Although the tls syscall to set up the upcall should
not normally fail, the daemon should check for such
a failure. This patch adds a check for that failure.
MFC after: 1 week
The RFC for this finally got published and, therefore,
now has a number. This patch puts this RFC number
in the man page.
This is a content change.
MFC after: 1 week
Commit 72bf76d6b8 added the -2 option to use
TLS 1.2 NFS-over-TLS mounts. It did not add -2
to the usage message.
This patch adds -2 to the usage message.
MFC after: 2 weeks
Since the KTLS now supports TLS1.3, the daemons default
to version 1.3, since the draft (to be an RFC someday)
requires TLS1.3.
However, since FreeBSD 13,0, 13,1 uses TLS1.2 for
NFS-over-TLS, the "-2" option is added to both daemons
for compatibility with FreeBSD 13.0, 13.1.
This patch updates the man pages for this.
This is a content change.
Reviewed by: pauamma_gundo.com
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35290
Commit f5b40aa0de modifies the -C command line option
for rpc.tlsclntd to use the TLS 1.3 SSL_CTX_set_ciphersuites().
This patch updates the man page for this modified command
line option.
This is a content change.
Reviewed by: jhb, pauamma_gundo.com (same change for rpc.tlsservd.8)
MFC after: 2 weeks
Commit 0b4f2ab0e9 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
This patch replaces SSL_CTX_set_cipher_list() with
SSL_CTX_set_ciphersuites(), since that is the function
that is used for TLS1.3.
The man page will be updated in a separate commit.
MFC after: 2 weeks
Commit 0b4f2ab0e9 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
Since FreeBSD 13.0, 13.1 use TLS version 1.2 for
NFS-over-TLS mounts, this command line option
may be used so that NFS-over-TLS mounts to 13.0, 13.1
servers will still work.
Without the command line option, NFS-over-TLS mounts
will use TLS version 1.3.
The man page update will be a separate commit.
MFC after: 2 weeks
The "C" option in the argument to getopt_long() was
missing a ":" for both rpc.tlsclntd.c and rpc.tlsservd.c.
This patch fixes this.
MFC after: 2 weeks
Upstream OpenSSL (and the KTLS backport) have switched to an opt-in
option (SSL_OP_ENABLE_KTLS) in place of opt-out modes
(SSL_MODE_NO_KTLS_TX and SSL_MODE_NO_KTLS_RX) for controlling kernel
TLS.
Reviewed by: rmacklem
Sponsored by: Netflix
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31445
The kernel changes needed for nfs-over-tls have been committed to main.
However, nfs-over-tls requires user space daemons to handle the
TLS handshake and other non-application data TLS records.
There is one daemon (rpc.tlsclntd) for the client side and one daemon
(rpc.tlsservd) for the server side, although they share a fair amount
of code found in rpc.tlscommon.c and rpc.tlscommon.h.
They use a KTLS enabled OpenSSL to perform the actual work and, as such,
are only built when MK_OPENSSL_KTLS is set.
Communication with the kernel is done via upcall RPCs done on AF_LOCAL
sockets and the custom system call rpctls_syscall.
Reviewed by: gbe (man pages only), jhb (usr.sbin/Makefile only)
Comments by: jhb
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D28430
Relnotes: yes
