
update the rpc.tlsservd man page for the -C option
Needs Review, Public

Authored by rmacklem on Thu, May 5, 11:03 PM.



Commit 712aac1389e8 adds a new -C command line option
to rpc.tlsservd.

This patch updates the man page for this new command
line option.

Diff Detail

R10 FreeBSD src repository
Lint Skipped
Unit Tests Skipped

Event Timeline

added inline comments.

Audience check: does this need to include "for the format of preferred_ciphers, see ciphers(1)" with the appropriate .Xr here and in SEE ALSO?

Reference openssl-ciphers for the preferred-ciphers list
and comment on what is likely to work as suggested by
Pau Amma.


How does this look? I used openssl-ciphers(1), since that
seems to be directly related to the preferred-cipher list
format expected by openssl.

I also added a simple comment on what should work,
copied from recent email I received from jhb@.

jhb added inline comments.

I'm not sure if "many" is quite correct. All of the TLS 1.3 cipher suites that you get from openssl ciphers -s -tls1_3 work with KTLS for both send and receive. Of the TLS 1.2 ciphers listed in openssl ciphers -s -tls1_2, 16 are for AES-CBC and will not work, and 11 are for AES-GCM or ChaCha20-Poly1305 and will work with KTLS. However, using AES-CBC is becoming more obscure. Most TLS 1.2 sessions use AES-GCM (as do most TLS 1.3 sessions).

The other thing to perhaps consider is that SSL_CTX_set_cipher_list only affects TLS <= 1.2. TLS 1.3 uses SSL_CTX_set_ciphersuites. (Sorry, I didn't realize this yesterday.) If NFS over TLS is supposed to only use TLS 1.3, then it's probably not worth letting users configure the TLS 1.2 cipher list.


I wasn't quite precise in my e-mail, so probably replace Chacha20-poly1305 with either "ChaCha20-Poly1305" or "Chacha20-Poly1305". crypto(7) uses the former (both C's capitalized).

Since I should be able to test KTLS1.3 in a couple of weeks,
I think this man page update should be delayed until KTLS1.3
is working and "-C" is converted to SSL_CTX_set_ciphersuites().

I'll try and update the man page for that soon.

Thanks for pointing out SSL_CTX_set_cipher_list() doesn't do
TLS1.3. (The daemons will still allow TLS1.2 for some time, since
FreeBSD13.0 and 13.1 will only do TLS1.2, but the default of
not calling SSL_CTX_set_cipher_list() should be sufficient.)


Thanks John. Obviously, the "-C" option should be changed to use
SSL_CTX_ciphersuites() soon. Btw, I found this nice man page, but
it is in debian and not the generic OpenSSL stuff. I don't know if the
list there would be accurate for FreeBSD?

Update the description to use SSL_CTX_set_ciphersuites().
I now note that "openssl ciphers -s -tls1_3" will list the
ciphers that work.

This man page update would not be committed until
rpc.tlsservd is converted to using primarily TLS1.3.


This variant references SSL_CTX_set_ciphersuites() and
describes the list, plus using "openssl ciphers -s -tls1_3"
for the set to select from.

How does this variant sound?


I got rid of this sentence and replaced it with
a note to do the openssl command.

Use the .So, .Sc macros for single quotes around :

Will rereview if time permits when the dust settles on the TLS 1.3 change.
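The thread above makes two practical points for whoever writes a -C list: the TLS 1.3 suite names that SSL_CTX_set_ciphersuites() accepts are the ones "openssl ciphers -s -tls1_3" prints (colon-separated), and for TLS 1.2 only the AES-GCM and ChaCha20-Poly1305 suites are KTLS-capable while the AES-CBC ones are not. The helper below is an added example written for this page, not code from the rpc.tlsservd patch or the FreeBSD source tree. It classifies suite names the way jhb describes and pre-checks a candidate preferred_ciphers string against the TLS 1.3 set. The two sample lists are constructed from standard OpenSSL suite names (the TLS 1.2 list is abbreviated), not captured from a real run; OpenSSL's own parser remains the authority on what a given build accepts.

```python
"""Added example (not part of the rpc.tlsservd patch or FreeBSD source).

Classify suite names as `openssl ciphers -s -tls1_2` / `-tls1_3` would print
them by whether FreeBSD KTLS can carry them, following the description in
the review thread: every TLS 1.3 suite works; for TLS 1.2, AES-GCM and
ChaCha20-Poly1305 work and AES-CBC does not. Also pre-check a colon-separated
preferred_ciphers string of the kind SSL_CTX_set_ciphersuites() takes
against the TLS 1.3 suites the local OpenSSL offers.
"""
import re

# Constructed sample in the style of `openssl ciphers -s -tls1_3` output
# (default OpenSSL 1.1.1 / 3.x configuration). Not captured from a real run.
SAMPLE_TLS13 = ("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
                "TLS_AES_128_GCM_SHA256")

# Constructed, abbreviated sample in the style of `openssl ciphers -s -tls1_2`;
# a real list is longer. Not captured from a real run.
SAMPLE_TLS12 = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256",
    "AES256-SHA256", "AES128-SHA",
])

# AES-CBC suites end in AESnnn-SHA, AESnnn-SHA256 or AESnnn-SHA384 and carry
# no AEAD marker (GCM/CCM/POLY1305) in the name.
_CBC_RE = re.compile(r"AES(128|256)-SHA(256|384)?$")


def parse_cipher_list(text):
    """Split a colon-separated openssl list (or a -C argument) into names,
    dropping empty fields and surrounding whitespace."""
    return [n.strip() for n in text.strip().split(":") if n.strip()]


def ktls_capable(name, tls13):
    """True when KTLS can carry the suite per the thread, False for AES-CBC,
    None where the thread says nothing (e.g. CCM or non-AES suites)."""
    if tls13:
        return True
    if "GCM" in name or "CHACHA20-POLY1305" in name:
        return True
    if _CBC_RE.search(name):
        return False
    return None


def classify(text, tls13):
    """Bucket every suite in `text` into ktls / no_ktls / unknown, in order."""
    result = {"ktls": [], "no_ktls": [], "unknown": []}
    for name in parse_cipher_list(text):
        cap = ktls_capable(name, tls13)
        key = "ktls" if cap else ("no_ktls" if cap is False else "unknown")
        result[key].append(name)
    return result


def check_preferred(preferred, available_tls13):
    """Pre-check a -C string against the TLS 1.3 suites the local OpenSSL
    offers. Returns (accepted, rejected), keeping the administrator's order
    so the first accepted entry is still the most preferred."""
    offered = set(parse_cipher_list(available_tls13))
    wanted = parse_cipher_list(preferred)
    accepted = [n for n in wanted if n in offered]
    rejected = [n for n in wanted if n not in offered]
    return accepted, rejected


if __name__ == "__main__":
    for label, sample, v13 in (("TLS 1.3", SAMPLE_TLS13, True),
                               ("TLS 1.2", SAMPLE_TLS12, False)):
        buckets = classify(sample, v13)
        print(label, {k: len(v) for k, v in buckets.items()})
    # Hypothetical -C argument; the CCM suite is not in the constructed
    # default list, so it is reported as rejected.
    acc, rej = check_preferred(
        "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
        "TLS_AES_128_CCM_SHA256", SAMPLE_TLS13)
    print("accepted:", acc)
    print("rejected:", rej)
```

To use it against a real system, replace the two constructed samples with the actual output of "openssl ciphers -s -tls1_3" and "openssl ciphers -s -tls1_2" on the NFS server; the classification for TLS 1.2 is only as complete as the thread's description (CCM and non-AES suites are reported as unknown rather than guessed).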