Date:      Tue, 03 Mar 2020 19:26:53 -0800
From:      Chris <bsd-lists@BSDforge.com>
To:        Rick Macklem <rmacklem@uoguelph.ca>
Cc:        <freebsd-current@FreeBSD.org>
Subject:   Re: TLS certificates for NFS-over-TLS floating client
Message-ID:  <4f1119e2d61d50fedc99b223fe8681d3@udns.ultimatedns.net>
In-Reply-To: <YTBPR01MB3374EFF14948CB8FEA1B5CCDDDE50@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>

On Wed, 4 Mar 2020 03:15:48 +0000 Rick Macklem rmacklem@uoguelph.ca said

> Hi,
>
> I am slowly trying to understand TLS certificates and am trying to figure
> out how to do the following:
> -> For an /etc/exports file with...
> /home -tls -network 192.168.1.0 -mask 255.255.255.0
> /home -tlscert
>
> This syntax isn't implemented yet, but the thinking is that clients on the
> 192.168.1 subnet would use TLS, but would not require a certificate.
> For access from anywhere else, the client(s) would be required to have a
> certificate.
>
> A typical client mounting from outside of the subnet might be my laptop,
> which is using wifi and has no fixed IP/DNS name.
> --> How do you create a certificate that the laptop can use, which the NFS
>       server can trust enough to allow the mount?
> My thinking is that a "secret" value can be put in the certificate that the
> NFS
> server can check for.
> The simplest way would be a fairly long list of random characters in the
> organizationName and/or organizationUnitName field(s) of the subject name.
> Alternately, it could be a newly defined extension for X509v3, I think?
>
> Now, I'm not sure, but I don't think this certificate can be created via
> a trust authority such that it would "verify". However, the server can
> look for the "secret" in the certificate and allow the mount based on that.
>
> Does this sound reasonable?
>
> Also, even if the NFS client/server have fixed IP addresses with well known
> DNS names, it isn't obvious to me how signed certificates can be acquired
> for them?
> (Lets Encrypt expects the Acme protocol to work and that seems to be
> web site/http specific?)
I can only speak to the LetsEncrypt part of your question(s):
there are additional verification methods available beyond www/httpd(s).
But I found, in the case of (e)mail, that the cert(s) issued by LetsEncrypt
also work well for all my MXs.

Hope this is helpful!
>
> Thanks for any help with this, rick
>
--Chris
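Rick's scheme quoted above, as an added example that is not from the thread or from FreeBSD's NFS-over-TLS code: a private CA run by the NFS server operator issues the floating client a certificate with a random secret in its OU, and a server-side check verifies both the chain and the OU. The `make_ca`, `issue_client_cert` and `server_check_cert` functions, the work directory and the "NFS test CA" name are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's NFS-over-TLS work:
# a private CA run by the NFS server operator issues the floating client a
# certificate whose OU carries a random secret, and the server-side check
# verifies BOTH the chain and the secret. Paths and names are constructed.
set -eu

# One-time CA setup (assumption: ca.key stays on the NFS server, offline).
make_ca() {                        # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/CN=NFS test CA" >/dev/null 2>&1
}

# Issue a client cert whose OU holds a 256-bit random secret, as proposed in
# the thread. The secret is echoed so the server can record it per client;
# the CN is only a label, since the laptop has no fixed name or address.
issue_client_cert() {              # $1 = work dir, $2 = client label
    secret=$(openssl rand -hex 32)
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/O=nfs-clients/OU=$secret/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$1/$2.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.crt" >/dev/null 2>&1
    printf '%s\n' "$secret"
}

# Server-side check: the cert must chain to the private CA AND its OU must
# equal the secret recorded for this client. Checking only the OU would make
# the secret a bare password that any self-signed cert could carry; checking
# only the chain would admit every cert the CA ever issued. Returns 0 on success.
# (A shell string compare is not constant-time; an NFS server written in C
# would use a timing-safe comparison for the secret.)
server_check_cert() {              # $1 = ca.crt, $2 = client cert, $3 = expected secret
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    ou=$(openssl x509 -in "$2" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^ *OU=//p')
    [ -n "$ou" ] && [ "$ou" = "$3" ]
}
```

Only the openssl(1) command line is needed: run make_ca once, issue_client_cert per laptop, and server_check_cert with the secret recorded for that client.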