Wondering how to perform nfsv4 encryption with Stunnel TLS? Our NFS Support team is here to lend a hand with your queries and issues.
NFSv4 encryption with Stunnel TLS
At a minimum, the stunnel TLS server must present a keypair.
$ openssl req -newkey rsa:4096 -x509 -days 3650 -nodes \
-out nfs-tls.pem -keyout nfs-tls.pem
Copy Code
The above command generates a key similar to the following output. Move your file to the /etc/stunnel directory, and set it to 400 read-only permission for root.
On the file server, add an export for the same share to localhost.
Set the
insecureCopy CodeIf you want to remove the clear-text export, make sure the client has unmounted first:
$ cat /etc/exports
/home/share 5.6.7.8(fsid=0,ro)
/home/share 127.0.0.1(fsid=0,ro,insecure)
Copy Code
Run the following command to activate the share to localhost:
exportfs -a
Copy Code
Add an inetd-style socket activation unit on port 2363 to launch stunnel with a timeout of ten minutes:
$ cat /etc/systemd/system/MC-nfsd.socket [Unit] Description=NFS over stunnel/TLS server [Socket] ListenStream=2363 Accept=yes TimeoutSec=600 [Install] WantedBy=sockets.targetCopy Code
Configure the socket to launch stunnel with a settings file that you’ll define shortly:
$ cat /etc/systemd/system/MC-nfsd@.service
[Unit]
Description=NFS over stunnel/TLS server
[Service]
ExecStart=-/bin/stunnel /etc/stunnel/MC-nfsd.conf
StandardInput=socket
Copy Code
Start the socket and enable it for automatic start at boot with the following commands:
systemctl start MC-nfsd.socket
systemctl enable MC-nfsd.socket
Copy Code
Open port 2363 to allow encrypted NFS through your firewall:
iptables -w -I INPUT -p tcp --dport 2363 --syn -j ACCEPT
Copy Code
Create the following stunnel control file for the NFS server:
$ cat /etc/stunnel/MC-nfsd.conf
#GLOBAL#######################################################
TIMEOUTidle = 600
renegotiation = no
FIPS = no
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
debug = 0
setuid = nobody
setgid = nobody
chroot = /var/empty/stunnel
libwrap = yes
service = MC-nfsd
; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
; echo 'MC-nfsd: ALL EXCEPT 5.6.7.8' >> hosts.deny;
; chcon -t stunnel_etc_t hosts.deny
curve = secp521r1
; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+
AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
#CREDENTIALS##################################################
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert = /etc/stunnel/nfs-tls.pem
#ROLE#########################################################
connect = 127.0.0.1:2049
Copy Code
Create the
chroot()Copy Code
# mkdir /var/empty/stunnel
Copy Code
Attempt a local clear-text socket connection to port 2363; stunnel configuration problems will appear here:
# nc localhost 2363
Clients allowed=500
stunnel 4.56 on x86_64-redhat-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Auth:LIBWRAP
Reading configuration from file /etc/stunnel/MC-nfsd.conf
FIPS mode is disabled
Compression not enabled
Snagged 64 random bytes from /dev/urandom
PRNG seeded successfully
Initializing inetd mode configuration
Certificate: /etc/stunnel/nfs-tls.pem
Error reading certificate file: /etc/stunnel/nfs-tls.pem
error queue: 140DC002: error:140DC002:SSL
routines:SSL_CTX_use_certificate_chain_file:system lib
error queue: 20074002: error:20074002:BIO
routines:FILE_CTRL:system lib
SSL_CTX_use_certificate_chain_file: 200100D:
error:0200100D:system library:fopen:Permission denied
Service [MC-nfsd]: Failed to initialize SSL context
str_stats: 11 block(s), 355 data byte(s), 638 control byte(s)
Copy Code
In this case, SELinux is enabled, and the type on the key is preventing stunnel from reading it. A
chconCopy Code
# cd /etc/stunnel
# ls -lZ
-rw-r--r--. root root XXX:XXX:stunnel_etc_t:s0 MC-nfsd.conf
-r--------. root root XXX:XXX:user_home_t:s0 nfs-tls.pem
# chcon -t stunnel_etc_t nfs-tls.pem
# ls -lZ
-rw-r--r--. root root XXX:XXX:stunnel_etc_t:s0 MC-nfsd.conf
-r--------. root root XXX:XXX:stunnel_etc_t:s0 nfs-tls.pem
Copy Code
When you can run the
netcatCopy Code$ cat /etc/systemd/system/3d-nfsd.socket [Unit] Description=NFS over stunnel/TLS client [Socket] ListenStream=2323 Accept=yes TimeoutSec=300 [Install] WantedBy=sockets.targetCopy Code
