From: Rick Macklem
Date: Fri, 3 Jun 2022 02:15:16 GMT
Message-Id: <202206030215.2532FGOu033589@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 81b2ab51138d - stable/13 - rpc.tlsservd: Add an option to allow TLS version 1.2
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 81b2ab51138d5a994bbdd49c2c21ff8812ed9d3c

The branch stable/13 has been updated by rmacklem:

URL:
https://cgit.FreeBSD.org/src/commit/?id=81b2ab51138d5a994bbdd49c2c21ff8812ed9d3c

commit 81b2ab51138d5a994bbdd49c2c21ff8812ed9d3c
Author:     Rick Macklem
AuthorDate: 2022-05-20 21:44:50 +0000
Commit:     Rick Macklem
CommitDate: 2022-06-03 02:14:13 +0000

    rpc.tlsservd: Add an option to allow TLS version 1.2

    Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS version 1.3
    for NFS-over-TLS, as required by the draft (someday to be an RFC).
    Since FreeBSD 13.0, 13.1 use TLS version 1.2 for NFS-over-TLS mounts,
    this command line option may be used so that mounts from 13.0, 13.1
    will still work.
    Without the command line option, only TLS version 1.3 mounts are
    permitted.

    The man page update will be a separate commit.

    (cherry picked from commit 0637b12b13be442aacda808bb937d45e538dd98f)
---
 usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index 9ae3355805a1..96f3c06a5c2e 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -105,6 +105,7 @@ static bool rpctls_cnuser = false; static char *rpctls_dnsname; static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1"; static const char *rpctls_ciphers = NULL; +static int rpctls_mintls = TLS1_3_VERSION; static void rpctlssd_terminate(int); static SSL_CTX *rpctls_setup_ssl(const char *certdir); @@ -119,6 +120,7 @@ static void rpctls_huphandler(int sig __unused); extern void rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp); static struct option longopts[] = { + { "allowtls1_2", no_argument, NULL, '2' }, { "ciphers", required_argument, NULL, 'C' }, { "certdir", required_argument, NULL, 'D' }, { "debuglevel", no_argument, NULL, 'd' },
@@ -181,9 +183,12 @@ main(int argc, char **argv) debug = 0; rpctls_verbose = false; - while ((ch = getopt_long(argc, argv, "C:D:dhl:n:mp:r:uvWw", longopts, + while ((ch = getopt_long(argc, argv, "2C:D:dhl:n:mp:r:uvWw", longopts, NULL)) != -1) { switch (ch) { + case '2': + rpctls_mintls = TLS1_2_VERSION; + break; case 'C': rpctls_ciphers = optarg; break; @@ -580,6 +585,21 @@ rpctls_setup_ssl(const char *certdir) } } + ret = SSL_CTX_set_min_proto_version(ctx, rpctls_mintls); + if (ret == 0) { + rpctls_verbose_out("rpctls_setup_ssl: " + "SSL_CTX_set_min_proto_version failed\n"); + SSL_CTX_free(ctx); + return (NULL); + } + ret = SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); + if (ret == 0) { + rpctls_verbose_out("rpctls_setup_ssl: " + "SSL_CTX_set_max_proto_version failed\n"); + SSL_CTX_free(ctx); + return (NULL); + } + /* Get the cert.pem and certkey.pem files from the directory certdir. */ len = strlcpy(path, certdir, sizeof(path)); rlen = sizeof(path) - len;
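Review bot: in the first hunk, `static int rpctls_mintls = TLS1_3_VERSION;` deserves a one-line comment saying that it is the minimum protocol version the daemon will negotiate and that it is only lowered by the new `-2`/`--allowtls1_2` option; as written, a reader of the declaration block has to find the getopt case to learn why the value is mutable at all. The default itself is the right one: with no option the floor stays at TLS 1.3, which matches what the commit message promises.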
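Review bot: in the `main()` hunk, `case '2': rpctls_mintls = TLS1_2_VERSION;` lowers the accepted protocol floor without leaving any trace in the daemon's output; since the option string already carries `v` (verbose) and the file has `rpctls_verbose_out()`, consider emitting one line when `-2` is parsed (or when the context is built) so an operator can confirm from the log whether TLS 1.2 mounts are being accepted. The same hunk adds `2` to the getopt string next to the existing `h`, so whatever the `h` case prints should list the new option too; the commit message only defers the man page to a separate commit, not the in-binary usage text.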
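Review bot: in the `rpctls_setup_ssl()` hunk, both new error paths correctly free `ctx` and return NULL, but the failure messages for `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version` go only through `rpctls_verbose_out()`, so a failure here is silent unless the daemon was started with `-v` even though no SSL context is created afterwards; reporting these two failures unconditionally would make the misconfiguration visible. Pinning the maximum to `TLS1_3_VERSION` explicitly is fine, but a short comment noting that the range is deliberately `rpctls_mintls..TLS1_3_VERSION` (1.3 only by default, 1.2 and 1.3 with `-2`) would save the next reader from wondering whether the max call is needed.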