git: 72bf76d6b8c9 - main - rpc.tlsclntd: Add an option to force use of TLS version 1.2

Fri, 20 May 2022 14:59:54 -0700 

The branch main has been updated by rmacklem:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=72bf76d6b8c9e9de81661b68389e0035805b8606

commit 72bf76d6b8c9e9de81661b68389e0035805b8606
Author:     Rick Macklem <rmack...@freebsd.org>
AuthorDate: 2022-05-20 21:57:42 +0000
Commit:     Rick Macklem <rmack...@freebsd.org>
CommitDate: 2022-05-20 21:57:42 +0000

    rpc.tlsclntd: Add an option to force use of TLS version 1.2
    
    Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
    version 1.3 for NFS-over-TLS, as required by
    the draft (someday to be an RFC).
    Since FreeBSD 13.0, 13.1 use TLS version 1.2 for
    NFS-over-TLS mounts, this command line option
    may be used so that NFS-over-TLS mounts to 13.0, 13.1
    servers will still work.
    
    Without the command line option, NFS-over-TLS mounts
    will use TLS version 1.3.
    
    The man page update will be a separate commit.
    
    MFC after:      2 weeks
---
 usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c | 39 ++++++++++++++++++++++++++----------
 1 file changed, 28 insertions(+), 11 deletions(-)

diff --git a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c 
b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
index ac8a91589388..f650c42c539d 100644
--- a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
+++ b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
@@ -96,6 +96,7 @@ static const char     *rpctls_ciphers = NULL;
 static uint64_t                rpctls_ssl_refno = 0;
 static uint64_t                rpctls_ssl_sec = 0;
 static uint64_t                rpctls_ssl_usec = 0;
+static int             rpctls_tlsvers = TLS1_3_VERSION;
 
 static void            rpctlscd_terminate(int);
 static SSL_CTX         *rpctls_setupcl_ssl(void);
@@ -106,6 +107,7 @@ static void         rpctls_huphandler(int sig __unused);
 extern void rpctlscd_1(struct svc_req *rqstp, SVCXPRT *transp);
 
 static struct option longopts[] = {
+       { "usetls1_2",          no_argument,            NULL,   '2' },
        { "certdir",            required_argument,      NULL,   'D' },
        { "ciphers",            required_argument,      NULL,   'C' },
        { "debuglevel",         no_argument,            NULL,   'd' },
@@ -154,9 +156,12 @@ main(int argc, char **argv)
        rpctls_ssl_usec = tm.tv_usec;
 
        rpctls_verbose = false;
-       while ((ch = getopt_long(argc, argv, "C:D:dl:mp:r:v", longopts,
+       while ((ch = getopt_long(argc, argv, "2C:D:dl:mp:r:v", longopts,
            NULL)) != -1) {
                switch (ch) {
+               case '2':
+                       rpctls_tlsvers = TLS1_2_VERSION;
+                       break;
                case 'C':
                        rpctls_ciphers = optarg;
                        break;
@@ -463,7 +468,6 @@ static SSL_CTX *
 rpctls_setupcl_ssl(void)
 {
        SSL_CTX *ctx;
-       long flags;
        char path[PATH_MAX];
        size_t len, rlen;
        int ret;
@@ -567,17 +571,30 @@ rpctls_setupcl_ssl(void)
                            SSL_load_client_CA_file(rpctls_verify_cafile));
        }
 
-       /* RPC-over-TLS must use TLSv1.3, according to the IETF draft.*/
-#ifdef notyet
-       flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
-           SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
-#else
-       flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_3;
-#endif
+       /*
+        * The RFC specifies that RPC-over-TLS must use TLS1.3.
+        * However, early FreeBSD versions (13.0, 13.1) did not
+        * support RX for KTLS1.3, so TLS1.2 needs to be used for
+        * these servers.
+        */
+       ret = SSL_CTX_set_min_proto_version(ctx, rpctls_tlsvers);
+       if (ret == 0) {
+               rpctls_verbose_out("rpctls_setupcl_ssl: "
+                   "SSL_CTX_set_min_proto_version failed\n");
+               SSL_CTX_free(ctx);
+               return (NULL);
+       }
+       ret = SSL_CTX_set_max_proto_version(ctx, rpctls_tlsvers);
+       if (ret == 0) {
+               rpctls_verbose_out("rpctls_setupcl_ssl: "
+                   "SSL_CTX_set_max_proto_version failed\n");
+               SSL_CTX_free(ctx);
+               return (NULL);
+       }
+
 #ifdef SSL_OP_ENABLE_KTLS
-       flags |= SSL_OP_ENABLE_KTLS;
+       SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
 #endif
-       SSL_CTX_set_options(ctx, flags);
 #ifdef SSL_MODE_NO_KTLS_TX
        SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);
 #endif

Reply via email to