Date: Tue, 03 Mar 2020 19:26:53 -0800
From: Chris <bsd-lists@BSDforge.com>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: <freebsd-current@FreeBSD.org>
Subject: Re: TLS certificates for NFS-over-TLS floating client
Message-ID: <4f1119e2d61d50fedc99b223fe8681d3@udns.ultimatedns.net>
In-Reply-To: <YTBPR01MB3374EFF14948CB8FEA1B5CCDDDE50@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
On Wed, 4 Mar 2020 03:15:48 +0000 Rick Macklem rmacklem@uoguelph.ca said
> Hi,
>
> I am slowly trying to understand TLS certificates and am trying to figure
> out how to do the following:
> -> For an /etc/exports file with...
> /home -tls -network 192.168.1.0 -mask 255.255.255.0
> /home -tlscert
>
> This syntax isn't implemented yet, but the thinking is that clients on the
> 192.168.1 subnet would use TLS, but would not require a certificate.
> For access from anywhere else, the client(s) would be required to have a
> certificate.
>
> A typical client mounting from outside of the subnet might be my laptop,
> which is using wifi and has no fixed IP/DNS name.
> --> How do you create a certificate that the laptop can use, which the NFS
> server can trust enough to allow the mount?
> My thinking is that a "secret" value can be put in the certificate that the
> NFS
> server can check for.
> The simplest way would be a fairly long list of random characters in the
> organizationName and/or organizationUnitName field(s) of the subject name.
> Alternately, it could be a newly defined extension for X509v3, I think?
>
> Now, I'm not sure, but I don't think this certificate can be created via
> a trust authority such that it would "verify". However, the server can
> look for the "secret" in the certificate and allow the mount based on that.
>
> Does this sound reasonable?
>
> Also, even if the NFS client/server have fixed IP addresses with well known
> DNS names, it isn't obvious to me how signed certificates can be acquired
> for them?
> (Lets Encrypt expects the Acme protocol to work and that seems to be
> web site/http specific?)

I can only speak to the LetsEncrypt part of your question(s). There are additional verification methods available beyond www/httpd(s). But I found in the case of (e)mail that the cert(s) issued by LetsEncrypt also work well for all my MXs. Hope this is helpful!

>
> Thanks for any help with this, rick
>

--Chris
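As an added example that is not code from this thread or from the FreeBSD NFS-over-TLS work, the shell script below prototypes the mechanism Rick describes with the openssl command line: the client mints a self-signed certificate carrying a random secret in its organizationalUnitName, and the server side extracts the OU from a presented certificate and compares it to its stored copy. The work directory, file names and the `make_client_cert`/`check_cert_secret` function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
set -e

# Scratch directory standing in for the server's and client's key stores (assumption).
WORK=$(mktemp -d)

# Server side: create the shared secret once and keep it in a root-only file.
SECRET=$(openssl rand -hex 24)
umask 077
printf '%s\n' "$SECRET" > "$WORK/nfs-tls.secret"

# Client side: self-signed certificate whose subject OU carries the secret.
# No CA signs it, so it will not "verify"; only the OU value is meaningful.
make_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" \
        -subj "/CN=floating-laptop/O=example-nfs/OU=$SECRET" 2>/dev/null
}

# Server side: pull the OU out of a presented certificate and compare it to the
# stored secret. Returns 0 on a match, 1 otherwise. A production server would
# do this on the DER certificate in C with a constant-time comparison.
check_cert_secret() {
    cert=$1
    secretfile=$2
    # RFC 2253 formatting avoids the "OU = value" spacing of the default output.
    ou=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/.*OU=\([^,]*\).*/\1/p')
    [ -n "$ou" ] && [ "$ou" = "$(cat "$secretfile")" ]
}
```

Because anyone can mint a self-signed certificate with an arbitrary OU, the value is effectively a bearer token: it authenticates only because the server's copy is kept secret, so it should be stored and rotated like a password and compared without leaking timing.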