Configure the socket to launch stunnel with a settings file that you’ll define shortly:
$ cat /etc/systemd/system/3d-nfsd@.service
[Unit]
Description=NFS over stunnel/TLS client
[Service]
ExecStart=-/bin/stunnel /etc/stunnel/3d-nfsd.conf
StandardInput=socket
Copy Code
Create a stunnel control file for the NFS client:
$ cat /etc/stunnel/3d-nfsd.conf
#GLOBAL#######################################################
sslVersion = TLSv1.2
TIMEOUTidle = 600
renegotiation = no
FIPS = no
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
debug = 0
setuid = nobody
setgid = nobody
chroot = /var/empty/stunnel
libwrap = yes
service = 3d-nfsd
; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
; chcon -t stunnel_etc_t hosts.deny
curve = secp521r1
; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:
ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
#CREDENTIALS##################################################
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert = /etc/stunnel/nfs-tls.pem
#ROLE#########################################################
client = yes
connect = nfs-server.yourco.com:2363
Copy Code
if stunnel does not run with the
NO_SSLv2Copy CodeSINGLE_*_USECopy CodesetgidCopy CodeModify the
fstabCopy Code$ grep share /etc/fstab localhost:/ /home/share nfs noauto,vers=4.2,proto=tcp,port=2323 0 0Copy Code
Mount the volume, and check for a stunnel process, and then examine the active network connections:
# mount /home/share
# pps stun
PID TTY STAT TIME COMMAND
5870 ? Ss 0:00 /bin/stunnel /etc/stunnel/3d-nfsd.conf
# netstat -ap | grep nfsd
tcp 0 0 localhost:860 localhost:3d-nfsd
ESTABLISHED -
tcp 0 0 squib:48804 192.168.:mediacntrlnfsd
ESTABLISHED 5870/stunnel
tcp6 0 0 [::]:3d-nfsd [::]:*
LISTEN 1/init
tcp6 0 0 localhost:3d-nfsd localhost:860
ESTABLISHED 1/init
# ls -l /home/share/
total 676
-rw-r--r-- 1 root root 158 May 21 18:58 hosts
-rw-rw-r-- 1 cfisher cfisher 5359 May 21 19:22 nfs-tls.pem
-rw-r--r-- 1 root root 1760 May 21 18:58 nsswitch.conf
-rw-r--r-- 1 nobody nogroup 1921 May 21 19:17 passwd
-rw-r--r-- 1 root root 670293 May 21 18:58 services
Copy Code
Also, examine the server’s stunnel process and network status:
# pps stun
PID TTY STAT TIME COMMAND
16282 ? Ss 0:00 /bin/stunnel /etc/stunnel/MC-nfsd.conf
# netstat -ap | grep nfsd
tcp6 0 0 [::]:mediacntrlnfsd [::]:*
LISTEN 1/systemd
tcp6 0 0 192.168.:mediacntrlnfsd 192.168.0.24:48824
ESTABLISHED 1/systemd
Copy Code
trol it.
To engage this wrapper, place the following file:
# cat /bin/pstunnel.c
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
int main(int argc, char *argv[], char *envp[])
{
struct sockaddr_storage addr;
socklen_t len = sizeof addr;
int port = 65535, bad = 0;
if(getpeername(fileno(stdin), (struct sockaddr *) &addr, &len)) bad = 1;
else if(addr.ss_family == AF_INET) //IPv4
{
struct sockaddr_in *s = (struct sockaddr_in *) &addr;
port = ntohs(s->sin_port);
}
else if(addr.ss_family == AF_INET6) //IPv6
{
struct sockaddr_in6 *s = (struct sockaddr_in6 *) &addr;
port = ntohs(s->sin6_port);
}
else bad = 1;
if(!bad && port < IPPORT_RESERVED) execve("/bin/stunnel", argv, envp);
else printf("Nope.\n");
}
Copy Code
Compile the privileged wrapper with the following commands:
# cd /bin
# cc -s -O2 -DFORTIFY_SOURCE=2 -Wall -o pstunnel pstunnel.c
Copy Code
Modify the socket unit file to call the privileged wrapper:
# cat /etc/systemd/system/3d-nfsd@.service
[Unit]
Description=NFS over stunnel/TLS client
[Service]
ExecStart=-/bin/pstunnel /etc/stunnel/3d-nfsd.conf
StandardInput=socket
Copy Code
Then reload systemd to recognize the modified unit:
# systemctl daemon-reload
Copy Code
Connections from non-privileged clients are now blocked, but mount requests still will pass:
# telnet localhost 2323
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Nope.
Connection closed by foreign host.
# mount /home/share
# pps stun
PID TTY STAT TIME COMMAND
2483 ? Ss 0:00 /bin/pstunnel /etc/stunnel/3d-nfsd.conf
# umount /home/share
Copy Code
Note that
argv[0]Copy Code[Need assistance with a different issue? Our team is available 24/7.]
Conclusion
In conclusion, our Support Engineers demonstrated how perform nfsv4 encryption with Stunnel TLS. Furthermore, we went through different causes and solutions for this specific error.
0 Comments