From owner-freebsd-current@freebsd.org Thu Sep 17 02:16:40 2020
From: Rick Macklem <rmacklem@uoguelph.ca>
To: John-Mark Gurney
CC: freebsd-current@freebsd.org
Subject: Re: rfc: should extant TLS connections be closed when a CRL is updated?
Date: Thu, 17 Sep 2020 02:16:36 +0000
In-Reply-To: <20200904223726.GK4213@funkthat.com>
John-Mark Gurney wrote:
>Rick Macklem wrote this message on Fri, Sep 04, 2020 at 01:20 +0000:
>> The server side NFS over TLS daemon (rpc.tlsservd) can reload an updated
>> CRL (Certificate Revocation List) when a SIGHUP is posted to it.
>> However, it does not SSL_shutdown()/close() extant TCP connections using TLS.
>> (Those would only be closed if the daemon is restarted.)
>>
>> I am now thinking that, maybe, an SSL_shutdown()/close() should be done on
>> all extant TCP connections using NFS over TLS when an updated CRL is loaded,
>> since a connection might have used a revoked certificate for its handshake.
>>
>> What do others think?
>
>IMO, this should scan the existing connections, and only shut them
>down if they are using a revoked Cert. This is the correct way to
>do things.
>
>I do realize that this is likely not possible, and in reality, the
>ssl library in use should do this automatically, but likely does not.
Well, not exactly "automatically", but X509_CRL_get0_by_cert() checks
to see if a certificate is revoked, so all the code needed to do was
read the CRL file and then loop through the certificates, checking
each one.

>As the library likely does not, we should probably make this an
>option to close all connections upon CRL reload, with it being well
>documented.
>
>Now that option should likely be set to default on, but documented
>such that if you do regular/often CRL reloads, that a user may want
>to turn that off if it's disruptive to their server.
Not necessary, since doing just the revoked ones seems to work.

If you are curious, you can look at the recent commits or code
under head/projects/nfs-over-tls.

If anyone is interested in testing it, you can look at:
https://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt

Thanks for the useful suggestion, rick

--
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."