Re: Potential kTLS issue with TLS-PSK, GnuTLS + Rawhide - how to debug it?

On Fri, Nov 25, 2022 at 1:14 PM Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
>
> Hi Daiki & Frantisek,
>
> There's a new error that is appearing in the libnbd test suite when
> testing TLS-PSK.  Regular TLS (with X.509 certs) works fine.  It seems
> to have started since I upgraded the kernel on my machine from 5.19.0 ->
> 6.1.0, and I think it is related to kTLS.
>
> You may be able to reproduce it fairly easily in Fedora Rawhide, or in
> Fedora 37 by upgrading the kernel, nbdkit and libnbd to Rawhide versions.
>
>   $ uname -a
>   Linux pick.home.annexia.org 6.1.0-0.rc6.46.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Nov 21 16:07:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
>
>   $ nbdkit --version
>   nbdkit 1.33.3 (nbdkit-1.33.3-1.fc38)
>   $ nbdinfo --version
>   nbdinfo 1.15.7
>   libnbd 1.15.7
>
> To reproduce it:
>
>   $ psktool -u bob -p keys.psk
>   Generating a random key for user 'bob'
>   Key stored to keys.psk
>
>   $ nbdkit --tls=require --tls-psk=keys.psk null \
>            --run 'nbdinfo "nbds://bob@localhost/?tls-psk-file=keys.psk" '
>   nbdkit: null[1]: error: gnutls_record_recv: Error in the pull function.
>   nbdkit: null[1]: error: reading option: conn->recv: Input/output error
>   nbdinfo: nbd_connect_uri: gnutls_record_recv: Error in the pull function.
>
> For lots more debugging, use this command instead:
>
>   $ nbdkit -fv --tls=require --tls-psk=keys.psk \
>                -D nbdkit.tls.log=99 -D nbdkit.tls.session=1 null \
>                --run 'LIBNBD_DEBUG=1 nbdinfo "nbds://bob@localhost/?tls-psk-file=keys.psk" '
>
> The reason I believe it is related to kTLS is because if I do:
>
>   # modprobe -r tls
>
> then the error goes away.  Loading the module makes the error appear
> again.  (Note that the module appears to be loaded on boot, so this
> error will happen for all Rawhide users unless they take special
> action.)
>
> Are there ways to debug kTLS?  It seems like there is no kernel output
> related to the above failure.
>
> Are there ways to override GnuTLS automatic detection of kTLS, to
> temporarily disable it, even when the kernel module is loaded?

For disabling KTLS, try putting
```
[global]
ktls = false
```
into `/etc/crypto-policies/local.d/gnutls-no-ktls.config`,
and follow up with an `update-crypto-policies --set`.
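
Added example, not part of the original message and not code from GnuTLS, nbdkit or libnbd: one way to confirm whether a reproducer run actually used kTLS, before and after the config change above, is to diff the kernel's kTLS counters around it. It assumes the `tls` module exposes `/proc/net/tls_stat`; the script name `ktls-check.sh`, the function names and the verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: report which kTLS counters changed between two snapshots of
# /proc/net/tls_stat (lines of "CounterName <whitespace> value").
# Counters are per network namespace, so other TLS traffic on the machine
# also moves them; run the reproducer on an otherwise quiet host.

# ktls_delta BEFORE AFTER: print "Name delta" for every counter that changed.
# A missing or empty BEFORE snapshot (module not loaded) counts as all zeros.
ktls_delta() {
    awk 'FILENAME == ARGV[1] { before[$1] = $2; next }
         ($2 - before[$1]) != 0 { print $1, $2 - before[$1] }' "$1" "$2"
}

# ktls_verdict BEFORE AFTER: one-word summary of the deltas.
ktls_verdict() {
    delta=$(ktls_delta "$1" "$2")
    case "$delta" in
        *TlsDecryptError*)
            echo "ktls-used-with-decrypt-errors" ;;
        *TlsTxSw*|*TlsRxSw*|*TlsTxDevice*|*TlsRxDevice*)
            echo "ktls-used" ;;
        *)
            echo "ktls-not-used" ;;
    esac
}

# Stand-alone use: ./ktls-check.sh COMMAND [ARGS...]
# Snapshots the counters, runs COMMAND (e.g. the nbdkit reproducer), and
# snapshots again.
if [ "$#" -gt 0 ]; then
    b=$(mktemp)
    a=$(mktemp)
    cat /proc/net/tls_stat > "$b" 2>/dev/null
    "$@"
    cat /proc/net/tls_stat > "$a" 2>/dev/null
    ktls_delta "$b" "$a"
    ktls_verdict "$b" "$a"
    rm -f "$b" "$a"
fi
```

With `ktls = false` in effect, the same reproducer should leave the `TlsTxSw`/`TlsRxSw` counters unchanged and report `ktls-not-used`.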