Hi Chuck,
I've run into the following problem while trying to mount on RHEL9.4
client using xprtsec=tls. After some debugging I have determined that
the reason mount by DNS name was failing is because gnutls insisted on
having in SubjectAltName=DNS:foo.bar.com. Having a certificate that
has a DNS name in the "CN" and then has "SubjectAltName=IP:x.x.x.x"
was failing. But when I created a certificate with
"SubjectAltName:IP:x.x.x.x:DNS:x.x.x.x" then I could mount (or just
having DNS: works too but in that case mounting by IP doesn't work).

Here's the output from tlshd when it fails (with SubjectAltName "IP"):

tlshd[260035]: gnutls(3): self-signed cert found: subject
`[email protected],CN=rhel94.nas.lab,OU=NFS,O=Netapp,L=Ann
Arbor,ST=MI,C=US', issuer
`[email protected],CN=rhel94.nas.lab,OU=NFS,O=Netapp,L=Ann
Arbor,ST=MI,C=US', serial 0x751ad911565945cce5d29d1c206450538f496b90,
RSA key 2048 bits, signed using RSA-SHA256, activated `2024-05-31
15:07:53 UTC', expires `2024-06-30 15:07:53 UTC',
pin-sha256="Efzu7ftve1SHxBVAIwf81jwAasQ0M3j5qWbEVuM8X8I="
tlshd[260035]: gnutls(3): ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:111
tlshd[260035]: gnutls(3): ASSERT: x509.c[get_alt_name]:2011
tlshd[260035]: gnutls(3): ASSERT:
verify-high.c[gnutls_x509_trust_list_verify_crt2]:1615
tlshd[260035]: gnutls(3): ASSERT: auto-verify.c[auto_verify_cb]:51
tlshd[260035]: gnutls(3): ASSERT: handshake.c[_gnutls_run_verify_callback]:3018
tlshd[260035]: gnutls(3): ASSERT:
handshake-tls13.c[_gnutls13_handshake_client]:139
tlshd[260035]: Certificate owner unexpected.

Question: does the ktls-utils requirement for IP presence in SubjectAltName
now require both?

> On May 31, 2024, at 1:23 PM, Olga Kornievskaia <[email protected]> wrote:
>
> Hi Chuck,
>
> I've run into the following problem while trying to mount on RHEL9.4
> client using xprtsec=tls. After some debugging I have determined that
> the reason mount by DNS name was failing is because gnutls insisted on
> having in SubjectAltName=DNS:foo.bar.com. Having a certificate that
> has a DNS name in the "CN" and then has "SubjectAltName=IP:x.x.x.x"
> was failing. But when I created a certificate with
> "SubjectAltName:IP:x.x.x.x:DNS:x.x.x.x" then I could mount (or just
> having DNS: works too but in that case mounting by IP doesn't work).
>
> Here's the output from tlshd when it fails (with SubjectAltName "IP"):
>
> tlshd[260035]: gnutls(3): self-signed cert found: subject
> `[email protected],CN=rhel94.nas.lab,OU=NFS,O=Netapp,L=Ann
> Arbor,ST=MI,C=US', issuer
> `[email protected],CN=rhel94.nas.lab,OU=NFS,O=Netapp,L=Ann
> Arbor,ST=MI,C=US', serial 0x751ad911565945cce5d29d1c206450538f496b90,
> RSA key 2048 bits, signed using RSA-SHA256, activated `2024-05-31
> 15:07:53 UTC', expires `2024-06-30 15:07:53 UTC',
> pin-sha256="Efzu7ftve1SHxBVAIwf81jwAasQ0M3j5qWbEVuM8X8I="
> tlshd[260035]: gnutls(3): ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:111
> tlshd[260035]: gnutls(3): ASSERT: x509.c[get_alt_name]:2011
> tlshd[260035]: gnutls(3): ASSERT:
> verify-high.c[gnutls_x509_trust_list_verify_crt2]:1615
> tlshd[260035]: gnutls(3): ASSERT: auto-verify.c[auto_verify_cb]:51
> tlshd[260035]: gnutls(3): ASSERT: handshake.c[_gnutls_run_verify_callback]:3018
> tlshd[260035]: gnutls(3): ASSERT:
> handshake-tls13.c[_gnutls13_handshake_client]:139
> tlshd[260035]: Certificate owner unexpected.
>
> Question: does the ktls-utils requirement for IP presence in SubjectAltName
> now require both?

I'm not sure I understand.
If you want to mount by DNS name, the certificate has to have
a matching DNS name in it.
If you want to mount by IP address, the certificate has to have
a matching IP address in it.
The reason for this is to avoid any potential interaction with
a DNS server which might be compromised.
--
Chuck Lever
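
The matching rule Chuck describes, written out as an added example (this is illustration code, not tlshd, ktls-utils or GnuTLS code): the name the client mounts by is classified as either a DNS name or an IP literal, a DNS name must match a dNSName SAN entry and an IP literal must match an iPAddress SAN entry, and the subject CN is never consulted. The certificate shapes below are constructed stand-ins for the ones in the thread (CN only, SAN with IP only, SAN with DNS only, SAN with both); the host name and address are documentation values, not the lab's.

```python
"""Added example: SAN-based server identity check for an NFS-over-TLS mount.

Rule demonstrated (per the reply above): mount by DNS name requires a matching
dNSName SAN; mount by IP requires a matching iPAddress SAN; the CN is ignored.
Not code from tlshd/ktls-utils/GnuTLS; certificates below are constructed.
"""
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; a wildcard is allowed only as the
    whole leftmost label and never spans more than one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        plabels, hlabels = pattern.split("."), host.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def san_matches_target(san, target: str) -> bool:
    """san: list of (kind, value) pairs, kind in {"DNS", "IP"}.
    target: the server name or IP literal given on the mount command line."""
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        ip = None

    if ip is not None:
        # IP literal: only iPAddress entries count.  A dNSName entry whose text
        # happens to be the dotted quad does NOT satisfy an IP target.
        for kind, value in san:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        return False

    # DNS target: only dNSName entries count; the CN is never a fallback here.
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in san)


def can_mount(cert: dict, target: str) -> bool:
    """cert is {"CN": ..., "SAN": [...]}; the CN key is present only to show
    that it plays no part in the decision."""
    return san_matches_target(cert["SAN"], target)


# Constructed stand-ins for the certificates discussed in the thread
# (192.0.2.10 is a documentation address, not the lab's real one).
CERT_CN_ONLY = {"CN": "rhel94.nas.lab", "SAN": []}
CERT_IP_ONLY = {"CN": "rhel94.nas.lab", "SAN": [("IP", "192.0.2.10")]}
CERT_DNS_ONLY = {"CN": "rhel94.nas.lab", "SAN": [("DNS", "rhel94.nas.lab")]}
CERT_BOTH = {"CN": "rhel94.nas.lab",
             "SAN": [("DNS", "rhel94.nas.lab"), ("IP", "192.0.2.10")]}


if __name__ == "__main__":
    for name, cert in [("CN only", CERT_CN_ONLY), ("SAN IP only", CERT_IP_ONLY),
                       ("SAN DNS only", CERT_DNS_ONLY), ("SAN DNS+IP", CERT_BOTH)]:
        by_name = can_mount(cert, "rhel94.nas.lab")
        by_ip = can_mount(cert, "192.0.2.10")
        print(f"{name:12s}  mount by name: {by_name!s:5s}  mount by IP: {by_ip}")
```

Only the certificate carrying both a dNSName and an iPAddress entry passes for both ways of naming the server, which is the behaviour reported above. When generating a test certificate with the openssl command line, the two entries go into one extension, for example `-addext 'subjectAltName=DNS:rhel94.nas.lab,IP:192.0.2.10'`; note that `IP:` and `DNS:` are distinct entry types, so putting the dotted quad in a `DNS:` entry does not make a mount by address succeed under this rule.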