From: Rick Macklem
Date: Sun, 30 Aug 2020 01:09:16 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r364971 - in projects/nfs-over-tls: . usr.sbin/rpctlssd

Author: rmacklem
Date: Sun Aug 30 01:09:15 2020
New Revision: 364971
URL: https://svnweb.freebsd.org/changeset/base/364971

Log:
  Set the OID for a user@domain subjAltName otherName component to one
  assigned under the FreeBSD MIB registry.

Modified:
  projects/nfs-over-tls/nfs-over-tls-setup.txt
  projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8
  projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c

Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt
==============================================================================
--- projects/nfs-over-tls/nfs-over-tls-setup.txt	Sat Aug 29 22:24:41 2020	(r364970)
+++ projects/nfs-over-tls/nfs-over-tls-setup.txt	Sun Aug 30 01:09:15 2020	(r364971)
@@ -212,10 +212,10 @@ to nfsv4-server.uoguelph.ca and the other to nfsv4-ser For a client where you wish all RPCs to be done as the user rmacklem on the above server: -# openssl req -new -key key.pem -addext "subjectAltName=otherName:1.2.3.4.6.9;UTF8:rmacklem@uoguelph.ca" -out req.pem +# openssl req -new -key key.pem -addext "subjectAltName=otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem@uoguelph.ca" -out req.pem For a client similar to the above, but has a FQDN of nfsv4-client.uoguelph.ca: -# openssl req -new -key key.pem -addext "subjectAltName=DNS:nfsv4-client.uoguelph.ca,othername:1.2.3.4.6.9;UTF8:rmacklem@uoguelph.ca" -out req.pem +# openssl req -new -key key.pem -addext "subjectAltName=DNS:nfsv4-client.uoguelph.ca,othername:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem@uoguelph.ca" -out req.pem If you want to look at the CSR: # openssl req -in req.pem -noout -text Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Sat Aug 29 22:24:41 2020 (r364970) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Sun Aug 30 01:09:15 2020 (r364971) @@ -75,7 +75,7 @@ The option in the .Xr exports 5 file specifies that the client must provide a certificate -that verifies and has a otherName:1.2.3.4.6.9;UTF8: field of +that verifies and has a otherName:1.3.6.1.4.1.2238.1.1.1;UTF8: field of subjectAltName of the form .Dq user@dns_domain that maps to a . 
@@ -237,7 +237,7 @@ have been specified. .It Fl u This option specifies that if the client provides a certificate that both verifies and has a subjectAltName with an otherName of the form -.Dq otherName:1.2.3.4.6.9;UTF8:user@dns_domain +.Dq otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:user@dns_domain the daemon will attempt to map .Dq user@dns_domain in the above Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sat Aug 29 22:24:41 2020 (r364970) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun Aug 30 01:09:15 2020 (r364971) @@ -94,7 +94,7 @@ static uint64_t rpctls_ssl_usec = 0; static bool rpctls_gothup = false; static bool rpctls_cnuser = false; static char *rpctls_dnsname; -static const char *rpctls_cnuseroid = "1.2.3.4.6.9"; +static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1"; /* * A linked list of all current "SSL *"s and socket "fd"s
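Review bot: in the nfs-over-tls-setup.txt hunk, the two rewritten `openssl req` lines spell the otherName type differently: the first uses `otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem@uoguelph.ca` while the second uses `othername:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem@uoguelph.ca`. Since both lines are being changed for the new OID anyway, use the `otherName` spelling in both so the two examples match each other and the `otherName:...;UTF8:` form quoted in rpctlssd.8, and a reader who copies the second command is not left to find out whether OpenSSL accepts the lowercase type name.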
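Review bot: the replaced line in the first rpctlssd.8 hunk still reads `that verifies and has a otherName:1.3.6.1.4.1.2238.1.1.1;UTF8: field of`; since the line is being touched, fix the article to `an otherName` in the same commit.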
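Review bot: `rpctls_cnuseroid` in the rpctlssd.c hunk is a bare string literal with no comment, and the same OID text is now repeated in rpctlssd.8 and nfs-over-tls-setup.txt; this commit itself shows that all three places have to move together. Add a comment above the definition recording that `1.3.6.1.4.1.2238.1.1.1` is the value assigned under the FreeBSD MIB registry (as the log message says) and that the man page and setup document carry the same literal, for example `/* otherName OID for user@domain, assigned under the FreeBSD MIB registry; keep rpctlssd.8 and nfs-over-tls-setup.txt in sync. */`, so a future change does not leave the documentation at a stale OID.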