Received: by 2002:ab2:6309:0:b0:1fb:d597:ff75 with SMTP id s9csp958465lqt; Fri, 7 Jun 2024 04:08:52 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUES+5EHfsL7GmDKyWzcPTLSYKq9vKbDu+W/cRRuQPB7HXjOIOgBV/syefy6tRPmWSiRtlfhI5lxmc3xmbeUbkQpA8jTkRfkFLMFPhsvw== X-Google-Smtp-Source: AGHT+IEaJ8ask5+d8vm5B9iC+ZHOs9xoWeMK07rzwQ1uJZFAhMA9BIWg+sBUQQyhGtNqz/I5zRtq X-Received: by 2002:a05:620a:1a1c:b0:792:c10c:dca2 with SMTP id af79cd13be357-7953af1cf3emr466282585a.21.1717758531421; Fri, 07 Jun 2024 04:08:51 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717758531; cv=pass; d=google.com; s=arc-20160816; b=PXWAyXR3Sm98vEeZ9WKj05Rk987W/NXa/F4Pkn8JTh2RryAlJc1ls5W/Iz8U2g1mV8 SSgBEy8wi8ee9l5AyqkCUZhNe3+aMwYw9MFQ5udIiAyHypKzphQqJBGwETbbww8v7yDN +lHbIlRXRMLWURyVARvG/L/Nj8L8s26KfCSdC1b/hZt+yPB0a4INbv3pDkJrliqppS/C dRxDiTIAoMGE+6PY+fcrE+6iz6IhgwoMhq1EjKCm0744k5GAF7qbPX+2DR5apAPWY4Pa 4+Pu1Nv3QHGMEUQrnLcbDrljHOdmK000v+5f6pPR1laJovbXSRg1ieVqQW3A3Jq2L6ei FeaA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=dzDF2DGvCUGt5vR6xbdqlR1EOVxNuvckJwiT+/HHVV0=; fh=/9k3EUlNM7d6iNXkS/w+HlbfQFSscJ6OjCd0yKEPJQE=; b=JfiBEtgmJME6FX8Oz90wmqkFUyg0ceXPHXUHdZRfFPacSDq46uRnLddFJobGOjQLIe /mkC5oG+MwliQgAHkejpvn3jZ3gAj6TXOcNlSh0N1N4ARIF/dlTikATO5XbinWS2xgij YI14yppPRQT7I0NC2/5WK4oILwVu3ETG2LrKYyJffpwLGV5Xe1L1ZBRzwapBVNUWjSTT T/0Hfeyk73n+AeKIxk0oOIXBBQThL+8HyANc37cv1fYC5Q4W4l8vuPEL/hjzq6efS5mr HwgOTaJVeQeK7sCdnygllZ8rrt9p6YNkFvE2RLpEzxw5XBNljU2f6h1ffWcBMtS+ijCi vwLw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UM8Difsf; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-nfs+bounces-3580-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-nfs+bounces-3580-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id af79cd13be357-795332edc34si19835785a.447.2024.06.07.04.08.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 07 Jun 2024 04:08:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs+bounces-3580-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UM8Difsf; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-nfs+bounces-3580-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-nfs+bounces-3580-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 2692A1C216D3 for ; Fri, 7 Jun 2024 11:08:51 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A6F9714F9C9; Fri, 7 Jun 2024 11:08:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="UM8Difsf" X-Original-To: linux-nfs@vger.kernel.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CAFF8187321 for ; Fri, 7 Jun 2024 11:08:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717758493; cv=none; b=nswaPQhLzj9De0O+Ekn9FRahLL9s9Vo4lS3HRqMw6lufdQ/P7XTejoEYMCVaXYtEP7QTR4cWZdAce5uCV1WrGcsxoyQHDZZT1HejyfbbhHGhnu86vwKpvl08+05VfohoTu7qFu4xnz5nz0Jop1PqaTRDdfQ5flYJMgzn2w3e8Hg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717758493; c=relaxed/simple; bh=0tfo5ILZwZRBOJ/nNd09A2XNzBSvgdrc15CVXi/ngyY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=KBRHMF8QwModGsiq8EmCpWqihH9YZgF8KhWgWOzGPyv7PpsbjSZtByp2GkKtlshBueMCPMvGL3tZlAHxyld4ebwVBP4jQl1Q1lmL7ldNA6w+omy/8AFU7IcdRk8ZJ26AWWA0XmIsJQnD+mh5ScOTkwktBvdD4dx2YUi8bHF+urU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=UM8Difsf; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717758490; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=dzDF2DGvCUGt5vR6xbdqlR1EOVxNuvckJwiT+/HHVV0=; b=UM8DifsfyDblYk8w2knPCqUFWguyW7qsuO6CyVf22VJzG8y+j9bcurtgkldnFN5N1CSwa/ fcaEEh7Lfu/gnoWxk7itPrCMRRO6fe3ykFBwD3B0G2DyW5BYEA655VmL/2R8Tvo+mAWGfS CjxjZ88mkIo0+v6ezTDCFudsMbOU+bI= Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-249-D5sWAnC5O56ta6HveuvYpA-1; Fri, 07 Jun 2024 07:08:09 -0400 X-MC-Unique: D5sWAnC5O56ta6HveuvYpA-1 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 204BD1955D5B; Fri, 7 Jun 2024 11:08:08 +0000 (UTC) Received: from [192.168.37.1] (ovpn-0-11.rdu2.redhat.com [10.22.0.11]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 787DC30000C4; Fri, 7 Jun 2024 11:08:07 +0000 (UTC) From: Benjamin Coddington To: Dan Shelton Cc: Linux NFS Mailing List Subject: Re: Implement NFSv4 TLS support with /usr/bin/openssl s_client? Date: Fri, 07 Jun 2024 07:08:04 -0400 Message-ID: <44A8B3C5-9486-40A3-9D2D-C317A0208A50@redhat.com> In-Reply-To: References: <96A320F4-AFC1-4DD9-8D5D-784F13DE94D4@redhat.com> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 On 6 Jun 2024, at 19:53, Dan Shelton wrote: > On Fri, 26 Jan 2024 at 02:05, Dan Shelton wro= te: >> >> On Thu, 25 Jan 2024 at 22:11, Benjamin Coddington wrote: >>> >>> On 25 Jan 2024, at 15:37, Jeff Layton wrote: >>> >>>> On Thu, 2024-01-25 at 03:21 +0100, Dan Shelton wrote: >>>>> Hello! >>>>> >>>>> Is it possible for a NFSv4 client to implement TLS support via >>>>> /usr/bin/openssl s_client? >>>>> >>>>> /usr/bin/openssl s_client would do the connection, and a normal >>>>> libtirpc client would connect to the other side of s_client. >>>>> >>>>> Does that work? >>>>> >>>>> Dan >>>> >>>> Doubtful. RPC over TLS requires some cleartext setup before TLS is >>>> negotiated. At one time Ben Coddington had a proxy based on nginx th= at >>>> could handle the TLS negotiation, but I think that might have been b= ased >>>> on an earlier draft of the spec. It would probably need some work to= be >>>> brought up to the state of the RFC. >>> >>> Yeah, its' a little bit rotted. Wasn't super fresh to begin with, bu= t it >>> did help bootstrap some implementation. >>> >>> You could also modify openssl to be aware of the clear text, somethin= g like: >>> https://github.com/bcodding/openssl/commit/9bf2c4d66eacccd3530fb2f3a0= a6c87d5878348c >>> >>> .. but I think you're definitely in "what are you really trying to do= ?" territory. >> >> For example legacy NFSv4 client add-on? You cannot expect that >> everyone can or will update to the latest and greatest version, so >> either you have clients without TLS, which is a security risk, or have= >> a way to retrofit them. > > Is there a public NFSv4.1 server with TLS enabled, which I can use to > test whether openssl with > https://github.com/bcodding/openssl/commit/9bf2c4d66eacccd3530fb2f3a0a6= c87d5878348c > can be used to plug in older clients? That little hack is really only appropriate to retrieve a server's certificates, it will not work as TLS-offload layer. Why not just do an implementation for libtirpc? Ben