From: Rick Macklem <rmacklem@uoguelph.ca>
To: freebsd-current@FreeBSD.org
Subject: TLS certificates for NFS-over-TLS floating client
Date: Wed, 4 Mar 2020 03:15:48 +0000
Hi,

I am slowly trying to understand TLS certificates and am trying to figure out how to do the following:

-> For an /etc/exports file with...
/home -tls -network 192.168.1.0 -mask 255.255.255.0
/home -tlscert

This syntax isn't implemented yet, but the thinking is that clients on the 192.168.1 subnet would use TLS, but would not require a certificate. For access from anywhere else, the client(s) would be required to have a certificate.

A typical client mounting from outside of the subnet might be my laptop, which is using wifi and has no fixed IP/DNS name.

--> How do you create a certificate that the laptop can use, which the NFS server can trust enough to allow the mount?

My thinking is that a "secret" value can be put in the certificate that the NFS server can check for. The simplest way would be a fairly long list of random characters in the organizationName and/or organizationUnitName field(s) of the subject name. Alternatively, it could be a newly defined extension for X509v3, I think?

Now, I'm not sure, but I don't think this certificate can be created via a trust authority such that it would "verify". However, the server can look for the "secret" in the certificate and allow the mount based on that.

Does this sound reasonable?

Also, even if the NFS client/server have fixed IP addresses with well-known DNS names, it isn't obvious to me how signed certificates can be acquired for them? (Let's Encrypt expects the ACME protocol to work and that seems to be web site/http specific?)

Thanks for any help with this, rick
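Added example, not from Rick's mail and not code from the FreeBSD tree: the scheme sketched above, done with the openssl command line. A private CA that only the NFS server trusts issues the laptop a client certificate whose organizationalUnitName (OU) carries a random secret, and the server-side decision verifies the chain against that CA before it looks at the OU at all. The CA and subject names, file names and shell function names are made up for the demo; the secret is generated at run time, and a self-signed certificate that copies the same OU is built only to show that the chain check is what rejects it.

```sh
#!/bin/sh
# Added example, not code from the mail or from FreeBSD: a private CA that only
# the NFS server trusts issues the laptop a client certificate whose OU holds a
# random secret; the server-side check verifies the chain first, then the OU.
# All file names and subject names below are made up for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Private CA. The server's trust store for NFS-over-TLS clients would hold
#    only this certificate, so "verifies" means "issued by this CA".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=nfs-private-ca" 2>/dev/null
}

# 2. Client certificate for a host with no fixed address: the CSR carries the
#    secret in organizationalUnitName (OU) and is signed by the private CA.
make_client_cert() {
  secret="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/laptop.key" -out "$WORK/laptop.csr" \
    -subj "/O=home-nfs/OU=$secret/CN=laptop" 2>/dev/null
  openssl x509 -req -in "$WORK/laptop.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -out "$WORK/laptop.crt" 2>/dev/null
}

# Negative test material: a self-signed certificate that copies the secret
# but was not issued by the CA. The OU check alone would accept it.
make_rogue_cert() {
  secret="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" \
    -subj "/OU=$secret/CN=rogue" 2>/dev/null
}

# 3. Server-side decision: chain verification against the private CA first,
#    then an exact match of the OU against the expected secret.
#    Prints "allow" (exit 0) or "deny" (exit 1).
check_client() {
  cert="$1"; expected="$2"
  if ! openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1; then
    echo deny; return 1
  fi
  ou="$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*OU=\([^,]*\).*/\1/p')"
  if [ "$ou" = "$expected" ]; then
    echo allow; return 0
  fi
  echo deny; return 1
}

SECRET="$(openssl rand -hex 16)"   # 128 random bits, hex so it is safe in a DN
make_ca
make_client_cert "$SECRET"
make_rogue_cert "$SECRET"

check_client "$WORK/laptop.crt" "$SECRET"               # allow
check_client "$WORK/laptop.crt" "wrong-secret" || true   # deny: OU mismatch
check_client "$WORK/rogue.crt"  "$SECRET"      || true   # deny: not issued by the CA
```

The order of the two checks is the point. The certificate is all the client presents, and under TLS 1.2 the client certificate travels unencrypted in the handshake (TLS 1.3 encrypts it), so anyone who has seen the certificate can put the same OU into a self-signed one; only the chain check against the private CA rejects that, which is what the rogue case shows. In server code the OU comparison should be a constant-time compare rather than the shell string test used here, and rotating the secret means reissuing the client certificate.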