Although the tls syscall to set up the upcall should
not normally fail, the daemon should check for such
a failure. This patch adds a check for that failure.
MFC after: 1 week
Commit 1e588a9ceb added a new command line option -N/numdaemons
that specifies how many daemons to run. This allows a server
to be configured with more than one rpc.tlsservd daemon, which
may be necessary to handle a reboot for an NFS server with
many NFS-over-TLS client mounts.
This patch updates the man page for this commit.
This is a content change.
Reviewed by: karels, pauamma (man pages)
Differential Revision: https://reviews.freebsd.org/D37382
During discussions with someone that was doing NFS-over-TLS
development for Solaris, we had a concern that the server might
become overloaded after rebooting, due to a large number of
TLS handshake requests from clients.
To alleviate this potential problem, this patch modifies rpc.tlsservd
so that it supports the "-N/--numdaemons" command line option,
which specifies that up to RPCTLS_SRV_MAXNPROCS (currently defined
as 16 in the patch) may be started.
When there are multiple daemons, one is selected by the patched kernel
in a round-robin fashion, to serve a TLS handshake request.
The man page update will be done in a future commit.
Reviewed by: emaste, karels
Differential Revision: https://reviews.freebsd.org/D35886
The RFC for this finally got published and, therefore,
now has a number. This patch puts this RFC number
in the man page.
This is a content change.
MFC after: 1 week
Commit 0637b12b13 added the -2 option to allow
TLS 1.2 NFS-over-TLS mounts. It did not add -2
to the usage message.
This patch adds -2 to the usage message.
MFC after: 2 weeks
Since the KTLS now supports TLS1.3, the daemons default
to version 1.3, since the draft (to be an RFC someday)
requires TLS1.3.
However, since FreeBSD 13,0, 13,1 uses TLS1.2 for
NFS-over-TLS, the "-2" option is added to both daemons
for compatibility with FreeBSD 13.0, 13.1.
This patch updates the man pages for this.
This is a content change.
Reviewed by: pauamma_gundo.com
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35290
Commit 0b4f2ab0e9 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
This patch replaces SSL_CTX_set_cipher_list() with
SSL_CTX_set_ciphersuites(), since that is the function
that is used for TLS1.3.
The man page has already been updated.
MFC after: 2 weeks
Commit 712aac1389 adds a new -C command line option
to rpc.tlsservd.
This patch updates the man page for this new command
line option.
This is a content change.
Reviewed by: jhb, pauamma_gundo.com
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35136
Commit 0b4f2ab0e9 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
Since FreeBSD 13.0, 13.1 use TLS version 1.2 for
NFS-over-TLS mounts, this command line option
may be used so that mounts from 13.0, 13.1 will still work.
Without the command line option, only TLS version 1.3
mounts are permitted.
The man page update will be a separate commit.
MFC after: 2 weeks
This patch adds logging of the version of TLS and cipher
negotiated successfully by the TLS handshake for each client,
if the "-v" command line option has been specified.
This information may be useful for monitoring and debugging
NFS-over-TLS mounts.
MFC after: 2 weeks
The "C" option in the argument to getopt_long() was
missing a ":" for both rpc.tlsclntd.c and rpc.tlsservd.c.
This patch fixes this.
MFC after: 2 weeks
rpc.tlsclntd has a -C command line option for setting
preferred_ciphers. Testing at a recent IETF NFSv4 testing
event showed that setting preferred_ciphers is not normally
needed for the rpc.tlsservd.
This patch modifies rpc.tlsservd to not specify preferred_ciphers
by default, but provides the same -C option as rpc.tlsclntd to
set preferred_ciphers, in case it is needed.
The man page update will be done as a separate commit.
MFC after: 2 weeks
Upstream OpenSSL (and the KTLS backport) have switched to an opt-in
option (SSL_OP_ENABLE_KTLS) in place of opt-out modes
(SSL_MODE_NO_KTLS_TX and SSL_MODE_NO_KTLS_RX) for controlling kernel
TLS.
Reviewed by: rmacklem
Sponsored by: Netflix
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31445
The kernel changes needed for nfs-over-tls have been committed to main.
However, nfs-over-tls requires user space daemons to handle the
TLS handshake and other non-application data TLS records.
There is one daemon (rpc.tlsclntd) for the client side and one daemon
(rpc.tlsservd) for the server side, although they share a fair amount
of code found in rpc.tlscommon.c and rpc.tlscommon.h.
They use a KTLS enabled OpenSSL to perform the actual work and, as such,
are only built when MK_OPENSSL_KTLS is set.
Communication with the kernel is done via upcall RPCs done on AF_LOCAL
sockets and the custom system call rpctls_syscall.
Reviewed by: gbe (man pages only), jhb (usr.sbin/Makefile only)
Comments by: jhb
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D28430
Relnotes: yes
