Ok thanks for the help.

I'm trying to use it with 9vx + the latest 9front rootfs that already has
this patch applied.

I put my client private key into factotum like this:
% cat client.key.plan9 >> /mnt/factotum/ctl

Then I'm trying to dial with tlsclient:
% tlsclient -D -c client.crt.pem -t ca.crt.pem tcp!127.0.0.1!5640

As you told me, if there is no certificate chain verification, it may be better
to provide the server certificate instead of the CA's:
% tlsclient -D -c client.crt.pem -t server.crt.pem tcp!127.0.0.1!5640

Is it the right thing to do? I read the man page but I don't get what
tlsclient does that allows me to finally mount the fs.

For now, I get the error message "could not negociate acceptable security
parameters".

I tried disabling client authentication on the server side. Same error
message.

Maybe it is because I use the cipher suite
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA which might not be supported...


2013/12/19 David du Colombier <[email protected]>

> > I think I also need to add the server's CA's certificate, so factotum
> > can check the server identity. Right?
>
> Factotum is meant to store the private keys. The CA certificate
> would probably have its place in /sys/lib/tls (in PEM format).
> However, this is not needed, since the current X.509 implementation
> in Plan 9 doesn't verify certificate chain.
>
> Also, TLS client authentication isn't currently supported in Plan 9,
> but you could try Christian Kellermann's implementation.
>
> http://plan9.bell-labs.com/sources/patch/maybe/tls-client-auth/
>
> hget http://www.9legacy.org/9legacy/patch/tls-client-auth.diff |
> ape/patch -p0
>
> --
> David du Colombier
>
>


-- 
Jean-André Santoni
