Date: Thu, 17 Sep 2020 02:16:36 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: John-Mark Gurney <jmg@funkthat.com>
Cc: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject: Re: rfc: should extant TLS connections be closed when a CRL is updated?
Message-ID: <YTBPR01MB39665170E3F8EF9D91DFEE26DD3E0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <20200904223726.GK4213@funkthat.com>
References: <YTBPR01MB39668EB1E7D4B42DFC5F50A6DD2D0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>, <20200904223726.GK4213@funkthat.com>
John-Mark Gurney wrote:
>Rick Macklem wrote this message on Fri, Sep 04, 2020 at 01:20 +0000:
>> The server side NFS over TLS daemon (rpc.tlsservd) can reload an updated
>> CRL (Certificate Revocation List) when a SIGHUP is posted to it.
>> However, it does not SSL_shutdown()/close() extant TCP connections using TLS.
>> (Those would only be closed if the daemon is restarted.)
>>
>> I am now thinking that, maybe, an SSL_shutdown()/close() should be done on
>> all extant TCP connections using NFS over TLS when an updated CRL is loaded,
>> since a connection might have used a revoked certificate for its handshake.
>>
>> What do others think?
>
>IMO, this should scan the existing connections, and only shut them
>down if they are using a revoked Cert. This is the correct way to
>do things.
>
>I do realize that this is likely not possible, and in reality, the
>ssl library in use should do this automatically, but likely does not.
Well, not exactly "automatically", but X509_CRL_get0_by_cert() checks
to see if a certificate is revoked, so all the code needed to do was
read the CRL file and then loop through the certificates, checking
each one.

>As the library likely does not, we should probably make this an
>option to close all connections upon CRL reload, with it being well
>documented.
>
>Now that option should likely be set to default on, but documented
>such that if you do regular/often CRL reloads, a user may want
>to turn that off if it's disruptive to their server.
Not necessary, since doing just the revoked ones seems to work.

If you are curious, you can look at the recent commits or code
under head/projects/nfs-over-tls.

If anyone is interested in testing it, you can look at:
https://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt

Thanks for the useful suggestion, rick

--
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."