rfc: should extant TLS connections be closed when a CRL is updated?
Rick Macklem
rmacklem at uoguelph.ca
Sat Sep 5 02:28:08 UTC 2020
John-Mark Gurney wrote:
>Rick Macklem wrote this message on Fri, Sep 04, 2020 at 01:20 +0000:
>> The server side NFS over TLS daemon (rpc.tlsservd) can reload an updated
>> CRL (Certificate Revocation List) when a SIGHUP is posted to it.
>> However, it does not SSL_shutdown()/close() extant TCP connections using TLS.
>> (Those would only be closed if the daemon is restarted.)
>>
>> I am now thinking that, maybe, an SSL_shutdown()/close() should be done on
>> all extant TCP connections using NFS over TLS when an updated CRL is loaded,
>> since a connection might have used a revoked certificate for its handshake.
>>
>> What do others think?
>
>IMO, this should scan the existing connections, and only shut them
>down if they are using a revoked Cert. This is the correct way to
>do things.
Yes. I agree with you and Stefan that this is the way to go.
(When I test with a single client, I sometimes forget that there might be
1000s of connections on a production server.)
>I do realize that this is likely not possible, and in reality, the
>ssl library in use should do this automatically, but likely does not.
>As the library likely does not, we should probably make this an
>option to close all connections upon CRL reload, with it being well
>documented.
Well, I haven't looked yet, but I suspect that there are lower level OpenSSL
library functions that can be used to read each entry from the CRL.
If I can do that, it is just comparing the Issuer and Serial# with the ones
associated with the connection (captured when the handshake is done).
So long as the lower level ssl library functions are not internal ones,
I am comfortable doing that. (It might make the code a little harder
to maintain, but I suspect what is in OpenSSL3 will be around for a while,
API wise?)
>Now that option should likely be set to default on, but documented
>such that if you do regular/often CRL reloads, that a user may want
>to turn that off if it's disruptive to their server.
I think this is the fallback, if I can't easily read the entries out of the CRL.
Thanks for the good comments (Stefan too), rick
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the freebsd-current
mailing list