Changeset View
Standalone View
usr.sbin/rpc.tlsservd/rpc.tlsservd.8
| Show All 20 Lines | |||||||||
| .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||||||
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||||||
| .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||||||
| .\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||||||
| .\" | .\" | ||||||||
| .\" $FreeBSD$ | .\" $FreeBSD$ | ||||||||
| .\" | .\" | ||||||||
| .\" Modified from gssd.8 for rpc.tlsservd.8 by Rick Macklem. | .\" Modified from gssd.8 for rpc.tlsservd.8 by Rick Macklem. | ||||||||
| .Dd January 29, 2021 | .Dd May 5, 2022 | ||||||||
| .Dt RPC.TLSSERVD 8 | .Dt RPC.TLSSERVD 8 | ||||||||
| .Os | .Os | ||||||||
| .Sh NAME | .Sh NAME | ||||||||
| .Nm rpc.tlsservd | .Nm rpc.tlsservd | ||||||||
| .Nd "Sun RPC over TLS Server Daemon" | .Nd "Sun RPC over TLS Server Daemon" | ||||||||
| .Sh SYNOPSIS | .Sh SYNOPSIS | ||||||||
| .Nm | .Nm | ||||||||
| .Op Fl C Ar preferred_ciphers | |||||||||
| .Op Fl D Ar certdir | .Op Fl D Ar certdir | ||||||||
| .Op Fl d | .Op Fl d | ||||||||
| .Op Fl h | .Op Fl h | ||||||||
| .Op Fl l Ar CAfile | .Op Fl l Ar CAfile | ||||||||
| .Op Fl m | .Op Fl m | ||||||||
| .Op Fl n Ar domain | .Op Fl n Ar domain | ||||||||
| .Op Fl p Ar CApath | .Op Fl p Ar CApath | ||||||||
| .Op Fl r Ar CRLfile | .Op Fl r Ar CRLfile | ||||||||
| ▲ Show 20 Lines • Show All 90 Lines • ▼ Show 20 Lines | |||||||||
| The daemon will log failed certificate verifications via | The daemon will log failed certificate verifications via | ||||||||
| .Xr syslogd 8 | .Xr syslogd 8 | ||||||||
| using LOG_INFO | LOG_DAEMON when the | using LOG_INFO | LOG_DAEMON when the | ||||||||
| .Fl m | .Fl m | ||||||||
| option has been specified. | option has been specified. | ||||||||
| .Pp | .Pp | ||||||||
| The options are as follows: | The options are as follows: | ||||||||
| .Bl -tag -width indent | .Bl -tag -width indent | ||||||||
| .It Fl C Ar preferred_ciphers , Fl Fl ciphers= Ns Ar preferred_ciphers | |||||||||
| Specify what preferred ciphers are to be used. | |||||||||
pauamma_gundo.com: Audience check: does this need to include "for the format of preferred_ciphers, see ciphers(1)"… | |||||||||
Done Inline ActionsHow does this look. I used openssl-ciphers(1), since that I also added a simple comment on what should work, rmacklem: How does this look. I used openssl-ciphers(1), since that
seems to be directly related to the… | |||||||||
Done Inline Actions
pauamma_gundo.com: | |||||||||
Done Inline ActionsI would perhaps s/what/which/. jhb: I would perhaps s/what/which/. | |||||||||
| If this option is specified, | |||||||||
| .Dq SSL_CTX_set_cipher_list() | |||||||||
| will be called with | |||||||||
| .Dq preferred_ciphers | |||||||||
| as the argument. | |||||||||
| If this option is not specified, the cipher will be chosen by | |||||||||
| .Xr ssl 7 | |||||||||
| and that should be adequate for most cases. | |||||||||
Done Inline Actionss/and that/which/ jhb: s/and that/which/ | |||||||||
| The format for the preferred cipher list is described in | |||||||||
| .Xr openssl-ciphers 1 , | |||||||||
| but note that many of the ciphers listed do not work for the KTLS. | |||||||||
