Can't get tls via ktls-utils working on drbd-utils 9.27.0

Alexander twilight.idea at gmail.com
Wed Apr 10 12:28:20 CEST 2024


Can’t get it working with ktls-utils.

Got drbd on 3 nodes, all in sync, works just fine.

Then I added net { tls yes; } on all these nodes.

Got this:

dmesg

[ 1897.683054] drbd beta b2.domain.tld: conn( NetworkFailure -> Unconnected ) [disconnected]
[ 1898.469975] drbd beta b0.domain.tld: conn( Unconnected -> Connecting ) [connecting]
[ 1898.693995] drbd beta b2.domain.tld: conn( Unconnected -> Connecting ) [connecting]
[ 1899.045185] drbd beta tcp:b0.domain.tld: dtt_send_page: size=80 len=80 sent=-95
[ 1899.046412] drbd beta b0.domain.tld: conn( Connecting -> NetworkFailure ) [disconnected]
[ 1899.047512] drbd beta b0.domain.tld: Terminating sender thread

journalctl -f -u tlshd

Apr 10 10:18:12 b1.domain.tld tlshd[8385]: Handshake with b2.domain.tld (192.168.Y.Z) was successful
Apr 10 10:18:12 b1.domain.tld tlshd[8386]: Handshake with b2.domain.tld (192.168.Y.Z) was successful
Apr 10 10:18:13 b1.domain.tld tlshd[8390]: Handshake with b0.domain.tld (192.168.0.X) was successful
Apr 10 10:18:13 b1.domain.tld tlshd[8389]: Handshake with b0.domain.tld (192.168.0.X) was successful
^^ fine on all nodes.

On the verbose node, also this:

DBG<1>././lib/cache_mngt.c:302  nl_cache_mngt_unregister: Unregistered cache operations genl/family

I generated the certs following "Encrypted Replication With DRBD - LINBIT" <https://linbit.com/blog/encrypted-replication-with-drbd/>, just fixed the CN to match the hostnames.

drbd-utils                  9.27.0-1
ktls-utils                    0.10-6

beta role:Secondary
  disk:UpToDate quorum:no
  b1.domain.tld connection:Connecting
  B2.domain.tld connection:NetworkFailure


beta role:Secondary
  disk:UpToDate quorum:no
  b1.domain.tld connection:Unconnected
  B2.domain.tls connection:Unconnected

I have disabled cram-hmac-alg, data-integrity-alg and shared-secret, just in case, to keep the net section clean with just "tls yes"; no luck.

Is there anything I have forgotten to add to make it all work together?