Re: Router project on OpenBSD questions
On Feb 28, 2012, Stuart Henderson wrote:

> List: openbsd-misc
> Subject: Re: Router project on OpenBSD questions
> From: Stuart Henderson <stu () spacehopper ! org>
> Date: 2012-02-28 13:57:45
> Message-ID: <slrnjkpnao.r14.stu () naiad ! spacehopper ! org>
>
> IPsec is mostly compatible but there's a bit of breakage if the ipsec
> gateways are behind NAT (because Cisco still follows a very old nat-t
> draft rather than the standard).

I think I have read similar remarks about NAT-T and Cisco interoperability, but I have found no details about what the problem is with Cisco.

I completely failed when I tried to move from OBSD 4.6 to OBSD 5.2 because of NAT-T trouble with Cisco. I described my experience in a message to this list, 'ISAMPD NAT trouble with openBSD 5.2'.

Any hints to information about interoperability issues with Cisco (and possible solutions) would be highly welcome.

Best regards,
Christoph Leser
SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: le...@sup-logistik.de
Re: Router project on OpenBSD questions
Search the archives for the cisco nat-t problem; I sent a mail with more details and I think there was a patch with it. Pretty sure that would have affected older OpenBSD versions too though.

Christoph Leser <le...@sup-logistik.de> wrote:

> On Feb 28, 2012, Stuart Henderson wrote:
>
>> IPsec is mostly compatible but there's a bit of breakage if the ipsec
>> gateways are behind NAT (because Cisco still follows a very old nat-t
>> draft rather than the standard).
>
> I think I have read similar remarks about NAT-T and Cisco interoperability, but I have found no details about what the problem is with Cisco.
>
> I completely failed when I tried to move from OBSD 4.6 to OBSD 5.2 because of NAT-T trouble with Cisco. I described my experience in a message to this list, 'ISAMPD NAT trouble with openBSD 5.2'.
>
> Any hints to information about interoperability issues with Cisco (and possible solutions) would be highly welcome.
>
> Best regards,
> Christoph Leser
> SP Computersysteme GmbH
> Zettachring 4
> 70567 Stuttgart Fasanenhof
> EMail: le...@sup-logistik.de
Ldaps authentication from a php web page
Hello,

I'm trying to get a php script to authenticate with ldaps but I can't make it work for some reason.

A basic ldap query works from the command line:

  $ ldapsearch -x -H ldaps://myserver.mydomain.fr -W -D cn=admin,dc=mydomain,dc=fr -b '' -s base '(objectclass=*)' namingContexts

So I'm 90% sure that my openldap server is properly configured. Moreover, I read that TLSVerifyClient is never (I think), so the problem is on the client side.

When I use the command line, I think that /etc/openldap/ldap.conf is used by ldapsearch, and in that file I have:

  URI ldaps://myserver.mydomain.fr
  TLS_CACERT /etc/openldap/ssl/CA.crt
  TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3

On the server side I have in /etc/openldap/slapd.conf:

  TLSRandFile /dev/urandom
  TLSCipherSuite HIGH:MEDIUM:+SSLv3
  TLSCACertificateFile /etc/openldap/ssl/CA.crt
  TLSCertificateFile /etc/openldap/ssl/openldap.crt
  TLSCertificateKeyFile /etc/openldap/ssl/private/openldap.key

I use a self-signed certificate.

The problem comes when I use a php script inside my chrooted Apache:

  <?php
  $server = "ldaps://192.168.1.1";
  $racine = "dc=mydomain,dc=fr";
  $rootdn = "cn=myadmin,dc=mydomain,dc=fr";
  $rootpw = "mypassword";
  echo "Connexion...<br>";
  // ldap_connect() only prepares the handle; the TLS handshake happens at bind time
  $ds = ldap_connect($server) or die("Can't connect to LDAP $server");
  if ($ds) {
      $r = ldap_bind($ds, $rootdn, $rootpw);
      if ($r) {
          echo "LDAP Success...";
      } else {
          echo "LDAP Failed...";
      }
      echo("msg:'" . ldap_error($ds) . "'<br>");
      echo "Disconnect...<br>";
      ldap_close($ds);
  }
  ?>

If I use ldap://192.168.1.1 instead of ldaps://192.168.1.1, it works.

When I use ldaps://192.168.1.1 I have the following message in slapd:

  conn=1005 fd=14 ACCEPT from IP=192.168.1.1:45750 (IP=0.0.0.0:636)
  TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
  conn=1005 fd=14 closed (TLS negotiation failure)

And that message in PHP:

  Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /htdocs/ldap.php on line 17

If I add at the beginning of my script

  putenv('LDAPTLS_REQCERT=never') or die('Failed to setup the env');

it works, so to me it shows that the problem was on the client side.

My questions are these:

- Where should I put this instruction LDAPTLS_REQCERT=never (I tried php.ini, ldap.ini) so that I won't have to add putenv in all my scripts?
- Where should I put some kind of TLS CACERT so that the client side will consider my certificate valid?

I hope someone will have an idea, thank you
ipsec / ospf / multihoming - looking for recommendations
hi all.

i'm currently using two openbsd boxes to provide redundant site-to-site vpn connectivity between two geographically distant sites. each has both private (mpls ethernet handoff) and public (standard internet) connectivity. i have a pair of gif tunnels, one over each network, ospf to decide which route to take, and ipsec laid on top. this works so well that on more than one occasion we've been called by our provider (att for mpls) and given an apology for their circuit being down - our primary circuit - and we didn't even realize it had been down. we are thrilled with this.

we are on the verge of rolling out several more remote sites, each with multiple network connections (one has three - one mpls and two separate isps). i want to cluster openbsd at each site for redundancy. i believe i can do this with relative ease by just extending my current method (doubling the gifs at each site). but i just received a request to allow the remote sites to talk directly with each other as well. that points to gifs between each site, adding further complexity. now this is starting to look like a mesh, and i've never attempted that before - so i'm here asking for recommendations from those of you who are experienced with this and have the time to help.

just trying to extend my current method ... each cluster will have two openbsd boxes. with main office having a single isp and mpls, and one remote site having two isps and mpls - that alone yields 12 gif tunnels. and that's just two sites. suddenly i'm not so sure i'm headed in the right direction.

so now i have lots of questions ...

- am i going about this all wrong?
- do i need separate route tables for each isp connection at the remote site so that the gif tunnels are assured of going out the correct path?
- should i be using (private) bgp instead of ospf?
- and if bgp, should i be using it to push out the ipsec stuff? (i just read that openbgp has ipsec-related capability, but haven't dug into that yet.)

specific recommendations will be warmly welcomed, as i have a short timetable and a lot of these new requirements just came to light (scope creep at the last minute - gotta love that). thanks in advance!
[PATCH: pkg_add]: Sort ambiguous package names
Sort ambiguous package names from 'pkg_add' when not in interactive mode (which already sorts); e.g. `pkg_add autoconf`. Patch provided inline below based on OpenBSD 5.1 (i386). --- /usr/libdata/perl5/OpenBSD/AddDelete.pm +++ /usr/libdata/perl5/OpenBSD/AddDelete.pm @@ -326,7 +326,7 @@ return $h{$result}; } else { $state-errsay(Ambiguous: #1 could be #2, - $name, join(' ', keys %h)); + $name, join(' ', sort keys %h)); return undef; } }
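Review bot: the `sort keys %h` in the changed `$state->errsay` call makes the "Ambiguous: ... could be ..." list deterministic, but since the cover text says the interactive mode already sorts its candidates, it is worth confirming that both code paths use the same comparison (this hunk uses Perl's default string sort), so the same set of candidate packages is not listed in one order by the prompt and another order by this error message.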
Re: How to stress (performance?) test my PF rules?
On Fri, Sep 21, 2012 at 09:33:04AM -0700, Ed Flecko wrote:
> Does anyone have any suggestions on how to best test the performance of my PF ruleset? Maybe iperf?

Well, the traffic to your machine will be highly unique based on what you use it for, so pre-made testing tools will not be adapted to your situation.

Type pfctl -vs rules. You'll get some useful output that tells how often each rule is checked etc. based on your actual network traffic.

Although, pf is pretty lightweight. IMO you should first learn correct rule syntax and making good rules (eg, don't block all of icmp because you're scared of it -- this will break things). You'll get far greater returns. The pf.conf manpage is a Unix treasure and incidentally it explains what you're looking for.

Nicolai
no output from /etc/daily
Hello. For several days I have not been getting mail from /etc/daily, including when I run it manually. /var/log/security.out* are empty. What could cause this?
Re: no output from /etc/daily
On 09/22/12 20:45, Robert Connolly wrote:
> Hello. For several days I have not been getting mail from /etc/daily, including when I run it manually. /var/log/security.out* are empty.

Unless there are security-related issues detected, it should be.

> What could cause this?

Maybe
- VERBOSESTATUS=0 in /etc/daily.local
- misconfigured mailer

Check /var/mail/* if it ends up there

/Alexander
Re: Ldaps authentication from a php web page
On Sat, Sep 22, 2012 at 7:55 AM, Mik J <mikyde...@yahoo.fr> wrote:
...
> I think so the problem is on the client side. When I use the command line, I think that /etc/openldap/ldap.conf is used by ldapsearch and in that file I have:
> URI ldaps://myserver.mydomain.fr
> TLS_CACERT /etc/openldap/ssl/CA.crt
...
> The problem comes when I use a php script inside my chrooted Apache
...
> - Where should I put some kind of TLS CACERT so that the client side will consider my certificate valid ?

Since you have a working set up outside of the chroot, I would think the easiest thing would be to copy that set up into the chroot, with /etc/openldap/ldap.conf and /etc/openldap/ssl/CA.crt inside the chroot.

Philip Guenther
Re: no output from /etc/daily
My local mail is not working, and I don't know how to diagnose it. I'm using OpenSMTP.

On Sat, Sep 22, 2012 at 11:50 AM, Alexander Hall <alexan...@beard.se> wrote:
> On 09/22/12 20:45, Robert Connolly wrote:
>> Hello. For several days I have not been getting mail from /etc/daily, including when I run it manually. /var/log/security.out* are empty.
>
> Unless there are security-related issues detected, it should be.
>
>> What could cause this?
>
> Maybe
> - VERBOSESTATUS=0 in /etc/daily.local
> - misconfigured mailer
>
> Check /var/mail/* if it ends up there
>
> /Alexander
Re: Ldaps authentication from a php web page
From: Philip Guenther <guent...@gmail.com>
> On Sat, Sep 22, 2012 at 7:55 AM, Mik J <mikyde...@yahoo.fr> wrote:
> ...
>> I think so the problem is on the client side. When I use the command line, I think that /etc/openldap/ldap.conf is used by ldapsearch and in that file I have:
>> URI ldaps://myserver.mydomain.fr
>> TLS_CACERT /etc/openldap/ssl/CA.crt
> ...
>> The problem comes when I use a php script inside my chrooted Apache
> ...
>> - Where should I put some kind of TLS CACERT so that the client side will consider my certificate valid ?
>
> Since you have a working set up outside of the chroot, I would think the easiest thing would be to copy that set up into the chroot, with /etc/openldap/ldap.conf and /etc/openldap/ssl/CA.crt inside the chroot.
>
> Philip Guenther

Hello Philip,

I've tried that but no success. I'm wondering if there could be something done in httpd.conf.
Seems my previous message didn't get through.
Test. Sorry
Re: Ldaps authentication from a php web page
On Sat, Sep 22, 2012 at 3:33 PM, Mik J <mikyde...@yahoo.fr> wrote:
> From: Philip Guenther <guent...@gmail.com>
>> Since you have a working set up outside of the chroot, I would think the easiest thing would be to copy that set up into the chroot, with /etc/openldap/ldap.conf and /etc/openldap/ssl/CA.crt inside the chroot.
>
> Hello Philip,
> I've tried that but no success.

Same errors or different? What were the results when you tried using the CLI ldapsearch tool from inside the chroot, via chroot -u www /var/chroot ?

> I'm wondering if there could be something done in httpd.conf

What's your hypothesis about why it's not finding the CA.crt that you put in the chroot? How are you going to test it?

Philip Guenther
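Added example, not code from Mik J, Philip or the OpenBSD project: the verified-TLS alternative to the putenv('LDAPTLS_REQCERT=never') workaround from the original question, which also tests Philip's hypothesis that the CA file is not reachable from inside the chroot. Server address, DN, password and CA path are placeholders taken from the thread, and the LDAP_OPT_X_TLS_* constants assume PHP 7.1 or later.

```php
<?php
// Added example (not from the thread). Instead of disabling certificate
// checks with putenv('LDAPTLS_REQCERT=never'), tell libldap which CA signed
// the server certificate and demand that it verifies. Assumes PHP >= 7.1.
// All values below are placeholders.
$server = 'ldaps://192.168.1.1';
$rootdn = 'cn=myadmin,dc=mydomain,dc=fr';
$rootpw = 'mypassword';
// Inside a chrooted Apache this path is resolved relative to the chroot,
// so the file must exist as <chroot>/etc/openldap/ssl/CA.crt.
$cacert = '/etc/openldap/ssl/CA.crt';

// Test the hypothesis that the client cannot find the CA file: if this
// fails, the chroot copy is missing or not readable by the www user.
if (!is_readable($cacert)) {
    die("CA file $cacert is not readable from this process (chroot?)<br>");
}

// Global TLS options are set before ldap_connect() creates the handle.
// REQUIRE_CERT=DEMAND makes an unknown or bad server cert a hard failure;
// this is the opposite of LDAPTLS_REQCERT=never, which accepts anything.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cacert);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ds = ldap_connect($server) or die("Can't connect to LDAP $server<br>");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

if (@ldap_bind($ds, $rootdn, $rootpw)) {
    echo "LDAP bind OK over a verified TLS connection<br>";
} else {
    // "Can't contact LDAP server" here together with "tlsv1 alert
    // unknown ca" in the slapd log means the server cert does not chain
    // to $cacert: wrong file copied into the chroot, or a different CA.
    echo "LDAP bind failed: " . ldap_error($ds) . "<br>";
}
ldap_close($ds);
?>
```

The is_readable() check separates "the file is not where PHP can see it" from "the file is there but does not match the server certificate", which is the distinction Philip's last question asks for.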
XVIII Ateneo 2012: "Hoy no tengo ganas, mañana tampoco" (I don't feel like it today, nor tomorrow)
Escuela Sistémica Argentina
An institution dedicated to psychological training, care and research.

Today we reach out to invite you to the XVIII Ateneo 2012, "Hoy no tengo ganas, mañana tampoco" (I don't feel like it today, nor tomorrow): problems of sexual desire.

Date: Friday, 28 September 2012, 19:00
Coordinator: Guido Fischer
Presenter: Lic. Claudio Fontana

FREE ADMISSION (no prior registration)

Escuela Sistémica Argentina
Fray J. S. María de Oro 1843 (C1414DBC)
Tel: (5411) 4774-2875 / 6112 / 4899-1053

ATENEOS 2012

Date    Ateneo title                                        Speaker             Presenter
19-Oct  The therapist's capacity to re-create themselves    Equipo Adherentes   Lic. Marina Perrone