Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports

Linux NFS development
 help / color / mirror / Atom feed

From: Chuck Lever <chuck.lever@oracle.com>
To: Rik Theys <Rik.Theys@esat.kuleuven.be>, NeilBrown <neil@brown.name>
Cc: Jeff Layton <jlayton@kernel.org>,
	Steve Dickson <steved@redhat.com>, Tom Haynes <loghyr@gmail.com>,
	linux-nfs@vger.kernel.org
Subject: Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports
Date: Mon, 19 May 2025 16:51:45 -0400	[thread overview]
Message-ID: <d61fa10a-4c13-4c4f-b922-da541a7a1a1c@oracle.com> (raw)
In-Reply-To: <4bee9565-c2a8-4b90-be57-7d1340fa9ed7@esat.kuleuven.be>

On 5/19/25 3:35 PM, Rik Theys wrote:
> Hi,
> 
> On 5/19/25 4:16 PM, Chuck Lever wrote:
>>> Can you point me to any documentation about how the client certificate
>>> is interpreted by nfsd?
>> A TLS handshake is rejected if the server does not recognize the client
>> certificate's trust chain, as is standard practice for TLS with other
>> upper layer protocols. Therefore, when an export requires mtls, the
>> client must present a certificate and the server must recognize the
>> granting CA for that cert.
> 
> In the man page for tlshd.conf, I only see options to configure the CA
> and certificate. I don't see any options to configure a CRL? What's the
> procedure to prevent a specific client certificate from accessing the
> server if the certificate is believed to be stolen?

It isn't clear to me that CRLs are the preferred mechanism to reject a
certificate. But in any event, that support can be added to tlshd if
gnuTLS itself doesn't already handle that under the library API.

-- 
Chuck Lever

next prev parent reply	other threads:[~2025-05-19 20:54 UTC|newest]

Thread overview: 61+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-13 13:50 [PATCH nfs-utils] exportfs: make "insecure" the default for all exports Jeff Layton
2025-05-13 14:17 ` Chuck Lever
2025-05-13 15:14 ` Lionel Cons
2025-05-13 15:35   ` Jeff Layton
2025-05-13 16:11   ` Chuck Lever
2025-06-04 17:12     ` Cedric Blancher
2025-06-04 18:20       ` Chuck Lever
2025-05-14  2:16 ` NeilBrown
2025-05-14  2:28   ` NeilBrown
2025-05-14 11:17     ` Jeff Layton
2025-05-14 11:43       ` NeilBrown
2025-05-14 12:02         ` Jeff Layton
2025-05-14 21:58           ` NeilBrown
2025-05-14 12:56         ` Chuck Lever
2025-05-14 21:47           ` NeilBrown
2025-05-15 12:01             ` Chuck Lever
2025-05-15 21:44               ` NeilBrown
2025-05-16 12:09                 ` Chuck Lever
2025-05-19  6:02                   ` NeilBrown
2025-05-19 11:39                     ` Jeff Layton
2025-05-19 14:16                     ` Chuck Lever
     [not found]                       ` <4bee9565-c2a8-4b90-be57-7d1340fa9ed7@esat.kuleuven.be>
2025-05-19 20:51                         ` Chuck Lever [this message]
2025-05-20  1:44                       ` Rick Macklem
2025-05-20 13:20                         ` Chuck Lever
2025-05-25 17:29                           ` Chuck Lever
2025-05-26  0:09                             ` NeilBrown
2025-05-26  1:47                               ` Rick Macklem
2025-05-26  1:52                                 ` Rick Macklem
2025-05-26  2:29                                 ` NeilBrown
2025-05-28  0:57                                   ` Rick Macklem
2025-05-27 13:28                                 ` Chuck Lever
2025-05-27 15:05                               ` Chuck Lever
2025-05-27 15:58                                 ` Rick Macklem
2025-05-27 16:29                                 ` Rick Macklem
2025-05-27 16:58                                   ` Chuck Lever
2025-05-28  1:06                                     ` Rick Macklem
2025-05-27 19:18                                 ` Benjamin Coddington
2025-05-27 19:41                                   ` Chuck Lever
2025-05-27 20:25                                     ` Benjamin Coddington
2025-05-28 14:07                                       ` Chuck Lever
2025-05-28  1:24                                     ` NeilBrown
2025-05-28  2:48                                       ` Rick Macklem
2025-05-14 11:46     ` Chuck Lever
2025-05-14 12:28   ` Thomas Haynes
2025-05-14 21:49     ` NeilBrown
2025-05-14  2:38 ` NeilBrown
2025-05-14 11:20   ` Jeff Layton
2025-05-15  1:32     ` Christopher Bii
2025-05-21  9:06 ` Sebastian Feld
2025-05-21 12:25   ` Jeff Layton
2025-05-21 13:14   ` Chuck Lever
2025-05-21 13:43     ` Chuck Lever
2025-06-04 17:07 ` Cedric Blancher
2025-06-04 18:26 ` Steve Dickson
2025-06-04 18:45   ` Cedric Blancher
2025-06-04 19:17   ` Jeff Layton
2025-06-04 19:53     ` Steve Dickson
2025-06-05 16:48       ` Trond Myklebust
2025-06-05 18:09         ` Chuck Lever
2025-06-05  8:20     ` Cedric Blancher
2025-06-05 13:54       ` Chuck Lever

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d61fa10a-4c13-4c4f-b922-da541a7a1a1c@oracle.com \
    --to=chuck.lever@oracle.com \
    --cc=Rik.Theys@esat.kuleuven.be \
    --cc=jlayton@kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=loghyr@gmail.com \
    --cc=neil@brown.name \
    --cc=steved@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox