Date: Thu, 19 Mar 2020 23:41:28 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: John-Mark Gurney <jmg@funkthat.com>
Cc: "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject: Re: TLS certificates for NFS-over-TLS floating client
Message-ID: <YTBPR01MB337407CFCBE26DBAB1BC985ADDF40@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <20200319191605.GJ4213@funkthat.com>
References: <YTBPR01MB3374EFF14948CB8FEA1B5CCDDDE50@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>, <20200319191605.GJ4213@funkthat.com>
John-Mark Gurney wrote:
>Rick Macklem wrote this message on Wed, Mar 04, 2020 at 03:15 +0000:
>> I am slowly trying to understand TLS certificates and am trying to figure
>> out how to do the following:
>> -> For an /etc/exports file with...
>> /home -tls -network 192.168.1.0 -mask 255.255.255.0
>> /home -tlscert
>
>Are you looking at implementing draft-cel-nfsv4-rpc-tls?
Yes. The 2 week out of date (I can only do commits once in a while these days) can
be found in FreeBSD's subversion under base/projects/nfs-over-tls.

>> This syntax isn't implemented yet, but the thinking is that clients on the
>> 192.168.1 subnet would use TLS, but would not require a certificate.
>> For access from anywhere else, the client(s) would be required to have a
>> certificate.
>>
>> A typical client mounting from outside of the subnet might be my laptop,
>> which is using wifi and has no fixed IP/DNS name.
>> --> How do you create a certificate that the laptop can use, which the NFS
>> server can trust enough to allow the mount?
>> My thinking is that a "secret" value can be put in the certificate that the NFS
>> server can check for.
>> The simplest way would be a fairly long list of random characters in the
>> organizationName and/or organizationUnitName field(s) of the subject name.
>> Alternately, it could be a newly defined extension for X509v3, I think?
>>
>> Now, I'm not sure, but I don't think this certificate can be created via
>> a trust authority such that it would "verify". However, the server can
>> look for the "secret" in the certificate and allow the mount based on that.
>>
>> Does this sound reasonable?
>
>Without a problem statement or what you're trying to accomplish, it's
>hard to say if it is.
The problem I was/am trying to solve was a way for NFS clients without a
fixed IP/DNS name to have a certificate to allow access to the NFS server.
As suggested by others, having a site-local CA created by the NFS admin seemed
to be the best solution. The server can verify that the certificate was issued by
the local CA. Unfortunately, if the client is compromised and the certificate is copied
to another client, that client would gain access.
--> I've thought of having the client keep the certificate encrypted in a file and
    require the "user" of the client to type in a passphrase to decrypt the certificate
    so that it can be used by the daemon in the client that handles the client side
    of the TLS handshake, but I have not implemented this.
--> This would at least subvert the simple case of the certificate file being copied
    to a different client and being used to mount the NFS server, but if the
    client is compromised, then the passphrase could be captured and...

>> Also, even if the NFS client/server have fixed IP addresses with well known
>> DNS names, it isn't obvious to me how signed certificates can be acquired
>> for them?
>> (Let's Encrypt expects the ACME protocol to work and that seems to be
>> web site/http specific?)
>
>There are DNS challenges that can be used. I use them to obtain certs
>for SMTP and SIP servers... using nsupdate, this is relatively easy to
>automate pushing the challenges to a DNS server, and I now use DNS
>challenges for everything, including https.
Since my internet connection is a single dynamically assigned IP from the phone
company, I doubt this would work for me (which is why I say I don't know how
to do this). I suspect there are ways and it would be nice if you could document
this, so I can put it in a howto document.
- An actual example using the nsupdate command would be nice.
Thanks, rick

> Thanks for any help with this, rick

Let me know if you'd like to hop on a call about this.

--
John-Mark Gurney Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."
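The site-local CA and passphrase-protected client key discussed above, as an added example that is not part of the thread or of the nfs-over-tls project code. It assumes the OpenSSL command-line tool is installed; the CA name, client name and passphrase are constructed for the demo, and the server-side check shown is "does the presented certificate chain to my CA", not a secret in the subject name.

```shell
#!/bin/sh
# Added example (not from the thread): a site-local CA run by the NFS admin
# issues client certs; the NFS server trusts only certs chaining to that CA.
# The client's private key is stored passphrase-encrypted, so a copied key
# file alone cannot complete the TLS handshake (the thread's caveat stands:
# a compromised client could still capture the passphrase).
set -e
WORK=$(mktemp -d)

make_local_ca() {
  # Self-signed CA; its certificate is the only trust anchor the server uses.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=nfs-local-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_client_cert() {
  # $1 = client name (constructed), $2 = passphrase encrypting the client key.
  openssl req -newkey rsa:2048 -subj "/CN=$1" -passout "pass:$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

self_signed_client() {
  # A cert the client minted itself, with no local-CA signature.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

server_accepts() {
  # The server-side check: the presented cert must chain to the local CA.
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

client_key_usable() {
  # The client daemon can only load the key with the right passphrase.
  openssl pkey -in "$WORK/$1.key" -passin "pass:$2" -noout 2>/dev/null
}

# Stand-alone demo run.
make_local_ca
issue_client_cert laptop "correct horse battery"
self_signed_client rogue
server_accepts laptop && echo "laptop: issued by local CA, accepted"
server_accepts rogue || echo "rogue: self-signed, rejected"
client_key_usable laptop "wrong" || echo "laptop key: unusable without passphrase"
```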