Re: athn(4) and Atheros AR9462
Thank you, perfect answer! :)

BR, Andreas

On Wed, 18 Sep 2019 at 13:01, Antal Ispanovity wrote:
> 2019-09-18 12:38 GMT+02:00, Andreas Thulin :
> > Hi!
> >
> > I just installed OpenBSD 6.5 on an Acer Aspire 5 laptop I got, and realised
> > after some googling that there is no driver available for the Atheros
> > AR9462 wifi card. This seems to have been covered in previous posts here.
> >
> > Any pointers on the right course of action? I haven’t yet set up mail on
> you can replace it with a supported chip or you can use a USB wireless
> chip. See supported devices in here: https://man.openbsd.org/urtwn
> Asus USB-N10 works for me.
> > the laptop so can’t include a dmesg. Will do once possible.
> >
> > BR, Andreas
athn(4) and Atheros AR9462
Hi!

I just installed OpenBSD 6.5 on an Acer Aspire 5 laptop I got, and realised after some googling that there is no driver available for the Atheros AR9462 wifi card. This seems to have been covered in previous posts here.

Any pointers on the right course of action? I haven’t yet set up mail on the laptop so can’t include a dmesg. Will do once possible.

BR, Andreas
Anyone got stickers for sale?
Hi! Please forgive a very non-technical question: Does anyone in the list have spare OpenBSD and/or RUN BSD stickers for sale (to Sweden)? I recently changed jobs and failed to move stickers from one laptop to another. Feel very naked now. Poor me. In any case, TGIF. /Andreas
Looking for discussions/threads on TLS v 1.3 (in OpenBSD context)
Hi all! Just out of curious interest, I've been googling a bit to find discussions or threads related to TLS 1.3, what "you guys" think of it, and what benefits and drawbacks it brings to the OpenBSD world. However, I'm either unlucky or a poor googler, because I can't seem to find any. If you know of any, I'd be grateful if you could point me in the right direction. Kind regards, Andreas
Re: help understanding ikectl error messages
Thanks Stuart for replies! I can confirm that I could proceed without issues on 6.2-current. :-)

BR, Andreas

On Mon, 15 Jan 2018 at 10:31, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2018/01/15 06:35, Andreas Thulin wrote:
> > Sorry, my bad!
> >
> > 6.2-stable. And after sending my e-mail, I found a post about this issue, that ended up in
> > ikeca.c (?) having been patched on 8 November last year to resolve the same issue, I believe. I
> > have installed 6.2-current on another machine to figure out if that solves the problem.
> >
> > BR, Andreas
>
> Thanks - -current should fix this. (I did think that it had been fixed
> before 6.2 which is why I asked about the version, but yes it looks like
> this one wasn't fixed until 8 Nov).
Re: help understanding ikectl error messages
Sorry, my bad!

6.2-stable. And after sending my e-mail, I found a post about this issue, that ended up in ikeca.c (?) having been patched on 8 November last year to resolve the same issue, I believe. I have installed 6.2-current on another machine to figure out if that solves the problem.

BR, Andreas

On Sun, 14 Jan 2018 at 23:03, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2018-01-09, Andreas Thulin <andreasthu...@gmail.com> wrote:
> > Hi!
> >
> > Following the example on https://man.openbsd.org/ikectl, I
> >
> > # ikectl ca test create
> > ...and then
> > # ikectl ca test certificate sub.domain.com create
> > ...filled out "the form", but after that...
> > Using configuration from /etc/ssl/test/sub.domain.com-ssl.cnf
> > Check that the request matches the signature
> > Signature ok
> > The Subject's Distinguished Name is as follows
> > countryName :PRINTABLE:'SE'
> > organizationName :ASN.1 12:'cppm'
> > commonName:ASN.1 12:'sub.domain.com'
> > emailAddress :IA5STRING:'webmas...@domain.com'
> > ERROR: adding extensions in section x509v3_FQDN
> > 2198743120:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> > 2198743120:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=DNS:
> > 2198743120:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=DNS:
> >
> > I'm probably doing something stupid, so if anyone can point me in the right
> > direction, that would be highly appreciated.
> >
> > BR
> > Andreas
>
> Which version are you running? (See "Include important information"
> on http://www.openbsd.org/mail.html).
Re: Writing "ones" instead of "zeroes" when wiping disk
Thanks to all of you for either useful tips or good-to-read rants. :-) I’ll try out tips from Nick & Todd, let’s see where that takes me.

BR, Andreas

On Fri, 12 Jan 2018 at 05:22, Todd C. Miller wrote:
> On Thu, 11 Jan 2018 22:09:32 -0500, "trondd" wrote:
>
> > A 1 is too narrow to fully cover the original data.
>
> You need to use an 8 to wipe out all seven segments.
>
> - todd
Writing "ones" instead of "zeroes" when wiping disk
Hi!

Again, an ignorant question (as usual): How might I do something similar to

# dd if=/dev/one of=/dev/sd0 bs=1M

as a complement to the usual and well-described

# dd if=/dev/zero of=/dev/sd0 bs=1M

followed by

# dd if=/dev/urandom of=/dev/sd0 bs=1M

in order to achieve paranoid disk-wiping?

BR
Andreas
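There is no /dev/one device, so a stream of 0xFF bytes has to be made from /dev/zero. The script below is an added example, not from the thread; it writes to a regular file so the pass can be read back and verified, and the device path in the comment is illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: OpenBSD has no /dev/one, so a stream of
# 0xFF bytes is produced by translating /dev/zero with tr(1). For a whole disk
# the pipeline would be run as root with the raw device as the target, e.g.
#   tr '\0' '\377' < /dev/zero | dd of=/dev/rsd0c bs=1m
# Here the output goes to a regular file so the result can be verified.
export LC_ALL=C   # make tr(1) work on raw bytes, not multibyte characters

# write_ones TARGET BLOCKS: write BLOCKS 512-byte blocks of 0xFF to TARGET.
write_ones() {
    dd if=/dev/zero bs=512 count="$2" 2>/dev/null \
        | tr '\0' '\377' \
        | dd of="$1" bs=512 2>/dev/null
}

# count_non_ff FILE: print the number of bytes in FILE that are not 0xFF.
# 0 means the whole file reads back as ones.
count_non_ff() {
    tr -d '\377' < "$1" | wc -c | tr -d ' '
}

# verify_ones FILE BLOCKS: print "ok" if FILE is exactly BLOCKS*512 bytes of
# 0xFF and "mismatch" otherwise. Reading back is the only way to know the
# pass actually landed on the target.
verify_ones() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -eq $(( $2 * 512 )) ] && [ "$(count_non_ff "$1")" -eq 0 ]; then
        echo ok
    else
        echo mismatch
    fi
}
```

On an SSD an overwrite through the block device does not reliably reach every flash cell because of wear levelling, so the drive's own secure-erase command is the tool for that case.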
help understanding ikectl error messages
Hi!

Following the example on https://man.openbsd.org/ikectl, I

# ikectl ca test create
...and then
# ikectl ca test certificate sub.domain.com create
...filled out "the form", but after that...

Using configuration from /etc/ssl/test/sub.domain.com-ssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'SE'
organizationName :ASN.1 12:'cppm'
commonName:ASN.1 12:'sub.domain.com'
emailAddress :IA5STRING:'webmas...@domain.com'
ERROR: adding extensions in section x509v3_FQDN
2198743120:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
2198743120:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=DNS:
2198743120:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=DNS:

I'm probably doing something stupid, so if anyone can point me in the right direction, that would be highly appreciated.

BR
Andreas
Community-driven OpenBSD tutorials wiki?
Hi all!

Thought I'd create an OpenBSD wiki somewhere, where anyone (especially non-developers like myself) could create and edit tutorials for stuff non-developers like myself would find useful. I find that sometimes existing tutorials become outdated, and was thinking that a wiki would make updates easier.

Before I go and create anything - is there already a place similar to what I'm describing, where I could get myself involved? (I'm too junior to start suggesting changes and updates to the docs on OpenBSD.org, and I'm not sure they should be used for what I want to achieve.)

I know this comes out as yet another "let's start another project no one is asking for", but please be gentle with flaming me - I honestly want to contribute to the community to the extent of my abilities.

Cheers, Andreas
Re: Question on more concise httpd.conf setup for subdomain + https redirects
Hi!

I suppose you can script one config into ”httpd.foo.net”, another to ”httpd.bar.com” etc. and then include all individual files into httpd.conf with the keyword ”include”?

BR, Andreas

On Fri, 22 Dec 2017 at 03:39, Ryan Flannery wrote:
> Hi, I'm curious if there's a more concise/preferred way to accomplish the
> below. I'm hosting a number of sites that want to prefer https over http
> and strip any www subdomain from urls.
>
> E.g.
> www.foo.com/* -> https://foo.com/*
> https://www.foo.com/* -> https://foo.com/*
>
> I have this working (used acme-client to setup ssl - that was a breeze!)
> using the following setup, but I'm curious if there's a more
> concise/preferred way. I'll need to configure this for a number of sites,
> and would probably script the config.
>
> The first two server blocks setup the redirects, and the third is for the
> actual site.
>
> server "foo.net" {
>     alias "www.foo.net"
>     listen on * port 80
>     block return 301 "https://foo.net$REQUEST_URI"
> }
> server "www.foo.net" {
>     listen on * tls port 443
>     tls certificate "/etc/ssl/foo.net.fullchain.pem"
>     tls key "/etc/ssl/private/foo.net.key"
>     block return 301 "https://foo.net$REQUEST_URI"
> }
> server "foo.net" {
>     listen on * tls port 443
>     tls certificate "/etc/ssl/foo.net.fullchain.pem"
>     tls key "/etc/ssl/private/foo.net.key"
>     root "/htdocs/foo.net"
> }
>
> Cheers,
> -Ryan
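The scripted per-site include files suggested in the reply, as an added example that is not from the thread: each fragment carries the three server blocks from Ryan's config, and httpd.conf then needs only one include line per site. The fragment directory and the certificate, key and htdocs paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit one httpd.conf fragment per site
# (http -> https redirect, www -> bare-name redirect, and the real site) so
# that httpd.conf only needs 'include "/etc/httpd.d/<site>.conf"' per site.
# The directory and the certificate/key/htdocs paths are assumptions.

# site_fragment DOMAIN: print the httpd.conf fragment for DOMAIN on stdout.
# $REQUEST_URI is escaped so httpd, not the shell, expands it.
site_fragment() {
    d=$1
    cat <<EOF
server "$d" {
    alias "www.$d"
    listen on * port 80
    block return 301 "https://$d\$REQUEST_URI"
}
server "www.$d" {
    listen on * tls port 443
    tls certificate "/etc/ssl/$d.fullchain.pem"
    tls key "/etc/ssl/private/$d.key"
    block return 301 "https://$d\$REQUEST_URI"
}
server "$d" {
    listen on * tls port 443
    tls certificate "/etc/ssl/$d.fullchain.pem"
    tls key "/etc/ssl/private/$d.key"
    root "/htdocs/$d"
}
EOF
}

# write_fragments DIR DOMAIN...: write DIR/DOMAIN.conf for each domain and
# print the matching include lines to paste into httpd.conf.
write_fragments() {
    dir=$1
    shift
    mkdir -p "$dir"
    for d in "$@"; do
        site_fragment "$d" > "$dir/$d.conf"
        echo "include \"$dir/$d.conf\""
    done
}
```

After generating the fragments, `httpd -n` checks the combined configuration before a reload.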
Re: ikectl errors
Hi again, found this on cvsweb.openbsd.org:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/iked/ca.c?sortby=date

”In the subjectAltName comparison, the bzero before the while-loop was lost while applying the diff. This means sanid could be passed uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release() could try to release a pointer which is essentially stack garbage. While there I realized that the bzero() in the loop is essentially fatal, since every mismatch leads to a silent leak of ibufs. Since ca_x509_subjectaltname_cmp() releases and initializes the passed iked_id, we can safely call it multiple times after initializing sanid once before the loop.”

Ignorant question: Does this mean a) that I should (try and probably fail to) patch myself, b) that the change may become a syspatch, or c) that the next release will include the patch? I’m running 6.2-stable.

Thanks again for the tip!

BR, Andreas

On Thu, 2 Nov 2017 at 08:25, Andreas Thulin <andreasthu...@gmail.com> wrote:
> Ah! Thank you!
>
> BR, Andreas
> On Wed, 1 Nov 2017 at 20:36, Mike Larkin <mlar...@azathoth.net> wrote:
>
>> On Wed, Nov 01, 2017 at 09:08:08AM +, Andreas Thulin wrote:
>> > Hi!
>> >
>> > I’m trying to set up iked on machine A, to create a tunnel between machines
>> > A and B. ikectl produces errors when creating a certificate with my ”test”
>> > ca, and I have failed to understand why:
>> >
>> > # ikectl ca test certificate 192.168.1.1 create
>> > Generating RSA private key, 2048 bit long modulus
>> > ..+++
>> > ..+++
>> > e is 65537 (0x10001)
>> > You are about to be asked to enter information that will be incorporated
>> > into your certificate request.
>> > What you are about to enter is what is called a Distinguished Name or a DN.
>> > There are quite a few fields but you can leave some blank
>> > For some fields there will be a default value,
>> > If you enter '.', the field will be left blank.
>> > -
>> > Country Name (2 letter code) [DE]:
>> > State or Province Name (full name) [Lower Saxony]:
>> > Locality Name (eg, city) [Hanover]:
>> > Organization Name (eg, company) [OpenBSD]:
>> > Organizational Unit Name (eg, section) [iked]:
>> > Common Name (eg, fully qualified host name) [192.168.1.1]:
>> > Email Address [r...@openbsd.org]:
>> > Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
>> > Check that the request matches the signature
>> > Signature ok
>> > The Subject's Distinguished Name is as follows
>> > countryName :PRINTABLE:'DE'
>> > stateOrProvinceName :ASN.1 12:'Lower Saxony'
>> > localityName :ASN.1 12:'Hanover'
>> > organizationName :ASN.1 12:'OpenBSD'
>> > organizationalUnitName:ASN.1 12:'iked'
>> > commonName:ASN.1 12:'192.168.1.1'
>> > emailAddress :IA5STRING:'r...@openbsd.org'
>> > ERROR: adding extensions in section x509v3_IPAddr
>> > 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
>> > 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
>> > 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=IP:
>> > #
>> >
>> > The machine is i386 running 6.2-stable.
>> >
>> > I assume I’m doing something wrong, or have missed something in previous
>> > steps (I followed the example steps from the ikectl man page). Any tips on
>> > where to start digging/understanding/learning/fixing would be highly
>> > appreciated.
>> >
>> > BR, Andreas
>>
>> Search the archives, there's a diff to fix this from Oct 25 or so, but it
>> has not been committed yet.
>>
>> -ml
Re: ikectl errors
Ah! Thank you!

BR, Andreas

On Wed, 1 Nov 2017 at 20:36, Mike Larkin <mlar...@azathoth.net> wrote:
> On Wed, Nov 01, 2017 at 09:08:08AM +, Andreas Thulin wrote:
> > Hi!
> >
> > I’m trying to set up iked on machine A, to create a tunnel between machines
> > A and B. ikectl produces errors when creating a certificate with my ”test”
> > ca, and I have failed to understand why:
> >
> > # ikectl ca test certificate 192.168.1.1 create
> > Generating RSA private key, 2048 bit long modulus
> > ..+++
> > ..+++
> > e is 65537 (0x10001)
> > You are about to be asked to enter information that will be incorporated
> > into your certificate request.
> > What you are about to enter is what is called a Distinguished Name or a DN.
> > There are quite a few fields but you can leave some blank
> > For some fields there will be a default value,
> > If you enter '.', the field will be left blank.
> > -
> > Country Name (2 letter code) [DE]:
> > State or Province Name (full name) [Lower Saxony]:
> > Locality Name (eg, city) [Hanover]:
> > Organization Name (eg, company) [OpenBSD]:
> > Organizational Unit Name (eg, section) [iked]:
> > Common Name (eg, fully qualified host name) [192.168.1.1]:
> > Email Address [r...@openbsd.org]:
> > Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
> > Check that the request matches the signature
> > Signature ok
> > The Subject's Distinguished Name is as follows
> > countryName :PRINTABLE:'DE'
> > stateOrProvinceName :ASN.1 12:'Lower Saxony'
> > localityName :ASN.1 12:'Hanover'
> > organizationName :ASN.1 12:'OpenBSD'
> > organizationalUnitName:ASN.1 12:'iked'
> > commonName:ASN.1 12:'192.168.1.1'
> > emailAddress :IA5STRING:'r...@openbsd.org'
> > ERROR: adding extensions in section x509v3_IPAddr
> > 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> > 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
> > 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=IP:
> > #
> >
> > The machine is i386 running 6.2-stable.
> >
> > I assume I’m doing something wrong, or have missed something in previous
> > steps (I followed the example steps from the ikectl man page). Any tips on
> > where to start digging/understanding/learning/fixing would be highly
> > appreciated.
> >
> > BR, Andreas
>
> Search the archives, there's a diff to fix this from Oct 25 or so, but it
> has not been committed yet.
>
> -ml
ikectl errors
Hi!

I’m trying to set up iked on machine A, to create a tunnel between machines A and B. ikectl produces errors when creating a certificate with my ”test” ca, and I have failed to understand why:

# ikectl ca test certificate 192.168.1.1 create
Generating RSA private key, 2048 bit long modulus
..+++
..+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Lower Saxony]:
Locality Name (eg, city) [Hanover]:
Organization Name (eg, company) [OpenBSD]:
Organizational Unit Name (eg, section) [iked]:
Common Name (eg, fully qualified host name) [192.168.1.1]:
Email Address [r...@openbsd.org]:
Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
stateOrProvinceName :ASN.1 12:'Lower Saxony'
localityName :ASN.1 12:'Hanover'
organizationName :ASN.1 12:'OpenBSD'
organizationalUnitName:ASN.1 12:'iked'
commonName:ASN.1 12:'192.168.1.1'
emailAddress :IA5STRING:'r...@openbsd.org'
ERROR: adding extensions in section x509v3_IPAddr
2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
2226969360:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=IP:
#

The machine is i386 running 6.2-stable.

I assume I’m doing something wrong, or have missed something in previous steps (I followed the example steps from the ikectl man page). Any tips on where to start digging/understanding/learning/fixing would be highly appreciated.

BR, Andreas
Re: Need help setting http headers using relayd (and httpd)
Hi again!

So, read the book as suggested, got relayd working, headers set, HTTP methods blocked just like I wanted (on my "test" box). However, when starting to use TLS-by-relayd rather than by httpd, it seems I lost OCSP stapling support. Does relayd.conf understand a line like

tls ocsp "/etc/ssl/pejorative.andreasthulin.se.ocsp"

or are there other ways of resolving this?

Cheers, Andreas

--- httpd.conf ---
# $OpenBSD: httpd.conf,v 1.14 2015/02/04 08:39:35 florian Exp $
# Made from /etc/examples/httpd.conf 2015-03-19
# --

# Include MIME types instead of the built-in ones
types {
    include "/usr/share/misc/mime.types"
}

# pejorative.andreasthulin.se - HTTP
server "pejorative.andreasthulin.se" {
    listen on * port 8080
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
    log syslog
}

# pejorative.andreasthulin.se - HTTPS
server "pejorative.andreasthulin.se" {
    hsts subdomains
    listen on * tls port 8082
    tls certificate "/etc/ssl/pejorative.andreasthulin.se.fullchain.pem"
    tls key "/etc/ssl/private/pejorative.andreasthulin.se.key"
    tls ocsp "/etc/ssl/pejorative.andreasthulin.se.ocsp"
    root "/htdocs/andreasthulin.se"
    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
    directory { index "index.php" }
    log syslog
}

--- relayd.conf ---
# $OpenBSD: relayd.conf,v 1.3 2014/12/12 10:05:09 reyk Exp $
# /etc/relayd.conf 2017-10-12

table { 127.0.0.1 }
ext_ip = "192.168.1.40"

http protocol https {
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
    return error
    block method CONNECT
    block method DELETE
    block method HEAD
    block method OPTIONS
    block method PUT
    match response header remove "X-Powered-By"
    match response header set "X-Bogus-Header" value "False"
    match response header set "X-Frame-Options" value "deny"
    match response header set "X-Content-Type-Options" value "nosniff"
    match response header set "X-XSS-Protection" value "1; mode=block"
    match response header append "Content-Security-Policy" value "default-src 'none'"
    match response header append "Content-Security-Policy" value "script-src 'self'"
    match response header append "Content-Security-Policy" value "style-src 'self'"
    match response header append "Content-Security-Policy" value "img-src 'self'"
    match response header append "Content-Security-Policy" value "connect-src 'self'"
    match response header append "Content-Security-Policy" value "frame-ancestors 'none'"
}

relay "tlsforward" {
    listen on $ext_ip port 4433 tls
    protocol https
    forward with tls to port 8082 mode loadbalance check tcp
}

On Fri, 13 Oct 2017 at 09:28, Andreas Thulin <andreasthu...@gmail.com> wrote:
> Thank you, I just bought the Kindle version. :-)
>
> BR, Andreas
> On Fri, 13 Oct 2017 at 02:16, Bryan Harris <bryanlhar...@gmail.com> wrote:
>
>> There is a book called relayd and httpd. I think it has what you need.
>>
>> V/r,
>> Bryan
>>
>> > On Oct 12, 2017, at 1:33 PM, Andreas Thulin <andreasthu...@gmail.com> wrote:
>> >
>> > Hi!
>> >
>> > Before anything, thanks for yet another awesome OpenBSD release! I’ll
>> > extend my gratitude into the pockets of the Foundation and finally donate
>> > this time.
>> >
>> > Then:
>> >
>> > I’m a relayd virgin. Consider all the following a lab exercise, I want to
>> > learn and understand more.
>> >
>> > My target:
>> > Understanding how to score an A+ on the htbridge web server security test.
>> > https://www.htbridge.com/websec/?id=BT1UmswV
>> >
>> > First objective:
>> > Set HTTP headers, such as
>> >
>> > CONTENT-SECURITY-POLICY
>> > X-CONTENT-TYPE-OPTIONS
>> > X-XSS-PROTECTION
>> >
>> > using relayd (since httpd can’t help out here).
>> >
>> > Assumptions etc:
>> > - I suppose only https traffic is in scope, since all http traffic is
>> > redirected to https.
>> > - Both httpd and relayd are (will be) run on the same 6.2 machine.
>> > - httpd runs just fine and scores an A+ on the htbridge TLS Server Test
>> > more or less out of the box. The web server test, however, was a
>> > disappointing F. :-)
>> >
>> > I’m only a mortal, so simply reading the relayd.conf man page and do some
>> > trial-and-error has so far only made me go all CAPS. I seek examples (of
>> > something similar to the above use-case), a guide, tutorial, or even a
>> > how-to to make this happen. I can learn all the config options and settings
>> > afterwards, and keep tweaking and understanding.
>> >
>> > Anyone?
>> >
>> > Humbly,
>> > Andreas
Re: Need help setting http headers using relayd (and httpd)
Thank you, I just bought the Kindle version. :-)

BR, Andreas

On Fri, 13 Oct 2017 at 02:16, Bryan Harris <bryanlhar...@gmail.com> wrote:
> There is a book called relayd and httpd. I think it has what you need.
>
> V/r,
> Bryan
>
> > On Oct 12, 2017, at 1:33 PM, Andreas Thulin <andreasthu...@gmail.com> wrote:
> >
> > Hi!
> >
> > Before anything, thanks for yet another awesome OpenBSD release! I’ll
> > extend my gratitude into the pockets of the Foundation and finally donate
> > this time.
> >
> > Then:
> >
> > I’m a relayd virgin. Consider all the following a lab exercise, I want to
> > learn and understand more.
> >
> > My target:
> > Understanding how to score an A+ on the htbridge web server security test.
> > https://www.htbridge.com/websec/?id=BT1UmswV
> >
> > First objective:
> > Set HTTP headers, such as
> >
> > CONTENT-SECURITY-POLICY
> > X-CONTENT-TYPE-OPTIONS
> > X-XSS-PROTECTION
> >
> > using relayd (since httpd can’t help out here).
> >
> > Assumptions etc:
> > - I suppose only https traffic is in scope, since all http traffic is
> > redirected to https.
> > - Both httpd and relayd are (will be) run on the same 6.2 machine.
> > - httpd runs just fine and scores an A+ on the htbridge TLS Server Test
> > more or less out of the box. The web server test, however, was a
> > disappointing F. :-)
> >
> > I’m only a mortal, so simply reading the relayd.conf man page and do some
> > trial-and-error has so far only made me go all CAPS. I seek examples (of
> > something similar to the above use-case), a guide, tutorial, or even a
> > how-to to make this happen. I can learn all the config options and settings
> > afterwards, and keep tweaking and understanding.
> >
> > Anyone?
> >
> > Humbly,
> > Andreas
Need help setting http headers using relayd (and httpd)
Hi!

Before anything, thanks for yet another awesome OpenBSD release! I’ll extend my gratitude into the pockets of the Foundation and finally donate this time.

Then:

I’m a relayd virgin. Consider all the following a lab exercise, I want to learn and understand more.

My target:
Understanding how to score an A+ on the htbridge web server security test.
https://www.htbridge.com/websec/?id=BT1UmswV

First objective:
Set HTTP headers, such as

CONTENT-SECURITY-POLICY
X-CONTENT-TYPE-OPTIONS
X-XSS-PROTECTION

using relayd (since httpd can’t help out here).

Assumptions etc:
- I suppose only https traffic is in scope, since all http traffic is redirected to https.
- Both httpd and relayd are (will be) run on the same 6.2 machine.
- httpd runs just fine and scores an A+ on the htbridge TLS Server Test more or less out of the box. The web server test, however, was a disappointing F. :-)

I’m only a mortal, so simply reading the relayd.conf man page and do some trial-and-error has so far only made me go all CAPS. I seek examples (of something similar to the above use-case), a guide, tutorial, or even a how-to to make this happen. I can learn all the config options and settings afterwards, and keep tweaking and understanding.

Anyone?

Humbly,
Andreas
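A local check for the header policy this thread is after, as an added example that is not from the thread: it reads a saved HTTP response header block (such as the output of `curl -sI`) and reports which of the headers the relayd.conf earlier in the thread sets are missing, and whether X-Powered-By, which that config removes, is still present. The sample responses are constructed, not captured from a real host; Strict-Transport-Security is included because the httpd.conf `hsts` line is expected to add it.

```shell
#!/bin/sh
# Added example, not from the thread: check a saved HTTP response header block
# against the header policy from the relayd.conf above. Header names are
# matched case-insensitively, as HTTP allows, and a trailing CR (curl output
# has CRLF line endings) does not disturb the ^Name: match.
export LC_ALL=C

# Headers the relayd protocol sets, plus HSTS from httpd's "hsts" keyword.
REQUIRED="Content-Security-Policy X-Content-Type-Options X-Frame-Options X-XSS-Protection Strict-Transport-Security"
# Headers the relayd protocol removes; seeing one means the relay is bypassed
# or the rule is not applied.
FORBIDDEN="X-Powered-By"

# has_header FILE NAME: succeed if FILE contains a "NAME:" header line.
has_header() {
    grep -qi "^$2:" "$1"
}

# missing_headers FILE: print the required headers FILE lacks, one per line.
missing_headers() {
    for h in $REQUIRED; do
        has_header "$1" "$h" || echo "$h"
    done
}

# leaked_headers FILE: print the forbidden headers FILE still carries.
leaked_headers() {
    for h in $FORBIDDEN; do
        has_header "$1" "$h" && echo "$h"
    done
    return 0
}

# header_grade FILE: "pass" when nothing is missing or leaked, else "fail".
header_grade() {
    if [ -z "$(missing_headers "$1")" ] && [ -z "$(leaked_headers "$1")" ]; then
        echo pass
    else
        echo fail
    fi
}

# Constructed sample responses (not captured from a real server), so the
# script runs stand-alone. GOOD matches the policy; BAD is what an httpd
# reached directly on its backend port would look like.
GOOD=$(mktemp)
BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'none'; script-src 'self'
x-content-type-options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block

EOF
cat > "$BAD" <<'EOF'
HTTP/1.1 200 OK
X-Powered-By: PHP/7.0.16
Content-Security-Policy: default-src 'self'

EOF
```

Point it at `curl -sI` output from both the relay port and the httpd backend port: the backend should fail the check and the relay should pass, which confirms the rules are applied where clients actually connect.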
Re: (Possibly OT) Trouble installing kanboard
Ah. Awesome, thank you!

BR, Andreas

On Tue, 12 Sep 2017 at 16:14, Martijn van Duren <openbsd+m...@list.imperialat.at> wrote:
> On 09/12/17 15:38, Andreas Thulin wrote:
> > Hi all!
> >
> > This may be OT, and if so I apologise (and appreciate being pushed in the
> > right direction). I'm trying to install and run kanboard (
> > https://kanboard.net) on my 6.1-stable amd64 VPS using httpd + php 7.0.16 +
> > php-fpm-7.0.
> >
> > At first, the web GUI installer complained (Internal Error: PHP extension
> > required: "gd"), so I installed php-gd, and
> >
> > # rcctl restart php70_fpm
> > as well as
> > # rcctl restart httpd
> >
> > but I still get the same error message. My php_info() page claims I have gd
> > ("shared", whatever that means) support.
> Extensions aren't loaded in by default.
>
> # cp /etc/php-7.0.sample/gd.ini /etc/php-7.0
> # rcctl restart php70_fpm
> >
> > There are a few different components involved here, so I'm not sure where
> > to start trouble-shooting. Any pointers would help.
> >
> > BR
> > Andreas
> >
>
> martijn@
(Possibly OT) Trouble installing kanboard
Hi all!

This may be OT, and if so I apologise (and appreciate being pushed in the right direction). I'm trying to install and run kanboard (https://kanboard.net) on my 6.1-stable amd64 VPS using httpd + php 7.0.16 + php-fpm-7.0.

At first, the web GUI installer complained (Internal Error: PHP extension required: "gd"), so I installed php-gd, and

# rcctl restart php70_fpm
as well as
# rcctl restart httpd

but I still get the same error message. My php_info() page claims I have gd ("shared", whatever that means) support.

There are a few different components involved here, so I'm not sure where to start trouble-shooting. Any pointers would help.

BR
Andreas
Re: ftp.eu.openbsd.org no longer accepts anonymous ftp?
Also, yesterday's

# pkg_add -u

failed for me, apparently for that same reason.

BR, Andreas

On Sat, 19 Aug 2017 at 11:06, Peter N. M. Hansteen wrote:
> About to do my few-times-a-week upgrade to the most recent snapshot for
> one of my systems earlier this week, I discovered that
> ftp.eu.openbsd.org apparently has dropped support for anonymous ftp:
>
> $ ncftp eu-openbsd
> NcFTP 3.2.6 (Dec 04, 2016) by Mike Gleason (http://www.NcFTP.com/contact/).
> Connecting to 193.156.26.18...
> > > jj-prod-obsdmirror.inet6.se FTP server ready.
> User anonymous unknown.
> > > Sleeping 20 seconds...
>
> - after a few iterations of which I Ctrl-C out and just download the
> bsd.rd over http and use that to install sets, again via http, from the
> same mirror.
>
> I don't see downloading bsd.rd only and then doing an http install as
> much of a hardship (the process takes only a few minutes total either
> way), but if the change was intentional it would probably be a good
> thing to update the relevant web pages.
>
> - Peter
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Question about httpd tls config
Ah. Thank you! :-)

On Tue, 15 Aug 2017 at 14:06, Ronan Viel <ronanv...@orange.fr> wrote:
> Hi,
>
> SSL Labs don’t like 3DES whose key length is considered 112 bits and not
> 168 bits because it may be subject to meet-in-the-middle attack.
> Remove it by adding the line below to your server definition:
> tls cipher "HIGH:!aNULL:!3DES"
>
> Ronan
>
> > On 15 Aug 2017 at 09:54, Andreas Thulin <andreasthu...@gmail.com> wrote:
> >
> > Hi!
> >
> > I run httpd on 6.1-stable (thanks to all of you who make that possible!),
> > with a pretty vanilla tls setup. When testing the server on ssllabs.com,
> > results say that
> >
> > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> >
> > is considered weak. How should I interpret that information, as you see it?
> > And shouldn't default cipher strengths be >= 128? I have probably
> > misunderstood something, so any pointers in the right direction would be
> > lovely.
> >
> > Link to my test result:
> > https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se
> >
> > My httpd.conf (which I'd like to keep very simple):
> > # www.andreasthulin.se - HTTP
> > server "www.andreasthulin.se" {
> >     alias "esoteric.andreasthulin.se"
> >     hsts subdomains
> >     listen on * port 80
> >     listen on * tls port 443
> >     tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
> >     tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
> >     root "/htdocs/andreasthulin.se"
> >     location "*.php" {
> >         fastcgi socket "/run/php-fpm.sock"
> >     }
> >     location "/.well-known/acme-challenge/*" {
> >         root "/acme"
> >         root strip 2
> >     }
> >     directory { index "index.php" }
> > }
> >
> > BR, Andreas
Question about httpd tls config
Hi!

I run httpd on 6.1-stable (thanks to all of you who make that possible!), with a pretty vanilla tls setup. When testing the server on ssllabs.com, results say that

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

is considered weak. How should I interpret that information, as you see it? And shouldn't default cipher strengths be >= 128? I have probably misunderstood something, so any pointers in the right direction would be lovely.

Link to my test result:
https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se

My httpd.conf (which I'd like to keep very simple):
# www.andreasthulin.se - HTTP
server "www.andreasthulin.se" {
    alias "esoteric.andreasthulin.se"
    hsts subdomains
    listen on * port 80
    listen on * tls port 443
    tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
    tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
    root "/htdocs/andreasthulin.se"
    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
    directory { index "index.php" }
}

BR, Andreas
Re: Openup and stable
Thanks - I do, too. My questions were more about whether _I_ can be trusted. :-)

On Sat, 25 Mar 2017 at 21:07, Maurice McCarthy wrote:
> On Sat, Mar 25, 2017 at 11:53:35AM +0100 or thereabouts, ludovic coues wrote:
> > You might have missed the email from Antoine Jacoutot about syspatch,
> > on the first december last year
> >
> > See http://man.openbsd.org/syspatch
> >
>
> The same Antoine Jacoutot also maintained openup. I believe several of the
> OpenBSD developers work for M:Tier. Therefore I think they can be trusted.
Re: Openup and stable
Fantastic, thanks for info! I'll look into syspatch, of course. :-)

BR, Andreas

On Sat, 25 Mar 2017 at 12:11, Hiltjo Posthuma <hil...@codemadness.org> wrote:
> On Sat, Mar 25, 2017 at 08:49:22AM +, Andreas Thulin wrote:
> > Hi all!
> >
>
> Hey!,
>
> > I'm running 6.0 -stable using openup for patching. I think it works very
> > well since it's so convenient. At the same time I realise there are trust
> > and security concerns with people like myself, who "blindly" install
> > patches without understanding the details. I suppose my problem is that I'm
> > not a developer and cannot make a fair assessment just by reading code, so
> > neither patch method would be secure for me. I'm the risk, so to speak.
> >
>
> I'm not familiar with openup, but the official patches are always described
> at: https://www.openbsd.org/errata60.html (for 6.0). The official patches are
> cryptographically signed.
>
> > Anyway, to my question(s): Is openup considered good or bad practice, and
> > for what reasons, as you see them? Has there ever been plans among OpenBSD
> > developers to make following -stable easier for "users" such as myself?
> >
> > I failed to find enough info about this topic in the archives, but please
> > point me in the right direction if you happen to know about applicable
> > threads.
> >
>
> OpenBSD 6.1 will have the (new) syspatch(8) tool for base system binary
> patches: http://man.openbsd.org/syspatch.8 .
>
> > Humbly,
> > Andreas
> >
>
> --
> Kind regards,
> Hiltjo
Openup and stable
Hi all!

I'm running 6.0 -stable using openup for patching. I think it works very well since it's so convenient. At the same time I realise there are trust and security concerns with people like myself, who "blindly" install patches without understanding the details. I suppose my problem is that I'm not a developer and cannot make a fair assessment just by reading code, so neither patch method would be secure for me. I'm the risk, so to speak.

Anyway, to my question(s): Is openup considered good or bad practice, and for what reasons, as you see them? Has there ever been plans among OpenBSD developers to make following -stable easier for "users" such as myself?

I failed to find enough info about this topic in the archives, but please point me in the right direction if you happen to know about applicable threads.

Humbly,
Andreas
Can I run OpenBSD on an ASUS RT-AC88U?
Hi!

Apologies in advance if this post comes out as tremendously stupid - I'm not very experienced.

I bought an ASUS RT-AC88U wireless router. Performance is great, but I lack the configurability I'm used to from working with on other boxes. Started out exploring options for making it a NAS by attaching an external HDD, and then thought I'd back that up to my friends' NAS nightly. Turns out I need to install something called optware to be able to install packages on the (presumed) minix installation, which I can reach by ssh.

At some point I thought that hey, OpenBSD is great at networking. Could I install that instead, and work with an environment I know better than a commercial web interface or crippled terminal?

So - could I?

BR Andreas
Newbie question: Proxy for appearing in Sweden for on demand streaming?
Hi all!

My mom lives in Sweden but spends loads of time in Spain. She likes the public service online TV streaming service, which cannot be watched abroad for various reasons. I thought I'd try to set up a proxy of some sort that she could turn her iPad to, and appear as if in Sweden while in fact in Spain. I live in Sweden and have a 5.8-stable box handy.

How would I do that? Can relayd help here? What do I need in terms of network setup etc? Any pointers would be appreciated (except flames).

Happy new year!
Andreas
mount smbfs (sharity-light is uncooperative)
Hi!

After some googling, I couldn't find answers to my questions so I turn to this list. Please forgive me if this is a worn-out topic etc.

- Is there a specific reason there's no "mount -t smbfs" or similar option in OpenBSD that lets me mount an smb filesystem easily, and on boot time (which fails using sharity-light)?
- Do I have other options but sharity-light to mount an smb filesystem automatically on boot?
- How is all this related to fuse and do you have any pointers to things I can read in order to understand the topic better? I'm not a developer unfortunately.

BR Andreas
Re: mount smbfs (sharity-light is uncooperative)
On Thu, Oct 22, 2015 at 2:47 PM Stuart Henderson <s...@spacehopper.org> wrote:
> On 2015-10-22, Andreas Thulin <andreasthu...@gmail.com> wrote:
> > Hi!
> >
> > After some googling, I couldn't find answers to my questions so I turn to
> > this list. Please forgive me if this is a worn-out topic etc.
> >
> >
> > - Is there a specific reason there's no "mount -t smbfs" or similar
> > option in OpenBSD that lets me mount an smb filesystem easily, and on boot
> > time (which fails using sharity-light)?
>
> Nobody's sent a diff with a suitable implementation.
>

Haha, yes that's indeed a specific reason. What I meant was "is there anything related to the focus areas of OpenBSD, such as security and stability, that argues for not having included a 'mount_smbfs' thingy?". But you're absolutely right. :-)

> > - Do I have other options but sharity-light to mount an smb filesystem
> > automatically on boot?
> > - How is all this related to fuse and do you have any pointers to things
> > I can read in order to understand the topic better? I'm not a developer
> > unfortunately.
>
> FUSE is an interface for writing a filesystem in userland code rather
> than the kernel. There are various ports providing programs doing this
> for various things (ntfs, sshfs etc), you might like to look at usmb.
> It's not perfect but may work better than sharity-light.
>

All right, thanks for the tip! I'll look into that.

Cheers, Andreas
How to create "paranoid" cipher list in httpd.conf
Hi misc readers!

This is my first attempt to ask for help using misc@openbsd.org, so please bear with me if I'm making mistakes. Also, apologies if I'm asking about something recently discussed.

I want to limit the number of tls ciphers in httpd.conf so that only strong (>128 bit) ciphers with Forward Secrecy capabilities (ECDHE) are accepted. I'm also only using TLSv1.2.

My current httpd.conf contains a line saying

tls ciphers "STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH"

which renders out "Configuration OK" with '# /usr/sbin/httpd -n'. Also, when testing that string using

# openssl ciphers -v 'STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH'

I get a nice, acceptable list of the ciphers. However, when running a server test (https://www.ssllabs.com/ssltest/analyze.html?d=andreasthulin.se), there's a much longer list of ciphers, including both non-FS and medium strength ciphers.

I'm thinking that either
1. my assumption that my httpd.conf is all dandy is wrong (highly probable),
2. SSL Labs is lying to me (improbable), or
3. there's some sort of bug in httpd (improbable).

Does anyone have any pointers?

OpenBSD 5.8-current (GENERIC) #1095: Mon Aug 24. i386.

BR Andreas
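An offline pre-deployment check for the policy the poster describes (only ECDHE suites above 128 bits), added here and not taken from the thread or from OpenBSD's httpd: it parses `openssl ciphers -v` lines, flags suites that are not forward-secret or not above the bit threshold (treating 3DES at its effective 112 bits), and can expand a cipher string with whatever TLS library Python is linked against. The sample lines are constructed; `expand_cipher_string` output varies with the local OpenSSL/LibreSSL.

```python
import re
import ssl
from typing import Dict, List, Optional

# Matches one line of `openssl ciphers -v` output, for example:
# "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)"
)

def parse_cipher_line(line: str) -> Optional[Dict]:
    """Parse one `openssl ciphers -v` line; None for blank or unparseable lines."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    c = m.groupdict()
    c["bits"] = int(c["bits"])
    # openssl prints 3DES as 168 key bits, but its effective strength is 112.
    c["effective_bits"] = 112 if c["enc"] == "3DES" else c["bits"]
    return c

def is_forward_secret(c: Dict) -> bool:
    """ECDHE suites print as Kx=ECDH; TLS 1.3 suites print Kx=any but are always (EC)DHE."""
    return c["kx"] == "ECDH" or (c["proto"] == "TLSv1.3" and c["kx"] == "any")

def policy_violations(lines: List[str], min_bits: int = 128) -> List[str]:
    """Names of suites that break the policy: not forward-secret, or not above min_bits."""
    return [
        c["name"] for c in map(parse_cipher_line, lines)
        if c is not None and (not is_forward_secret(c) or c["effective_bits"] <= min_bits)
    ]

def expand_cipher_string(cipher_string: str) -> List[str]:
    """Expand a cipher string with the local TLS library and return each suite in
    `openssl ciphers -v` form, ready for policy_violations(). Raises ssl.SSLError
    when nothing matches; the list depends on the OpenSSL/LibreSSL build in use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["description"] for c in ctx.get_ciphers()]

# Constructed sample in `openssl ciphers -v` format (not output from the poster's box).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA      SSLv3   Kx=ECDH     Au=RSA  Enc=3DES(168)   Mac=SHA1
""".splitlines()

if __name__ == "__main__":
    for name in policy_violations(SAMPLE):
        print("violates policy:", name)
```

To check a real configuration, feed `policy_violations(expand_cipher_string("..."))` the cipher string from httpd.conf; an empty list means every suite the local library would offer meets the policy.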