From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
Date: Wed, 27 Jul 2011 16:43:02 -0700
Message-ID:
From: John Floren
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [9fans] encrypting 9P traffic
Topicbox-Message-UUID: 077ecbc4-ead7-11e9-9d60-3106f5b1d025

I'm preparing to go to Defcon next week, and to help avoid getting owned I'm planning to bring along a Plan 9 laptop. I'd like to be able to mount, say, my home fileserver while I'm there, but 9P traffic goes out unencrypted if you use "srv" rather than "import -E ssl".

This got me to fiddling with tlssrvtunnel and tlsclienttunnel, but I've run into some problems:

(gozer is the cpu server, x61 is the terminal)

gozer% tlssrvtunnel tcp!gozer!564 tcp!*!12345 cert.pem # I created cert.pem using auth/rsagen, rsa2x509, and pemencode
listen started
gozer%

# I did sha1sum of cert.pem and, on the client side, created "thumb" containing "x509 sha1= cn=*." where myauthdomain is the same domain I used to create the cert

x61% tlsclienttunnel tcp!gozer!12345 tcp!*!564 thumb
x61% srv net!x61!564 x61
x61% mount /srv/x61 /n/x61
mount: mount /n/x61: EOF receiving fversion reply

I can't seem to find any mention of these programs in 9fans except for the initial announcement of their creation. Did I do something wrong along the way? I'm not very familiar with TLS so it's definitely possible.

On a more general note, I've decided that probably the smartest option will be to "import -E ssl myhomesystem /net" (because after 9 years, import still doesn't support TLS or SSL v3) so I can essentially tunnel all communication out that way... I'll have to use the open wifi, since Plan 9 doesn't do WPA, and I wouldn't trust Defcon's WPA network either in any case. Can anyone think of a problem with this plan, besides the fact that anyone sniffing packets will figure out that the owner of jfloren.net is quite probably in attendance?

John
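
Added example, not part of John's message and not Plan 9's own code: thumbprint(6) describes the sha1= value as the checksum of the binary (DER) certificate, which differs from what sha1sum prints for the PEM-armored file. The Python below computes both for a constructed stand-in certificate and classifies a thumbprint entry against it; the function names, the sample bytes and any cn value passed in are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file to its DER bytes."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def der_thumbprint(pem_text):
    """SHA-1 over the binary certificate: the value a sha1= attribute carries."""
    return hashlib.sha1(pem_to_der(pem_text)).hexdigest()

def file_digest(pem_text):
    """SHA-1 over the PEM file as stored (armor lines, base64 text, newlines)."""
    return hashlib.sha1(pem_text.encode("ascii")).hexdigest()

def thumb_line(pem_text, cn=None):
    """Build a thumbprint entry in the "x509 sha1=... cn=..." form."""
    line = "x509 sha1=" + der_thumbprint(pem_text)
    return line + " cn=" + cn if cn else line

def check_thumb_entry(entry, pem_text):
    """Classify the sha1= value of a thumbprint entry against a certificate."""
    m = re.search(r"\bsha1=([0-9a-fA-F]{40})\b", entry)
    if m is None:
        return "no sha1 attribute"
    value = m.group(1).lower()
    if value == der_thumbprint(pem_text):
        return "matches certificate"
    if value == file_digest(pem_text):
        return "digest of the PEM file, not the certificate"
    return "no match"

# Constructed stand-in: arbitrary bytes in PEM armor, not a real X.509
# certificate. Only the encoding layers matter for the comparison.
SAMPLE_DER = bytes(range(64)) * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("sha1 of PEM file:", file_digest(SAMPLE_PEM))
    print("thumbprint entry:", thumb_line(SAMPLE_PEM))
```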