RPC.TLSCLNTD(8)         FreeBSD System Manager's Manual        RPC.TLSCLNTD(8)

NAME
     rpc.tlsclntd - Sun RPC over TLS Client Daemon

SYNOPSIS
     rpc.tlsclntd [-C preferred_ciphers] [-D certdir] [-d] [-l CAfile] [-m]
                  [-p CApath] [-r CRLfile] [-v]

DESCRIPTION
     The rpc.tlsclntd program provides support for the client side of the
     kernel Sun RPC over TLS implementation.  This daemon must be running for
     the kernel RPC to be able to do a TLS connection to a server for an NFS
     over TLS mount.  This daemon requires that the kernel be built with
     "options KERNEL_TLS" and be running on an architecture such as "amd64"
     that supports a direct map (not i386) with ktls(4) enabled.

     If either the -l or the -p option has been specified, the daemon will
     require the server's certificate to verify and to carry a Fully Qualified
     Domain Name (FQDN).  This FQDN must match the reverse DNS name for the IP
     address that the server is using for the TCP connection.  The FQDN may be
     in either the DNS field of the subjectAltName or the CN field of the
     subjectName in the certificate and cannot have a wildcard "*" in it.
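     The following is an added illustration of the name-matching rule above,
     written for this page and not taken from FreeBSD or the rpc.tlsclntd
     source.  It models the policy only: the certificate's subjectAltName DNS
     entries and subject CN are passed in as strings (X.509 parsing is left to
     the TLS library), and the function reports whether a non-wildcard name
     equals the server's reverse-DNS name.  Case folding and trailing-dot
     handling are this example's own assumptions about how DNS names compare.

```python
"""Model of the rpc.tlsclntd -l/-p server-identity rule (added example).

Not FreeBSD code.  Given the names found in a server certificate and the
reverse-DNS name of the server's IP address, decide whether the manual's
policy would accept the certificate: some subjectAltName DNS entry or the
subject CN must equal the reverse-DNS name, and wildcard names never count.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Names extracted from a server certificate (constructed input)."""
    san_dns: List[str] = field(default_factory=list)
    cn: Optional[str] = None


def _normalize(name: str) -> str:
    # Assumption: DNS names compare case-insensitively and a trailing dot
    # (absolute name, as some resolvers return it) is not significant.
    return name.strip().rstrip(".").lower()


def check_server_name(names: CertNames, reverse_dns: str) -> str:
    """Return "ok", or a reason string saying why verification would fail."""
    candidates = list(names.san_dns)
    if names.cn is not None:
        candidates.append(names.cn)
    if not candidates:
        return "certificate carries no DNS name"

    wanted = _normalize(reverse_dns)
    wildcards_seen = 0
    for cand in candidates:
        if "*" in cand:
            # A wildcard entry is never an acceptable FQDN under this policy,
            # even when the pattern would otherwise cover the server name.
            wildcards_seen += 1
            continue
        if _normalize(cand) == wanted:
            return "ok"

    if wildcards_seen and wildcards_seen == len(candidates):
        return f"only wildcard names present; none may be used for {wanted!r}"
    return f"no non-wildcard name matches reverse DNS {wanted!r}"


if __name__ == "__main__":
    # Constructed sample: a certificate with one wildcard and one exact name.
    sample = CertNames(san_dns=["*.example.org", "nfs.example.org"], cn="NFS Server")
    print(check_server_name(sample, "nfs.example.org."))
```

     Running the file prints "ok" for the constructed sample because the exact
     subjectAltName entry matches; a certificate carrying only the wildcard
     would be rejected even though "*.example.org" covers the host.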

     If a SIGHUP signal is sent to the daemon it will reload the "CRLfile" and
     will shut down any extant connections that presented certificates during
     TLS handshake that have been revoked.  If the -r option was not
     specified, the SIGHUP signal will be ignored.

     The daemon will log failed certificate verifications via syslogd(8) using
     LOG_INFO | LOG_DAEMON when the -l or -p option has been specified.

     The options are as follows:

     -C preferred_ciphers, --ciphers=preferred_ciphers
             Specify what preferred ciphers are to be used.  If this option is
             specified, "SSL_CTX_set_cipher_list()" will be called with
             "preferred_ciphers" as the argument.  If this option is not
             specified, the cipher will be chosen by ssl(7).

     -D certdir, --certdir=certdir
             Use "certdir" instead of /etc/rpc.tlsclntd for the -m option.

     -d, --debuglevel
             Run in debug mode.  In this mode, rpc.tlsclntd will not fork when
             it starts.

     -l CAfile, --verifylocs=CAfile
             This specifies the path name of a CAfile which holds the
             information for server certificate verification.  This path name
             is used in "SSL_CTX_load_verify_locations(ctx,CAfile,NULL)" and
             "SSL_CTX_set0_CA_list(ctx,SSL_load_client_CA_file(CAfile))"
             openssl library calls.  Note that this is a path name for the
             file and is not assumed to be in "certdir".

     -m, --mutualverf
             Enable support for mutual authentication.  A certificate and
             associated key must be found in /etc/rpc.tlsclntd (or the
             directory specified by the -D option) in case a server requests a
             peer certificate.  The first certificate needs to be in a file
             named "cert.pem" and the associated key in a file named
             "certkey.pem".  The mount_nfs(8) option -tlscertname can be used
             to override the default certificate for a given NFS mount, where
             the files use the alternate naming specified by the option.  If
             there is a passphrase on the "certkey.pem" file, this daemon will
             prompt for the passphrase during startup.  The keys for alternate
             certificates cannot have passphrases.
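             The script below is an added pre-flight check for the -m
             directory layout described above; it is not part of FreeBSD or
             the daemon.  It confirms that "cert.pem" and "certkey.pem" are
             present and flags any other private-key file in the directory
             that is passphrase-protected, since the daemon only prompts for
             the default key.  Recognizing an encrypted key by its PEM headers
             is this example's own heuristic, and the sample files it writes
             are constructed placeholders, not real keys.

```python
"""Pre-flight check of an rpc.tlsclntd -m certificate directory (added example).

Not FreeBSD code.  Rules applied, from the manual page:
  * cert.pem and certkey.pem must exist in certdir;
  * certkey.pem may have a passphrase (the daemon prompts at startup);
  * keys for alternate certificates (selected with mount_nfs -tlscertname)
    must not have a passphrase.
Assumption: alternate key files are also *.pem files in the same directory.
"""
import os
import tempfile
from typing import List

# PEM markers that indicate a passphrase-protected private key.
_ENCRYPTED_MARKERS = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8, encrypted
    "Proc-Type: 4,ENCRYPTED",                 # legacy OpenSSL "traditional" format
)


def _is_private_key(text: str) -> bool:
    return "PRIVATE KEY-----" in text


def _is_encrypted_key(text: str) -> bool:
    return any(marker in text for marker in _ENCRYPTED_MARKERS)


def check_certdir(certdir: str) -> List[str]:
    """Return a list of problems; an empty list means the layout is usable."""
    if not os.path.isdir(certdir):
        return [f"{certdir}: certdir does not exist"]
    problems: List[str] = []
    for required in ("cert.pem", "certkey.pem"):
        if not os.path.isfile(os.path.join(certdir, required)):
            problems.append(f"missing {required}")
    for entry in sorted(os.listdir(certdir)):
        # The default key may be encrypted; only alternate keys are checked.
        if entry == "certkey.pem" or not entry.endswith(".pem"):
            continue
        path = os.path.join(certdir, entry)
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
        if _is_private_key(text) and _is_encrypted_key(text):
            problems.append(f"{entry}: alternate key has a passphrase")
    return problems


def build_demo_certdir() -> str:
    """Create a constructed certdir: default key encrypted (allowed),
    one alternate certificate whose key is encrypted (not allowed)."""
    certdir = tempfile.mkdtemp(prefix="rpc.tlsclntd-demo-")
    cert_stub = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    enc_key_stub = (
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
        "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
    )
    files = {
        "cert.pem": cert_stub,
        "certkey.pem": enc_key_stub,   # passphrase on the default key: prompted for
        "backup.pem": cert_stub,       # alternate certificate
        "backupkey.pem": enc_key_stub, # alternate key with passphrase: a problem
    }
    for name, body in files.items():
        with open(os.path.join(certdir, name), "w") as fh:
            fh.write(body)
    return certdir


if __name__ == "__main__":
    for problem in check_certdir(build_demo_certdir()):
        print(problem)
```

             Point the script at a real directory by calling
             check_certdir("/etc/rpc.tlsclntd") (or the -D directory); the
             demo run reports only the encrypted alternate key.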

     -p CApath, --verifydir=CApath
             This option is similar to the -l option, but specifies the path
             of a directory with CA certificates in it.  When this option is
             used, "SSL_CTX_set0_CA_list(ctx,SSL_load_client_CA_file())" is
             not called, so a list of CA names is not passed to the server
             during the TLS handshake.  The openssl documentation indicates
             this call is rarely needed.

     -r CRLfile, --crl=CRLfile
             This option specifies a Certificate Revocation List (CRL) file
             that is to be loaded into the verify certificate store and
             checked during verification of the server's certificate.  This
             option is meaningless unless either -l or -p has also been
             specified.

     -v, --verbose
             Run in verbose mode.  In this mode, rpc.tlsclntd will log
             activity messages to syslog using LOG_INFO | LOG_DAEMON or to
             stderr, if the -d option has also been specified.

EXIT STATUS
     The rpc.tlsclntd utility exits 0 on success, and >0 if an error occurs.

SEE ALSO
     openssl(1), ktls(4), mount_nfs(8), rpc.tlsservd(8), ssl(7), syslogd(8)

STANDARDS
     The implementation is based on the specification in Towards Remote
     Procedure Call Encryption By Default, RFC NNNN.

HISTORY
     The rpc.tlsclntd manual page first appeared in FreeBSD 13.0.

BUGS
     This daemon cannot be safely shut down and restarted if there are any
     active RPC-over-TLS connections.  Doing so will orphan the KERNEL_TLS
     connections, so that they can no longer do upcalls successfully, since
     the "SSL *" structures in userspace have been lost.

FreeBSD 13.1-RELEASE-p6        February 17, 2021       FreeBSD 13.1-RELEASE-p6