Wondering how to perform nfsv4 encryption with Stunnel TLS? Our NFS Support team is here to lend a hand with your queries and issues.
NFSv4 encryption with Stunnel TLS
At a minimum, the stunnel TLS server must present a keypair.
$ openssl req -newkey rsa:4096 -x509 -days 3650 -nodes \
-out nfs-tls.pem -keyout nfs-tls.pem
The command above writes the private key and a self-signed certificate into the single file nfs-tls.pem; because of `-nodes`, the key is not passphrase-protected, so file permissions are its only protection. Move the file to the /etc/stunnel directory, owned by root with mode 0400 (read-only for root).
On the file server, add an export for the same share to localhost.
Set the insecure option, which allows connections from client ports above 1023 (non-privileged ports); this is needed because the stunnel process, running as `nobody` after setuid, will connect to port 2049 from an unprivileged source port.
If you want to remove the clear-text export, make sure the client has unmounted first:
$ cat /etc/exports
/home/share 5.6.7.8(fsid=0,ro)
/home/share 127.0.0.1(fsid=0,ro,insecure)
Run the following command to activate the share to localhost:
exportfs -a
Add an inetd-style socket activation unit on port 2363 to launch stunnel with a timeout of ten minutes:
$ cat /etc/systemd/system/MC-nfsd.socket
[Unit]
Description=NFS over stunnel/TLS server
[Socket]
ListenStream=2363
Accept=yes
TimeoutSec=600
[Install]
WantedBy=sockets.target
Configure the socket to launch stunnel with a settings file that you’ll define shortly:
$ cat /etc/systemd/system/MC-nfsd@.service
[Unit]
Description=NFS over stunnel/TLS server
[Service]
ExecStart=-/bin/stunnel /etc/stunnel/MC-nfsd.conf
StandardInput=socket
Start the socket and enable it for automatic start at boot with the following commands:
systemctl start MC-nfsd.socket
systemctl enable MC-nfsd.socket
Open port 2363 to allow encrypted NFS through your firewall (this rule is not persistent across reboots, so add it to your saved firewall ruleset as well):
iptables -w -I INPUT -p tcp --dport 2363 --syn -j ACCEPT
Create the following stunnel control file for the NFS server. Note that, unlike the client file below, it does not set `sslVersion = TLSv1.2`; the `NO_SSLv2`/`NO_SSLv3` options only rule out SSL, so add that line here too if the server must not negotiate TLS 1.0 or 1.1:
$ cat /etc/stunnel/MC-nfsd.conf
#GLOBAL#######################################################
TIMEOUTidle = 600
renegotiation = no
FIPS = no
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
debug = 0
setuid = nobody
setgid = nobody
chroot = /var/empty/stunnel
libwrap = yes
service = MC-nfsd
; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
; echo 'MC-nfsd: ALL EXCEPT 5.6.7.8' >> hosts.deny;
; chcon -t stunnel_etc_t hosts.deny
curve = secp521r1
; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
#CREDENTIALS##################################################
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert = /etc/stunnel/nfs-tls.pem
#ROLE#########################################################
connect = 127.0.0.1:2049
Create the chroot() directory into which stunnel will confine itself after dropping privileges:
# mkdir /var/empty/stunnel
Attempt a local clear-text socket connection to port 2363; stunnel configuration problems will appear here:
# nc localhost 2363
Clients allowed=500
stunnel 4.56 on x86_64-redhat-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Auth:LIBWRAP
Reading configuration from file /etc/stunnel/MC-nfsd.conf
FIPS mode is disabled
Compression not enabled
Snagged 64 random bytes from /dev/urandom
PRNG seeded successfully
Initializing inetd mode configuration
Certificate: /etc/stunnel/nfs-tls.pem
Error reading certificate file: /etc/stunnel/nfs-tls.pem
error queue: 140DC002: error:140DC002:SSL
routines:SSL_CTX_use_certificate_chain_file:system lib
error queue: 20074002: error:20074002:BIO
routines:FILE_CTRL:system lib
SSL_CTX_use_certificate_chain_file: 200100D:
error:0200100D:system library:fopen:Permission denied
Service [MC-nfsd]: Failed to initialize SSL context
str_stats: 11 block(s), 355 data byte(s), 638 control byte(s)
In this case, SELinux is enabled, and the type label on the key is preventing stunnel from reading it (the `user_home_t` label suggests the file was generated in a home directory and moved with `mv`, which keeps the original label). A chcon command is required to fix this; `restorecon -v nfs-tls.pem` should also reset it to the default label for /etc/stunnel:
# cd /etc/stunnel
# ls -lZ
-rw-r--r--. root root XXX:XXX:stunnel_etc_t:s0 MC-nfsd.conf
-r--------. root root XXX:XXX:user_home_t:s0 nfs-tls.pem
# chcon -t stunnel_etc_t nfs-tls.pem
# ls -lZ
-rw-r--r--. root root XXX:XXX:stunnel_etc_t:s0 MC-nfsd.conf
-r--------. root root XXX:XXX:stunnel_etc_t:s0 nfs-tls.pem
When the netcat test runs without error, you are ready to move to the client. Add the inetd-style socket activation unit on the NFS client:
$ cat /etc/systemd/system/3d-nfsd.socket
[Unit]
Description=NFS over stunnel/TLS client
[Socket]
ListenStream=2323
Accept=yes
TimeoutSec=300
[Install]
WantedBy=sockets.target
Configure the socket to launch stunnel with a settings file that you’ll define shortly:
$ cat /etc/systemd/system/3d-nfsd@.service
[Unit]
Description=NFS over stunnel/TLS client
[Service]
ExecStart=-/bin/stunnel /etc/stunnel/3d-nfsd.conf
StandardInput=socket
Create a stunnel control file for the NFS client. It uses the same nfs-tls.pem as both `cert` and `CAfile` with `verify = 4`, so each side accepts only a peer presenting that exact certificate; copy the file to the client intact and keep it root-owned with mode 0400 there as well:
$ cat /etc/stunnel/3d-nfsd.conf
#GLOBAL#######################################################
sslVersion = TLSv1.2
TIMEOUTidle = 600
renegotiation = no
FIPS = no
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
debug = 0
setuid = nobody
setgid = nobody
chroot = /var/empty/stunnel
libwrap = yes
service = 3d-nfsd
; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
; chcon -t stunnel_etc_t hosts.deny
curve = secp521r1
; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
#CREDENTIALS##################################################
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert = /etc/stunnel/nfs-tls.pem
#ROLE#########################################################
client = yes
connect = nfs-server.yourco.com:2363
On some distributions, the packaged stunnel does not accept the NO_SSLv2 option or either of the SINGLE_*_USE options (remove them if stunnel refuses to start), and the group "nogroup" should be used for the setgid option above.
Modify the fstab entry for /home/share so that it connects to the local stunnel listener:
$ grep share /etc/fstab
localhost:/ /home/share nfs noauto,vers=4.2,proto=tcp,port=2323 0 0
Mount the volume, check for a stunnel process (`pps` here appears to be a local alias for a filtered `ps`), and then examine the active network connections:
# mount /home/share
# pps stun
PID TTY STAT TIME COMMAND
5870 ? Ss 0:00 /bin/stunnel /etc/stunnel/3d-nfsd.conf
# netstat -ap | grep nfsd
tcp 0 0 localhost:860 localhost:3d-nfsd
ESTABLISHED -
tcp 0 0 squib:48804 192.168.:mediacntrlnfsd
ESTABLISHED 5870/stunnel
tcp6 0 0 [::]:3d-nfsd [::]:*
LISTEN 1/init
tcp6 0 0 localhost:3d-nfsd localhost:860
ESTABLISHED 1/init
# ls -l /home/share/
total 676
-rw-r--r-- 1 root root 158 May 21 18:58 hosts
-rw-rw-r-- 1 cfisher cfisher 5359 May 21 19:22 nfs-tls.pem
-rw-r--r-- 1 root root 1760 May 21 18:58 nsswitch.conf
-rw-r--r-- 1 nobody nogroup 1921 May 21 19:17 passwd
-rw-r--r-- 1 root root 670293 May 21 18:58 services
Note that the listing above shows nfs-tls.pem, which holds the private key as well as the certificate, sitting on the exported share with mode 0664. That is a convenient way to get the file to the client, but it leaves the key readable by every user of the share; remove it from the export once the client has its copy, and keep both copies root-owned with mode 0400 in /etc/stunnel. Also, examine the server's stunnel process and network status:
# pps stun
PID TTY STAT TIME COMMAND
16282 ? Ss 0:00 /bin/stunnel /etc/stunnel/MC-nfsd.conf
# netstat -ap | grep nfsd
tcp6 0 0 [::]:mediacntrlnfsd [::]:*
LISTEN 1/systemd
tcp6 0 0 192.168.:mediacntrlnfsd 192.168.0.24:48824
ESTABLISHED 1/systemd
Any local user can connect to the client-side listener on port 2323 and drive the tunnel, so a small wrapper is placed in front of stunnel that admits a connection only if it arrives from a privileged source port (below 1024), which on the local host only root can bind. To engage this wrapper, place the following file:
# cat /bin/pstunnel.c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
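int main(int argc, char *argv[], char *envp[])
{
  /*
   * Privilege gate in front of stunnel for a socket-activated (inetd-style)
   * service: stdin is the accepted connection.  The peer is admitted only if
   * it connected from a privileged source port (below IPPORT_RESERVED, 1024);
   * otherwise it is answered with "Nope." and the wrapper exits.
   *
   * argv and envp are handed to stunnel unchanged, so argv[0] keeps the
   * wrapper's name in process listings.
   */
  struct sockaddr_storage addr;
  socklen_t len = sizeof addr;
  int port = 65535;   /* sentinel: never below IPPORT_RESERVED unless set below */
  int bad = 0;

  (void)argc;         /* the vector is forwarded verbatim; the count is unused */

  if (getpeername(fileno(stdin), (struct sockaddr *)&addr, &len) != 0) {
    bad = 1;          /* stdin is not a connected socket, or the call failed */
  } else if (addr.ss_family == AF_INET) {          /* IPv4 */
    struct sockaddr_in *s = (struct sockaddr_in *)&addr;
    port = ntohs(s->sin_port);
  } else if (addr.ss_family == AF_INET6) {         /* IPv6 */
    struct sockaddr_in6 *s = (struct sockaddr_in6 *)&addr;
    port = ntohs(s->sin6_port);
  } else {
    bad = 1;          /* unknown address family: refuse rather than guess */
  }

  if (!bad && port < IPPORT_RESERVED) {
    execve("/bin/stunnel", argv, envp);
    /* Only reached when execve() failed.  Report the cause on stderr (the
     * journal) and exit non-zero instead of silently returning 0 and leaving
     * the peer with an empty reply. */
    perror("pstunnel: execve /bin/stunnel");
    return 1;
  }

  /* The reply goes to the peer: stdout is the accepted socket. */
  printf("Nope.\n");
  return 0;
}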
Compile the privileged wrapper with the following commands (the hardening macro is `_FORTIFY_SOURCE`, with a leading underscore, and it only takes effect when optimization such as `-O2` is enabled):
# cd /bin
# cc -s -O2 -D_FORTIFY_SOURCE=2 -Wall -o pstunnel pstunnel.c
Modify the socket unit file to call the privileged wrapper:
# cat /etc/systemd/system/3d-nfsd@.service
[Unit]
Description=NFS over stunnel/TLS client
[Service]
ExecStart=-/bin/pstunnel /etc/stunnel/3d-nfsd.conf
StandardInput=socket
Then reload systemd to recognize the modified unit:
# systemctl daemon-reload
Connections from non-privileged local clients are now rejected with "Nope.", but mount requests, which the kernel NFS client makes from a privileged port (see localhost:860 above), still pass:
# telnet localhost 2323
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Nope.
Connection closed by foreign host.
# mount /home/share
# pps stun
PID TTY STAT TIME COMMAND
2483 ? Ss 0:00 /bin/pstunnel /etc/stunnel/3d-nfsd.conf
# umount /home/share
Note that argv[0] will retain the name of the wrapper, which is why the process listing above shows /bin/pstunnel rather than /bin/stunnel.
Conclusion
In conclusion, our Support Engineers demonstrated how to perform NFSv4 encryption with Stunnel TLS. Furthermore, we walked through the SELinux labeling error that can prevent stunnel from reading its key, and how to resolve it.