From: Rick Macklem <rmacklem@uoguelph.ca>
To: freebsd-fs@FreeBSD.org
Subject: nfs-over-tls ready for testing
Date: Sun, 10 May 2020 00:52:11 +0000
Hi,

I think the nfs-over-tls project is now ready for testing by others.
(This uses a TLS session to encrypt/decrypt NFS RPCs on the wire.
There is an internet draft called "Towards Remote Procedure
Call Encryption By Default" which should soon become an RFC
that describes what this implements.)

The biggest caveat is that the KERN_TLS does not yet support TLS1.3,
so the code currently uses TLS1.2, which is not allowed by the above
draft. I know jhb@ is working on TLS1.3 support, so this should get
resolved.

There is a basic setup document here:
http://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt
(It can also be found on FreeBSD's subversion repository at
base/projects/nfs-over-tls.)

For now, the setup takes some fiddling, but that will get easier
as some of the code finds its way into head.

I do hope that this can make it into FreeBSD13.

Last, but not least, thanks go to jhb@ (and others, I'd guess?) for the KERN_TLS
work and for providing the ktls rx patch plus the patched openssl3
needed to make it work.

Let me know how it goes if you test it, rick