usr.sbin/rpc.tlsservd/rpc.tlsservd.8
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||||||
.\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||||||
.\" | .\" | ||||||||
.\" $FreeBSD$ | .\" $FreeBSD$ | ||||||||
.\" | .\" | ||||||||
.\" Modified from gssd.8 for rpc.tlsservd.8 by Rick Macklem. | .\" Modified from gssd.8 for rpc.tlsservd.8 by Rick Macklem. | ||||||||
.Dd January 29, 2021 | .Dd May 5, 2022 | ||||||||
.Dt RPC.TLSSERVD 8 | .Dt RPC.TLSSERVD 8 | ||||||||
.Os | .Os | ||||||||
.Sh NAME | .Sh NAME | ||||||||
.Nm rpc.tlsservd | .Nm rpc.tlsservd | ||||||||
.Nd "Sun RPC over TLS Server Daemon" | .Nd "Sun RPC over TLS Server Daemon" | ||||||||
.Sh SYNOPSIS | .Sh SYNOPSIS | ||||||||
.Nm | .Nm | ||||||||
.Op Fl C Ar preferred_ciphers | |||||||||
.Op Fl D Ar certdir | .Op Fl D Ar certdir | ||||||||
.Op Fl d | .Op Fl d | ||||||||
.Op Fl h | .Op Fl h | ||||||||
.Op Fl l Ar CAfile | .Op Fl l Ar CAfile | ||||||||
.Op Fl m | .Op Fl m | ||||||||
.Op Fl n Ar domain | .Op Fl n Ar domain | ||||||||
.Op Fl p Ar CApath | .Op Fl p Ar CApath | ||||||||
.Op Fl r Ar CRLfile | .Op Fl r Ar CRLfile | ||||||||
The daemon will log failed certificate verifications via | The daemon will log failed certificate verifications via | ||||||||
.Xr syslogd 8 | .Xr syslogd 8 | ||||||||
using LOG_INFO | LOG_DAEMON when the | using LOG_INFO | LOG_DAEMON when the | ||||||||
.Fl m | .Fl m | ||||||||
option has been specified. | option has been specified. | ||||||||
.Pp | .Pp | ||||||||
The options are as follows: | The options are as follows: | ||||||||
.Bl -tag -width indent | .Bl -tag -width indent | ||||||||
.It Fl C Ar preferred_ciphers , Fl Fl ciphers= Ns Ar preferred_ciphers | |||||||||
Specify what preferred ciphers are to be used. | |||||||||
pauamma_gundo.com: Audience check: does this need to include "for the format of preferred_ciphers, see ciphers(1)" with the appropriate .Xr here and in SEE ALSO?
rmacklem: How does this look. I used openssl-ciphers(1), since that seems to be directly related to the… I also added a simple comment on what should work.
jhb: I would perhaps s/what/which/.
If this option is specified, | |||||||||
.Dq SSL_CTX_set_cipher_list() | |||||||||
will be called with | |||||||||
.Dq preferred_ciphers | |||||||||
as the argument. | |||||||||
If this option is not specified, the cipher will be chosen by | |||||||||
.Xr ssl 7 | |||||||||
and that should be adequate for most cases. | |||||||||
jhb: s/and that/which/
The format for the preferred cipher list is described in | |||||||||
.Xr openssl-ciphers 1 , | |||||||||
but note that many of the ciphers listed do not work for the KTLS. | |||||||||
jhb: I'm not sure if "many" is quite correct. All of the TLS 1.3 cipher suites that you get from openssl ciphers -s -tls1_3 work with KTLS for both send and receive. Of the TLS 1.2 ciphers listed in openssl ciphers -s -tls1_2, 16 are for AES-CBC and will not work, and 11 are for AES-GCM or ChaCha20-Poly1305 and will work with KTLS. However, using AES-CBC is becoming more obscure. Most TLS 1.2 sessions use AES-GCM (as do most TLS 1.3 sessions). The other thing to perhaps consider is that SSL_CTX_set_cipher_list only affects TLS <= 1.2. TLS 1.3 uses SSL_CTX_set_ciphersuites. (Sorry, I didn't realize this yesterday.) If NFS over TLS is supposed to only use TLS 1.3, then it's probably not worth letting users configure the TLS 1.2 cipher list.
rmacklem: Thanks John. Obviously, the "-C" option should be changed to use SSL_CTX_ciphersuites() (https://manpages.debian.org/experimental/libssl-doc/SSL_CTX_set_ciphersuites.3ssl.en.html) soon.
rmacklem: This variant references SSL_CTX_set_ciphersuites() and describes the list, plus using "openssl… How does this variant sound?
At this time AES-GCM and Chacha20-poly1305 ciphers should work | |||||||||
jhb: I wasn't quite precise in my e-mail, so probably replace Chacha20-poly1305 with either "ChaCha20-Poly1305" or "Chacha20-Poly1305". crypto(7) uses the former (both C's capitalized).
rmacklem: I got rid of this sentence and replaced it with a note to do the openssl command.
for the KTLS. | |||||||||
.It Fl D Ar certdir , Fl Fl certdir= Ns Ar certdir | .It Fl D Ar certdir , Fl Fl certdir= Ns Ar certdir | ||||||||
Use | Use | ||||||||
.Dq certdir | .Dq certdir | ||||||||
jhb: Maybe "lists valid ciphers" or "lists available ciphers"
instead of /etc/rpc.tlsservd as the location for the | instead of /etc/rpc.tlsservd as the location for the | ||||||||
certificate in a file called | certificate in a file called | ||||||||
.Dq cert.pem | .Dq cert.pem | ||||||||
and associated key in | and associated key in | ||||||||
.Dq certkey.pem . | .Dq certkey.pem . | ||||||||
.It Fl d , Fl Fl debuglevel | .It Fl d , Fl Fl debuglevel | ||||||||
Run in debug mode. | Run in debug mode. | ||||||||
In this mode, | In this mode, | ||||||||
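Review bot: The new `.It Fl C` entry says `SSL_CTX_set_cipher_list()` is called with `preferred_ciphers`, but as jhb notes in the thread that call only constrains TLS 1.2 and earlier suites, while TLS 1.3 suites are selected through `SSL_CTX_set_ciphersuites()`; the text should state which protocol versions the option actually governs (or the option should move to the TLS 1.3 API, as rmacklem proposes), otherwise an administrator who restricts ciphers with `-C` may assume TLS 1.3 sessions are constrained when they are not. The KTLS sentence is also split across the hunk (`At this time AES-GCM and Chacha20-poly1305 ciphers should work` ... `for the KTLS.`) and "many of the ciphers listed do not work" is vague; pointing readers at `openssl ciphers -s -tls1_3` / `openssl ciphers -s -tls1_2` for the suites that work with KTLS, with `ChaCha20-Poly1305` spelled as in crypto(7), would be more precise. Minor mdoc style: `.Dq SSL_CTX_set_cipher_list()` should be `.Fn SSL_CTX_set_cipher_list` and `.Dq preferred_ciphers` should be `.Ar preferred_ciphers`.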
and | and | ||||||||
.Fl w | .Fl w | ||||||||
options is allowed. | options is allowed. | ||||||||
.El | .El | ||||||||
.Sh EXIT STATUS | .Sh EXIT STATUS | ||||||||
.Ex -std | .Ex -std | ||||||||
.Sh SEE ALSO | .Sh SEE ALSO | ||||||||
.Xr openssl 1 , | .Xr openssl 1 , | ||||||||
.Xr openssl-ciphers 1 , | |||||||||
.Xr ktls 4 , | .Xr ktls 4 , | ||||||||
.Xr exports 5 , | .Xr exports 5 , | ||||||||
.Xr ssl 7 , | |||||||||
.Xr mount_nfs 8 , | .Xr mount_nfs 8 , | ||||||||
.Xr nfsuserd 8 , | .Xr nfsuserd 8 , | ||||||||
.Xr rpc.tlsclntd 8 , | .Xr rpc.tlsclntd 8 , | ||||||||
.Xr syslogd 8 | .Xr syslogd 8 | ||||||||
.Sh STANDARDS | .Sh STANDARDS | ||||||||
The implementation is based on the specification in | The implementation is based on the specification in | ||||||||
.Rs | .Rs | ||||||||
.%B "RFC NNNN" | .%B "RFC NNNN" | ||||||||