Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2229698/?format=api
{ "id": 2229698, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2229698/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260428160020.226512-1-henrique.carvalho@suse.com/", "project": { "id": 12, "url": "http://patchwork.ozlabs.org/api/1.1/projects/12/?format=api", "name": "Linux CIFS Client", "link_name": "linux-cifs-client", "list_id": "linux-cifs.vger.kernel.org", "list_email": "linux-cifs@vger.kernel.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260428160020.226512-1-henrique.carvalho@suse.com>", "date": "2026-04-28T16:00:20", "name": "[v2,11/11] docs: smb: document SMB3 over QUIC setup for cifs.ko and ksmbd.ko", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "3cf1595943336150a328f8440f0bb7513c307241", "submitter": { "id": 89563, "url": "http://patchwork.ozlabs.org/api/1.1/people/89563/?format=api", "name": "Henrique Carvalho", "email": "henrique.carvalho@suse.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260428160020.226512-1-henrique.carvalho@suse.com/mbox/", "series": [ { "id": 501886, "url": "http://patchwork.ozlabs.org/api/1.1/series/501886/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=501886", "date": "2026-04-28T15:55:41", "name": "smb: implement SMB over QUIC", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/501886/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2229698/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2229698/checks/", "tags": {}, "headers": { "Return-Path": "\n <linux-cifs+bounces-11237-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-cifs@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=suse.com header.i=@suse.com header.a=rsa-sha256\n header.s=google header.b=Epl9Kqyt;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=linux-cifs+bounces-11237-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com\n header.b=\"Epl9Kqyt\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.128.46", "smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=suse.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.com" ], "Received": [ "from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4llF3Rpzz1xrS\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 02:10:17 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id C4D7B30E98FC\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 16:02:19 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0EFDF282F27;\n\tTue, 28 Apr 2026 16:00:34 +0000 (UTC)", "from mail-wm1-f46.google.com (mail-wm1-f46.google.com\n [209.85.128.46])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B272439005\n\tfor <linux-cifs@vger.kernel.org>; Tue, 28 Apr 2026 16:00:32 +0000 (UTC)", "by mail-wm1-f46.google.com with SMTP id\n 5b1f17b1804b1-488a88aeec9so142472905e9.2\n for <linux-cifs@vger.kernel.org>;\n Tue, 28 Apr 2026 09:00:31 -0700 (PDT)", "from precision ([2a01:4b00:c007:bb00:be9d:a3c4:18b1:4a25])\n by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-4464004edc8sm7505041f8f.37.2026.04.28.09.00.29\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 28 Apr 2026 09:00:29 -0700 (PDT)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777392033; cv=none;\n