From: Rick Macklem
Date: Thu, 9 Jul 2020 00:34:08 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r363033 - in projects/nfs-over-tls/sys/fs: nfs nfsclient

Author: rmacklem
Date: Thu Jul 9 00:34:07 2020
New Revision: 363033
URL: https://svnweb.freebsd.org/changeset/base/363033

Log:
  Essentially revert changes done to nfsm_uiombuflist() to what is in head/.
  The changes allowed the mbuf list to be created using ext_pgs mbufs.
  This is used for doing writing to mirrored DSs. However, these writes
  require that part of the mbuf list be copied (by nfsm_copym()) and m_copym()
  cannot do this for ext_pgs mbufs.
  The work to patch m_copym() to do partial copies of ext_pgs mbuf lists is
  non-trivial, so I am not doing it at this time.
  This does mean that the write requests will be in mbuf clusters and will
  need to be copied in the krpc before sosend() for TLS connections, but will
  work correctly.

Modified:
  projects/nfs-over-tls/sys/fs/nfs/nfs_var.h
  projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c
  projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c

Modified: projects/nfs-over-tls/sys/fs/nfs/nfs_var.h ============================================================================== --- projects/nfs-over-tls/sys/fs/nfs/nfs_var.h Wed Jul 8 21:40:27 2020 (r363032) +++ projects/nfs-over-tls/sys/fs/nfs/nfs_var.h Thu Jul 9 00:34:07 2020 (r363033) 
@@ -363,7 +363,7 @@ void nfsm_set(struct nfsrv_descript *, u_int); /* nfs_clcomsubs.c */ void nfsm_uiombuf(struct nfsrv_descript *, struct uio *, int); -struct mbuf *nfsm_uiombuflist(bool, int, struct uio *, int, struct mbuf **, char **); +struct mbuf *nfsm_uiombuflist(struct uio *, int, struct mbuf **, char **); nfsuint64 *nfscl_getcookie(struct nfsnode *, off_t off, int); u_int8_t *nfscl_getmyip(struct nfsmount *, struct in6_addr *, int *); int nfsm_getfh(struct nfsrv_descript *, struct nfsfh **); Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c Wed Jul 8 21:40:27 2020 (r363032) +++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c Thu Jul 9 00:34:07 2020 (r363033) 
@@ -156,24 +156,20 @@ nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *ui /* * copies a uio scatter/gather list to an mbuf chain. * This version returns the mbuf list and does not use "nd". - * It allocates mbuf(s) of NFSM_RNDUP(siz) and ensures that - * it is nul padded to a multiple of 4 bytes. - * Since mbufs are allocated by this function, they will - * always have space for an exact multiple of 4 bytes in - * each mbuf. This implies that the nul padding can be - * safely done without checking for available space in - * the mbuf data area (or page for M_EXTPG mbufs). * NOTE: can ony handle iovcnt == 1 + * This function is used to create an mbuf list for doing writing to + * mirrored flexfile DSs. + * It cannot be modified to optionally support ext_pgs mbufs until + * nfsm_copym() is converted to work for ext_pgs mbufs. */ struct mbuf * -nfsm_uiombuflist(bool doextpgs, int maxextsiz, struct uio *uiop, int siz, - struct mbuf **mbp, char **cpp) +nfsm_uiombuflist(struct uio *uiop, int siz, struct mbuf **mbp, char **cpp) { char *uiocp; struct mbuf *mp, *mp2, *firstmp; - int i, left, mlen, rem, xfer; - int uiosiz, clflg, bextpg, bextpgsiz = 0; - char *mcp, *tcp; + int xfer, left, mlen; + int uiosiz, clflg; + char *tcp; KASSERT(uiop->uio_iovcnt == 1, ("nfsm_uiotombuf: iovcnt != 1")); @@ -181,21 +177,11 @@ nfsm_uiombuflist(bool doextpgs, int maxextsiz, struct clflg = 1; else clflg = 0; - rem = NFSM_RNDUP(siz) - siz; - if (doextpgs) { - mp = mb_alloc_ext_plus_pages(PAGE_SIZE, M_WAITOK); - mcp = (char *)(void *) - PHYS_TO_DMAP(mp->m_epg_pa[0]); - bextpgsiz = PAGE_SIZE; - bextpg = 0; - } else { - if (clflg != 0) - NFSMCLGET(mp, M_WAITOK); - else - NFSMGET(mp); - mp->m_len = 0; - mcp = mtod(mp, char *); - } + if (clflg != 0) + NFSMCLGET(mp, M_WAITOK); + else + NFSMGET(mp); + mp->m_len = 0; firstmp = mp2 = mp; while (siz > 0) { left = uiop->uio_iov->iov_len; 
@@ -204,42 +190,27 @@ nfsm_uiombuflist(bool doextpgs, int maxextsiz, struct left = siz; uiosiz = left; while (left > 0) { - if (doextpgs) - mlen = bextpgsiz; - else - mlen = M_TRAILINGSPACE(mp); + mlen = M_TRAILINGSPACE(mp); if (mlen == 0) { - if (doextpgs) { - mp = nfsm_add_ext_pgs(mp, maxextsiz, - &bextpg); - mcp = (char *)(void *)PHYS_TO_DMAP( - mp->m_epg_pa[bextpg]); - mlen = bextpgsiz = PAGE_SIZE; - } else { - if (clflg) - NFSMCLGET(mp, M_WAITOK); - else - NFSMGET(mp); - mp->m_len = 0; - mcp = mtod(mp, char *); - mlen = M_TRAILINGSPACE(mp); - mp2->m_next = mp; - mp2 = mp; - } + if (clflg) + NFSMCLGET(mp, M_WAITOK); + else + NFSMGET(mp); + mp->m_len = 0; + mp2->m_next = mp; + mp2 = mp; + mlen = M_TRAILINGSPACE(mp); } xfer = (left > mlen) ? mlen : left; if (uiop->uio_segflg == UIO_SYSSPACE) - NFSBCOPY(uiocp, mcp, xfer); + NFSBCOPY(uiocp, mtod(mp, caddr_t) + + mp->m_len, xfer); else - copyin(uiocp, mcp, xfer); + copyin(uiocp, mtod(mp, caddr_t) + + mp->m_len, xfer); mp->m_len += xfer; left -= xfer; uiocp += xfer; - mcp += xfer; - if (doextpgs) { - bextpgsiz -= xfer; - mp->m_epg_last_len += xfer; - } uiop->uio_offset += xfer; uiop->uio_resid -= xfer; } @@ -249,14 +220,8 @@ nfsm_uiombuflist(bool doextpgs, int maxextsiz, struct uiop->uio_iov->iov_len -= uiosiz; siz -= uiosiz; } - for (i = 0; i < rem; i++) { - *mcp++ = '\0'; - mp->m_len++; - if (doextpgs) - mp->m_epg_last_len++; - } if (cpp != NULL) - *cpp = mcp; + *cpp = mtod(mp, caddr_t) + mp->m_len; if (mbp != NULL) *mbp = mp; return (firstmp); Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c Wed Jul 8 21:40:27 2020 (r363032) +++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c Thu Jul 9 00:34:07 2020 (r363033) 
@@ -5759,11 +5759,11 @@ nfscl_doiods(vnode_t vp, struct uio *uiop, int *iomode uint32_t rwaccess, int docommit, struct ucred *cred, NFSPROC_T *p) { struct nfsnode *np = VTONFS(vp); - struct nfsmount *nmp = VFSTONFS(vnode_mount(vp)); + struct nfsmount *nmp = VFSTONFS(vp->v_mount); struct nfscllayout *layp; struct nfscldevinfo *dip; struct nfsclflayout *rflp; - struct mbuf *m, *m2; + struct mbuf *m; struct nfsclwritedsdorpc *drpc, *tdrpc; nfsv4stateid_t stateid; struct ucred *newcred; @@ -5775,11 +5775,6 @@ nfscl_doiods(vnode_t vp, struct uio *uiop, int *iomode size_t iovlen = 0; off_t offs = 0; ssize_t resid = 0; - int maxextsiz; - bool doextpgs; -#ifdef KERN_TLS - u_int maxlen; -#endif if (!NFSHASPNFS(nmp) || nfscl_enablecallb == 0 || nfs_numnfscbd == 0 || (np->n_flag & NNOLAYOUT) != 0) @@ -5873,19 +5868,8 @@ nfscl_doiods(vnode_t vp, struct uio *uiop, int *iomode iovbase = uiop->uio_iov->iov_base; iovlen = uiop->uio_iov->iov_len; - doextpgs = false; - maxextsiz = 0; -#ifdef KERN_TLS - if (NFSHASTLS(nmp) && - rpctls_getinfo(&maxlen, - false, false)) { - doextpgs = true; - maxextsiz = maxlen; - } -#endif - m = nfsm_uiombuflist(doextpgs, - maxextsiz, uiop, len, NULL, - NULL); + m = nfsm_uiombuflist(uiop, len, + NULL, NULL); } tdrpc = drpc = malloc(sizeof(*drpc) * (mirrorcnt - 1), M_TEMP, M_WAITOK | @@ -5893,12 +5877,6 @@ nfscl_doiods(vnode_t vp, struct uio *uiop, int *iomode } } for (i = firstmirror; i < mirrorcnt && error == 0; i++){ - if (m != NULL && i < mirrorcnt - 1) - m2 = m_copym(m, 0, M_COPYALL, M_WAITOK); - else { - m2 = m; - m = NULL; - } if ((layp->nfsly_flags & NFSLY_FLEXFILE) != 0) { dev = rflp->nfsfl_ffm[i].dev; dip = nfscl_getdevinfo(nmp->nm_clp, dev, @@ -5915,7 +5893,7 @@ nfscl_doiods(vnode_t vp, struct uio *uiop, int *iomode uiop, iomode, must_commit, &eof, &stateid, rwaccess, dip, layp, rflp, off, xfer, - i, docommit, m2, tdrpc, + i, docommit, m, tdrpc, newcred, p); else error = nfscl_doflayoutio(vp, 
@@ -5924,13 +5902,12 @@ nfscl_doiods(vnode_t vp, struct uio *uiop, int *iomode dip, layp, rflp, off, xfer, docommit, newcred, p); nfscl_reldevinfo(dip); - } else { - m_freem(m2); + } else error = EIO; - } tdrpc++; } - m_freem(m); + if (m != NULL) + m_freem(m); tdrpc = drpc; timo = hz / 50; /* Wait for 20msec. */ if (timo < 1)
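Review bot: The nul padding to a 4-byte multiple is dropped in nfs_clcomsubs.c (the removed `rem = NFSM_RNDUP(siz) - siz;` in the @@ -181,21 +177,11 @@ hunk and the removed `for (i = 0; i < rem; i++)` loop in the @@ -249,14 +220,8 @@ hunk), but the replacement header comment in the @@ -156,24 +156,20 @@ hunk does not say that the returned list is now unpadded. Please state in that comment that the caller is responsible for rounding up to NFSM_RNDUP(siz) when siz is not a multiple of 4, so the contract change is visible at the definition. While there, the context line `NOTE: can ony handle iovcnt == 1` has a typo, and the KASSERT string still names nfsm_uiotombuf rather than nfsm_uiombuflist.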
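Review bot: The return value of copyin() is discarded in the inner loop of the @@ -204,42 +190,27 @@ hunk (`copyin(uiocp, mtod(mp, caddr_t) + mp->m_len, xfer);`), and `mp->m_len += xfer` runs regardless, so a faulting user address would leave bytes that were never written counted as write data in the list sent to the DSs. The removed lines ignored the result as well, but since the call is being rewritten here, consider checking it, freeing firstmp on failure and returning an error indication that the caller in nfscl_doiods() handles.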
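Review bot: Ownership of m in the mirror loop of nfscl_doiods() (the @@ -5893,12 +5877,6 @@ hunk and the two that follow it) is no longer obvious. The per-mirror `m_copym(m, 0, M_COPYALL, M_WAITOK)` and the `m_freem(m2)` on the error branch are gone, the same m is now handed to every mirror's I/O call, and it is freed once after the loop. That is only safe if the callee never frees or trims the list it is given and always works on its own nfsm_copym() copy, as the commit log implies. A short comment at the call site saying so would guard against a later double free or use after free. The added `if (m != NULL)` guard also looks unnecessary, since the old code called m_freem(m) unconditionally after setting `m = NULL`.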
From: Rick Macklem
Date: Sat, 11 Jul 2020 03:39:44 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r363089 - in projects/nfs-over-tls/sys/rpc: . rpcsec_tls

Author: rmacklem
Date: Sat Jul 11 03:39:44 2020
New Revision: 363089
URL: https://svnweb.freebsd.org/changeset/base/363089

Log:
  Close a couple of windows where, if the TLS upcall daemon terminated,
  the socket would not be closed properly.
  This patch closes these windows by setting the flag that indicates that
  a handshake is in progress just when the socket is associated with a
  file descriptor for the daemon.

Modified:
  projects/nfs-over-tls/sys/rpc/clnt_rc.c
  projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c

Modified: projects/nfs-over-tls/sys/rpc/clnt_rc.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/clnt_rc.c Fri Jul 10 22:59:26 2020 (r363088) +++ projects/nfs-over-tls/sys/rpc/clnt_rc.c Sat Jul 11 03:39:44 2020 (r363089) 
@@ -198,16 +198,6 @@ clnt_reconnect_connect(CLIENT *cl) (struct sockaddr *) &rc->rc_addr, rc->rc_prog, rc->rc_vers, rc->rc_sendsz, rc->rc_recvsz, rc->rc_intr); if (rc->rc_tls && newclient != NULL) { - /* - * Set ssl refno so that clnt_vc_destroy() will not - * close the socket and will leave that for the - * daemon to do. It is possible that the upcall - * will time out, so that closing the socket via - * the CLNT_CLOSE() below would happen too soon. - */ - ssl[0] = ssl[1] = 0; - ssl[2] = RPCTLS_REFNO_HANDSHAKE; - CLNT_CONTROL(newclient, CLSET_TLS, ssl); printf("at rpctls_connect\n"); stat = rpctls_connect(newclient, so, ssl, &reterr); printf("aft rpctls_connect=%d ssl=%jd\n", stat, (uintmax_t)ssl[2]); Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Fri Jul 10 22:59:26 2020 (r363088) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Sat Jul 11 03:39:44 2020 (r363089) @@ -75,14 +75,16 @@ static struct syscall_helper_data rpctls_syscalls[] = static CLIENT *rpctls_connect_handle; static struct mtx rpctls_connect_lock; static struct socket *rpctls_connect_so = NULL; +static CLIENT *rpctls_connect_cl = NULL; static CLIENT *rpctls_server_handle; static struct mtx rpctls_server_lock; static struct socket *rpctls_server_so = NULL; +static SVCXPRT *rpctls_server_xprt = NULL; static struct opaque_auth rpctls_null_verf; static CLIENT *rpctls_connect_client(void); static CLIENT *rpctls_server_client(void); -static enum clnt_stat rpctls_server(struct socket *so, +static enum clnt_stat rpctls_server(SVCXPRT *xprt, struct socket *so, uint32_t *flags, uint64_t *sslp, uid_t *uid, int *ngrps, gid_t **gids); 
@@ -113,9 +115,11 @@ sys_rpctls_syscall(struct thread *td, struct rpctls_sy struct netconfig *nconf; struct file *fp; struct socket *so; + SVCXPRT *xprt; char path[MAXPATHLEN]; int fd = -1, error, try_count; - CLIENT *cl, *oldcl; + CLIENT *cl, *oldcl, *concl; + uint64_t ssl[3]; struct timeval timeo; #ifdef KERN_TLS u_int maxlen; @@ -272,11 +276,21 @@ printf("In connect\n"); mtx_lock(&rpctls_connect_lock); so = rpctls_connect_so; rpctls_connect_so = NULL; + concl = rpctls_connect_cl; + rpctls_connect_cl = NULL; mtx_unlock(&rpctls_connect_lock); if (so != NULL) { error = falloc(td, &fp, &fd, 0); printf("falloc=%d fd=%d\n", error, fd); if (error == 0) { + /* + * Set ssl refno so that clnt_vc_destroy() will + * not close the socket and will leave that for + * the daemon to do. + */ + ssl[0] = ssl[1] = 0; + ssl[2] = RPCTLS_REFNO_HANDSHAKE; + CLNT_CONTROL(concl, CLSET_TLS, ssl); finit(fp, FREAD | FWRITE, DTYPE_SOCKET, so, &socketops); fdrop(fp, td); /* Drop fp reference. */ @@ -291,11 +305,21 @@ printf("In srvconnect\n"); mtx_lock(&rpctls_server_lock); so = rpctls_server_so; rpctls_server_so = NULL; + xprt = rpctls_server_xprt; + rpctls_server_xprt = NULL; mtx_unlock(&rpctls_server_lock); if (so != NULL) { error = falloc(td, &fp, &fd, 0); printf("falloc=%d fd=%d\n", error, fd); if (error == 0) { + /* + * Once this file descriptor is associated + * with the socket, it cannot be closed by + * the server side krpc code (svc_vc.c). + */ + sx_xlock(&xprt->xp_lock); + xprt->xp_tls = RPCTLS_FLAGS_HANDSHFAIL; + sx_xunlock(&xprt->xp_lock); finit(fp, FREAD | FWRITE, DTYPE_SOCKET, so, &socketops); fdrop(fp, td); /* Drop fp reference. */ @@ -387,6 +411,7 @@ printf("aft NULLRPC=%d\n", stat); "rtlscn", 0); rpctls_connect_busy = true; rpctls_connect_so = so; + rpctls_connect_cl = newclient; mtx_unlock(&rpctls_connect_lock); printf("rpctls_conect so=%p\n", so); 
@@ -423,6 +448,7 @@ printf("did soshutdown rd\n"); /* Once the upcall is done, the daemon is done with the fp and so. */ mtx_lock(&rpctls_connect_lock); rpctls_connect_so = NULL; + rpctls_connect_cl = NULL; rpctls_connect_busy = false; wakeup(&rpctls_connect_busy); mtx_unlock(&rpctls_connect_lock); @@ -551,7 +577,7 @@ printf("aft srv disconnect upcall=%d\n", stat); /* Do an upcall for a new server socket using TLS. */ static enum clnt_stat -rpctls_server(struct socket *so, uint32_t *flags, uint64_t *sslp, +rpctls_server(SVCXPRT *xprt, struct socket *so, uint32_t *flags, uint64_t *sslp, uid_t *uid, int *ngrps, gid_t **gids) { enum clnt_stat stat; @@ -575,6 +601,7 @@ printf("server_client=%p\n", cl); "rtlssn", 0); rpctls_server_busy = true; rpctls_server_so = so; + rpctls_server_xprt = xprt; mtx_unlock(&rpctls_server_lock); printf("rpctls_conect so=%p\n", so); @@ -611,6 +638,7 @@ printf("aft server upcall stat=%d flags=0x%x\n", stat, /* Once the upcall is done, the daemon is done with the fp and so. */ mtx_lock(&rpctls_server_lock); rpctls_server_so = NULL; + rpctls_server_xprt = NULL; rpctls_server_busy = false; wakeup(&rpctls_server_busy); mtx_unlock(&rpctls_server_lock); @@ -686,7 +714,7 @@ printf("authtls: null reply=%d\n", call_stat); } /* Do an upcall to do the TLS handshake. */ - stat = rpctls_server(rqst->rq_xprt->xp_socket, &flags, + stat = rpctls_server(xprt, xprt->xp_socket, &flags, ssl, &uid, &ngrps, &gidp); /* Re-enable reception on the socket within the krpc. */ @@ -704,9 +732,6 @@ printf("authtls: null reply=%d\n", call_stat); xprt->xp_gidp = gidp; printf("got uid=%d ngrps=%d gidp=%p\n", uid, ngrps, gidp); } - } else { - /* Mark that TLS handshake failed. */ - xprt->xp_tls = RPCTLS_FLAGS_HANDSHFAIL; } sx_xunlock(&xprt->xp_lock); xprt_active(xprt); /* Harmless if already active. */
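Review bot: In clnt_reconnect_connect() (clnt_rc.c, @@ -198,16 +198,6 @@), removing `ssl[0] = ssl[1] = 0; ssl[2] = RPCTLS_REFNO_HANDSHAKE;` leaves nothing in the visible lines that initializes ssl before it is passed to rpctls_connect() and before `(uintmax_t)ssl[2]` is printed afterwards. If rpctls_connect() can return an error without filling in ssl, that printf reads an indeterminate value, and so would any later use. Either keep a zero initialization here or document that rpctls_connect() always writes all three elements. The debugging printf() calls around the call should also be removed before this leaves the project branch.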
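Review bot: In the connect case of sys_rpctls_syscall() (@@ -272,11 +276,21 @@), concl is never checked: the guard is `if (so != NULL)` only, and `CLNT_CONTROL(concl, CLSET_TLS, ssl)` runs after rpctls_connect_lock has been dropped and after falloc(). Nothing in these lines holds a reference on the CLIENT across that window, while rpctls_connect() clears rpctls_connect_cl once the upcall is done, and the comment removed from clnt_rc.c notes that the upcall can time out and be followed by a CLNT_CLOSE(). Please either take a reference on the client while still holding the mutex and release it after CLNT_CONTROL(), or explain in the new comment why concl cannot go away here. The same question applies to xprt in the srvconnect case in the next hunk.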
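Review bot: RPCTLS_FLAGS_HANDSHFAIL now carries two meanings. In the srvconnect case (@@ -291,11 +305,21 @@) it is set on xprt->xp_tls as soon as the descriptor is associated with the socket, before any handshake has run, and in the last hunk (@@ -704,9 +732,6 @@) the `else` branch that set it when rpctls_server() failed is removed. A failure that occurs before the daemon issues the srvconnect syscall therefore no longer marks the transport at all, and a successful handshake depends on the success path overwriting the flag, which these lines do not show. Please confirm both paths, and either extend the new comment to say that the flag means the daemon owns the socket at this point or add a separately named flag for that state.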