On Wed, 4 Jun 2025 at 22:21, Rick Macklem <rick.macklem@xxxxxxxxx> wrote: > > On Wed, Jun 4, 2025 at 10:36 AM Cedric Blancher > <cedric.blancher@xxxxxxxxx> wrote: > > > > On Mon, 2 Jun 2025 at 02:45, Rick Macklem <rick.macklem@xxxxxxxxx> wrote: > > > > > > On Sun, Jun 1, 2025 at 3:53 PM Rick Macklem <rick.macklem@xxxxxxxxx> wrote: > > > > > > > > On Wed, May 21, 2025 at 12:20 AM Lionel Cons <lionelcons1972@xxxxxxxxx> wrote: > > > > > > > > > > On Wed, 21 May 2025 at 01:53, Rick Macklem <rick.macklem@xxxxxxxxx> wrote: > > > > > > > > > > > > Hi, > > > > > > > > > > > > If the Google AI is correct, MS does not provide a full > > > > > > TLS implementation in the kernel and their kTLS only > > > > > > handles record level encryption/decryption, similar to > > > > > > FreeBSD. > > > > > > > > > > Could you first look into adding TLS support to steved-libtirpc in a > > > > > generic fashion via openssl, please? > > > > Ok, I finally got around to doing this. The tarball is attached and it can > > > > also be found at... > > > > https://people.freebsd.org/~rmacklem/tirpc-tls.tar > > > > How are uid and - more important gid - information passed to the NFS/RPC server? > Normally, no differently than it is now. Either krb5 or auth_sys. > RPC-over-TLS encrypts > the RPC header, but does not change it. > > There is a "special case" where a <user@domain> string is set in the otherName > component of subjectAltName. For that specific case, the NFS server generates > credentials based on that user (uid+gid list for POSIX servers) and uses those, > ignoring whatever is in the RPC header (presumably auth_sys with any old uid > and gid list). > --> This is entirely an option for an NFS server and really has > nothing to do with > NFS-over-TLS except that it is embedded in the client's X.509 > cert. by whoever > created it. It is meant for laptops and similar that are only > used by one user. I see a problem here, because <user@domain> is not sufficient. Users can have multiple primary groups, e.g. in case of /bin/newgrp, Windows winsg and so on. TLS must have a way to specify a primary group for POSIX newgrp(1) support. Ced -- Cedric Blancher <cedric.blancher@xxxxxxxxx> [https://plus.google.com/u/0/+CedricBlancher/] Institute Pasteur