b=LWXcmPQhEEmMk1TYzDKunALrnDDFSrkEdSUFhFOawo4l5rVSYaIVURADa5hj0JaaW5aEO7gbXrZDAPcUOqldSrMsQignM4+3R8D9z0Y2hfoZb1g9gFWdqSfbmpvve33M78qdB+O2CObfKsuSbDJtck+GZJVdNvX7YBakVHG0bwY=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777392033; c=relaxed/simple;\n\tbh=9l6Zn4WQCZSZfbxZtAvKLch/4uMIOw9Dd0LhEB1yBb4=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=DIZFFvBVwtJjuJ8+iNVLKNNzFhdTIZsBvgb4im20UfdfgzEfTtrEVwZmYKDwuP0UoZpeM4BJr/d5EtRZY5iICq25QKLQ67CJZaDVh62IwBqvAUcfAumlDTJxBMaeRPDez2yLdwrm2ttL4DrfMFvwzOjNmT1Eex3kEhCT3L0N0pg=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=suse.com;\n spf=pass smtp.mailfrom=suse.com;\n dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com\n header.b=Epl9Kqyt; arc=none smtp.client-ip=209.85.128.46", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=suse.com; s=google; t=1777392031; x=1777996831;\n darn=vger.kernel.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=NJULVraPYnaUtno+Mw7BPPXxWq+DJtTZsScFGIZf28I=;\n b=Epl9Kqytdc9aUOumvYPp66hgi711q1hgERYZfX8JYY/UvLYBxHxtYuE+BGxo+Oy1fi\n p4V1JU2Xra0wdZQkOVwRiqwCfdLExNYZYglzG2IzVc6xqVsRGHsrYxNdvrkGCCjPl1us\n lDM45w7nOYcXb2Y2nh4pVT+kyBYpQI/Y06dJtYtEeYoVqzXUfnWym9HlkxJ0WDbCk4gu\n ESSYWWcfN5o1vFicK9Yb45ayGHMSLSLBf8cnbD3xrbjNb5hVsm22iGeYK60sowhtNopG\n uU6lJI6ZxAp2FfhPH2MmiUHS3mYQotIsMbR+DXfd8h9v0Dyje1LxBl1r4PC+38JjChVy\n CGFw==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777392031; x=1777996831;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=NJULVraPYnaUtno+Mw7BPPXxWq+DJtTZsScFGIZf28I=;\n b=Gjv3IPPTai9fhHdaQQBAiWIbqzJlymIpB4wODuRMeHNUS35VjmSLRN/KaTLFHQsc14\n IJFWI+1CEczW8FhvXyu4eSPw3UZstWP7GbSDRnAcSXbUEpUJH+tg7ZokMeurZHN7aEau\n dZk2iiCJRosotDI4hzIMW8Ucs8QI54tfZKn+eHDbGj5BoeMef594cvHY5ruGJyH5AAG4\n PwJC4CzfB8csauRv8jtw9cngKElQHiF5TBPUduh13S2ZzfsR+pvYzbwym4i15L9VQbOS\n NzXHQkGtHJKo3J+c7qEavbQv4CJ7nRvwN5dcp+QLYjtCiiyJRpqswAZilm6LZg8bA0Wd\n mOUg==", "X-Forwarded-Encrypted": "i=1;\n AFNElJ8Vd8wNyU4tjOlNOPSMS7ACGDMCMWnOStfnCzzzd9oO1gAiE7O3+gF/f8+cUSJomX1XedKJlzxRYqit@vger.kernel.org", "X-Gm-Message-State": "AOJu0YzTsSqViFu1IyNS/pozovMor/IbjFM9DB6E/85BurBxqIE6DYNp\n\tUNDIdILwmG138FgWWMQwdDSXQiYRcls9Am5YLOSnVa2+AIyJgOnrUNrGcoUrCZCHZlpyb3Z2Xtw\n\tZOaQJxMfcNw==", "X-Gm-Gg": "AeBDieu9O3ww74gF0FXbM8GbnZxRBuyZhaSdlrHFBdQPkNbUi7sACTfB+75OoPlo+cR\n\tX8QFJFyhxUk7kCAYX1VxpFtdZd8RKspcEMKhul205h8N+MK6siPur8A6bf1NTXU0NYcUgdm0c3t\n\tOSjO34J4ca++k17ejkff3E8JtsOQQHvwjp+W9n26wuFLmZtW8hTUpWTbtm6Y50r/l5/Mnx/5QQr\n\t/VTpE9VqwSmLkg3fxnDaiF2FHBAuvJ8K4qynvjFfg7LfYbYQcxbxmMPovdcnE91+S2VbXUGD3ug\n\tIvaH9zcG+g3th45xtq0NeIFFh0vK4tD0NaA/F09Z/gIUjywlLC2CgmA68Y9s8VxhBRnADm+HXns\n\tglHWPFoAZ+HNqNiTVG9cHn8m8X7ZV1w8RoluZkqf6sFupleR21iVoRNFGNDAsqKLubuQsUWtrKL\n\t0H1Aoe9S6FPHe8XqL4BPWQdvC85dOhqu2tzmGw8j4uDXeZ", "X-Received": "by 2002:a05:6000:2c01:b0:43d:73de:abd2 with SMTP id\n ffacd0b85a97d-4464a168597mr6674016f8f.26.1777392030417;\n Tue, 28 Apr 2026 09:00:30 -0700 (PDT)", "From": "Henrique Carvalho <henrique.carvalho@suse.com>", "To": "corbet@lwn.net", "Cc": "linux-doc@vger.kernel.org,\n\tlinux-cifs@vger.kernel.org,\n\tsfrench@samba.org,\n\tlinkinjeon@kernel.org,\n\tmetze@samba.org,\n\tematsumiya@suse.de,\n\tHenrique Carvalho <henrique.carvalho@suse.com>", "Subject": "[PATCH v2 11/11] docs: smb: document SMB3 over QUIC setup for cifs.ko\n and ksmbd.ko", "Date": "Tue, 28 Apr 2026 13:00:20 -0300", "Message-ID": "<20260428160020.226512-1-henrique.carvalho@suse.com>", "X-Mailer": "git-send-email 2.53.0", "Precedence": "bulk", "X-Mailing-List": "linux-cifs@vger.kernel.org", "List-Id": "<linux-cifs.vger.kernel.org>", "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Add quic.rst covering setup for SMB over QUIC between the kernel SMB\nserver (ksmbd.ko) and client (cifs.ko).