Date: Wed, 4 Mar 2020 03:15:48 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject: TLS certificates for NFS-over-TLS floating client
Message-ID: <YTBPR01MB3374EFF14948CB8FEA1B5CCDDDE50@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
Hi,

I am slowly trying to understand TLS certificates and am trying to figure
out how to do the following:
-> For an /etc/exports file with...
/home -tls -network 192.168.1.0 -mask 255.255.255.0
/home -tlscert

This syntax isn't implemented yet, but the thinking is that clients on the
192.168.1 subnet would use TLS, but would not require a certificate.
For access from anywhere else, the client(s) would be required to have a
certificate.

A typical client mounting from outside of the subnet might be my laptop,
which is using wifi and has no fixed IP/DNS name.
--> How do you create a certificate that the laptop can use, which the NFS
server can trust enough to allow the mount?
My thinking is that a "secret" value can be put in the certificate that the NFS
server can check for.
The simplest way would be a fairly long list of random characters in the
organizationName and/or organizationUnitName field(s) of the subject name.
Alternately, it could be a newly defined extension for X509v3, I think?

Now, I'm not sure, but I don't think this certificate can be created via
a trust authority such that it would "verify". However, the server can
look for the "secret" in the certificate and allow the mount based on that.

Does this sound reasonable?

Also, even if the NFS client/server have fixed IP addresses with well-known
DNS names, it isn't obvious to me how signed certificates can be acquired
for them?
(Let's Encrypt expects the ACME protocol to work and that seems to be
web site/http specific?)

Thanks for any help with this, rick
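An added example, not code from Rick's message or from the FreeBSD NFS-over-TLS work, of the scheme the message proposes: a self-signed client certificate carrying a long random value in the organizationalUnitName (OU) of its subject, and the server-side check that extracts that field and compares it with the value on record. The file names, the OU convention and the 32-byte secret length are assumptions.

```shell
#!/bin/sh
# Added example: a self-signed client certificate that carries a shared
# secret in its subject OU, plus the server-side check that compares the
# presented OU with the secret on record. Paths and the 32-byte secret
# length are assumptions for illustration; nothing here is FreeBSD code.
set -eu

WORK="${TMPDIR:-/tmp}/nfs-tls-demo.$$"
mkdir -p "$WORK"

# 32 random bytes, hex encoded (64 characters): long enough to be unguessable.
gen_secret() {
    openssl rand -hex 32
}

# Self-signed client certificate with the secret in the OU of the subject.
# $1 = secret, $2 = private key to write, $3 = certificate to write
make_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$2" -out "$3" \
        -subj "/CN=nfs-laptop/O=example-home-nfs/OU=$1" >/dev/null 2>&1
}

# Print the OU of a certificate's subject (empty if the field is absent).
cert_ou() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *organizationalUnitName *= *//p'
}

# Server-side decision for a presented certificate: 0 = allow, 1 = deny.
# Only the secret is compared; chain verification is not expected to
# succeed for a self-signed certificate, as the message notes.
check_client_cert() {
    presented=$(cert_ou "$1")
    if [ -n "$presented" ] && [ "$presented" = "$2" ]; then
        return 0
    fi
    return 1
}

# Demo: mint a certificate, then test it against the right and a wrong secret.
SECRET=$(gen_secret)
make_client_cert "$SECRET" "$WORK/client.key" "$WORK/client.crt"
check_client_cert "$WORK/client.crt" "$SECRET" && echo "allow: OU matches secret"
check_client_cert "$WORK/client.crt" "not-the-secret" || echo "deny: OU does not match"
```

The server would keep the expected OU value (or a hash of it) in its own configuration and compare it in constant time in a real implementation; the shell `[ = ]` here is only for illustration.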