[PATCH 0/1] NVMe/TLS connection issues to SPDK

Chris Leech cleech at redhat.com
Mon Jul 21 08:44:35 PDT 2025


On Mon, Jul 21, 2025 at 09:11:22AM +0200, Hannes Reinecke wrote:
> On 7/21/25 04:17, Chris Leech wrote:
> > ...
> > The NVMe/TCP host driver then quickly fails when SPDK sends a TLS "New
> > Session Ticket" message before ICResp.
> > 
> > While possibly pointless due to the transport specification prohibition
> > on session resumption and 0-RTT data, I don't think this is necessarily
> > wrong and the host driver should be able to safely ignore it and
> > continue.
> > 
> Sigh. The neverending discussion.
> Originally I didn't implement key update for NVMe as neither gnutls nor
> the kernel supported it.
> Turns out that key update was implemented last year for ktls, and gnutls
> has support functions (gnutls_session_key_update()) for this, too.
> So we _could_ start looking into it if nvme wouldn't be using the
> ->read_sock() interface.
> This interface just works on skbs, and as such we can't easily get hold
> of the TLS alert data required for figuring out if a New Session Ticket
> message had been sent.

I think this is a bit different, as it's NewSessionTicket and not
KeyUpdate. NewSessionTicket seems to provide an age-limited PSK for
session resumption, allowing additional connections or re-connections to
bypass an expensive certificate handshake. We're only using retained
PSKs and prohibited from session resumption, so while SPDK probably
shouldn't be sending NewSessionTicket it should also be safe for the host
to just filter it out of the data stream and never use it.

- Chris
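
The filtering discussed in this message, as an added sketch that is not part of the original e-mail and is not code from the kernel's NVMe/TCP or TLS layers: a classifier for decrypted post-handshake TLS 1.3 records that drops NewSessionTicket, reports KeyUpdate separately, and passes application data through. The function name, the verdict enum and the sample bytes are hypothetical; it assumes the caller already has each record's content type and plaintext, and it does not reassemble handshake messages fragmented across records.

```c
#include <stddef.h>
#include <stdint.h>

/* TLS 1.3 (RFC 8446) record content types and handshake message types */
enum { CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APPDATA = 23 };
enum { HS_NEW_SESSION_TICKET = 4, HS_KEY_UPDATE = 24 };

/* Hypothetical verdicts for this sketch, not kernel identifiers */
enum verdict { REC_DELIVER, REC_SKIP, REC_NEED_REKEY, REC_FAIL };

/* Constructed sample: NewSessionTicket header (type 4, length 5) + dummy body */
const uint8_t sample_nst[] = { 4, 0, 0, 5, 1, 2, 3, 4, 5 };

/* Classify one decrypted record received after the handshake has finished. */
enum verdict classify_record(uint8_t type, const uint8_t *buf, size_t len)
{
    size_t off = 0;

    if (type == CT_APPDATA)
        return REC_DELIVER;        /* NVMe/TCP PDU bytes for the upper layer */
    if (type != CT_HANDSHAKE || len == 0)
        return REC_FAIL;           /* alert, unknown type, or empty handshake */

    /* One handshake record may carry several messages back to back. */
    while (off < len) {
        uint32_t mlen;

        if (len - off < 4)
            return REC_FAIL;       /* truncated 4-byte handshake header */
        mlen = (uint32_t)buf[off + 1] << 16 |
               (uint32_t)buf[off + 2] << 8 | buf[off + 3];
        if (mlen > len - off - 4)
            return REC_FAIL;       /* body runs past the end of the record */
        switch (buf[off]) {
        case HS_NEW_SESSION_TICKET:
            break;                 /* ticket is never used: skip over it */
        case HS_KEY_UPDATE:
            return REC_NEED_REKEY; /* needs real handling, cannot be ignored */
        default:
            return REC_FAIL;       /* no other handshake type is valid here */
        }
        off += 4 + mlen;
    }
    return REC_SKIP;               /* only ignorable messages were present */
}
```

KeyUpdate gets its own verdict because, unlike an unused ticket, ignoring it would leave the receiver decrypting with stale keys.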



