>From the proto.md: > NBD_REP_ERR_TLS_REQD (2^31 + 5) > > The server is unwilling to continue negotiation unless TLS is negotiated > first. A server MUST NOT send this error if it has one or more exports that > do not require TLS; not even if the client indicated interest (by way of > NBD_OPT_PEEK_EXPORT) in an export which requires TLS. > > If this reply is used, servers SHOULD send it in reply to each and every > unencrypted NBD_OPT_* message (apart from NBD_OPT_STARTTLS).
I think the last SHOULD is wrong and should be deleted. Firstly, this implies a server should reply with NBD_REP_ERR_TLS_REQD even before it knows the client even supports TLS. That's wrong. It even implies the server should sent it even if *it* doesn't support TLS. Secondly, even if by magic the server somehow knows that the client supports TLS, and it supports TLS too, it makes it impossible for a server to serve both TLS and non-TLS exports as it would force the client to negotiate TLS to process (say) NBD_OPT_LIST, and there's then no way of un-negotiating TLS. I think this should thus be deleted. -- Alex Bligh ------------------------------------------------------------------------------ _______________________________________________ Nbd-general mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nbd-general
