Date: Fri, 4 Sep 2020 15:37:26 -0700 From: John-Mark Gurney <jmg@funkthat.com> To: Rick Macklem <rmacklem@uoguelph.ca> Cc: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org> Subject: Re: rfc: should extant TLS connections be closed when a CRL is updated? Message-ID: <20200904223726.GK4213@funkthat.com> In-Reply-To: <YTBPR01MB39668EB1E7D4B42DFC5F50A6DD2D0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM> References: <YTBPR01MB39668EB1E7D4B42DFC5F50A6DD2D0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>
next in thread | previous in thread | raw e-mail | index | archive | help
Rick Macklem wrote this message on Fri, Sep 04, 2020 at 01:20 +0000: > The server side NFS over TLS daemon (rpc.tlsservd) can reload an updated > CRL (Certificate Revocation List) when a SIGHUP is posted to it. > However, it does not SSL_shutdown()/close() extant TCP connections using TLS. > (Those would only be closed if the daemon is restarted.) > > I am now thinking that, maybe, an SSL_shutdown()/close() should be done on > all extant TCP connections using NFS over TLS when an updated CRL is loaded, > since a connection might have used a revoked certificate for its handshake. > > What do others think? IMO, this should scan the existing connections, and only shut them down if they are using a revoked Cert. This is the correct way to do things. I do realize that this is likely not possible, and in reality, the ssl library in use should do this automatically, but likely does not. As the library likely does not, we should probably make this an option to close all connections upon CRL reload, with it being well documented. Now that option should likely be set to default on, but documented such that if you do regular/often CRL reloads, that a user may want to turn that off if it's disruptive to their server. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200904223726.GK4213>