svn commit: r361101 - projects/nfs-over-tls/sys/rpc
Benjamin Kaduk
bjkfbsd at gmail.com
Sat May 16 05:26:17 UTC 2020
On Fri, May 15, 2020 at 7:43 PM Rick Macklem <rmacklem at freebsd.org> wrote:
> Author: rmacklem
> Date: Sat May 16 02:43:27 2020
> New Revision: 361101
> URL: https://svnweb.freebsd.org/changeset/base/361101
>
> Log:
> Add support for doing upcalls to the rpctlscd daemon to the krpc client
> when TLS non-application data records are received.
>
> This is similar to code added to the krpc server side. However, since
> soreceive() is called in a socket upcall where it cannot sleep, the
> code needed to get a thread that is in clnt_vc_call() to do the
> upcall.
> The ct_dontrcv boolean was changed to a 5 state variable to indicate
> when/if an upcall is done.
>
> This code hasn't really been tested, since I don't know how to get
> TLS1.2 to put a non-application data record in the stream, except when
> doing SSL_shutdown() (a close alert) and this is initiated by the
> client when the socket is closing.
>
>
A typical way to do so is to perform renegotiation (e.g., send a ClientHello
in the encrypted stream). Renegotiation has some pretty weird properties to
it and isn't in TLS 1.3 at all, but it should get you non-application-data
records
in a TLS 1.2 connection.
In openssl look at the SSL_renegotiate() API.
-Ben
More information about the svn-src-projects
mailing list