Date: Fri, 15 May 2020 22:26:04 -0700
From: Benjamin Kaduk <bjkfbsd@gmail.com>
To: Rick Macklem <rmacklem@freebsd.org>
Cc: src-committers <src-committers@freebsd.org>, svn-src-projects@freebsd.org
Subject: Re: svn commit: r361101 - projects/nfs-over-tls/sys/rpc
Message-ID: <CAJ5_RoDZF79aghNoQAjtaQ2ygWicEFLv2EShwR87QYGzbg2azQ@mail.gmail.com>
In-Reply-To: <202005160243.04G2hSIn006010@repo.freebsd.org>
References: <202005160243.04G2hSIn006010@repo.freebsd.org>
On Fri, May 15, 2020 at 7:43 PM Rick Macklem <rmacklem@freebsd.org> wrote:
> Author: rmacklem
> Date: Sat May 16 02:43:27 2020
> New Revision: 361101
> URL: https://svnweb.freebsd.org/changeset/base/361101
>
> Log:
>   Add support for doing upcalls to the rpctlscd daemon to the krpc client
>   when TLS non-application data records are received.
>
>   This is similar to code added to the krpc server side. However, since
>   soreceive() is called in a socket upcall where it cannot sleep, the
>   code needed to get a thread that is in clnt_vc_call() to do the
>   upcall.
>   The ct_dontrcv boolean was changed to a 5 state variable to indicate
>   when/if an upcall is done.
>
>   This code hasn't really been tested, since I don't know how to get
>   TLS1.2 to put a non-application data record in the stream, except when
>   doing SSL_shutdown() (a close alert) and this is initiated by the
>   client when the socket is closing.
>

A typical way to do so is to perform renegotiation (e.g., send a ClientHello
in the encrypted stream).  Renegotiation has some pretty weird properties to
it and isn't in TLS 1.3 at all, but it should get you non-application-data
records in a TLS 1.2 connection.  In OpenSSL look at the SSL_renegotiate()
API.

-Ben
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJ5_RoDZF79aghNoQAjtaQ2ygWicEFLv2EShwR87QYGzbg2azQ>
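The thread above turns on telling TLS non-application-data records (a handshake record from renegotiation, the close_notify alert that SSL_shutdown() sends) apart from application data in a received byte stream, and on the fact that a receive path like soreceive() can hand over a record that is not yet complete. The following C program is an added illustration and is not part of this e-mail thread, of the FreeBSD krpc code or of OpenSSL: it walks a buffer of concatenated TLS 1.2 records, classifies each by its content-type byte, counts the cases a client would have to hand off to a daemon, and stops at a trailing partial record so the caller can buffer it for the next receive. All identifiers (tls_scan_records, struct tls_record_stats, the TLS_CT_* enum, the sample stream) are this example's own. The close_notify check assumes the record body is already decrypted, as it is once a kernel TLS layer hands the record up; on the wire only the content-type byte of a TLS 1.2 record is visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Record-layer content types from RFC 5246, section 6.2.1.  Enum names are
 * this example's own, not OpenSSL's or the FreeBSD krpc's.
 */
enum tls_content_type {
	TLS_CT_CHANGE_CIPHER_SPEC = 20,
	TLS_CT_ALERT = 21,
	TLS_CT_HANDSHAKE = 22,
	TLS_CT_APPLICATION_DATA = 23
};

#define TLS_RECORD_HDR_LEN 5
/* 2^14 bytes of plaintext plus the 2048 bytes of expansion RFC 5246 allows. */
#define TLS_MAX_RECORD_LEN (16384 + 2048)

struct tls_record_stats {
	size_t app_data;       /* application_data records seen */
	size_t non_app_data;   /* handshake/alert/CCS: the "upcall" cases */
	size_t close_notify;   /* alerts whose body is warning/close_notify */
	size_t bytes_consumed; /* bytes covered by complete records */
	int error;             /* set when a record header is malformed */
};

static size_t
be16(const uint8_t *p)
{
	return (((size_t)p[0] << 8) | p[1]);
}

/*
 * Walk the records in buf[0..len).  Complete records are classified; a
 * trailing partial record is left unconsumed (see st->bytes_consumed) so the
 * caller can carry it over to the next receive.  Returns the number of
 * complete records.
 */
size_t
tls_scan_records(const uint8_t *buf, size_t len, struct tls_record_stats *st)
{
	size_t off = 0, nrec = 0;

	memset(st, 0, sizeof(*st));
	while (len - off >= TLS_RECORD_HDR_LEN) {
		uint8_t type = buf[off];
		size_t rlen = be16(buf + off + 3);
		const uint8_t *body = buf + off + TLS_RECORD_HDR_LEN;

		/* Bytes 1-2 hold the legacy version; not checked here, since a
		 * first ClientHello may carry 0x0301 on a TLS 1.2 stream. */
		if (type < TLS_CT_CHANGE_CIPHER_SPEC ||
		    type > TLS_CT_APPLICATION_DATA || rlen > TLS_MAX_RECORD_LEN) {
			st->error = 1;
			break;
		}
		if (len - off - TLS_RECORD_HDR_LEN < rlen)
			break;	/* partial record: wait for more data */

		if (type == TLS_CT_APPLICATION_DATA) {
			st->app_data++;
		} else {
			st->non_app_data++;
			/* Assumes a decrypted body: level 1 (warning),
			 * description 0 (close_notify). */
			if (type == TLS_CT_ALERT && rlen == 2 &&
			    body[0] == 1 && body[1] == 0)
				st->close_notify++;
		}
		off += TLS_RECORD_HDR_LEN + rlen;
		nrec++;
	}
	st->bytes_consumed = off;
	return (nrec);
}

/* Constructed sample stream, not captured traffic: application_data "hello",
 * a 4-byte handshake record (what a renegotiation ClientHello arrives as),
 * a close_notify alert, and the first 8 bytes of a 16-byte application_data
 * record that is still in flight. */
static const uint8_t sample_stream[] = {
	0x17, 0x03, 0x03, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
	0x16, 0x03, 0x03, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00,
	0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00,
	0x17, 0x03, 0x03, 0x00, 0x10, 'a', 'b', 'c'
};

/* Run the scanner over the sample; returns the number of complete records. */
size_t
demo_scan(struct tls_record_stats *st)
{
	return (tls_scan_records(sample_stream, sizeof(sample_stream), st));
}

int
main(void)
{
	struct tls_record_stats st;
	size_t n = demo_scan(&st);

	printf("%zu complete records: %zu app data, %zu non-app data "
	    "(%zu close_notify), %zu bytes consumed, %zu bytes left over\n",
	    n, st.app_data, st.non_app_data, st.close_notify,
	    st.bytes_consumed, sizeof(sample_stream) - st.bytes_consumed);
	return (0);
}
```

Build with `cc -std=c99 -Wall scan.c` and run it. The scanner finds three complete records (one application data, two non-application data, one of which is close_notify) and leaves the 8 trailing bytes of the in-flight record unconsumed; a receive path would prepend those to the next chunk before scanning again. Any non-application-data record is the case where the code in the commit hands control to the rpctlscd daemon rather than treating the bytes as RPC payload.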