Bug 2148442
| Summary: | Enabling kTLS causes TLS-PSK connections to fail (with fix) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Richard W.M. Jones <rjones> |
| Component: | gnutls | Assignee: | Frantisek Krenzelok <fkrenzel> |
| Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 38 | CC: | ansasaki, crypto-team, dueno, fkrenzel, tm, zfridric |
| Target Milestone: | --- | Flags: | fedora-admin-xmlrpc:
mirror+
|
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-03-21 11:40:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
(Please assign this bug to me if you would like me to fix it) This bug is pretty annoying if, like me, you have kTLS enabled. If you want me to fix it, please assign it to me, but I don't want to make changes to your packages without your consent. Hi, any movement on this, it's still affecting Fedora. Hey, I have filed a PR [1] but the CI fails. I will try to figure out why asap so we can merge. [1] https://src.fedoraproject.org/rpms/gnutls/pull-request/68 Hey, The bug fixing patch with the latest ktls updates was merged to rawhide. This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle. Changing version to 38. There has been no issue reported with the Fix, closing the bug as Fixed |
Description of problem: If you enable kTLS and try a TLS-PSK connection it will fail: $ cat /etc/crypto-policies/local.d/gnutls-ktls.config [global] ktls = true $ psktool -u bob -p keys.psk Generating a random key for user 'bob' Key stored to keys.psk $ nbdkit --tls=require --tls-psk=keys.psk null \ --run 'nbdinfo "nbds://bob@localhost/?tls-psk-file=keys.psk" ' nbdkit: null[1]: error: gnutls_record_recv: Error in the pull function. nbdkit: null[1]: error: reading option: conn->recv: Input/output error nbdinfo: nbd_connect_uri: gnutls_record_recv: Error in the pull function. It turns out this happens because we are missing an upstream commit: commit 67843b3a8e28e4c74296caea2d1019065c87afb3 Author: Frantisek Krenzelok <krenzelok.frantisek> Date: Mon Sep 5 13:05:17 2022 +0200 KTLS: fallback to default If an error occurs during setting of keys either initial or key update then fallback to default mode of operation (disable ktls) and let the user know Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek> lib/handshake.c | 7 ++++++- lib/tls13/key_update.c | 23 +++++++++++++++++++---- 2 files changed, 25 insertions(+), 5 deletions(-) Version-Release number of selected component (if applicable): gnutls-3.7.8-9.fc38.x86_64 How reproducible: 100% Steps to Reproduce: 1. See above. Additional info: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/KX3R7T3AWHESMPL32W72ONA27ERA2B7T/