On 5/19/25 3:35 PM, Rik Theys wrote:
> Hi,
>
> On 5/19/25 4:16 PM, Chuck Lever wrote:
>>> Can you point me to any documentation about how the client certificate
>>> is interpreted by nfsd?
>> A TLS handshake is rejected if the server does not recognize the client
>> certificate's trust chain, as is standard practice for TLS with other
>> upper layer protocols. Therefore, when an export requires mtls, the
>> client must present a certificate and the server must recognize the
>> granting CA for that cert.
>
> In the man page for tlshd.conf, I only see options to configure the CA
> and certificate. I don't see any options to configure a CRL? What's the
> procedure to prevent a specific client certificate from accessing the
> server if the certificate is believed to be stolen?

It isn't clear to me that CRLs are the preferred mechanism to reject a
certificate. But in any event, that support can be added to tlshd if
gnuTLS itself doesn't already handle that under the library API.

-- 
Chuck Lever
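The difference between the two checks discussed above (trust-chain validation alone, versus trust chain plus a revocation list) can be shown with a throwaway CA. The script below is an added example, not part of this thread, of tlshd or of nfsd; it assumes only that the `openssl` command-line tool is installed and uses it, rather than GnuTLS, to build a constructed CA, issue two client certificates, revoke one of them as "key compromised", and then validate both with and without the CRL. The CA name, client names and serial numbers are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not part of tlshd or nfsd): a scratch
# CA, two client certs, one revoked by CRL. Shows that chain validation on
# its own accepts both certs, while CRL-aware validation rejects the revoked
# one. Requires the openssl CLI; everything lives in a temporary directory.
set -e

PKI=$(mktemp -d)

# Issue a client certificate signed by the scratch CA (name, serial).
issue_client() {
  openssl req -newkey rsa:2048 -nodes -keyout "$PKI/$1.key" \
    -out "$PKI/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/ca.pem" -CAkey "$PKI/ca.key" \
    -set_serial "$2" -days 30 -out "$PKI/$1.pem" >/dev/null 2>&1
}

# (Re)generate the CRL from the CA database.
gen_crl() {
  openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/crl.pem" >/dev/null 2>&1
}

# Minimal 'openssl ca' configuration plus the CA key pair and two clients.
setup_pki() {
  mkdir -p "$PKI/newcerts"
  : > "$PKI/index.txt"
  echo "unique_subject = no" > "$PKI/index.txt.attr"
  echo 1000 > "$PKI/serial"
  echo 01 > "$PKI/crlnumber"
  cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca = nfs_ca

[ nfs_ca ]
database         = $PKI/index.txt
new_certs_dir    = $PKI/newcerts
serial           = $PKI/serial
crlnumber        = $PKI/crlnumber
certificate      = $PKI/ca.pem
private_key      = $PKI/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName = supplied
EOF
  # Self-signed CA: the "granting CA" the server has to recognize.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$PKI/ca.key" -out "$PKI/ca.pem" \
    -subj "/CN=Constructed NFS CA" >/dev/null 2>&1
  issue_client client1 1001   # constructed serials
  issue_client client2 1002
  gen_crl                     # empty CRL: nothing revoked yet
}

# Revoke one client certificate (reason: key believed stolen), reissue CRL.
revoke_client() {
  openssl ca -config "$PKI/ca.cnf" -revoke "$PKI/$1.pem" \
    -crl_reason keyCompromise >/dev/null 2>&1
  gen_crl
}

# Chain-only check: the trust-chain test the thread describes.
verify_chain() {
  if openssl verify -CAfile "$PKI/ca.pem" "$PKI/$1.pem" >/dev/null 2>&1
  then echo ACCEPT; else echo REJECT; fi
}

# Chain plus CRL check: same trust anchor, plus the revocation list.
verify_with_crl() {
  if openssl verify -crl_check -CAfile "$PKI/ca.pem" -CRLfile "$PKI/crl.pem" \
       "$PKI/$1.pem" >/dev/null 2>&1
  then echo ACCEPT; else echo REJECT; fi
}

setup_pki
revoke_client client1
echo "client1 chain-only: $(verify_chain client1)  with CRL: $(verify_with_crl client1)"
echo "client2 chain-only: $(verify_chain client2)  with CRL: $(verify_with_crl client2)"
```

The point of the two `verify_*` functions is that the revoked certificate still has a perfectly valid chain back to the trusted CA, so a trust-anchor-only check cannot tell it apart from the legitimate one; only the check that consults the CRL (or some equivalent revocation source) rejects it. Whatever mechanism tlshd ends up using, the server side needs that second input to shut out a stolen client certificate before it expires.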