > > Note that the nfs-utils changes aren't necessary to support
> > > > > the kernel server in "opportunistic" mode -- the server will
> > > > > use RPC-with-TLS if a client requests it, but otherwise does
> > > > > not restrict access.
> > > > >
> > > > > Client side also has no nfs-utils requirements at this time,
> > > > > since the new mount options are handled by the kernel.
> > > >
> > > > In case I wasn't clear:
> > > >
> > > > This was meant as a suggestion. If you want to simplify your
> > > > test set-up a bit, the nfs-utils piece isn't needed at this
> > > > point. But feel free to include it if you like!
> > > >
> > >
> > > Understood. I needed to build it for the server side anyway, so I
> > > figured I might as well. Eventually I'd like to set up a Fedora COPR
> > > repo that has all of the packages we need to test this, but I need to
> > > sort through the certificate handling here first.
> > >
> > > Are there docs on how to administer gnutls? For instance, I guess I'll
> > > want to set up my own CA and issue client and server certs. How do I
> > > make gnutls trust a new CA?
> >
> > Hi Jeff,
> >
> > To get self-signed certificates to work you need to (on the client's
> > machine) copy your server's cert.pem file into
> > /etc/pki/ca-trust/source/anchors and then run the “update-ca-trust
> > extract”.
> >
> >
>
> Many thanks, Olga! That got me further:
>
>     Mar 28 10:35:05 nfsclnt tlshd[1498]: Handshake with nfsd.poochiereds.net (192.168.1.140) was successful
>
> The mount still isn't working yet, but I think I'm getting closer. I'll
> keep poking at it.

I went thru several iterations before I got that working. If you are
doing mutual authentication then the client's self-cert needs to be
added to the server's CA chain in the same manner.

My next stumble which Chuck helped me was that negotiated cipher was
ChaCha20Poly which I didn't have enabled in my kernel. So look that
you have CONFIG_CRYPTO_CHACHA20POLY1305  compiled in the kernel.

>
> Thanks!
> --
> Jeff Layton <jlayton@kernel.org>