As I already posted to Jeff, I can put the server up for a day or two at any time anyone would like to test against it. It now does TLS1.3 and I'll note the one thing the server did that caught the FreeBSD client "off guard" was it sends a couple of post handshake handshake records. (The FreeBSD client now just tosses these away.)

Just email if/when you'd like to test, rick

________________________________________
From: Chuck Lever III <chuck.lever@xxxxxxxxxx>
Sent: Tuesday, July 12, 2022 9:48 AM
To: Jeff Layton
Cc: Linux NFS Mailing List; trondmy@xxxxxxxxxxxxxxx
Subject: Re: [PATCH v2 00/15] RPC-with-TLS client side

> On Jul 12, 2022, at 8:36 AM, Jeff Layton <jlayton@xxxxxxxxxx> wrote:
>
> On Mon, 2022-06-06 at 10:50 -0400, Chuck Lever wrote:
>> Now that the initial v5.19 merge window has closed, it's time for
>> another round of review for RPC-with-TLS support in the Linux NFS
>> client. This is just the RPC-specific portions. The full series is
>> available in the "topic-rpc-with-tls-upcall" branch here:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
>>
>> I've taken two or three steps towards implementing the architecture
>> Trond requested during the last review. There is now a two-stage
>> connection establishment process so that the upper level can use
>> XPRT_CONNECTED to determine when a TLS session is ready to use.
>> There are probably additional changes and simplifications that can
>> be made. Please review and provide feedback.
>>
>> I wanted to make more progress on client-side authentication (ie,
>> passing an x.509 cert from the client to the server) but NFSD bugs
>> have taken all my time for the past few weeks.
>>
>>
>> Changes since v1:
>> - Rebased on v5.18
>> - Re-ordered so generic fixes come first
>> - Addressed some of Trond's review comments
>>
>> ---
>>
>> Chuck Lever (15):
>>       SUNRPC: Fail faster on bad verifier
>>       SUNRPC: Widen rpc_task::tk_flags
>>       SUNRPC: Replace dprintk() call site in xs_data_ready
>>       NFS: Replace fs_context-related dprintk() call sites with tracepoints
>>       SUNRPC: Plumb an API for setting transport layer security
>>       SUNRPC: Trace the rpc_create_args
>>       SUNRPC: Refactor rpc_call_null_helper()
>>       SUNRPC: Add RPC client support for the RPC_AUTH_TLS auth flavor
>>       SUNRPC: Ignore data_ready callbacks during TLS handshakes
>>       SUNRPC: Capture cmsg metadata on client-side receive
>>       SUNRPC: Add a connect worker function for TLS
>>       SUNRPC: Add RPC-with-TLS support to xprtsock.c
>>       SUNRPC: Add RPC-with-TLS tracepoints
>>       NFS: Have struct nfs_client carry a TLS policy field
>>       NFS: Add an "xprtsec=" NFS mount option
>>
>>
>>  fs/nfs/client.c                 |  14 ++
>>  fs/nfs/fs_context.c             |  65 +++++--
>>  fs/nfs/internal.h               |   2 +
>>  fs/nfs/nfs3client.c             |   1 +
>>  fs/nfs/nfs4client.c             |  16 +-
>>  fs/nfs/nfstrace.h               |  77 ++++++++
>>  fs/nfs/super.c                  |   7 +
>>  include/linux/nfs_fs_sb.h       |   5 +-
>>  include/linux/sunrpc/auth.h     |   1 +
>>  include/linux/sunrpc/clnt.h     |  15 +-
>>  include/linux/sunrpc/sched.h    |  32 ++--
>>  include/linux/sunrpc/xprt.h     |   2 +
>>  include/linux/sunrpc/xprtsock.h |   4 +
>>  include/net/tls.h               |   2 +
>>  include/trace/events/sunrpc.h   | 157 ++++++++++++++--
>>  net/sunrpc/Makefile             |   2 +-
>>  net/sunrpc/auth.c               |   2 +-
>>  net/sunrpc/auth_tls.c           | 120 +++++++++++++
>>  net/sunrpc/clnt.c               |  34 ++--
>>  net/sunrpc/debugfs.c            |   2 +-
>>  net/sunrpc/xprtsock.c           | 310 +++++++++++++++++++++++++++++++-
>>
>>  21 files changed, 805 insertions(+), 65 deletions(-)
>>  create mode 100644 net/sunrpc/auth_tls.c
>>
>> --
>> Chuck Lever
>>
>
> Chuck,
>
> How have you been testing this series? It looks like nfsd support is not
> fully in yet, so I was wondering if you had a 3rd party server.
> I'd like
> to do a little testing with this, and was wondering what I needed to
> cobble together a test rig.

Ben Coddington has an nginx module to support RPC-with-TLS that can
front-end a stock Linux NFSD. Rick has a FreeBSD server implementation
of RPC-with-TLS.

Rick's probably taken his server down, but Ben's server is still up on
the bake-a-thon VPN.

--
Chuck Lever
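Rick's remark at the top of the thread, that a TLS 1.3 server may emit a couple of post-handshake handshake records (NewSessionTicket is the usual one) after the session is up, and that the FreeBSD client simply discards them, is the behaviour an RPC-with-TLS receiver has to get right before it hands bytes to the RPC record-marker parser. The following is an added example written for this page; it is not Rick's FreeBSD code, nor the Linux SUNRPC patches under review. It models the decrypted record stream with the inner content type exposed in a plaintext TLS record header, standing in for the record type that a kernel-TLS consumer would read from a control message; the record bytes are constructed here, and the record/handshake type constants are the RFC 8446 values.

```python
"""Separate RPC payload from TLS records the RPC layer must discard.

Constructed model: each record is (content_type, legacy_version, length)
followed by its fragment, i.e. plaintext TLS record framing with the inner
content type visible. After the handshake, TLS 1.3 may still deliver
content type 22 (handshake) records such as NewSessionTicket; they must
never reach the RPC record-marker parser. Added example, not project code.
"""
import struct

ALERT = 21             # RFC 8446 ContentType values
HANDSHAKE = 22
APPLICATION_DATA = 23
NEW_SESSION_TICKET = 4 # RFC 8446 HandshakeType
MAX_FRAGMENT = 16384 + 256
HEADER = struct.Struct("!BHH")  # content type, legacy version, fragment length


def split_records(buf: bytes):
    """Return (list of (ctype, fragment), leftover bytes).

    A record whose tail has not arrived yet is left in the leftover buffer
    so the caller can prepend it to the next read; stream receivers see
    partial records routinely.
    """
    records = []
    off = 0
    while len(buf) - off >= HEADER.size:
        ctype, _version, length = HEADER.unpack_from(buf, off)
        if length > MAX_FRAGMENT:
            raise ValueError("record length %d exceeds TLS maximum" % length)
        end = off + HEADER.size + length
        if end > len(buf):
            break  # partial record: wait for more bytes
        records.append((ctype, buf[off + HEADER.size:end]))
        off = end
    return records, buf[off:]


def rpc_payload(buf: bytes):
    """Return (application data for the RPC layer, discarded count, leftover)."""
    records, rest = split_records(buf)
    data = bytearray()
    discarded = 0
    for ctype, frag in records:
        if ctype == APPLICATION_DATA:
            data += frag
        elif ctype == HANDSHAKE:
            # Post-handshake message (e.g. NewSessionTicket): toss it, as the
            # FreeBSD client described in the thread does.
            discarded += 1
        elif ctype == ALERT:
            raise ConnectionError("TLS alert: level=%d desc=%d" % (frag[0], frag[1]))
        else:
            raise ValueError("unexpected TLS content type %d" % ctype)
    return bytes(data), discarded, rest


def make_record(ctype: int, frag: bytes) -> bytes:
    """Build one record in the plaintext framing used by this model."""
    return HEADER.pack(ctype, 0x0303, len(frag)) + frag


# Constructed sample stream: one NewSessionTicket-shaped post-handshake record
# (handshake type 4, 3-byte length, 16 opaque bytes), then an RPC record
# marker plus the start of a message, then the rest of that message.
SAMPLE = (
    make_record(HANDSHAKE, bytes([NEW_SESSION_TICKET]) + b"\x00\x00\x10" + b"\x00" * 16)
    + make_record(APPLICATION_DATA, b"\x80\x00\x00\x08" + b"\x00\x00\x00\x01")
    + make_record(APPLICATION_DATA, b"\x00\x00\x00\x00")
)

if __name__ == "__main__":
    payload, dropped, rest = rpc_payload(SAMPLE)
    print("payload:", payload.hex(), "discarded:", dropped, "leftover:", len(rest))
```

Feeding `rpc_payload` a truncated buffer (for instance `SAMPLE[:-3]`) returns the two complete records' results plus the unfinished record's bytes as leftover, which is the case a receive path built on `data_ready` callbacks has to handle without treating the fragment as garbage.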