From: Olga Kornievskaia <aglo@umich.edu>
To: Jeff Layton <jlayton@kernel.org>
Cc: Chuck Lever III <chuck.lever@oracle.com>,
"kernel-tls-handshake@lists.linux.dev"
<kernel-tls-handshake@lists.linux.dev>
Subject: Re: problems getting rpc over tls to work
Date: Tue, 28 Mar 2023 10:44:22 -0400 [thread overview]
Message-ID: <CAN-5tyHLRkhn6wiEMf-JfbSWR-ovi9GZ4THvP9bmTJxTENc8iA@mail.gmail.com> (raw)
In-Reply-To: <65bd19cbc1ac6ca1ddb7f521cd5272801cf14348.camel@kernel.org>
On Tue, Mar 28, 2023 at 10:38 AM Jeff Layton <jlayton@kernel.org> wrote:
>
> On Tue, 2023-03-28 at 10:25 -0400, Olga Kornievskaia wrote:
> > On Tue, Mar 28, 2023 at 10:14 AM Jeff Layton <jlayton@kernel.org> wrote:
> > >
> > > On Tue, 2023-03-28 at 13:55 +0000, Chuck Lever III wrote:
> > > >
> > > > > On Mar 28, 2023, at 9:29 AM, Chuck Lever III <chuck.lever@oracle.com> wrote:
> > > > >
> > > > >
> > > > >
> > > > > > On Mar 28, 2023, at 8:27 AM, Jeff Layton <jlayton@kernel.org> wrote:
> > > > > >
> > > > > > Hi Chuck!
> > > > > >
> > > > > > I have started the packaging work for Fedora for ktls-utils:
> > > > > >
> > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=2182151
> > > > > >
> > > > > > I also built packages for this in copr:
> > > > > >
> > > > > > https://copr.fedorainfracloud.org/coprs/jlayton/ktls-utils/
> > > > > >
> > > > > > ...and built some interim nfs-utils packages with the requisite exportfs
> > > > > > patches:
> > > > > >
> > > > > > https://copr.fedorainfracloud.org/coprs/jlayton/nfs-utils/
> > > > >
> > > > > Note that the nfs-utils changes aren't necessary to support
> > > > > the kernel server in "opportunistic" mode -- the server will
> > > > > use RPC-with-TLS if a client requests it, but otherwise does
> > > > > not restrict access.
> > > > >
> > > > > Client side also has no nfs-utils requirements at this time,
> > > > > since the new mount options are handled by the kernel.
> > > >
> > > > In case I wasn't clear:
> > > >
> > > > This was meant as a suggestion. If you want to simplify your
> > > > test set-up a bit, the nfs-utils piece isn't needed at this
> > > > point. But feel free to include it if you like!
> > > >
> > >
> > > Understood. I needed to build it for the server side anyway, so I
> > > figured I might as well. Eventually I'd like to set up a Fedora COPR
> > > repo that has all of the packages we need to test this, but I need to
> > > sort through the certificate handling here first.
> > >
> > > Are there docs on how to administer gnutls? For instance, I guess I'll
> > > want to set up my own CA and issue client and server certs. How do I
> > > make gnutls trust a new CA?
> >
> > Hi Jeff,
> >
> > To get self-signed certificates to work you need to (on the client's
> > machine) copy your server's cert.pem file into
> > /etc/pki/ca-trust/source/anchors and then run the “update-ca-trust
> > extract”.
> >
> >
>
> Many thanks, Olga! That got me further:
>
> Mar 28 10:35:05 nfsclnt tlshd[1498]: Handshake with nfsd.poochiereds.net (192.168.1.140) was successful
>
> The mount still isn't working yet, but I think I'm getting closer. I'll
> keep poking at it.
I went thru several iterations before I got that working. If you are
doing mutual authentication then the client's self-cert needs to be
added to the server's CA chain in the same manner.
My next stumble which Chuck helped me was that negotiated cipher was
ChaCha20Poly which I didn't have enabled in my kernel. So look that
you have CONFIG_CRYPTO_CHACHA20POLY1305 compiled in the kernel.
>
> Thanks!
> --
> Jeff Layton <jlayton@kernel.org>
next prev parent reply other threads:[~2023-03-28 14:44 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-28 12:27 problems getting rpc over tls to work Jeff Layton
2023-03-28 12:55 ` Jeff Layton
2023-03-28 14:04 ` Chuck Lever III
2023-03-28 14:23 ` Benjamin Coddington
2023-03-28 14:29 ` Jeff Layton
2023-03-28 14:39 ` Olga Kornievskaia
2023-03-28 14:45 ` Chuck Lever III
2023-03-28 14:50 ` Olga Kornievskaia
2023-03-28 15:06 ` Jeff Layton
2023-03-28 15:03 ` Jeff Layton
2023-03-28 15:05 ` Chuck Lever III
2023-03-28 15:15 ` Jeff Layton
2023-03-28 15:19 ` Olga Kornievskaia
2023-03-28 15:30 ` Olga Kornievskaia
2023-03-28 15:48 ` Chuck Lever III
2023-03-28 14:41 ` Chuck Lever III
2023-03-28 13:29 ` Chuck Lever III
2023-03-28 13:51 ` Jeff Layton
2023-03-28 13:55 ` Chuck Lever III
2023-03-28 14:13 ` Jeff Layton
2023-03-28 14:25 ` Olga Kornievskaia
2023-03-28 14:38 ` Jeff Layton
2023-03-28 14:44 ` Olga Kornievskaia [this message]
2023-03-28 14:47 ` Chuck Lever III
2023-03-28 15:48 ` Jeff Layton
2023-03-28 16:06 ` Chuck Lever III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAN-5tyHLRkhn6wiEMf-JfbSWR-ovi9GZ4THvP9bmTJxTENc8iA@mail.gmail.com \
--to=aglo@umich.edu \
--cc=chuck.lever@oracle.com \
--cc=jlayton@kernel.org \
--cc=kernel-tls-handshake@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).