Date: Sat, 24 Jun 2023 18:52:15 +1000
From: Peter Jeremy
To: freebsd-fs@freebsd.org
Subject: Verifying NFS over TLS
List-Archive: https://lists.freebsd.org/archives/freebsd-fs

I've recently been configuring NFS over TLS[*] and one issue that came up
was how to verify that it's actually using TLS.

* "mount -v" doesn't provide any indication of mount options.
* Various kern.ipc.tls sysctls can confirm that *something* is using ktls
  but not that a specific NFS mount is using TLS.
* tcpdump's inability to decode traffic on port 2049 is a fairly good
  indication but isn't as direct as I'd like.

What is the recommended way to distinguish TLS from non-TLS mounts?

[*] Thanks very much rmacklem@ for your work.

-- 
Peter Jeremy
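
The tcpdump observation in the message above can be made more direct by classifying the payload bytes seen on port 2049 as TLS records or cleartext ONC RPC. This is an added example, not part of the original message or of FreeBSD; `classify_payload`, `classify_flow`, `rpc_call` and the sample flows are hypothetical and constructed, and it assumes the mount follows RFC 9289, where one cleartext NULL RPC probe precedes the TLS handshake.

```python
import struct

TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
TLS_MAX_RECORD = 2**14 + 2048         # upper bound on record ciphertext length (TLS 1.2 limit)
NFS_PROGRAM = 100003                  # ONC RPC program number for NFS

def classify_payload(data: bytes) -> str:
    """Classify a TCP payload that begins on a record boundary."""
    if len(data) >= 5:
        ctype, major, minor, length = struct.unpack(">BBBH", data[:5])
        if (ctype in TLS_CONTENT_TYPES and major == 3 and 1 <= minor <= 4
                and length <= TLS_MAX_RECORD):
            return "tls"
    if len(data) >= 20:
        # RPC record marker (top bit = last fragment), then xid and msg_type
        marker, _xid, msg_type, f1, f2 = struct.unpack(">IIIII", data[:20])
        if (marker & 0x7FFFFFFF) >= 16:
            if msg_type == 0 and f1 == 2 and f2 == NFS_PROGRAM:  # CALL, rpcvers 2
                return "rpc"
            if msg_type == 1 and f1 in (0, 1):  # REPLY, accepted or denied
                return "rpc"
    return "unknown"  # e.g. a segment that starts in the middle of a record

def classify_flow(payloads) -> str:
    """Verdict for one connection's payloads, in capture order."""
    kinds = [classify_payload(p) for p in payloads]
    if "tls" in kinds:
        # Cleartext RPC is only expected before the first TLS record (the probe).
        return "mixed" if "rpc" in kinds[kinds.index("tls"):] else "tls"
    return "cleartext" if "rpc" in kinds else "unknown"

def rpc_call(xid: int, proc: int, cred_flavor: int) -> bytes:
    """Constructed NFSv4 CALL with empty credential and verifier bodies."""
    body = struct.pack(">10I", xid, 0, 2, NFS_PROGRAM, 4, proc, cred_flavor, 0, 0, 0)
    return struct.pack(">I", 0x80000000 | len(body)) + body

# Constructed sample flows (not captured traffic).
TLS_FLOW = [
    rpc_call(1, 0, 7),                    # NULL probe, flavor 7 = AUTH_TLS
    b"\x16\x03\x01\x00\x20" + bytes(32),  # handshake record
    b"\x17\x03\x03\x00\x10" + bytes(16),  # application_data record
    bytes(range(200, 240)),               # segment starting mid-record
]
CLEAR_FLOW = [rpc_call(2, 0, 0), rpc_call(3, 1, 0)]

if __name__ == "__main__":
    print(classify_flow(TLS_FLOW), classify_flow(CLEAR_FLOW))
```

A "mixed" verdict means cleartext RPC appeared after TLS records on the same connection and is worth inspecting by hand.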