svn commit: r359619 - projects/nfs-over-tls/usr.sbin/rpctlscd
Rick Macklem
rmacklem at FreeBSD.org
Fri Apr 3 22:16:32 UTC 2020
Author: rmacklem
Date: Fri Apr 3 22:16:21 2020
New Revision: 359619
URL: https://svnweb.freebsd.org/changeset/base/359619
Log:
Bring the rpctlscd man page up to date.
Modified:
projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8
Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8 Fri Apr 3 22:13:53 2020 (r359618)
+++ projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8 Fri Apr 3 22:16:21 2020 (r359619)
@@ -36,12 +36,10 @@
.Nm
.Op Fl D Ar certdir
.Op Fl d
-.Op Fl h
.Op Fl l Ar CAfile
.Op Fl m
.Op Fl p Ar CApath
.Op Fl r Ar CRLfile
-.Op Fl V
.Op Fl v
.Sh DESCRIPTION
The
@@ -50,26 +48,56 @@ program provides support for the client side of the ke
implementation.
This daemon must be running for the kernel RPC to be able to do a TLS
connection to a server for an NFS over TLS mount.
+This daemon requires that the kernel be built with
+.Dq options KERNEL_TLS
+and be running on an architecture such as
+.Dq amd64
+that supports a direct map (not i386).
.Pp
+If either of the
+.Fl l
+or
+.Fl p
+options have been specified, the daemon will require the server's
+certificate to verify
+and have a Fully Qualified Domain Name (FQDN) in it.
+This FQDN must match
+the reverse DNS name for the IP address that
+the server is using for the TCP connection.
+The FQDN may be
+in either the DNS field of the subjectAltName or the CN field of the
+subjectName in the certificate and
+cannot have a wildcard
+.Dq *
+in it.
+.Pp
+If a SIGHUP signal is sent to the daemon it will reload the
+.Dq CRLfile .
+If the
+.Fl r
+option was not specified, the SIGHUP signal will be ignored.
+.Pp
+The daemon will log failed certificate verifications via
+.Xr syslogd 8
+using LOG_INFO | LOG_DAEMON when the
+.Fl l
+or
+.Fl p
+option has been specified.
+.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl D Ar certdir
-Use ``certdir'' instead of /etc/rpctlscd for the
-.Fl c
+Use
+.Dq certdir
+instead of /etc/rpctlscd for the
+.Fl m
option.
.It Fl d
Run in debug mode.
In this mode,
.Nm
will not fork when it starts.
-.It Fl h
-This option specifies that the certificate provided by the server during
-TLS handshake must have the Fully Qualified Domain Name for the server's
-IP address in either the subjectAltName or commonName field of the
-certificate.
-This option is meaningless unless the
-.FL V
-option is also specified.
.It Fl l Ar CAfile
This specifies the path name of a CAfile which holds the information
for server certificate verification.
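Review bot: the new paragraph "This FQDN must match the reverse DNS name for the IP address that the server is using for the TCP connection" binds the -l/-p verification to whatever PTR record the client's resolver returns for the server address, not to the name the client was asked to mount, so the check is only as strong as that reverse zone and the resolver path; the man page should state this explicitly so an administrator knows what the verification does and does not bind to. Minor grammar in the same hunk: "If either of the -l or -p options have been specified" should read "option has been specified".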
@@ -77,19 +105,24 @@ This path name is used in
.Dq SSL_CTX_load_verify_locations(ctx,CAfile,NULL)
and
.Dq SSL_CTX_set0_CA_list(ctx,SSL_load_client_CA_file(CAfile))
-calls.
+openssl library calls.
Note that this is a path name for the file and is not assumed to be
-in ``certdir''.
-This option may need to be specified when the
-.Fl V
-option is specified.
+in
+.Dq certdir .
.It Fl m
Enable support for mutual authentication.
-A certificate must be found in /etc/rpctlscd (or the directory specified by
-.Fl D )
+A certificate and associated key must be found in /etc/rpctlscd
+(or the directory specified by the
+.Fl D
+option)
in case a server requests a peer certificate.
-The certificate needs to be in a file named ``cert.pem'' and a key in
-a file named ``key.pem'' in the directory for this option to work.
+The certificate needs to be in a file named
+.Dq cert.pem
+and the key in a file named
+.Dq key.pem .
+If there is a passphrase on the
+.Dq key.pem
+file, this daemon will prompt for the passphrase during startup.
.It Fl p Ar CApath
This option is similar to the
.Fl l
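Review bot: the -m text "If there is a passphrase on the key.pem file, this daemon will prompt for the passphrase during startup" should also say what happens when there is no terminal to prompt on, e.g. when the daemon is started non-interactively at boot, since a blocking prompt there means the daemon never comes up; either document that an encrypted key.pem requires interactive startup or that the key must be stored unencrypted for unattended use. Also, "openssl library calls" is normally written "OpenSSL library calls".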
@@ -97,7 +130,7 @@ option, but specifies the path of a directory with CA
certificates in it.
When this option is used,
.Dq SSL_CTX_set0_CA_list(ctx,SSL_load_client_CA_file())
-is not called, so a list of CA names might not be passed
+is not called, so a list of CA names is not be passed
to the server during the TLS handshake.
The openssl documentation indicates this call is rarely needed.
(However, I was not able to determine if/when this matters, so
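Review bot: the replacement line "is not called, so a list of CA names is not be passed" introduces a typo; it should read "is not passed". The change from "might not be" to "is not" is itself correct, since the preceding lines say the SSL_CTX_set0_CA_list() call is skipped whenever -p is used.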
@@ -107,18 +140,12 @@ option instead of this option.)
.It Fl r Ar CRLfile
This option specifies a Certificate Revocation List (CRL) file
that is to be loaded into the verify certificate store and
-checked during verification.
+checked during verification of the server's certificate.
This option is meaningless unless either the
.Fl l
or
.Fl p
have been specified.
-.It Fl V
-This option specifies that the certificate provided by the server
-during the TLS handshake must verify.
-If this option is specified, the
-.Fl l
-option may also need to be specified.
.It Fl v
Run in verbose mode.
In this mode,
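Review bot: "This option is meaningless unless either the -l or -p have been specified" should read "option has been specified". While here, the -r entry could mention that the CRL file is reloaded on SIGHUP, as the DESCRIPTION now states, so the two statements about the CRL file sit together.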
@@ -132,9 +159,9 @@ option has also been specified.
.Ex -std
.Sh SEE ALSO
.Xr openssl 1 ,
-.Xr syslog 3 ,
.Xr mount_nfs 8 ,
-.Xr rpctlssd 8
+.Xr rpctlssd 8 ,
+.Xr syslogd 8
.Sh BUGS
This daemon cannot be safely shut down and restarted if there are
any active RPC-over-TLS connections.