Date: Sun, 10 May 2020 00:52:11 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "freebsd-fs@FreeBSD.org" <freebsd-fs@FreeBSD.org>
Subject: nfs-over-tls ready for testing
Message-ID: <QB1PR01MB36490799503D454AF4D8822BDDA00@QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM>

Hi,

I think the nfs-over-tls project is now ready for testing by others.
(This uses a TLS session to encrypt/decrypt NFS RPCs on the wire.
There is an internet draft called "Towards Remote Procedure
Call Encryption By Default" which should soon become an RFC
that describes what this implements.)

The biggest caveat is that the KERN_TLS does not yet support TLS1.3,
so the code currently uses TLS1.2, which is not allowed by the above
draft. I know jhb@ is working on TLS1.3 support, so this should get
resolved.

There is a basic setup document here:
http://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt
(It can also be found on FreeBSD's subversion repository at
base/projects/nfs-over-tls.)

For now, the setup takes some fiddling, but that will get easier
as some of the code finds its way into head.

I do hope that this can make it into FreeBSD13.

Last, but not least, thanks go to jhb@ (and others, I'd guess?) for the KERN_TLS
work and for providing the ktls rx patch plus the patched openssl3
needed to make it work.

Let me know how it goes if you test it, rick