From owner-freebsd-current@freebsd.org Thu Mar 19 10:45:48 2020
Subject: Re: TLS certificates for NFS-over-TLS floating client
To: Rick Macklem, Hiroki Sato
Cc: freebsd-current@FreeBSD.org
References: <20200304.133515.520383339344620673.hrs@FreeBSD.org>
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <4865c166-33de-475f-1ddd-8ab8c5612683@quip.cz>
Date: Thu, 19 Mar 2020 11:45:42 +0100
List-Id: Discussions about the use of FreeBSD-current

Rick Macklem wrote on 2020/03/19 03:09:
> Miroslav Lachman wrote:
>> > [...]
>> NFS (or any other server) should check the list of revoked certificates too.
>> Otherwise you will not be able to deny access to a user whom you no
>> longer want to have access.
> Yes, good point.
> I won't claim to understand this stuff, but from what I can see, all that is
> done is that the CRL is appended to the CAfile (the one the CA certificates
> are in, which is used for certificate verification via SSL_CTX_load_verify_locations()).
> (https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
> shows a CAfile and CRLfile being concatenated and then used to verify a certificate.)
>
> There is code in sendmail that loads a CRL file separately, but it seems to
> just put it in the X509 store returned by SSL_CTX_get_cert_store(), which
> is the one where the CAfile certificates are stored via SSL_CTX_load_verify_locations(),
> I think?
> (It just seems easier to append it to the CAfile than to do this. The sendmail code uses
> poorly documented functions where the man page says
> "SSL_CTX_load_verify_locations()" normally takes care of this.)
>
> Does this sound right? rick

I think it would be better to have it in a separate file, as Apache does:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile

It seems more convenient to have the CA file write-protected (read only) and then a
separate file for the list of revoked client certificates, maybe somewhere other than
the CA certificate.

Kind regards
Miroslav Lachman
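The two ways of handing OpenSSL a CRL that Rick and Miroslav discuss, exercised end to end, as an added example that is not part of the thread and is not FreeBSD's, sendmail's or Apache's code. It uses only the openssl command line: a throwaway CA, one good client certificate and one that gets revoked are all constructed in a scratch directory (the CA name, file names and the minimal ca.cnf are assumptions made for the demonstration). Verification is run (a) with the CRL appended to the CA file, as in the article Rick links, and (b) with the CRL in a separate file, as Miroslav prefers; it then repeats (b) without CRL checking switched on, to show that loading a CRL is not the same as consulting it.

```shell
#!/bin/sh
# Added example for this thread: exercise both ways of giving OpenSSL a CRL,
# (a) appended to the CA file and (b) kept in a separate file, and show that
# a revoked client certificate is rejected only when CRL checking is enabled.
# Everything below (CA, client certs, file names, ca.cnf) is constructed on
# the fly in a scratch directory for the demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build a throwaway CA, one good client cert and one that we will revoke.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example NFS CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
    for name in good revoked; do
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$name-client" -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
        openssl x509 -req -sha256 -days 30 -in "$name.csr" \
            -CA ca.pem -CAkey ca.key -CAcreateserial -out "$name.pem" >/dev/null 2>&1
    done

    # Minimal 'openssl ca' config: only the entries that -revoke and -gencrl read.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = example_ca
[ example_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 7
EOF
    : > index.txt
    echo 01 > crlnumber
    # 'openssl ca -revoke' records a cert it did not issue itself as revoked,
    # so no 'openssl ca' signing workflow is needed to produce the CRL.
    openssl ca -config ca.cnf -revoke revoked.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

    # (a) The concatenation the linked article describes: CA cert and CRL in one PEM file.
    cat ca.pem crl.pem > ca-with-crl.pem
}

# verify_client CERT [openssl verify options...]  -> prints "accepted" or "rejected".
# The verdict is read from the "<cert>: OK" line rather than from the exit status,
# which older openssl releases did not set reliably.
verify_client() {
    cert=$1; shift
    if openssl verify "$@" "$cert" 2>&1 | grep -q ": OK$"; then
        echo accepted
    else
        echo rejected
    fi
}

make_pki

echo "(a) CA+CRL in one file,  -crl_check: good=$(verify_client good.pem -crl_check -CAfile ca-with-crl.pem) revoked=$(verify_client revoked.pem -crl_check -CAfile ca-with-crl.pem)"
echo "(b) separate -CRLfile,   -crl_check: good=$(verify_client good.pem -crl_check -CAfile ca.pem -CRLfile crl.pem) revoked=$(verify_client revoked.pem -crl_check -CAfile ca.pem -CRLfile crl.pem)"
echo "(b) separate -CRLfile, no -crl_check: revoked=$(verify_client revoked.pem -CAfile ca.pem -CRLfile crl.pem)  (CRL loaded but never consulted)"
```

Both layouts reject the revoked certificate and accept the good one, so the choice between appending the CRL to the CA file and keeping it separate is an operational one (write-protecting the CA file while the CRL is rotated, as Miroslav suggests), not a correctness one. The caveat the last line shows is the part that is easy to miss: OpenSSL only consults CRLs when the CRL-check flag is set, `-crl_check` on the command line or X509_V_FLAG_CRL_CHECK set via X509_STORE_set_flags() on the store returned by SSL_CTX_get_cert_store() in C. A CRL that is merely loaded, whether through SSL_CTX_load_verify_locations() reading a concatenated file or through X509_STORE_add_crl() on a separate file, changes nothing until that flag is on.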