1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
=head1 NAME
nbd_opt_starttls - request the server to initiate TLS
=head1 SYNOPSIS
#include <libnbd.h>
int nbd_opt_starttls (
struct nbd_handle *h
);
=head1 DESCRIPTION
Request that the server initiate a secure TLS connection, by
sending C<NBD_OPT_STARTTLS>. This can only be used if
L<nbd_set_opt_mode(3)> enabled option mode; furthermore, if you
use L<nbd_set_tls(3)> to request anything other than the default
of C<LIBNBD_TLS_DISABLE>, then libnbd will have already attempted
a TLS connection prior to allowing you control over option
negotiation. This command is disabled if L<nbd_supports_tls(3)>
reports false.
This function is mainly useful for integration testing of corner
cases in server handling; in particular, misuse of this function
when coupled with a server that is not careful about resetting
stateful commands such as L<nbd_opt_structured_reply(3)> could
result in a security hole (see CVE-2021-3716 against nbdkit, for
example). Thus, when security is a concern, you should instead
prefer to use L<nbd_set_tls(3)> with C<LIBNBD_TLS_REQUIRE> and
let libnbd negotiate TLS automatically.
This function returns true if the server replies with success,
false if the server replies with an error, and fails only if
the server does not reply (such as for a loss of connection,
which can include when the server rejects credentials supplied
during the TLS handshake). Note that the NBD protocol documents
that requesting TLS after it is already enabled is a client
error; most servers will gracefully fail a second request, but
that does not downgrade a TLS session that has already been
established, as reported by L<nbd_get_tls_negotiated(3)>.
=head1 RETURN VALUE
This call returns a boolean value.
=head1 ERRORS
On error C<-1> is returned.
Refer to L<libnbd(3)/ERROR HANDLING>
for how to get further details of the error.
The following parameters must not be NULL: C<h>.
For more information see L<libnbd(3)/Non-NULL parameters>.
=head1 HANDLE STATE
nbd_opt_starttls
can be called when the handle is in the following state:
┌─────────────────────────────────────┬─────────────────────────┐
│ Handle created, before connecting │ ❌ error │
│ Connecting │ ❌ error │
│ Connecting & handshaking (opt_mode) │ ✅ allowed │
│ Connected to the server │ ❌ error │
│ Connection shut down │ ❌ error │
│ Handle dead │ ❌ error │
└─────────────────────────────────────┴─────────────────────────┘
=head1 VERSION
This function first appeared in libnbd 1.16.
If you need to test if this function is available at compile time
check if the following macro is defined:
#define LIBNBD_HAVE_NBD_OPT_STARTTLS 1
=head1 SEE ALSO
L<nbd_aio_opt_starttls(3)>,
L<nbd_create(3)>,
L<nbd_get_tls_negotiated(3)>,
L<nbd_opt_structured_reply(3)>,
L<nbd_set_opt_mode(3)>,
L<nbd_set_tls(3)>,
L<nbd_supports_tls(3)>,
L<libnbd(3)>.
=head1 AUTHORS
Eric Blake
Richard W.M. Jones
=head1 COPYRIGHT
Copyright Red Hat
|