\n\nUpdate index.rst to include quic.rst in the SMB documentation tree.\n\nUpdate ksmbd.rst feature table: SMB3.1.1 over QUIC is now Experimental\n(previously listed as Planned for future).\n\nSigned-off-by: Henrique Carvalho <henrique.carvalho@suse.com>\n---\n Documentation/filesystems/smb/index.rst | 1 +\n Documentation/filesystems/smb/ksmbd.rst | 2 +-\n Documentation/filesystems/smb/quic.rst | 332 ++++++++++++++++++++++++\n 3 files changed, 334 insertions(+), 1 deletion(-)\n create mode 100644 Documentation/filesystems/smb/quic.rst", "diff": "diff --git a/Documentation/filesystems/smb/index.rst b/Documentation/filesystems/smb/index.rst\nindex 6df23b0e45c8..e75ebba0e739 100644\n--- a/Documentation/filesystems/smb/index.rst\n+++ b/Documentation/filesystems/smb/index.rst\n@@ -9,3 +9,4 @@ CIFS\n ksmbd\n cifsroot\n smbdirect\n+ quic\ndiff --git a/Documentation/filesystems/smb/ksmbd.rst b/Documentation/filesystems/smb/ksmbd.rst\nindex 67cb68ea6e68..de00adc73a8f 100644\n--- a/Documentation/filesystems/smb/ksmbd.rst\n+++ b/Documentation/filesystems/smb/ksmbd.rst\n@@ -112,7 +112,7 @@ DCE/RPC support Partially Supported. a few calls(NetShareEnumAll,\n ksmbd/nfsd interoperability Planned for future. The features that ksmbd\n support are Leases, Notify, ACLs and Share modes.\n SMB3.1.1 Compression Planned for future.\n-SMB3.1.1 over QUIC Planned for future.\n+SMB3.1.1 over QUIC Experimental. See quic.rst.\n Signing/Encryption over RDMA Planned for future.\n SMB3.1.1 GMAC signing support Planned for future.\n ============================== =================================================\ndiff --git a/Documentation/filesystems/smb/quic.rst b/Documentation/filesystems/smb/quic.rst\nnew file mode 100644\nindex 000000000000..016a29e7bb27\n--- /dev/null\n+++ b/Documentation/filesystems/smb/quic.rst\n@@ -0,0 +1,332 @@\n+.. SPDX-License-Identifier: GPL-2.0\n+\n+========================================\n+SMB3 over QUIC with ksmbd.ko and cifs.ko\n+========================================\n+\n+This is a setup note for testing SMB3 over QUIC between the Linux kernel SMB\n+server (ksmbd.ko) and the Linux kernel SMB client (cifs.ko).\n+\n+Requirements\n+============\n+\n+- Kernel options for QUIC and the in-kernel handshake path:\n+\n+ .. code-block:: text\n+\n+ CONFIG_IP_QUIC\n+ CONFIG_NET_HANDSHAKE\n+\n+- Kernel options for key handling:\n+\n+ .. code-block:: text\n+\n+ CONFIG_KEYS\n+ CONFIG_ASYMMETRIC_KEY_TYPE\n+ CONFIG_X509_CERTIFICATE_PARSER\n+ CONFIG_PKCS8_PRIVATE_KEY_PARSER\n+\n+- Kernel options for SMB:\n+\n+ .. code-block:: text\n+\n+ CONFIG_SMB_SERVER\n+ CONFIG_CIFS\n+\n+- SMB version 3.1.1 or higher.\n+\n+- QUIC delegates the TLS handshake to a userspace component. Here we use\n+ the userspace handshake agent tlshd. See Documentation/networking/quic.rst\n+ and Documentation/networking/tls-handshake.rst.\n+\n+Configuring tlshd\n+=================\n+\n+Load the certificate and key into tlshd by, either using a by using the\n+pathnames or by using a keyring.\n+\n+Using Pathnames\n+===============\n+\n+If mutual authentication is used, the same will have to be done in the client system.\n+\n+The second option is by using pathnames to the certificate and private key.