From: Rick Macklem <rmacklem@uoguelph.ca>
To: Miroslav Lachman <000.fbsd@quip.cz>, Hiroki Sato
CC: freebsd-current@FreeBSD.org
Subject: Re: TLS certificates for NFS-over-TLS floating client
Date: Sat, 21 Mar 2020 01:53:56 +0000
In-Reply-To: <4865c166-33de-475f-1ddd-8ab8c5612683@quip.cz>
Miroslav Lachman wrote:
>Rick Macklem wrote on 2020/03/19 03:09:
>> Miroslav Lachman wrote:
>>>
>> [...]
>
>>> NFS (or any other server) should check the list of revoked certificates too.
>>> Otherwise you will not be able to deny access to a user who you no
>>> longer want to have access.
>> Yes, good point.
>> I won't claim to understand this stuff, but from what I can see, all that is
>> done is the CRL is appended to the CAfile (the one with the CA certificates
>> in it, which is used for certificate verification via SSL_CTX_load_verify_locations()).
>> (https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
>> shows a CAfile and CRLfile being concatenated and then used to verify a certificate.)
>>
>> There is code in sendmail that loads a CRL file separately, but it seems to
>> just put it in the X509 store returned by SSL_CTX_get_cert_store(), which
>> is the one where the CAfile certificates are stored via SSL_CTX_load_verify_locations(),
>> I think?
>> (It just seems easier to append it to CAfile than do this. The sendmail code uses
>> poorly documented functions where the man page says
>> "SSL_CTX_load_verify_locations()" normally takes care of this.)
>>
>> Does this sound right? rick
>
>I think it would be better to have it in a separate file as Apache does
>https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile
>
>Seems more convenient to have the CA file write protected (read only) and
>then a separate file for the list of revoked client certificates, maybe
>somewhere else than the CA certificate.
Done. (Actually, the SSL_CTX_load_verify_locations() failed when the CRL was
appended to the CAfile, so I needed to use a separate file to get it working.)

I found X509_load_crl_file(), which does all the glop in sendmail's tls.c file
to do it. (And it looks like the sendmail code only handles a CRL file
with a single entry in it.)

Thanks for the comments, rick

>Kind regards
>Miroslav Lachman
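The separate-CRL-file arrangement settled on above, as an added example that is not code from this thread, from FreeBSD or from sendmail: it builds a throwaway CA with the openssl command line, issues and then revokes a client certificate, and shows that the certificate is only rejected once the CRL (kept in its own file beside a read-only CAfile) is supplied with CRL checking turned on. The `openssl verify -CRLfile ... -crl_check` call stands in for a server that loads the CRL into the X509 store separately and sets X509_V_FLAG_CRL_CHECK; the CA name, client name and working directory are constructed for the demo.

```shell
# Added example, not code from this thread or from FreeBSD: a throwaway CA
# issues a client certificate, revokes it, and the CRL lives in its own file
# (crl.pem) next to a read-only ca.pem. All names here are constructed.
set -e
W=$(mktemp -d)
cat > "$W/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $W
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
touch "$W/index.txt"; echo 01 > "$W/serial"; echo 01 > "$W/crlnumber"
# CA cert, then a client cert issued via "openssl ca" so it is in the database.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo NFS CA" \
  -config "$W/ca.cnf" -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=nfs-client1" \
  -config "$W/ca.cnf" -keyout "$W/client.key" -out "$W/client.csr" 2>/dev/null
openssl ca -batch -notext -config "$W/ca.cnf" -in "$W/client.csr" \
  -out "$W/client.pem" 2>/dev/null
# verify_client [crlfile]: prints "ok" or "fail". With a CRL file it mirrors
# a server that loads the CRL into the X509 store separately from the CAfile
# and turns on CRL checking (X509_V_FLAG_CRL_CHECK).
verify_client() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$W/ca.pem" -CRLfile "$1" -crl_check \
      "$W/client.pem" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$W/ca.pem" "$W/client.pem" >/dev/null 2>&1 \
      && echo ok || echo fail
  fi
}
BEFORE=$(verify_client)               # ok: nothing revoked yet
openssl ca -config "$W/ca.cnf" -revoke "$W/client.pem" 2>/dev/null
openssl ca -config "$W/ca.cnf" -gencrl -out "$W/crl.pem" 2>/dev/null
AFTER=$(verify_client "$W/crl.pem")   # fail: certificate revoked
```

Without `-crl_check` (or the equivalent store flag on the server) the CRL is ignored and the revoked certificate still verifies, which is the failure Miroslav's remark about deniable access is pointing at.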