Re: Potential kTLS issue with TLS-PSK, GnuTLS + Rawhide - how to debug it?

Fri, 25 Nov 2022 05:57:57 -0800 

Turns out this is fixed in upstream gnutls (not the version in
Rawhide).  The commit which fixes it is:

commit 67843b3a8e28e4c74296caea2d1019065c87afb3
Author: Frantisek Krenzelok <krenzelok.franti...@gmail.com>
Date:   Mon Sep 5 13:05:17 2022 +0200

    KTLS: fallback to default
    
    If an error occurs during setting of keys either initial or key update
    then fallback to default mode of operation (disable ktls) and let the
    user know
    
    Signed-off-by: Frantisek Krenzelok <krenzelok.franti...@gmail.com>

 lib/handshake.c        |  7 ++++++-
 lib/tls13/key_update.c | 23 +++++++++++++++++++----
 2 files changed, 25 insertions(+), 5 deletions(-)

With full debugging you can see the message caused by this commit:

nbdkit: null[1]: debug: gnutls: 4: HSK[0x7fc9e00010a0]: TLS 1.3 set read key 
with cipher suite: GNUTLS_CHACHA20_POLY1305_SHA256
nbdkit: null[1]: debug: gnutls: 13: BUF[HSK]: Emptied buffer
nbdkit: null[1]: debug: gnutls: 13: BUF[HSK]: Emptied buffer
nbdkit: null[1]: debug: gnutls: 5: REC[0x7fc9e00010a0]: Start of epoch cleanup
nbdkit: null[1]: debug: gnutls: 5: REC[0x7fc9e00010a0]: Epoch #0 freed
nbdkit: null[1]: debug: gnutls: 5: REC[0x7fc9e00010a0]: Epoch #1 freed
nbdkit: null[1]: debug: gnutls: 5: REC[0x7fc9e00010a0]: End of epoch cleanup
nbdkit: null[1]: debug: gnutls: 1: disabling KTLS: failed to set keys

Is this because kTLS doesn't support PSK?

Anyway I will file a bug to add this commit to Rawhide.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to