Date: Thu, 5 May 2022 22:55:33 GMT
Message-Id: <202205052255.245MtXRI087740@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Rick Macklem
Subject: git: 712aac1389e8 - main - rpc.tlsservd: Add a -C command line option for preferred_ciphers
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 712aac1389e8476ff3da98fd7ec80bf71fc601f4

The branch main has been updated by rmacklem:

URL:
https://cgit.FreeBSD.org/src/commit/?id=712aac1389e8476ff3da98fd7ec80bf71fc601f4

commit 712aac1389e8476ff3da98fd7ec80bf71fc601f4
Author:     Rick Macklem
AuthorDate: 2022-05-05 22:54:14 +0000
Commit:     Rick Macklem
CommitDate: 2022-05-05 22:54:14 +0000

    rpc.tlsservd: Add a -C command line option for preferred_ciphers

    rpc.tlsclntd has a -C command line option for setting preferred_ciphers.
    Testing at a recent IETF NFSv4 testing event showed that setting
    preferred_ciphers is not normally needed for the rpc.tlsservd.
    This patch modifies rpc.tlsservd to not specify preferred_ciphers by
    default, but provides the same -C option as rpc.tlsclntd to set
    preferred_ciphers, in case it is needed.

    The man page update will be done as a separate commit.

    MFC after:      2 weeks
---
 usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index db829be68334..2726ba84fd3b 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -104,6 +104,7 @@ static uint64_t rpctls_ssl_usec = 0; static bool rpctls_cnuser = false; static char *rpctls_dnsname; static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1"; +static const char *rpctls_ciphers = NULL; static void rpctlssd_terminate(int); static SSL_CTX *rpctls_setup_ssl(const char *certdir); @@ -118,6 +119,7 @@ static void rpctls_huphandler(int sig __unused); extern void rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp); static struct option longopts[] = { + { "ciphers", required_argument, NULL, 'C' }, { "certdir", required_argument, NULL, 'D' }, { "debuglevel", no_argument, NULL, 'd' }, { "checkhost", no_argument, NULL, 'h' },
@@ -178,9 +180,12 @@ main(int argc, char **argv) } rpctls_verbose = false; - while ((ch = getopt_long(argc, argv, "D:dhl:n:mp:r:uvWw", longopts, + while ((ch = getopt_long(argc, argv, "CD:dhl:n:mp:r:uvWw", longopts, NULL)) != -1) { switch (ch) { + case 'C': + rpctls_ciphers = optarg; + break; case 'D': rpctls_certdir = optarg; break; @@ -558,16 +563,20 @@ rpctls_setup_ssl(const char *certdir) } SSL_CTX_set_ecdh_auto(ctx, 1); - /* - * Set preferred ciphers, since KERN_TLS only supports a - * few of them. - */ - ret = SSL_CTX_set_cipher_list(ctx, _PREFERRED_CIPHERS); - if (ret == 0) { - rpctls_verbose_out("rpctls_setup_ssl: " - "SSL_CTX_set_cipher_list failed to set any ciphers\n"); - SSL_CTX_free(ctx); - return (NULL); + if (rpctls_ciphers != NULL) { + /* + * Set preferred ciphers, since KERN_TLS only supports a + * few of them. Normally, not doing this should be ok, + * since the library defaults will work. + */ + ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers); + if (ret == 0) { + rpctls_verbose_out("rpctls_setup_ssl: " + "SSL_CTX_set_cipher_list failed: %s\n", + rpctls_ciphers); + SSL_CTX_free(ctx); + return (NULL); + } } /* Get the cert.pem and certkey.pem files from the directory certdir. */
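Review bot: In the `main()` hunk the short-option string becomes `"CD:dhl:n:mp:r:uvWw"` with no colon after `C`, but the `longopts` entry declares `ciphers` as `required_argument` and `case 'C'` assigns `optarg`. Without the colon, getopt_long(3) treats `-C` as a flag: `optarg` is NULL for the short form, so `rpctls_ciphers` stays NULL, the cipher restriction is silently never applied, and the list the operator typed is left over as a stray non-option argument; only `--ciphers LIST` behaves as intended. Suggest `"C:D:dhl:n:mp:r:uvWw"` to match the long option, and a quick check of the short form, since the failure is now silent rather than a hard error.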
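Review bot: In the `rpctls_setup_ssl()` hunk the retained comment still says KERN_TLS only supports a few ciphers, while the new guard means the server no longer restricts the list unless `-C` is given, so the default now depends on the library's own list being compatible with KERN_TLS; the man page follow-up the commit message promises should say that explicitly, document that `-C` takes an OpenSSL cipher-list string (as the `SSL_CTX_set_cipher_list` call implies), and note that `SSL_CTX_set_cipher_list` governs only the TLSv1.2-and-earlier list, TLSv1.3 suites being controlled by `SSL_CTX_set_ciphersuites`, so `-C` does not constrain a TLSv1.3 handshake. If `_PREFERRED_CIPHERS` has no remaining user after this hunk removes its only reference here, drop its definition rather than leave a stale list behind.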