9fans - fans of the OS Plan 9 from Bell Labs
From: John Floren <john@jfloren.net>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: [9fans] encrypting 9P traffic
Date: Wed, 27 Jul 2011 16:43:02 -0700
Message-ID: <CAL4LZyjcj++m_mkubcQv-OuCotP45MK+EaHj+bX7Vkj6ou+BMg@mail.gmail.com>

I'm preparing to go to Defcon next week, and to help avoid getting
owned I'm planning to bring along a Plan 9 laptop. I'd like to be able
to mount, say, my home fileserver while I'm there, but 9P traffic goes
out unencrypted if you use "srv" rather than "import -E ssl". This got
me to fiddling with tlssrvtunnel and tlsclienttunnel, but I've run
into some problems:

(gozer is the cpu server, x61 is the terminal)

gozer% tlssrvtunnel tcp!gozer!564 tcp!*!12345 cert.pem # I created cert.pem using auth/rsagen, rsa2x509, and pemencode
listen started
gozer%

# I did sha1sum of cert.pem and, on the client side, created "thumb"
# containing "x509 sha1=<hash> cn=*.<myauthdomain>" where myauthdomain
# is the same domain I used to create the cert
x61% tlsclienttunnel tcp!gozer!12345 tcp!*!564 thumb
x61% srv net!x61!564 x61
x61% mount /srv/x61 /n/x61
mount: mount /n/x61: EOF receiving fversion reply


I can't seem to find any mention of these programs in 9fans except for
the initial announcement of their creation. Did I do something wrong
along the way? I'm not very familiar with TLS so it's definitely
possible.

On a more general note, I've decided that probably the smartest option
will be to "import -E ssl myhomesystem /net" (because after 9 years,
import still doesn't support TLS or SSL v3) so I can essentially
tunnel all communication out that way... I'll have to use the open
wifi, since Plan 9 doesn't do WPA, and I wouldn't trust Defcon's WPA
network either in any case. Can anyone think of a problem with this
plan, besides the fact that anyone sniffing packets will figure out
that the owner of jfloren.net is quite probably in attendance?


John
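
Added example, not part of the original message and not Plan 9 code: a TLS server presents its certificate in binary (DER) form, so a SHA-1 pin such as the "thumb" entry above is matched against the digest of those bytes, which is not the same value as a digest of the PEM file on disk. The sketch below computes both from a constructed stand-in for cert.pem; the function names, the sample bytes and the cn value "*.example.com" are assumptions for illustration.

```python
import base64
import hashlib
import re

# Matches one PEM-armored certificate and captures its base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the binary (DER) bytes carried inside a PEM CERTIFICATE block."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())          # drop line breaks in the armor
    return base64.b64decode(body, validate=True)


def thumb_line(pem_text, cn):
    """Build an entry in the form quoted in the message, hashing the DER bytes."""
    digest = hashlib.sha1(pem_to_der(pem_text)).hexdigest()
    return f"x509 sha1={digest} cn={cn}"


def file_digest(pem_text):
    """SHA-1 of the PEM file as stored (armor lines and base64 text included)."""
    return hashlib.sha1(pem_text.encode("ascii")).hexdigest()


# Constructed stand-in for cert.pem: 96 arbitrary bytes, not a real certificate.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # cn is a placeholder; the message uses *.<myauthdomain>.
    print("digest of PEM file:", file_digest(SAMPLE_PEM))
    print("thumb entry (DER): ", thumb_line(SAMPLE_PEM, "*.example.com"))
```

The two printed digests differ because the PEM file contains the armor lines and base64 text rather than the certificate bytes themselves.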