\n+\n+Add the following to the configuration file inside the server machine:\n+\n+.. code-block:: txt\n+\n+ [authenticate.server]\n+ x509.certificate=/path/to/smb-server-cert.pem\n+ x509.private_key=/path/to/smb-server-key.pem\n+\n+If you are using mutual authentication, the following will have to be done in the client machine:\n+\n+.. code-block:: txt\n+\n+ [authenticate.client]\n+ x509.certificate=/path/to/smb-client-cert.pem\n+ x509.private_key=/path/to/smb-client-key.pem\n+\n+For more information about these fields, see `man tlshd.conf`\n+\n+Using Keyrings\n+==============\n+\n+Instead of using file paths, certificates and private keys can be loaded\n+from a kernel keyring. This avoids exposing key material via filesystem paths.\n+\n+Enable keyring usage in tlshd:\n+\n+.. code-block:: txt\n+\n+ keyrings=smb\n+\n+Keys must be added to the keyring named `smb`.\n+\n+On both client and server:\n+\n+.. code-block:: bash\n+\n+ keyctl newring smb @u\n+\n+ keyctl padd asymmetric \"smb-ca\" %keyring:smb < /etc/ssl/certs/ca-cert.pem\n+\n+On server:\n+\n+.. code-block:: bash\n+\n+ keyctl padd asymmetric \"smb-server-cert\" %keyring:smb < /etc/ssl/certs/smb-server-cert.pem\n+\n+ keyctl padd asymmetric \"smb-server-key\" %keyring:smb < /etc/ssl/private/smb-server-key.pem\n+\n+On client:\n+\n+.. code-block:: bash\n+\n+ keyctl padd asymmetric \"smb-client-cert\" %keyring:smb < /etc/ssl/certs/smb-client-cert.pem\n+\n+ keyctl padd asymmetric \"smb-client-key\" %keyring:smb < /etc/ssl/private/smb-client-key.pem\n+\n+When using keyrings, do not specify file paths.\n+\n+Server:\n+\n+.. code-block:: txt\n+\n+ [authenticate.server]\n+ x509.certificate=smb-server-cert\n+ x509.private_key=smb-server-key\n+ x509.truststore=smb-ca\n+\n+Client:\n+\n+.. code-block:: txt\n+\n+ [authenticate.client]\n+ x509.certificate=smb-client-cert\n+ x509.private_key=smb-client-key\n+ x509.truststore=smb-ca\n+\n+Restart tlshd service after modifying the configuration.\n+\n+Running CIFS with SMB QUIC\n+==========================\n+\n+After tlshd is configured, mount the CIFS filesystem with the mount option\n+`quic`. Example using mount.smb3 from cifs-utils package:\n+\n+.. code-block:: bash\n+\n+ mount.smb3 //server.example.com/share /mnt -o quic\n+\n+If mutual authentication is used, run with `mtls` mount option:\n+\n+.. code-block:: bash\n+\n+ mount.smb3 //server.example.com/share /mnt -o quic,mtls\n+\n+QUIC works on top of TLS 1.3, so it has its own transport layer\n+encryption. It is possible, however, to mount CIFS with:\n+\n+.. code-block:: bash\n+\n+ mount.smb3 //server.example.com/share/mnt -o quic,seal\n+\n+Testing SMB QUIC Implementation\n+===============================\n+\n+For proper TLS and mTLS testing, use a local Certificate Authority (CA)\n+instead of self-signed leaf certificates.\n+\n+This avoids validation issues and matches real deployments.\n+\n+Certificate Layout\n+==================\n+\n+- CA (created once, can be on a third machine or server)\n+- Server certificate (signed by CA)\n+- Client certificate (signed by CA)\n+\n+The CA certificate must be present on both client and server.