From nobody Fri May 20 21:48:25 2022
Date: Fri, 20 May 2022 21:48:25 GMT
Message-Id: <202205202148.24KLmPCS010079@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Rick Macklem
Subject: git: 0637b12b13be - main - rpc.tlsservd: Add an option to allow TLS version 1.2
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0637b12b13be442aacda808bb937d45e538dd98f

The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=0637b12b13be442aacda808bb937d45e538dd98f
commit 0637b12b13be442aacda808bb937d45e538dd98f Author: Rick Macklem AuthorDate: 2022-05-20 21:44:50 +0000 Commit: Rick Macklem CommitDate: 2022-05-20 21:47:36 +0000 rpc.tlsservd: Add an option to allow TLS version 1.2 Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS version 1.3 for NFS-over-TLS, as required by the draft (someday to be an RFC). Since FreeBSD 13.0, 13.1 use TLS version 1.2 for NFS-over-TLS mounts, this command line option may be used so that mounts from 13.0, 13.1 will still work. Without the command line option, only TLS version 1.3 mounts are permitted. The man page update will be a separate commit. MFC after: 2 weeks --- usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c index ca0d329078aa..bbcdba319353 100644 --- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c +++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c @@ -105,6 +105,7 @@ static bool rpctls_cnuser = false; static char *rpctls_dnsname; static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1"; static const char *rpctls_ciphers = NULL; +static int rpctls_mintls = TLS1_3_VERSION; static void rpctlssd_terminate(int); static SSL_CTX *rpctls_setup_ssl(const char *certdir); @@ -119,6 +120,7 @@ static void rpctls_huphandler(int sig __unused); extern void rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp); static struct option longopts[] = { + { "allowtls1_2", no_argument, NULL, '2' }, { "ciphers", required_argument, NULL, 'C' }, { "certdir", required_argument, NULL, 'D' }, { "debuglevel", no_argument, NULL, 'd' }, 
@@ -180,9 +182,12 @@ main(int argc, char **argv) } rpctls_verbose = false; - while ((ch = getopt_long(argc, argv, "C:D:dhl:n:mp:r:uvWw", longopts, + while ((ch = getopt_long(argc, argv, "2C:D:dhl:n:mp:r:uvWw", longopts, NULL)) != -1) { switch (ch) { + case '2': + rpctls_mintls = TLS1_2_VERSION; + break; case 'C': rpctls_ciphers = optarg; break; @@ -579,6 +584,21 @@ rpctls_setup_ssl(const char *certdir) } } + ret = SSL_CTX_set_min_proto_version(ctx, rpctls_mintls); + if (ret == 0) { + rpctls_verbose_out("rpctls_setup_ssl: " + "SSL_CTX_set_min_proto_version failed\n"); + SSL_CTX_free(ctx); + return (NULL); + } + ret = SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); + if (ret == 0) { + rpctls_verbose_out("rpctls_setup_ssl: " + "SSL_CTX_set_max_proto_version failed\n"); + SSL_CTX_free(ctx); + return (NULL); + } + /* Get the cert.pem and certkey.pem files from the directory certdir. */ len = strlcpy(path, certdir, sizeof(path)); rlen = sizeof(path) - len;
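Review bot: the new long option in the longopts hunk, `allowtls1_2`, breaks the naming pattern of its neighbours (`ciphers`, `certdir`, `debuglevel`), which are single lowercase words with no digits or underscores; either pick a spelling in that style (for example `allowtls12`) or make sure the promised man page update spells out the exact form, since an operator who types `--allowtls12` by analogy will get an unrecognised-option error rather than the downgrade they intended. The short form `'2'` does match the `"2C:D:..."` string added to the getopt_long call, so the two hunks are consistent with each other.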
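Review bot: in the `case '2':` branch of the main() getopt hunk, the switch to `TLS1_2_VERSION` is applied silently; because this option widens what the server will accept rather than narrowing it, consider emitting an `rpctls_verbose_out()` line (the helper already used in the rpctls_setup_ssl hunk) such as `rpctls_verbose_out("TLS 1.2 mounts permitted\n");` so that a verbose run records the relaxed minimum, which makes the setting visible when someone later audits why a 13.0/13.1 client was able to negotiate 1.2 against this daemon.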
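Review bot: in the rpctls_setup_ssl hunk the return checks are correct (SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() return 1 on success and 0 on failure, so `if (ret == 0)` catches the error), but the two error blocks are identical except for the function name in the message; folding them into one `if (SSL_CTX_set_min_proto_version(ctx, rpctls_mintls) == 0 || SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) == 0)` with a single free-and-return path would halve the duplication. Two points worth a sentence in the man page update the commit message promises: pinning the maximum to `TLS1_3_VERSION` means the daemon will never negotiate anything newer even when the linked OpenSSL offers it, so this line needs revisiting when that happens, whereas leaving the maximum unset would track the library default; and once `rpctls_mintls` is lowered via `-2`, the `rpctls_ciphers` list declared beside it in the first hunk governs TLS 1.2 cipher selection if it is applied through SSL_CTX_set_cipher_list() (which does not affect TLS 1.3 ciphersuites), so the `-C` choice becomes security-relevant for 1.2 clients in a way it was not for 1.3-only operation.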