From: John-Mark Gurney
To: Rick Macklem
Cc: "freebsd-current@freebsd.org"
Subject: Re: rfc: should extant TLS connections be closed when a CRL is updated?
Date: Fri, 4 Sep 2020 15:37:26 -0700
Message-ID: <20200904223726.GK4213@funkthat.com>

Rick Macklem wrote this message on Fri, Sep 04, 2020 at 01:20 +0000:
> The server side NFS over TLS daemon (rpc.tlsservd) can reload an updated
> CRL (Certificate Revocation List) when a SIGHUP is posted to it.
> However, it does not SSL_shutdown()/close() extant TCP connections using TLS.
> (Those would only be closed if the daemon is restarted.)
>
> I am now thinking that, maybe, an SSL_shutdown()/close() should be done on
> all extant TCP connections using NFS over TLS when an updated CRL is loaded,
> since a connection might have used a revoked certificate for its handshake.
>
> What do others think?

IMO, this should scan the existing connections, and only shut them down if
they are using a revoked Cert. This is the correct way to do things.

I do realize that this is likely not possible, and in reality, the ssl
library in use should do this automatically, but likely does not.

As the library likely does not, we should probably make this an option to
close all connections upon CRL reload, with it being well documented.

Now that option should likely be set to default on, but documented such
that if you do regular/often CRL reloads, a user may want to turn that off
if it's disruptive to their server.

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
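One way to model the two policies discussed in this thread, as an added example that is not rpc.tlsservd's code: on CRL reload the daemon walks its live connections and shuts down only those whose handshake certificate is on the list, with a close_all option for the "close everything" behaviour Rick proposed. The (issuer, serial) view of a certificate, the class and function names, and the sample connections and CRL are constructed assumptions.

```python
# Hypothetical model, not rpc.tlsservd code: a cert is reduced to (issuer, serial).
from dataclasses import dataclass, field
from typing import List, Set

@dataclass(frozen=True)
class PeerCert:
    issuer: str  # issuer DN of the client's handshake certificate
    serial: int  # serial number, the field a CRL revokes by

@dataclass
class Crl:
    issuer: str  # the CA this CRL speaks for
    revoked: Set[int] = field(default_factory=set)

@dataclass
class TlsConn:
    conn_id: int
    peer: PeerCert
    is_open: bool = True

    def shutdown(self) -> None:
        self.is_open = False  # stand-in for SSL_shutdown() then close()

def on_crl_reload(conns: List[TlsConn], crl: Crl, close_all: bool = True) -> List[int]:
    """Apply a freshly loaded CRL to live connections; return ids shut down.
    close_all=True  : drop every live connection (the proposed default).
    close_all=False : drop only connections whose handshake cert is revoked.
    A CRL only covers certificates from its own issuer, so a cert from a
    different CA is never judged revoked by it, even with a matching serial.
    """
    closed = []
    for c in conns:
        if not c.is_open:
            continue
        revoked = c.peer.issuer == crl.issuer and c.peer.serial in crl.revoked
        if close_all or revoked:
            c.shutdown()
            closed.append(c.conn_id)
    return closed

def sample_conns() -> List[TlsConn]:
    # Constructed sample: two clients issued by CA-A, one by CA-B.
    return [
        TlsConn(1, PeerCert("CN=CA-A", 0x1001)),
        TlsConn(2, PeerCert("CN=CA-A", 0x1002)),
        TlsConn(3, PeerCert("CN=CA-B", 0x1001)),  # same serial, other CA
    ]

SAMPLE_CRL = Crl("CN=CA-A", {0x1001})  # constructed: CA-A revoked serial 0x1001
```

With close_all=False only connection 1 is dropped; connection 3 survives despite the matching serial because its certificate was issued by a CA the CRL does not cover.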