On Fri, Nov 25, 2022 at 01:43:18PM +0100, Alexander Sosedkin wrote:
> On Fri, Nov 25, 2022 at 1:14 PM Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> >
> > Hi Daiki & Frantisek,
> >
> > There's a new error that is appearing in the libnbd test suite when
> > testing TLS-PSK. Regular TLS (with X.509 certs) works fine. It seems
> > to have started since I upgraded the kernel on my machine from 5.19.0 ->
> > 6.1.0, and I think it is related to kTLS.
> >
> > You may be able to reproduce it fairly easily in Fedora Rawhide, or in
> > Fedora 37 by upgrading the kernel, nbdkit and libnbd to Rawhide versions.
> >
> > $ uname -a
> > Linux pick.home.annexia.org 6.1.0-0.rc6.46.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Nov 21 16:07:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> >
> > $ nbdkit --version
> > nbdkit 1.33.3 (nbdkit-1.33.3-1.fc38)
> > $ nbdinfo --version
> > nbdinfo 1.15.7
> > libnbd 1.15.7
> >
> > To reproduce it:
> >
> > $ psktool -u bob -p keys.psk
> > Generating a random key for user 'bob'
> > Key stored to keys.psk
> >
> > $ nbdkit --tls=require --tls-psk=keys.psk null \
> >   --run 'nbdinfo "nbds://bob@localhost/?tls-psk-file=keys.psk" '
> > nbdkit: null[1]: error: gnutls_record_recv: Error in the pull function.
> > nbdkit: null[1]: error: reading option: conn->recv: Input/output error
> > nbdinfo: nbd_connect_uri: gnutls_record_recv: Error in the pull function.
> >
> > For lots more debugging, use this command instead:
> >
> > $ nbdkit -fv --tls=require --tls-psk=keys.psk \
> >   -D nbdkit.tls.log=99 -D nbdkit.tls.session=1 null \
> >   --run 'LIBNBD_DEBUG=1 nbdinfo "nbds://bob@localhost/?tls-psk-file=keys.psk" '
> >
> > The reason I believe it is related to kTLS is because if I do:
> >
> > # modprobe -r tls
> >
> > then the error goes away. Loading the module makes the error appear
> > again. (Note that the module appears to be loaded on boot, so this
> > error will happen for all Rawhide users unless they take special
> > action.)
> >
> > Are there ways to debug kTLS? It seems like there is no kernel output
> > related to the above failure.
> >
> > Are there ways to override GnuTLS automatic detection of kTLS, to
> > temporarily disable it, even when the kernel module is loaded?
>
> For disabling KTLS, try putting
> ```
> [global]
> ktls = false
> ```
> into `/etc/crypto-policies/local.d/gnutls-no-ktls.config`,
> and follow up with an `update-crypto-policies --set`.

Aha! Actually I already have:

$ cat /etc/crypto-policies/local.d/gnutls-ktls.config
[global]
ktls = true

which I must have added a while back and forgotten about. Removing that
file disables kTLS.

So in fact what I said above isn't right - this will not affect Rawhide
users unless they also enable kTLS explicitly, which is good to know.

Still interested in debugging the kTLS problem. I've been having a look
at straces, and what's interesting is that the client sends and the
server receives the cleartext message successfully (as we would expect
because the kernel is doing the encryption and decryption below the
socket level), but something (GnuTLS?) believes that there was a socket
error, even though there isn't one.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
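The thread above pins the failure on two conditions that both have to hold: the kernel `tls` module is loaded, and a crypto-policies drop-in under `/etc/crypto-policies/local.d/` sets `ktls = true` in its `[global]` section. The following POSIX shell helper is an added example, not code from the thread, from libnbd or from the crypto-policies project: it reads the effective `ktls` value out of a `local.d` directory and checks a `/proc/modules`-style listing for the `tls` module, so a machine can be triaged before blaming GnuTLS. Both paths are parameters so the script runs offline on constructed files; the assumption that a later drop-in (alphabetical order) overrides an earlier one is mine and is marked in the code.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions, marked where they apply:
#  - crypto-policies drop-ins are *.config files under the directory given
#    as $1 (/etc/crypto-policies/local.d on a real system);
#  - when several drop-ins set "ktls" in [global], the alphabetically later
#    file wins (assumption, matching plain concatenation order).

# Print the effective [global] ktls value from the drop-ins in a directory:
# "true", "false", or "unset" when no drop-in sets it.
ktls_setting() {
    dir="$1"
    result="unset"
    for f in "$dir"/*.config; do
        [ -f "$f" ] || continue
        # awk tracks the current [section] and prints the value of any
        # "ktls = ..." line that sits inside [global]; whitespace is stripped.
        v=$(awk -F'=' '
            /^[[:space:]]*\[/ { section = $0; gsub(/[^A-Za-z_]/, "", section); next }
            section == "global" && $1 ~ /^[[:space:]]*ktls[[:space:]]*$/ {
                val = $2; gsub(/[[:space:]]/, "", val); print val
            }' "$f" | tail -n 1)
        [ -n "$v" ] && result="$v"   # later drop-in overrides (assumption)
    done
    printf '%s\n' "$result"
}

# Return 0 if the kernel "tls" module appears in a /proc/modules-style
# listing (first field is the module name), 1 otherwise.
tls_module_loaded() {
    grep -q '^tls[[:space:]]' "$1"
}

# Stand-alone demonstration on constructed files (the drop-in mirrors the
# one Rich found on his machine; the module listing is made up).
demo() {
    d=$(mktemp -d)
    printf '[global]\nktls = true\n' > "$d/gnutls-ktls.config"
    printf 'tls 135168 0 - Live 0x0000000000000000\n' > "$d/modules"
    printf 'crypto-policies ktls: %s\n' "$(ktls_setting "$d")"
    if tls_module_loaded "$d/modules"; then
        echo "kernel tls module: loaded"
    else
        echo "kernel tls module: not loaded"
    fi
    rm -rf "$d"
}

demo
```

Run it against the real system with `ktls_setting /etc/crypto-policies/local.d` and `tls_module_loaded /proc/modules`; only when both report kTLS active does the TLS-PSK failure described above come into play, and removing the drop-in plus `update-crypto-policies --set` (or `modprobe -r tls`, as in the thread) takes the kernel path out of the picture.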