John-Mark Gurney wrote: >Rick Macklem wrote this message on Fri, Sep 04, 2020 at 01:20 +0000: >> The server side NFS over TLS daemon (rpc.tlsservd) can reload an updated >> CRL (Certificate Revocation List) when a SIGHUP is posted to it. >> However, it does not SSL_shutdown()/close() extant TCP connections using TLS. >> (Those would only be closed if the daemon is restarted.) >> >> I am now thinking that, maybe, an SSL_shutdown()/close() should be done on >> all extant TCP connections using NFS over TLS when an updated CRL is loaded, >> since a connection might have used a revoked certificate for its handshake. >> >> What do others think? > >IMO, this should scan the existing connections, and only shut them >down if they are using a revoked Cert. This is the correct way to >do things. > >I do realize that this is likely not possible, and in reality, the >ssl library in use should do this automatically, but likely does not. Well, not exactly "automatically, but X509_CRL_get0_by_ccert() checks to see if a certificate is revoked, so all the code needed to do was read the CRL file and then loop through the certificates, checking each one. >As the library likely does not, we should probably make this an >option to close all connections upon CRL reload, with it being well >documented. > >Now that option should likely be set to default on, but documented >such that if you do regular/often CRL reloads, that a user may want >to turn that off if it's disruptive to their server. Not necessary, since doing just the revoked ones seems to work. If you are curious, you can look at the recent commits or code under head/projects/nfs-over-tls. If anyone is interested in testing it, you can look at: https://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt Thanks for the useful suggestion, rick -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."Received on Thu Sep 17 2020 - 00:16:40 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:25 UTC