Date: Sun, 10 May 2020 00:52:11 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "freebsd-fs@FreeBSD.org" <freebsd-fs@FreeBSD.org>
Subject: nfs-over-tls ready for testing
Message-ID: <QB1PR01MB36490799503D454AF4D8822BDDA00@QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM>
Hi,

I think the nfs-over-tls project is now ready for testing by others.
(This uses a TLS session to encrypt/decrypt NFS RPCs on the wire. There is an internet draft called "Towards Remote Procedure Call Encryption By Default" which should soon become an RFC that describes what this implements.)

The biggest caveat is that the KERN_TLS does not yet support TLS1.3, so the code currently uses TLS1.2, which is not allowed by the above draft. I know jhb@ is working on TLS1.3 support, so this should get resolved.

There is a basic setup document here:
http://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt
(It can also be found on FreeBSD's subversion repository at base/projects/nfs-over-tls.)

For now, the setup takes some fiddling, but that will get easier as some of the code finds its way into head. I do hope that this can make it into FreeBSD13.

Last, but not least, thanks go to jhb@ (and others, I'd guess?) for the KERN_TLS work and for providing the ktls rx patch plus the patched openssl3 needed to make it work.

Let me know how it goes if you test it, rick
