Re: Verifying NFS over TLS
- Reply: Peter Jeremy : "Re: Verifying NFS over TLS"
- In reply to: Peter Jeremy : "Verifying NFS over TLS"
Date: Sat, 24 Jun 2023 13:09:07 UTC
On Sat, Jun 24, 2023 at 1:52 AM Peter Jeremy <peterj@freebsd.org> wrote:
>
> I've recently been configuring NFS over TLS[*] and one issue that came
> up was how to verify that it's actually using TLS.
> * "mount -v" doesn't provide any indication of mount options.
> * Various kern.ipc.tls sysctls can confirm that *something* is using
> ktls but not that a specific NFS mount is using TLS.
> * tcpdump's inability to decode traffic on port 2049 is a fairly good
> indication but isn't as direct as I'd like.
>
> What is the recommended way to distinguish TLS from non-TLS mounts?

"nfsstat -m" on the client shows what mount options are actually being
used. (If "tls" is in the list, it should be happening.)

You can capture packets via tcpdump and then look at them in wireshark and
you should be able to see that TLS application data records are what is
going on the wire.

If you attempt an NFS mount with the "tls" option against a server not
configured to do NFS-over-TLS (the original authors use RPC-with-TLS, which
is more accurate but, to me, less informative), the mount should fail.

rick

>
> [*] Thanks very much rmacklem@ for your work.
> --
> Peter Jeremy
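The "nfsstat -m" check above is easy to turn into an audit of every NFS mount on a client. The script below is an added example, not part of this thread or of FreeBSD; it assumes the FreeBSD output shape of one "mountpoint on server:path" line followed by one comma-separated options line per mount, matches "tls" only as a whole option token, and is fed a constructed sample rather than output captured from a real system (the nfsstat wrapper is the only part that needs a live client).

```shell
#!/bin/sh
# Audit NFS mounts for the "tls" option using "nfsstat -m" output.
# Assumed output shape (FreeBSD client): one "<mountpoint> on <server:path>"
# line per mount, followed by one comma-separated options line.

# nfs_tls_status: reads nfsstat -m output on stdin and prints
# "<mountpoint> tls" or "<mountpoint> plaintext" for every mount found.
# "tls" is matched as a whole option token, so an option that merely
# contains the letters "tls" does not count as a TLS mount.
nfs_tls_status() {
    awk '
        / on / { mp = $1; next }            # mount line: remember the mount point
        mp != "" {                          # following line: the option list
            n = split($0, opts, ",")
            status = "plaintext"
            for (i = 1; i <= n; i++) if (opts[i] == "tls") status = "tls"
            print mp, status
            mp = ""
        }
    '
}

# mount_uses_tls MOUNTPOINT: reads nfsstat -m output on stdin and exits
# 0 if that mount has the tls option, 1 if it is a plaintext mount, and
# 2 if the mount point does not appear in the output at all.
mount_uses_tls() {
    nfs_tls_status | awk -v mp="$1" '
        $1 == mp { found = 1; st = ($2 == "tls") ? 0 : 1; exit st }
        END { if (!found) exit 2 }
    '
}

# audit_live_nfs_mounts: the same check against a live client
# (assumption: this runs on a FreeBSD host with nfsstat on PATH).
audit_live_nfs_mounts() {
    nfsstat -m | nfs_tls_status
}

# Constructed sample output in the assumed nfsstat -m shape; not captured
# from any real system.
SAMPLE='/mnt/secure on nfs.example.org:/export/secure
nfsv4,minorversion=2,tcp,resvport,tls,hard,cto,sec=sys,rsize=65536,wsize=65536
/mnt/legacy on nfs.example.org:/export/legacy
nfsv3,tcp,resvport,hard,cto,lockd,sec=sys,rsize=65536,wsize=65536'

# Usage against the sample: prints one status line per mount.
printf '%s\n' "$SAMPLE" | nfs_tls_status
```

Piping "nfsstat -m" into nfs_tls_status on a real client gives the per-mount view; mount_uses_tls is the form to drop into a monitoring check, where a non-zero exit on a mount that is supposed to be "tls" is the alert condition.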