Setup NBD with TLS

To: nbd@other.debian.org
Subject: Setup NBD with TLS
From: Turakar <turakar23@gmail.com>
Date: Sat, 16 Jul 2022 14:40:16 +0200
Message-id: <[🔎] 618b6ab5-e275-6573-e00d-aa62019089bb@gmail.com>

Hello,

I am currently trying to setup nbd-server/nbd-client with TLS authentication, but I ran into some difficult error messages. If this is the wrong list for support, please feel free to redirect me.

I use one system (Debian 10) for both nbd-server and nbd-client for debugging, but want to move to separate hosts later. I used the following nbd-server config file:

[generic]
       user = root
       group = root
       includedir = /etc/nbd-server/conf.d

       allowlist = true

# TLS setup
       force_tls = true
       cacertfile = /etc/nbd-server/certificates/ca.cert.pem
       certfile = /etc/nbd-server/certificates/server.cert.pem
       keyfile = /etc/nbd-server/certificates/server.key.pem

[export]
       exportname = /dev/system/nixos
       flush = true

I created the certificates as follows:

$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 36500 -key ca.key -out ca.cert.pem
$ openssl genrsa -out server.key 4096
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 36500 -in server.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out server.crt
$ openssl genrsa -out client.key.pem 4096
$ openssl req -new -key -client.key.pem -out client.csr
$ openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -days 36500 -sha512 -out clien
t.cert.pem

And use the following command for testing the connection:

$ nbd-client -l localhost -certfile /etc/nbd-server/certificates/client.cert.
pem -keyfile /etc/nbd-server/certificates/client.key.pem -cacertfile /etc/nbd-server/certificates/ca.cert.pem -n
Negotiation: ..
Error: Reading magic from server: Connection reset by peer
Exiting.

Thereby, the server log says this:

Jul 16 14:21:28 mini systemd[1]: Started LSB: Network Block Device server.
Jul 16 14:21:30 mini nbd_server[26099]: Spawned a child process
Jul 16 14:21:30 mini nbd_server[26099]: Child exited with 1

Not that informative... Can someone of you spot the problem in my configuration?

Remarks: If I set force_tls = False and do not use the certificates with nbd-client, it works fine. However, I need TLS encryption for my use case.

Thank you and kind regards,
Turakar

Reply to:

Follow-Ups:
- Re: Setup NBD with TLS
  - From: Turakar <turakar23@gmail.com>

Prev by Date: Re: [PATCH v3 6/6] blk-mq: Drop local variable for reserved tag
Next by Date: Re: Setup NBD with TLS
Previous by thread: Re: [PATCH v3 6/6] blk-mq: Drop local variable for reserved tag
Next by thread: Re: Setup NBD with TLS
Index(es):
- Date
- Thread