Date: Sun, 30 Aug 2020 01:09:16 +0000 (UTC) From: Rick Macklem <rmacklem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r364971 - in projects/nfs-over-tls: . usr.sbin/rpctlssd Message-ID: <202008300109.07U19G9E076897@repo.freebsd.org>
Author: rmacklem Date: Sun Aug 30 01:09:15 2020 New Revision: 364971 URL: https://svnweb.freebsd.org/changeset/base/364971 Log: Set the OID for a user@domain subjAltName otherName component to one assigned under the FreeBSD MIB registry. Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt ============================================================================== --- projects/nfs-over-tls/nfs-over-tls-setup.txt Sat Aug 29 22:24:41 2020 (r364970) +++ projects/nfs-over-tls/nfs-over-tls-setup.txt Sun Aug 30 01:09:15 2020 (r364971) @@ -212,10 +212,10 @@ to nfsv4-server.uoguelph.ca and the other to nfsv4-ser For a client where you wish all RPCs to be done as the user rmacklem on the above server: -# openssl req -new -key key.pem -addext "subjectAltName=otherName:1.2.3.4.6.9;UTF8:rmacklem@uoguelph.ca" -out req.pem +# openssl req -new -key key.pem -addext "subjectAltName=otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem@uoguelph.ca" -out req.pem For a client similar to the above, but has a FQDN of nfsv4-client.uoguelph.ca: -# openssl req -new -key key.pem -addext "subjectAltName=DNS:nfsv4-client.uoguelph.ca,othername:1.2.3.4.6.9;UTF8:rmacklem@uoguelph.ca" -out req.pem +# openssl req -new -key key.pem -addext "subjectAltName=DNS:nfsv4-client.uoguelph.ca,othername:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem@uoguelph.ca" -out req.pem If you want to look at the CSR: # openssl req -in req.pem -noout -text Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Sat Aug 29 22:24:41 2020 (r364970) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Sun Aug 30 01:09:15 2020 (r364971) 
@@ -75,7 +75,7 @@ The option in the .Xr exports 5 file specifies that the client must provide a certificate -that verifies and has a otherName:1.2.3.4.6.9;UTF8: field of +that verifies and has a otherName:1.3.6.1.4.1.2238.1.1.1;UTF8: field of subjectAltName of the form .Dq user@dns_domain that maps to a <uid, gid_list>. @@ -237,7 +237,7 @@ have been specified. .It Fl u This option specifies that if the client provides a certificate that both verifies and has a subjectAltName with an otherName of the form -.Dq otherName:1.2.3.4.6.9;UTF8:user@dns_domain +.Dq otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:user@dns_domain the daemon will attempt to map .Dq user@dns_domain in the above Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sat Aug 29 22:24:41 2020 (r364970) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun Aug 30 01:09:15 2020 (r364971) @@ -94,7 +94,7 @@ static uint64_t rpctls_ssl_usec = 0; static bool rpctls_gothup = false; static bool rpctls_cnuser = false; static char *rpctls_dnsname; -static const char *rpctls_cnuseroid = "1.2.3.4.6.9"; +static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1"; /* * A linked list of all current "SSL *"s and socket "fd"s
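Review bot: in the nfs-over-tls-setup.txt hunk, the two replacement `openssl req` lines still spell the SAN type differently (`otherName:` in the first, `othername:` in the second); since only the OID is being changed here, it would be worth making both read `otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem@uoguelph.ca` so a reader copying either command gets the same extension (or confirming that OpenSSL accepts the lowercase spelling). A short sentence noting that client certificates issued with the old placeholder OID `1.2.3.4.6.9` will presumably no longer be recognized by a daemon built from this revision would also help anyone following the setup notes.

Review bot: in the rpctlssd.8 @@ -75 hunk, the replacement line keeps the pre-existing grammar slip "has a otherName"; while the line is being touched it could read "that verifies and has an otherName:1.3.6.1.4.1.2238.1.1.1;UTF8: field of". Since the log message says the OID is assigned under the FreeBSD MIB registry, a brief remark to that effect in the man page would tell readers the value is a registered arc rather than an example.

Review bot: in the rpctlssd.c hunk, the OID literal assigned to `rpctls_cnuseroid` is now duplicated verbatim in the C source, in two places in rpctlssd.8, and twice in nfs-over-tls-setup.txt; a comment beside the constant pointing at the registry entry (or a single `#define` for the string) would make it harder for the daemon and its documentation to drift apart the next time the value changes.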