From owner-freebsd-current@freebsd.org Fri Sep 4 01:20:44 2020
From: Rick Macklem <rmacklem@uoguelph.ca>
To: freebsd-current@freebsd.org
Subject: rfc: should extant TLS connections be closed when a CRL is updated?
Date: Fri, 4 Sep 2020 01:20:35 +0000

Hi,

The server side NFS over TLS daemon (rpc.tlsservd) can reload an updated
CRL (Certificate Revocation List) when a SIGHUP is posted to it.
However, it does not SSL_shutdown()/close() extant TCP connections using TLS.
(Those would only be closed if the daemon is restarted.)

I am now thinking that, maybe, an SSL_shutdown()/close() should be done on
all extant TCP connections using NFS over TLS when an updated CRL is loaded,
since a connection might have used a revoked certificate for its handshake.

What do others think?

Thanks, rick
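The message above asks what a daemon should do with connections that completed their handshake before a CRL reload. The following is an added example, not code from rpc.tlsservd or FreeBSD, showing the targeted variant of that proposal: on reload, walk the live connection table and shut down only those whose handshake certificate the new CRL lists, instead of every connection. It is written in Go with the standard-library crypto/x509 package so it runs stand-alone (the daemon itself is C on OpenSSL). Everything in it is constructed: the CA, the three client certificates, the CRL revoking serial 101, and the Conn table; the reference to SSL_get_peer_certificate() in a comment only says where a real daemon would obtain the peer certificate. The check verifies the CRL signature against the CA and matches on issuer as well as serial number, since serials are unique only per issuer.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on errors while building constructed test material (never on the reload path).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Conn models one live NFS-over-TLS connection as a daemon might track it: an id plus the
// peer certificate presented in the handshake (OpenSSL: SSL_get_peer_certificate()).
type Conn struct {
	ID   int
	Peer *x509.Certificate
}

// RevokedByCRL returns the connections whose handshake certificate is listed in the newly
// loaded CRL. The CRL signature is verified against the issuing CA first, and only
// certificates from that issuer are compared, because serials are unique per issuer only.
func RevokedByCRL(conns []Conn, crl *x509.RevocationList, ca *x509.Certificate) ([]Conn, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("CRL signature check failed: %w", err)
	}
	revoked := make(map[string]bool, len(crl.RevokedCertificates))
	for _, e := range crl.RevokedCertificates { // pre-Go 1.21 field name, still populated
		revoked[e.SerialNumber.String()] = true
	}
	var out []Conn
	for _, c := range conns {
		if bytes.Equal(c.Peer.RawIssuer, ca.RawSubject) && revoked[c.Peer.SerialNumber.String()] {
			out = append(out, c)
		}
	}
	return out, nil
}

// makeCert generates a P-256 key and signs tmpl under parent; parentKey == nil self-signs.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// SimulateReload stands in for the SIGHUP handler: three client connections are up, then a
// CRL arrives revoking serial 101 (plus an unrelated 999). It returns the connections that
// should now be SSL_shutdown()/close()d.
func SimulateReload() ([]Conn, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-nfs-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey := makeCert(caTmpl, caTmpl, nil)
	var conns []Conn
	for i, cn := range []string{"client-a", "client-b", "client-c"} {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(100 + i)), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		cert, _ := makeCert(tmpl, ca, caKey)
		conns = append(conns, Conn{ID: i + 1, Peer: cert})
	}
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(2), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(101), RevocationTime: now},
			{SerialNumber: big.NewInt(999), RevocationTime: now},
		},
	}
	der, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(der) // the reload path parses the CRL file it is handed
	must(err)
	return RevokedByCRL(conns, crl, ca) // expect only client-b (ID 2, serial 101)
}
```

The targeted approach only works if the daemon keeps each connection's peer certificate (or at least its issuer and serial) after the handshake. Where it does not, closing every extant connection on reload, as the message proposes, is the simpler safe default: clients reconnect and the new handshake is checked against the updated CRL.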