\n+\n+Creating a CA\n+=============\n+\n+Run on a trusted machine (server or separate host):\n+\n+.. code-block:: bash\n+\n+ mkdir -p /etc/ssl/smb-ca\n+ cd /etc/ssl/smb-ca\n+\n+ openssl genpkey -algorithm RSA \\\n+ -pkeyopt rsa_keygen_bits:4096 \\\n+ -out ca-key.pem\n+\n+ openssl req -x509 -new \\\n+ -key ca-key.pem \\\n+ -sha256 -days 3650 \\\n+ -subj \"/CN=SMB Test CA\" \\\n+ -addext \"basicConstraints=critical,CA:TRUE\" \\\n+ -addext \"keyUsage=critical,keyCertSign,cRLSign\" \\\n+ -out ca-cert.pem\n+\n+Distribute:\n+\n+- Copy `ca-cert.pem` to both client and server:\n+ - /etc/ssl/certs/ca-cert.pem\n+\n+Creating Server Certificate\n+===========================\n+\n+Run on server:\n+\n+.. code-block:: bash\n+\n+ openssl genpkey -algorithm RSA \\\n+ -pkeyopt rsa_keygen_bits:2048 \\\n+ -out /etc/ssl/private/smb-server-key.pem\n+\n+ openssl req -new \\\n+ -key /etc/ssl/private/smb-server-key.pem \\\n+ -subj \"/CN=server.example.com\" \\\n+ -out smb-server.csr\n+\n+Copy `smb-server.csr` to CA machine and sign:\n+\n+.. code-block:: bash\n+\n+ openssl x509 -req \\\n+ -in smb-server.csr \\\n+ -CA ca-cert.pem \\\n+ -CAkey ca-key.pem \\\n+ -CAcreateserial \\\n+ -out smb-server-cert.pem \\\n+ -days 365 -sha256 \\\n+ -extfile <(cat <<EOF\n+basicConstraints=critical,CA:FALSE\n+keyUsage=critical,digitalSignature,keyEncipherment\n+extendedKeyUsage=serverAuth\n+subjectAltName=DNS:server.example.com\n+EOF\n+)\n+\n+Copy back to server:\n+\n+- /etc/ssl/certs/smb-server-cert.pem\n+\n+Creating Client Certificate (for mTLS)\n+======================================\n+\n+Run on client:\n+\n+.. code-block:: bash\n+\n+ openssl genpkey -algorithm RSA \\\n+ -pkeyopt rsa_keygen_bits:2048 \\\n+ -out /etc/ssl/private/smb-client-key.pem\n+\n+ openssl req -new \\\n+ -key /etc/ssl/private/smb-client-key.pem \\\n+ -subj \"/CN=client.example.com\" \\\n+ -out smb-client.csr\n+\n+Copy `smb-client.csr` to CA machine and sign:\n+\n+.. code-block:: bash\n+\n+ openssl x509 -req \\\n+ -in smb-client.csr \\\n+ -CA ca-cert.pem \\\n+ -CAkey ca-key.pem \\\n+ -CAcreateserial \\\n+ -out smb-client-cert.pem \\\n+ -days 365 -sha256 \\\n+ -extfile <(cat <<EOF\n+basicConstraints=critical,CA:FALSE\n+keyUsage=critical,digitalSignature\n+extendedKeyUsage=clientAuth\n+subjectAltName=DNS:client.example.com\n+EOF\n+)\n+\n+Copy back to client:\n+\n+- /etc/ssl/certs/smb-client-cert.pem\n+\n+tlshd Configuration\n+===================\n+\n+Server:\n+\n+.. code-block:: txt\n+\n+ [authenticate.server]\n+ x509.certificate=/etc/ssl/certs/smb-server-cert.pem\n+ x509.private_key=/etc/ssl/private/smb-server-key.pem\n+ x509.truststore=/etc/ssl/certs/ca-cert.pem\n+\n+Client (mTLS):\n+\n+.. code-block:: txt\n+\n+ [authenticate.client]\n+ x509.certificate=/etc/ssl/certs/smb-client-cert.pem\n+ x509.private_key=/etc/ssl/private/smb-client-key.pem\n+ x509.truststore=/etc/ssl/certs/ca-cert.pem\n+\n+Restart tlshd on both systems after changes.\n+\n+Testing ksmbd with smbtorture and smbclient\n+===========================================\n+\n+[TODO: REVIEW && TEST]\n+\n+With smbclient or smbtorture:\n+\n+.. code-block:: bash\n+\n+ --option='client smb transports = quic'\n+\n+Avoid:\n+\n+.. code-block:: bash\n+\n+ --option='tls verify peer=no_check'\n+\n+unless debugging, as it disables certificate validation.\n+\n+Samba server config:\n+\n+.. code-block:: txt\n+\n+ server smb transports = +quic\n+\n+Optional:\n+\n+- force userspace QUIC:\n+ --option='client smb transport:force_ngtcp2_quic=yes'\n+\n+- disable double encryption:\n+ --option='client smb encryption over quic=no'\n", "prefixes": [ "v2", "11/11" ] }