Date: Fri, 3 Apr 2020 22:16:22 +0000 (UTC)
From: Rick Macklem <rmacklem@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r359619 - projects/nfs-over-tls/usr.sbin/rpctlscd
Message-ID: <202004032216.033MGMcO005755@repo.freebsd.org>
Author: rmacklem Date: Fri Apr 3 22:16:21 2020 New Revision: 359619 URL: https://svnweb.freebsd.org/changeset/base/359619 Log: Bring the rpctlscd man page up to date. Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8 Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8 ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8 Fri Apr 3 22:13:53 2020 (r359618) +++ projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8 Fri Apr 3 22:16:21 2020 (r359619) @@ -36,12 +36,10 @@ .Nm .Op Fl D Ar certdir .Op Fl d -.Op Fl h .Op Fl l Ar CAfile .Op Fl m .Op Fl p Ar CApath .Op Fl r Ar CRLfile -.Op Fl V .Op Fl v .Sh DESCRIPTION The 
@@ -50,26 +48,56 @@ program provides support for the client side of the ke implementation. This daemon must be running for the kernel RPC to be able to do a TLS connection to a server for an NFS over TLS mount. +This daemon requires that the kernel be built with +.Dq options KERNEL_TLS +and be running on an architecture such as +.Dq amd64 +that supports a direct map (not i386). .Pp +If either of the +.Fl l +or +.Fl p +options have been specified, the daemon will require the server's +certificate to verify +and have a Fully Qualified Domain Name (FQDN) in it. +This FQDN must match +the reverse DNS name for the IP address that +the server is using for the TCP connection. +The FQDN may be +in either the DNS field of the subjectAltName or the CN field of the +subjectName in the certificate and +cannot have a wildcard +.Dq * +in it. +.Pp +If a SIGHUP signal is sent to the daemon it will reload the +.Dq CRLfile . +If the +.Fl r +option was not specified, the SIGHUP signal will be ignored. +.Pp +The daemon will log failed certificate verifications via +.Xr syslogd 8 +using LOG_INFO | LOG_DAEMON when the +.Fl l +or +.Fl p +option has been specified. +.Pp The options are as follows: .Bl -tag -width indent .It Fl D Ar certdir -Use ``certdir'' instead of /etc/rpctlscd for the -.Fl c +Use +.Dq certdir +instead of /etc/rpctlscd for the +.Fl m option. .It Fl d Run in debug mode. In this mode, .Nm will not fork when it starts. -.It Fl h -This option specifies that the certificate provided by the server during -TLS handshake must have the Fully Qualified Domain Name for the server's -IP address in either the subjectAltName or commonName field of the -certificate. -This option is meaningless unless the -.FL V -option is also specified. .It Fl l Ar CAfile This specifies the path name of a CAfile which holds the information for server certificate verification. 
@@ -77,19 +105,24 @@ This path name is used in .Dq SSL_CTX_load_verify_locations(ctx,CAfile,NULL) and .Dq SSL_CTX_set0_CA_list(ctx,SSL_load_client_CA_file(CAfile)) -calls. +openssl library calls. Note that this is a path name for the file and is not assumed to be -in ``certdir''. -This option may need to be specified when the -.Fl V -option is specified. +in +.Dq certdir . .It Fl m Enable support for mutual authentication. -A certificate must be found in /etc/rpctlscd (or the directory specified by -.Fl D ) +A certificate and associated key must be found in /etc/rpctlscd +(or the directory specified by the +.Fl D +option) in case a server requests a peer certificate. -The certificate needs to be in a file named ``cert.pem'' and a key in -a file named ``key.pem'' in the directory for this option to work. +The certificate needs to be in a file named +.Dq cert.pem +and the key in a file named +.Dq key.pem . +If there is a passphrase on the +.Dq key.pem +file, this daemon will prompt for the passphrase during startup. .It Fl p Ar CApath This option is similar to the .Fl l @@ -97,7 +130,7 @@ option, but specifies the path of a directory with CA certificates in it. When this option is used, .Dq SSL_CTX_set0_CA_list(ctx,SSL_load_client_CA_file()) -is not called, so a list of CA names might not be passed +is not called, so a list of CA names is not be passed to the server during the TLS handshake. The openssl documentation indicates this call is rarely needed. (However, I was not able to determine if/when this matters, so 
@@ -107,18 +140,12 @@ option instead of this option.) .It Fl r Ar CRLfile This option specifies a Certificate Revocation List (CRL) file that is to be loaded into the verify certificate store and -checked during verification. +checked during verification of the server's certificate. This option is meaningless unless either the .Fl l or .Fl p have been specified. -.It Fl V -This option specifies that the certificate provided by the server -during the TLS handshake must verify. -If this option is specified, the -.Fl l -option may also need to be specified. .It Fl v Run in verbose mode. In this mode, @@ -132,9 +159,9 @@ option has also been specified. .Ex -std .Sh SEE ALSO .Xr openssl 1 , -.Xr syslog 3 , .Xr mount_nfs 8 , -.Xr rpctlssd 8 +.Xr rpctlssd 8 , +.Xr syslogd 8 .Sh BUGS This daemon cannot be safely shut down and restarted if there are any active RPC-over-TLS connections.
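Review bot: In the @@ -50,26 +48,56 @@ hunk, "If either of the -l or -p options have been specified" should read "has been specified" (singular subject). More importantly for the reader, the new paragraph says the FQDN "must match the reverse DNS name for the IP address that the server is using for the TCP connection"; it would help to state explicitly that the name check is driven by the PTR lookup of the peer address and not by the host name given to mount_nfs, since that is what an administrator needs to know when deciding which name to put in the server certificate and why a mount can fail verification even with a CA-signed certificate.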
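Review bot: In the @@ -77,19 +105,24 @@ hunk, the changed line "is not called, so a list of CA names is not be passed" has a typo; it should read "is not passed". In the same hunk, the new sentence "If there is a passphrase on the key.pem file, this daemon will prompt for the passphrase during startup" deserves a qualifier: the DESCRIPTION says the daemon forks unless -d is given, so the man page should say whether the prompt happens before the fork and note that a passphrase-protected key cannot be used when the daemon is started non-interactively at boot.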
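Review bot: In the @@ -107,18 +140,12 @@ hunk, the retained sentence "This option is meaningless unless either the -l or -p have been specified" is missing its noun; since the surrounding text is being reworded anyway, make it "unless either the -l or -p option has been specified". The SEE ALSO change (dropping syslog 3, adding syslogd 8) is consistent with the new DESCRIPTION text that cross-references syslogd(8).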