From: Rick Macklem <rmacklem@uoguelph.ca>
To: John-Mark Gurney
CC: freebsd-current@FreeBSD.org
Subject: Re: TLS certificates for NFS-over-TLS floating client
Date: Thu, 19 Mar 2020 23:41:28 +0000
In-Reply-To: <20200319191605.GJ4213@funkthat.com>
List-Id: Discussions about the use of FreeBSD-current

John-Mark Gurney wrote:
>Rick Macklem wrote this message on Wed, Mar 04, 2020 at 03:15 +0000:
>> I am slowly trying to understand TLS certificates and am trying to figure
>> out how to do the following:
>> -> For an /etc/exports file with...
>> /home -tls -network 192.168.1.0 -mask 255.255.255.0
>> /home -tlscert
>
>Are you looking at implementing draft-cel-nfsv4-rpc-tls?
Yes. The 2-week-out-of-date version (I can only do commits once in a while these days) can
be found in FreeBSD's subversion under base/projects/nfs-over-tls.

>> This syntax isn't implemented yet, but the thinking is that clients on the
>> 192.168.1 subnet would use TLS, but would not require a certificate.
>> For access from anywhere else, the client(s) would be required to have a
>> certificate.
>>
>> A typical client mounting from outside of the subnet might be my laptop,
>> which is using wifi and has no fixed IP/DNS name.
>> --> How do you create a certificate that the laptop can use, which the NFS
>> server can trust enough to allow the mount?
>> My thinking is that a "secret" value can be put in the certificate that the NFS
>> server can check for.
>> The simplest way would be a fairly long list of random characters in the
>> organizationName and/or organizationUnitName field(s) of the subject name.
>> Alternately, it could be a newly defined extension for X509v3, I think?
>>
>> Now, I'm not sure, but I don't think this certificate can be created via
>> a trust authority such that it would "verify". However, the server can
>> look for the "secret" in the certificate and allow the mount based on that.
>>
>> Does this sound reasonable?
>
>Without a problem statement or what you're trying to accomplish, it's
>hard to say if it is.
The problem I was/am trying to solve was how NFS clients without a
fixed IP/DNS name could have a certificate to allow access to the NFS server.
As suggested by others, having a site-local CA created by the NFS admin seemed
to be the best solution. The server can verify that the certificate was issued by
the local CA. Unfortunately, if the client is compromised and the certificate is copied
to another client, that client would gain access.
--> I've thought of having the client keep the certificate encrypted in a file and
    require the "user" of the client to type in a passphrase to decrypt the certificate
    so that it can be used by the daemon in the client that handles the client side
    of the TLS handshake, but I have not implemented this.
    --> This would at least subvert the simple case of the certificate file being copied
        to a different client and being used to mount the NFS server, but if the
        client is compromised, then the passphrase could be captured and...

>> Also, even if the NFS client/server have fixed IP addresses with well known
>> DNS names, it isn't obvious to me how signed certificates can be acquired
>> for them?
>> (Let's Encrypt expects the ACME protocol to work and that seems to be
>> web site/http specific?)
>
>There are DNS challenges that can be used. I use them to obtain certs
>for SMTP and SIP servers... using nsupdate, this is relatively easy to
>automate pushing the challenges to a DNS server, and I now use DNS
>challenges for everything, including https.
Since my internet connection is a single dynamically assigned IP from the phone
company, I doubt this would work for me (which is why I say I don't know how
to do this). I suspect there are ways and it would be nice if you could document
this, so I can put it in a howto document.
- An actual example using the nsupdate command would be nice.
Thanks, rick

> Thanks for any help with this, rick

Let me know if you'd like to hop on a call about this.

--
John-Mark Gurney                              Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."