jhbUnsubmitted Not Done Inline ActionsI'm not sure if "many" is quite correct. All of the TLS 1.3 cipher suites that you get from openssl ciphers -s -tls1_3 work with KTLS for both send and receive. Of the TLS 1.2 ciphers listed in openssl ciphers -s -tls1_2, 16 are for AES-CBC and will not work, and 11 are for AES-GCM or ChaCha20-Poly1305 and will work with KTLS. However, using AES-CBC is a becoming more obscure. Most TLS 1.2 sessions use AES-GCM (as do most TLS 1.3 sessions). The other thing to perhaps consider is that SSL_CTX_set_cipher_list only affects TLS <= 1.2. TLS 1.3 uses SSL_CTX_set_ciphersuites. (Sorry, I didn't realize this yesterday.) If NFS over TLS is supposed to only use TLS 1.3, then it's probably not worth letting users configure the TLS 1.2 cipher list. jhb: I'm not sure if "many" is quite correct. All of the TLS 1.3 cipher suites that you get from… | |||||||||
rmacklemAuthorUnsubmitted Done Inline ActionsThanks John. Obviously, the "-C" option should be changed to use https://manpages.debian.org/experimental/libssl-doc/SSL_CTX_set_ciphersuites.3ssl.en.html rmacklem: Thanks John. Obviously, the "-C" option should be changed to use
SSL_CTX_ciphersuites() soon. | |||||||||
rmacklemAuthorUnsubmitted Done Inline ActionsThis variant references SSL_CTX_set_ciphersuites() and How does this variant sound? rmacklem: This variant references SSL_CTX_set_ciphersuites() and
describes the list, plus using "openssl… | |||||||||
| At this time AES-GCM and Chacha20-poly1305 ciphers should work | |||||||||
jhbUnsubmitted Not Done Inline ActionsI wasn't quite precise in my e-mail, so probably replace Chacha20-poly1305 with either "ChaCha20-Poly1305" or "Chacha20-Poly1305". crypto(7) uses the former (both C's capitalized). jhb: I wasn't quite precise in my e-mail, so probably replace Chacha20-poly1305 with either… | |||||||||
rmacklemAuthorUnsubmitted Done Inline ActionsI got rid of this sentence and replaced it with rmacklem: I got rid of this sentence and replaced it with
a note to do the openssl command.
| |||||||||
| for the KTLS. | |||||||||
| .It Fl D Ar certdir , Fl Fl certdir= Ns Ar certdir | .It Fl D Ar certdir , Fl Fl certdir= Ns Ar certdir | ||||||||
| Use | Use | ||||||||
| .Dq certdir | .Dq certdir | ||||||||
Done Inline ActionsMaybe "lists valid ciphers" or "lists available ciphers" jhb: Maybe "lists valid ciphers" or "lists available ciphers" | |||||||||
| instead of /etc/rpc.tlsservd as the location for the | instead of /etc/rpc.tlsservd as the location for the | ||||||||
| certificate in a file called | certificate in a file called | ||||||||
| .Dq cert.pem | .Dq cert.pem | ||||||||
| and associated key in | and associated key in | ||||||||
| .Dq certkey.pem . | .Dq certkey.pem . | ||||||||
| .It Fl d , Fl Fl debuglevel | .It Fl d , Fl Fl debuglevel | ||||||||
| Run in debug mode. | Run in debug mode. | ||||||||
| In this mode, | In this mode, | ||||||||
| ▲ Show 20 Lines • Show All 163 Lines • ▼ Show 20 Lines | |||||||||
| and | and | ||||||||
| .Fl w | .Fl w | ||||||||
| options is allowed. | options is allowed. | ||||||||
| .El | .El | ||||||||
| .Sh EXIT STATUS | .Sh EXIT STATUS | ||||||||
| .Ex -std | .Ex -std | ||||||||
| .Sh SEE ALSO | .Sh SEE ALSO | ||||||||
| .Xr openssl 1 , | .Xr openssl 1 , | ||||||||
| .Xr openssl-ciphers 1 , | |||||||||
| .Xr ktls 4 , | .Xr ktls 4 , | ||||||||
| .Xr exports 5 , | .Xr exports 5 , | ||||||||
| .Xr ssl 7 , | |||||||||
| .Xr mount_nfs 8 , | .Xr mount_nfs 8 , | ||||||||
| .Xr nfsuserd 8 , | .Xr nfsuserd 8 , | ||||||||
| .Xr rpc.tlsclntd 8 , | .Xr rpc.tlsclntd 8 , | ||||||||
| .Xr syslogd 8 | .Xr syslogd 8 | ||||||||
| .Sh STANDARDS | .Sh STANDARDS | ||||||||
| The implementation is based on the specification in | The implementation is based on the specification in | ||||||||
| .Rs | .Rs | ||||||||
| .%B "RFC NNNN" | .%B "RFC NNNN" | ||||||||
| Show All 14 Lines | |||||||||
Audience check: does this need to include "for the format of preferred_ciphers, see ciphers(1)" with the appropriate .Xr here and in SEE ALSO?