[prev in list] [next in list] [prev in thread] [next in thread]
List: drbd-user
Subject: Can't get tls via ktls-utils working on drbd-utils 9.27.0
From: Alexander <twilight.idea () gmail ! com>
Date: 2024-04-10 10:28:20
Message-ID: D36BFC5E-8543-4C4D-A45C-CBCF4C94DFCE () gmail ! com
[Download RAW message or body]
Can't get it working with ktls-utils.
Got drbd on 3 nodes, all in sync, works just fine.
Then I have added net { tls yes; } on all these nodes.
Got this:
dmesg
[ 1897.683054] drbd beta b2.domain.tld: conn( NetworkFailure -> Unconnected ) \
[disconnected] [ 1898.469975] drbd beta b0.domain.tld: conn( Unconnected -> \
Connecting ) [connecting] [ 1898.693995] drbd beta b2.domain.tld: conn( Unconnected \
-> Connecting ) [connecting] [ 1899.045185] drbd beta tcp:b0.domain.tld: \
dtt_send_page: size=80 len=80 sent=-95 [ 1899.046412] drbd beta b0.domain.tld: conn( \
Connecting -> NetworkFailure ) [disconnected] [ 1899.047512] drbd beta b0.domain.tld: \
Terminating sender thread
journalctl -f -u tlshd
Apr 10 10:18:12 b1.domain.tld tlshd[8385]: Handshake with b2.domain.tld (192.168.Y.Z) \
was successful
Apr 10 10:18:12 b1.domain.tld tlshd[8386]: Handshake with b2.domain.tld (192.168.Y.Z) \
was successful
Apr 10 10:18:13 b1.domain.tld tlshd[8390]: Handshake with b0.domain.tld (192.168.0.X) \
was successful
Apr 10 10:18:13 b1.domain.tld tlshd[8389]: Handshake with b0.domain.tld (192.168.0.X) \
was successful ^^ fine on all nodes.
On verbose node also this:
DBG<1>././lib/cache_mngt.c:302 nl_cache_mngt_unregister: Unregistered cache \
operations genl/family
I have certs generated as follows Encrypted Replication With DRBD - LINBIT \
<https://linbit.com/blog/encrypted-replication-with-drbd/> just fixed CN to match \
hostnames
drbd-utils 9.27.0-1
ktls-utils 0.10-6
beta role:Secondary
disk:UpToDate quorum:no
b1.domain.tld connection:Connecting
B2.domain.tld connection:NetworkFailure
beta role:Secondary
disk:UpToDate quorum:no
b1.domain.tld connection:Unconnected
B2.domain.tls connection:Unconnected
I have disabled cram-hmac-alg, data-integrity-alg, shared-secret just in case to keep \
net section clean with just "tls yes", no luck.
Is there anything I have forgotten to add to make it all together?
[Attachment #3 (unknown)]
<html><head><meta http-equiv="content-type" content="text/html; \
charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: \
space; line-break: after-white-space;"><div>Can't get it working with \
ktls-utils.</div><div><br></div>Got drbd on 3 nodes, all in sync, works just \
fine.<div><br><div>Then I have added net { tls yes; } on all these \
nodes.</div><div><br></div><div>Got \
this:</div><div><br></div><div>dmesg</div><div><br></div><div><div>[ 1897.683054] \
drbd beta b2.domain.tld: conn( NetworkFailure -> Unconnected ) \
[disconnected]</div><div>[ 1898.469975] drbd beta b0.<span style="caret-color: rgb(0, \
0, 0); color: rgb(0, 0, 0);">domain.tld</span>: conn( Unconnected -> Connecting ) \
[connecting]</div><div>[ 1898.693995] drbd beta b2.<span style="caret-color: rgb(0, \
0, 0); color: rgb(0, 0, 0);">domain.tld</span>: conn( Unconnected -> Connecting ) \
[connecting]</div><div>[ 1899.045185] drbd beta tcp:b0.<span style="caret-color: \
rgb(0, 0, 0); color: rgb(0, 0, 0);">domain.tld</span>: dtt_send_page: size=80 len=80 \
sent=-95</div><div>[ 1899.046412] drbd beta b0.<span style="caret-color: rgb(0, 0, \
0); color: rgb(0, 0, 0);">domain.tld</span>: conn( Connecting -> NetworkFailure ) \
[disconnected]</div><div>[ 1899.047512] drbd beta b0.<span style="caret-color: rgb(0, \
0, 0); color: rgb(0, 0, 0);">domain.tld</span>: Terminating sender \
thread</div></div><div><br></div><div>journalctl -f -u \
tlshd</div><div><br></div><div><div>Apr 10 10:18:12 b1.<span style="caret-color: \
rgb(0, 0, 0); color: rgb(0, 0, 0);">domain.tld</span> tlshd[8385]: Handshake \
with b2.<span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, \
0);">domain.tld</span> (192.168.Y.Z) was successful</div><div>Apr 10 10:18:12 \
b1.<span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, \
0);">domain.tld</span> tlshd[8386]: Handshake with b2.<span style="caret-color: \
rgb(0, 0, 0); color: rgb(0, 0, 0);">domain.tld</span> (192.168.Y.Z) was \
successful</div><div>Apr 10 10:18:13 b1.<span style="caret-color: rgb(0, 0, 0); \
color: rgb(0, 0, 0);">domain.tld</span> tlshd[8390]: Handshake with b0.<span \
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, \
0);">domain.tld</span> (192.168.0.X) was successful</div><div>Apr 10 10:18:13 \
b1.<span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, \
0);">domain.tld</span> tlshd[8389]: Handshake with b0.<span style="caret-color: \
rgb(0, 0, 0); color: rgb(0, 0, 0);">domain.tld</span> (192.168.0.X) was \
successful</div></div><div>^^ fine on all nodes.</div><div><br></div><div>On verbose \
node also this:</div><div><br></div><div>DBG<1>././lib/cache_mngt.c:302 \
nl_cache_mngt_unregister: Unregistered cache operations \
genl/family</div><div><br></div><div>I have certs generated as follows <a \
href="https://linbit.com/blog/encrypted-replication-with-drbd/">Encrypted Replication \
With DRBD - LINBIT</a> just fixed CN to match \
hostnames</div><div><br></div><div>drbd-utils \
9.27.0-1</div><div>ktls-utils \
0.10-6</div><div><br></div><div><div>beta \
role:Secondary</div><div> disk:UpToDate quorum:no</div><div> \
b1.domain.tld connection:Connecting</div><div> B2.domain.tld \
connection:NetworkFailure</div></div><div><br></div><div><br></div><div><div>beta \
role:Secondary</div><div> disk:UpToDate quorum:no</div><div> \
b1.domain.tld connection:Unconnected</div><div> B2.domain.tls \
connection:Unconnected</div></div><div><br></div><div>I have \
disabled cram-hmac-alg, data-integrity-alg, shared-secret just in case \
to keep net section clean with just "tls yes", no luck.</div><div><br></div><div>Is \
there anything I have forgotten to add to make it all \
together?</div></div></body></html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic