Ok, thanks for the help.

I'm trying to use it with 9vx + latest 9front rootfs that already has this patch applied.

I put my client private key into factotum like this:

% cat client.key.plan9 >> /mnt/factotum/ctl

Then I'm trying to dial with tlsclient:

% tlsclient -D -c client.crt.pem -t ca.crt.pem tcp!127.0.0.1!5640

As you told me, if there is no certificate chain verification, I may better provide the server certificate instead of the ca's:

% tlsclient -D -c client.crt.pem -t server.crt.pem tcp!127.0.0.1!5640

Is it the right thing to do? I read the man page but I don't get what tlsclient does that allows me to finally mount the fs.

For now, I get the error message "could not negociate acceptable security parameters". I tried disabling client authentication on the server side. Same error message.

Maybe it is because I use the cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA which might not be supported...

2013/12/19 David du Colombier <0intro@gmail.com>

> > I think I also need to add the server's CA's certificate, so factotum
> > can check the server identity. Right?
>
> Factotum is meant to store the private keys. The CA certificate
> would probably have its place in /sys/lib/tls (in PEM format).
> However, this is not needed, since the current X.509 implementation
> in Plan 9 doesn't verify certificate chain.
>
> Also, TLS client authentication isn't currently supported in Plan 9,
> but you could try Christian Kellermann's implementation.
>
> http://plan9.bell-labs.com/sources/patch/maybe/tls-client-auth/
>
> hget http://www.9legacy.org/9legacy/patch/tls-client-auth.diff |
> ape/patch -p0
>
> --
> David du Colombier
>

--
Jean-André Santoni