Rick Macklem wrote this message on Wed, Mar 04, 2020 at 03:15 +0000:
> I am slowly trying to understand TLS certificates and am trying to figure
> out how to do the following:
> -> For an /etc/exports file with...
> /home -tls -network 192.168.1.0 -mask 255.255.255.0
> /home -tlscert

Are you looking at implementing draft-cel-nfsv4-rpc-tls?

> This syntax isn't implemented yet, but the thinking is that clients on the
> 192.168.1 subnet would use TLS, but would not require a certificate.
> For access from anywhere else, the client(s) would be required to have a
> certificate.
>
> A typical client mounting from outside of the subnet might be my laptop,
> which is using wifi and has no fixed IP/DNS name.
> --> How do you create a certificate that the laptop can use, which the NFS
> server can trust enough to allow the mount?
> My thinking is that a "secret" value can be put in the certificate that the NFS
> server can check for.
> The simplest way would be a fairly long list of random characters in the
> organizationName and/or organizationUnitName field(s) of the subject name.
> Alternately, it could be a newly defined extension for X509v3, I think?
>
> Now, I'm not sure, but I don't think this certificate can be created via
> a trust authority such that it would "verify". However, the server can
> look for the "secret" in the certificate and allow the mount based on that.
>
> Does this sound reasonable?

Without a problem statement or what you're trying to accomplish, it's hard
to say if it is.

> Also, even if the NFS client/server have fixed IP addresses with well known
> DNS names, it isn't obvious to me how signed certificates can be acquired
> for them?
> (Let's Encrypt expects the Acme protocol to work and that seems to be
> web site/http specific?)

There are DNS challenges that can be used. I use them to obtain certs for
SMTP and SIP servers... Using nsupdate, this is relatively easy to automate
pushing the challenges to a DNS server, and I now use DNS challenges for
everything, including https.

> Thanks for any help with this, rick

Let me know if you'd like to hop on a call about this.

--
John-Mark Gurney				Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."

Received on Thu Mar 19 2020 - 18:16:15 UTC
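The nsupdate-driven DNS-01 automation John-Mark describes, as an added example (not his script or anything from the thread): it builds the dynamic-update batch that publishes or removes the `_acme-challenge` TXT record and, when run as a certbot-style hook, pipes it to nsupdate. The DNS server name, TSIG key path, and the hook's use of the `CERTBOT_DOMAIN`/`CERTBOT_VALIDATION` environment variables are assumptions for this example.

```shell
#!/bin/sh
# ACME DNS-01 challenge via nsupdate, in the shape of a certbot
# --manual-auth-hook / --manual-cleanup-hook. Assumed (not from the
# thread): authoritative server name and TSIG key file location.
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"   # assumed server that accepts updates
TSIG_KEY="${TSIG_KEY:-/etc/acme/tsig.key}"    # assumed TSIG key; never world-readable
TTL=60                                        # short TTL so stale challenges expire fast

# ACME key-authorization digests are base64url, so anything outside that
# alphabet is not a real token; rejecting it keeps the TXT value and the
# nsupdate batch from being broken out of by a crafted string.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# dns01_batch add|del <domain> <token>
# Prints an nsupdate batch on stdout; pipe it to: nsupdate -k "$TSIG_KEY"
dns01_batch() {
    action="$1"; domain="$2"; token="$3"
    valid_token "$token" || { echo "dns01_batch: bad token" >&2; return 2; }
    case "$action" in
        add) op="update add _acme-challenge.${domain}. ${TTL} IN TXT \"${token}\"" ;;
        del) op="update delete _acme-challenge.${domain}. IN TXT \"${token}\"" ;;
        *)   echo "usage: dns01_batch add|del domain token" >&2; return 2 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$DNS_SERVER" "$op"
}

# Hook mode: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION; the first
# argument selects add (auth hook) or del (cleanup hook). Does nothing when
# the variables are unset, so the functions can be sourced and tested offline.
if [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ]; then
    dns01_batch "${1:-add}" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
        | nsupdate -k "$TSIG_KEY"
fi
```

Restrict the TSIG key on the server side to `_acme-challenge.*` TXT records (for example with BIND's `update-policy`), so a leaked hook key cannot rewrite the rest of the zone.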
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC