Re: OpenBSD httpd: PCI - DSS Compliance

2019-04-10 Thread Bob
On 04/10/2019 20:22, Chris Cappuccio wrote:
> Kihaguru Gathura [pqscr...@gmail.com] wrote:
>> Hi,
>>
>> The message below refers. Has httpd met the particular requirement
>> 6.5.1 - 6.5.10 as shown? Or is it a matter of further configuration?
>>
>> "Requirement 6.5
>> Fingerprinted versions of web software used on the website may contain
>> publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
>> as soon as possible.
>> Misconfiguration or weakness"
>>
> 
> I have no idea what 6.5.1 - 6.5.10 of PCI DSS means because I don't even know
> where to find what it says.
I am not a QSA, and I'm certainly not your QSA. That said: 

PCI-DSS 3.2.1 Requirement 6 is headed "Develop and maintain secure systems and 
applications". That's the right ballpark, but 6.5 is about coding 
vulnerabilities in the software development process. A web server isn't your 
software development process and can't meet those requirements for you. Whoever 
wrote this scanner likely means that the applications/sites you are running 
*on* that server should be developed in accordance with those requirements.

The requirements that more directly impact the web server process include: 6.1 
(vulnerability management), 6.2 (patch management), and any other specific 
system configuration requirements. Nothing in those requirements will exclude 
httpd from being used. An up-to-date httpd with a simple configuration and the 
right TLS ciphers should work in a PCI cardholder data environment just fine. 
The issue is going to be everything else that you're doing.



Re: pppd pty Input/output error

2019-04-10 Thread Denis
Fixed by using different pty (ptypA instead of ptyp0).

On 4/10/2019 2:13 PM, Denis wrote:
> 
> Trying to make ppp connection using pty - pseudo terminal driver:
> 
> /usr/sbin/pppd ptyp0 noccp novj novjccomp nopcomp coaccomp noauth debug
> passive updetach name -client connect 'stunnel /etc/stunnel/client.conf'
> 
> tail /var/log/messages
> pppd[12698]: pppd 2.3.5 started by user, uid 0
> pppd[12698]: Failed to open /dev/ptyp0: Input/output error
> pppd: Exit.
> 
> pty* in /dev
> 
> ls -alh /dev/pty*
> crw-rw-rw- 1 root wheel 6,  0 Apr 10 10:01 /dev/ptyp0
> crw-rw-rw- 1 root wheel 6,  1 Apr 10 10:01 /dev/ptyp1
> crw-rw-rw- 1 root wheel 6,  2 Apr 10 10:01 /dev/ptyp2
> 
> Please advise what can be wrong.
> 



Re: OpenBSD httpd: PCI - DSS Compliance

2019-04-10 Thread Chris Cappuccio
Kihaguru Gathura [pqscr...@gmail.com] wrote:
> Hi,
> 
> The message below refers. Has httpd met the particular requirement
> 6.5.1 - 6.5.10 as shown? Or is it a matter of further configuration?
> 
> "Requirement 6.5
> Fingerprinted versions of web software used on the website may contain
> publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
> as soon as possible.
> Misconfiguration or weakness"
> 

I have no idea what 6.5.1 - 6.5.10 of PCI DSS means because I don't even know
where to find what it says.

Your message suggests that there may or may not be a vulnerability, based on
version numbers or other information obtained by this compliance scanner.

Since nobody except you knows what software is running here, I'm not sure what
to tell you. I don't think httpd itself has any known vulnerabilities,
especially in a mostly default configuration. It's easy to introduce
vulnerabilities.

Chris



Re: Viewing SFP diagnostic data in OpenBSD ?

2019-04-10 Thread Mihai Popescu
> The ISPs either give you a typical fritzbox CPE and/or a media converter
> (like the TP-Link MC220L), but it also works fine with the mentioned SFP.
> I now have 1Gbps Internet, fixed IPv4+v6, simply with DHCP (dhcp6c is
> needed to get the assigned IPv6 prefix for reassigning it to rad(8)
> internally).

1 Gb/s on fiber is pretty much implemented where I live now (.ro). The
sad thing is the ISP is using GPON with ONT on client side. I wanted
to use some OpenBSD based router but I am not sure it is easy to put
together the necessary hardware and driver/pppoe configuration. There
are all kinds of settings involved even at ISP side and I am not sure
they are happy to set up for you.

What are they using there for authentication?



Re: RS-232 serial to ethernet

2019-04-10 Thread LÉVAI Dániel
Thank you everyone so much for the information! There are now some
interesting alternatives for me to look at!

Cheers,
Dani

LÉVAI Dániel @ 2019-04-08T18:04:37 +0200:
> Hi misc@!
> 
> I was wondering if I could use some budget solution to access my OpenBSD
> machine via its serial console over the network, and I stumbled upon
> this piece of hardware: [1] [2] [3] (the same device "USR-TCP232-302",
> I'm just not sure which one will be up at the time someone looks at
> them)
> 
> It basically should be able to convert the serial port to TCP/IP
> networking. Is this something anyone else has used before -- or if you
> know something similar, I'm really interested!
> 
> 
> Thanks,
> Dani
> 
> [1] - 
> https://www.aliexpress.com/item/Q18041-USR-TCP232-302-Tiny-Size-Serial-RS232-to-Ethernet-TCP-IP-Server-Module-Ethernet-Converter/32683105763.html
> [2] - 
> https://www.aliexpress.com/item/USR-TCP232-302-Tiny-Size-Serial-RS232-to-Ethernet-TCP-IP-Server-Module-Ethernet-Converter-Support/32899179930.html
> [3] - 
> https://www.aliexpress.com/item/Q18041-USR-TCP232-302-Tiny-Size-Serial-RS232-to-Ethernet-TCP-IP-Server-Module-Ethernet-Converter/32685599659.html
> 
> -- 
> LÉVAI Dániel
> PGP key ID = 0x83B63A8F
> Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: Viewing SFP diagnostic data in OpenBSD ?

2019-04-10 Thread Reyk Floeter
On Wed, Apr 10, 2019 at 12:11:34PM +0100, Stuart Henderson wrote:
> On 2019/04/10 12:43, Reyk Floeter wrote:
> > I have an em(4) with SFP in my FTTH gateway, a Lanner LEB-6032.  I'd
> > be happy to test any em(4) diff for it.
> > 
> > I had to get a special SFP that is compatible with the FTTH specs here
> > in Zurich.  It is using an asymmetric wavelength, Tx1310nm and
> > Rx1460-1580nm, and I am wondering if your code could show this fact
> > somehow.
> 
> There is really nothing in the spec for bidi optics. If you can plug it
> into a supported nic (ix/ixl for now) you should see the Tx wavelength
> but there's nowhere to retrieve the Rx wavelength.
> 
> Nice to have an FTTH setup that just lets you use your own kit! The few
> UK providers doing ethernet FTTH are mostly using Genexis boxes I think
> (probably for laser safety reasons, their fibre management makes it hard
> to look straight into a disconnected fibre).
> 

I heard that a few years ago the people in Zurich voted that everyone
gets FTTH.  So the network is now provided by ewz, the local
electricity company, or by Swisscom and almost every household is
about to get an OTO wall outlet with two possible fiber ports.

You can choose between a number of professional and consumer-grade
ISPs, so they don't even lock you in.  The ISPs either give you a
typical fritzbox CPE and/or a media converter (like the TP-Link
MC220L), but it also works fine with the mentioned SFP.  I now have
1Gbps Internet, fixed IPv4+v6, simply with DHCP (dhcp6c is needed to
get the assigned IPv6 prefix for reassigning it to rad(8) internally).
At least one (consumer-grade) ISP even offers 10G, at least
theoretically, but I didn't dare to try them out.

Reyk



pppd pty Input/output error

2019-04-10 Thread Denis


Trying to make ppp connection using pty - pseudo terminal driver:

/usr/sbin/pppd ptyp0 noccp novj novjccomp nopcomp coaccomp noauth debug
passive updetach name -client connect 'stunnel /etc/stunnel/client.conf'

tail /var/log/messages
pppd[12698]: pppd 2.3.5 started by user, uid 0
pppd[12698]: Failed to open /dev/ptyp0: Input/output error
pppd: Exit.

pty* in /dev

ls -alh /dev/pty*
crw-rw-rw- 1 root wheel 6,  0 Apr 10 10:01 /dev/ptyp0
crw-rw-rw- 1 root wheel 6,  1 Apr 10 10:01 /dev/ptyp1
crw-rw-rw- 1 root wheel 6,  2 Apr 10 10:01 /dev/ptyp2

Please advise what can be wrong.



Re: Viewing SFP diagnostic data in OpenBSD ?

2019-04-10 Thread Stuart Henderson
On 2019/04/10 12:43, Reyk Floeter wrote:
> I have an em(4) with SFP in my FTTH gateway, a Lanner LEB-6032.  I'd
> be happy to test any em(4) diff for it.
> 
> I had to get a special SFP that is compatible with the FTTH specs here
> in Zurich.  It is using an asymmetric wavelength, Tx1310nm and
> Rx1460-1580nm, and I am wondering if your code could show this fact
> somehow.

There is really nothing in the spec for bidi optics. If you can plug it
into a supported nic (ix/ixl for now) you should see the Tx wavelength
but there's nowhere to retrieve the Rx wavelength.

Nice to have an FTTH setup that just lets you use your own kit! The few
UK providers doing ethernet FTTH are mostly using Genexis boxes I think
(probably for laser safety reasons, their fibre management makes it hard
to look straight into a disconnected fibre).
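Stuart's point above, that the transceiver EEPROM carries a Tx wavelength but no Rx wavelength field, is visible in the SFF-8472 page layout itself. The decoder below is an added example, not code from this thread and not the tech@ diff it discusses: it reads the A0h identification page (vendor strings, part number, Tx wavelength, the CC_BASE/CC_EXT checksums) and the A2h diagnostics page (temperature, Vcc, bias, Tx/Rx power) of an SFP. The vendor name, part and serial numbers and the diagnostic readings are constructed sample data.

```python
# Added example: an SFF-8472 decoder for the fields an SFP diagnostics tool
# reads.  Not code from the thread or from OpenBSD; the two EEPROM pages built
# by build_sample_pages() are constructed sample data, not a real module dump.
import math
import struct


def _checksum(page: bytes, start: int, end: int) -> int:
    # SFF-8472 CC_BASE / CC_EXT: low byte of the sum of bytes start..end inclusive.
    return sum(page[start:end + 1]) & 0xFF


def parse_a0(page: bytes) -> dict:
    """Decode the identification fields of the 256-byte A0h page."""
    if len(page) < 96:
        raise ValueError("A0h page too short")
    if _checksum(page, 0, 62) != page[63]:
        raise ValueError("CC_BASE checksum mismatch")
    if _checksum(page, 64, 94) != page[95]:
        raise ValueError("CC_EXT checksum mismatch")
    return {
        "identifier": page[0],                       # 0x03 = SFP/SFP+
        "vendor_name": page[20:36].decode("ascii").strip(),
        "vendor_pn": page[40:56].decode("ascii").strip(),
        "vendor_sn": page[68:84].decode("ascii").strip(),
        # Bytes 60-61: nominal laser (Tx) wavelength in nm, big-endian.
        # There is no corresponding Rx wavelength field in the spec, so a
        # BiDi module can only advertise its Tx side here.
        "tx_wavelength_nm": struct.unpack(">H", page[60:62])[0],
        "ddm_implemented": bool(page[92] & 0x40),     # byte 92 bit 6
        "internally_calibrated": bool(page[92] & 0x20),
    }


def _mw_to_dbm(mw: float) -> float:
    return 10 * math.log10(mw) if mw > 0 else float("-inf")


def parse_a2(page: bytes) -> dict:
    """Decode the real-time diagnostics of the A2h page (internally calibrated)."""
    if len(page) < 106:
        raise ValueError("A2h page too short")
    temp, vcc, bias, tx_pwr, rx_pwr = struct.unpack(">hHHHH", page[96:106])
    return {
        "temperature_c": temp / 256.0,      # signed, 1/256 degC per LSB
        "vcc_v": vcc * 100e-6,              # 100 uV per LSB
        "tx_bias_ma": bias * 2e-3,          # 2 uA per LSB
        "tx_power_mw": tx_pwr * 1e-4,       # 0.1 uW per LSB
        "rx_power_mw": rx_pwr * 1e-4,
        "tx_power_dbm": _mw_to_dbm(tx_pwr * 1e-4),
        "rx_power_dbm": _mw_to_dbm(rx_pwr * 1e-4),
    }


def build_sample_pages() -> tuple:
    """Construct A0h/A2h pages for a 1310nm-Tx BiDi SFP with DDM (sample data)."""
    a0 = bytearray(256)
    a0[0] = 0x03
    a0[20:36] = b"EXAMPLE VENDOR  "          # constructed vendor name
    a0[40:56] = b"BIDI-1310-TX    "          # constructed part number
    a0[60:62] = struct.pack(">H", 1310)      # Tx wavelength in nm
    a0[68:84] = b"SN00000000000001"          # constructed serial number
    a0[92] = 0x68                            # DDM, internally calibrated, Rx avg power
    a0[63] = _checksum(a0, 0, 62)
    a0[95] = _checksum(a0, 64, 94)
    a2 = bytearray(256)
    a2[96:106] = struct.pack(">hHHHH",
                             int(41.5 * 256),   # 41.5 degC
                             33000,             # 3.3000 V
                             15000,             # 30 mA bias
                             5000,              # 0.5 mW Tx  (about -3.01 dBm)
                             200)               # 0.02 mW Rx (about -16.99 dBm)
    return bytes(a0), bytes(a2)


if __name__ == "__main__":
    a0_page, a2_page = build_sample_pages()
    for key, value in {**parse_a0(a0_page), **parse_a2(a2_page)}.items():
        print(f"{key:>22}: {value}")
```

The offsets follow the SFF-8472 fixed layout (A0h bytes 20-35 vendor name, 40-55 part number, 60-61 wavelength, 63 and 95 checksums; A2h bytes 96-105 the live readings). The A2h conversion assumes an internally calibrated module; an externally calibrated one requires applying the slope and offset constants stored in A2h bytes 56-95 first, which this example does not do.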



Re: Viewing SFP diagnostic data in OpenBSD ?

2019-04-10 Thread Reyk Floeter
On Mon, Apr 08, 2019 at 02:25:28PM +1000, David Gwynne wrote:
> 
> 
> > On 6 Apr 2019, at 01:54, Rachel Roch  wrote:
> > 
> > 
> > 
> > 
> > Apr 2, 2019, 11:19 PM by da...@gwynne.id.au:
> > 
> >> 
> >> 
> >>> On 3 Apr 2019, at 04:52, Stuart Henderson <s...@spacehopper.org> wrote:
> >>> 
> >>> On 2019-04-02, Rachel Roch <rr...@tutanota.de> wrote:
> >>> 
>  Hi,
>  
>  Hopefully I'm just searching the man pages wrong but I can't seem to 
>  find any hints as to how I can view SFP diagnostics in OpenBSD (i.e. 
>  light power etc.)
>  
>  Perhaps someone could kindly point me in the right direction ?
>  
>  Rachel
>  
> >>> 
> >>> I don't think that code has been written yet.
> >>> 
> >> 
> >> You're right, it hasn't.
> >> 
> >> Rachel, which nic are you interested in having this on?
> >> 
> >> dlg
> >> 
> > 
> > Just spotted this email.
> > 
> > An Intel I350 based NIC made by HotLava  
> > (https://hotlavasystems.com/products_gbe.html) 
> > 
> 
> OK. I made a start on this. Have a look for "sfp module info and diagnostics" 
> on tech@, or click on https://marc.info/?l=openbsd-tech&m=155469738013008&w=2
> 
> We don't have an em(4) here with optics, but a diff doesn't look too bad if 
> you're willing to test it.
> 
> dlg
> 

I have an em(4) with SFP in my FTTH gateway, a Lanner LEB-6032.  I'd
be happy to test any em(4) diff for it.

I had to get a special SFP that is compatible with the FTTH specs here
in Zurich.  It is using an asymmetric wavelength, Tx1310nm and
Rx1460-1580nm, and I am wondering if your code could show this fact
somehow.

https://www.flexoptix.net/en/wideband-sfp-bidi-transceiver-1-gigabit-sm-tx1310nm-rx1550nm-10km-12db-ddm-dom.html?co8658=83928

em6: flags=208843 mtu 1500
lladdr 00:90:0b:55:3d:e4
index 7 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseSX full-duplex)
status: active

But I also have many different "regular" SFPs here that I can plug
into the second em(4) fiber port to test the diff.

The attached dmesg is a few days old.

Reyk

OpenBSD 6.5-beta (GENERIC.MP) #768: Sun Mar  3 23:58:33 MST 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4181184512 (3987MB)
avail mem = 4044509184 (3857MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebf30 (15 entries)
bios0: vendor American Megatrends Inc. version "5.6.5" date 06/24/2016
bios0: Lanner Electronics LEB-6032
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT LPIT MCFG HPET SSDT SSDT SSDT UEFI CSRT
acpi0: wakeup devices PS2K(S4) XHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz, 1916.99 MHz, 06-37-09
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz, 1916.67 MHz, 06-37-09
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz, 1916.67 MHz, 06-37-09
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz, 1916.67 MHz, 06-37-09
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu3: 1MB 64b

Re: 40G ixl nics

2019-04-10 Thread Hrvoje Popovski
On 3.2.2019. 19:09, Tony Sarendal wrote:
> Good evening,
> 
> We inserted a 2x40G NIC into one of our old franken-pc's, and got this:
> 
> ixl0 at pci2 dev 0 function 0 "Intel XL710 QSFP+" rev 0x02: port 0, FW
> 5.0.40043 API 1.5, msi, address 0c:c4:7a:5e:f9:c8
> ixl0: unable to query phy types
> ixl1 at pci2 dev 0 function 1 "Intel XL710 QSFP+" rev 0x02: port 1, FW
> 5.0.40043 API 1.5, msi, address 0c:c4:7a:5e:f9:c9
> ixl1: unable to query phy types

Hi,

could you update the firmware on the ixl nics and try -current, or wait for the 6.5
release? I think that your nics should work ...

https://downloadcenter.intel.com/product/83967/Intel-Ethernet-Converged-Network-Adapter-XL710-QDA2




Re: OpenBSD httpd: PCI - DSS Compliance

2019-04-10 Thread Janne Johansson
I think that point was badly made by the site, they don't list what they
did look at or how they deduced it, only that "it may" even though that
same report later says no version string was sent as if that was a good
thing. I guess this means "because you did as expected and did not send a
version, we think it may be super old and could be bad but we can't tell".

I did not sign up to get a more detailed report, but from what I could see
it was kind of a blunt report sweeping in broad terms, as presented.

I'm sure PCI auditors would be glad to spend a lot of your money to look at
the version and file a report taking days to write about how it actually
seems ok, for now. 8-(


On Wed 10 Apr 2019 at 09:20, Kihaguru Gathura wrote:

> Hi,
>
> The message below refers. Has httpd met the particular requirement
> 6.5.1 - 6.5.10 as shown? Or is it a matter of further configuration?
>
> "Requirement 6.5
> Fingerprinted versions of web software used on the website may contain
> publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
> as soon as possible.
> Misconfiguration or weakness"
>
> actual report here:
>
> https://www.htbridge.com/websec/?id=cGZfIatq
>
> Thanks,
>
> Kihaguru.
>
>

-- 
May the most significant bit of your life be positive.


OpenBSD httpd: PCI - DSS Compliance

2019-04-10 Thread Kihaguru Gathura
Hi,

The message below refers. Has httpd met the particular requirement
6.5.1 - 6.5.10 as shown? Or is it a matter of further configuration?

"Requirement 6.5
Fingerprinted versions of web software used on the website may contain
publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
as soon as possible.
Misconfiguration or weakness"

actual report here:

https://www.htbridge.com/websec/?id=cGZfIatq

Thanks,

Kihaguru.