nfs-over-tls ready for testing

Rick Macklem rmacklem at uoguelph.ca
Sun May 10 00:52:14 UTC 2020


Hi,

I think the nfs-over-tls project is now ready for testing by others.
(This uses a TLS session to encrypt/decrypt NFS RPCs on the wire.
 There is an internet draft called "Towards Remote Procedure
 Call Encryption By Default" which should soon become an RFC
 that describes what this implements.)

The biggest caveat is that the KERN_TLS does not yet support TLS1.3,
so the code currently uses TLS1.2, which is not allowed by the above
draft. I know jhb@ is working on TLS1.3 support, so this should get
resolved.

There is a basic setup document here:
http://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt
(It can also be found on FreeBSD's subversion repository at
 base/projects/nfs-over-tls.)

For now, the setup takes some fiddling, but that will get easier
as some of the code finds its way into head.

I do hope that this can make it into FreeBSD13.

Last, but not least, thanks go to jhb@ (and others, I'd guess?) for the KERN_TLS
work and for providing the ktls rx patch plus the patched openssl3
needed to make it work.

Let me know how it goes if you test it, rick

