Re: athn(4) and Atheros AR9462

2019-09-18 Thread Andreas Thulin
Thank you, perfect answer! :)

BR, Andreas

Wed 18 Sep 2019 at 13:01, Antal Ispanovity wrote:

> 2019-09-18 12:38 GMT+02:00, Andreas Thulin :
> > Hi!
> >
> > I just installed OpenBSD 6.5 on an Acer Aspire 5 laptop I got, and
> realised
> > after some googling that there is no driver available for the Atheros
> > AR9462 wifi card. This seems to have been covered in previous posts here.
> >
> > Any pointers on the right course of action? I haven’t yet set up mail on
> you can replace it with a supported chip or you can use a USB wireless
> chip. See supported devices in here: https://man.openbsd.org/urtwn
> Asus USB-N10 works for me.
> > the laptop so can’t include a dmesg. Will do once possible.
> >
> > BR, Andreas
> >
>


athn(4) and Atheros AR9462

2019-09-18 Thread Andreas Thulin
Hi!

I just installed OpenBSD 6.5 on an Acer Aspire 5 laptop I got, and realised
after some googling that there is no driver available for the Atheros
AR9462 wifi card. This seems to have been covered in previous posts here.

Any pointers on the right course of action? I haven’t yet set up mail on
the laptop so can’t include a dmesg. Will do once possible.

BR, Andreas


Anyone got stickers for sale?

2019-02-15 Thread Andreas Thulin
Hi!

Please forgive a very non-technical question: Does anyone in the list have
spare OpenBSD and/or RUN BSD stickers for sale (to Sweden)? I recently
changed jobs and failed to move stickers from one laptop to another. Feel
very naked now. Poor me.

In any case, TGIF.

/Andreas


Looking for discussions/threads on TLS v 1.3 (in OpenBSD context)

2018-05-16 Thread Andreas Thulin
Hi all!

Just out of curious interest, I've been googling a bit to find discussions
or threads related to TLS 1.3, what "you guys" think of it, and what
benefits and drawbacks it brings to the OpenBSD world. However, I'm either
unlucky or a poor googler, because I can't seem to find any. If you know of
any, I'd be grateful if you could point me in the right direction.

Kind regards,
Andreas


Re: help understanding ikectl error messages

2018-01-15 Thread Andreas Thulin
Thanks Stuart for replies! I can confirm that I could proceed without
issues on 6.2-current. :-)

BR, Andreas
Mon 15 Jan 2018 at 10:31, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2018/01/15 06:35, Andreas Thulin wrote:
> > Sorry, my bad!
> >
> > 6.2-stable. And after sending my e-mail, I found a post about this
> issue, that ended up in
> > ikeca.c (?) having been patched on 8 November last year to resolve the
> same issue, I believe. I
> > have installed 6.2-current on another machine to figure out if that
> solves the problem.
> >
> > BR, Andreas
>
> Thanks - -current should fix this. (I did think that it had been fixed
> before 6.2 which is why I asked about the version, but yes it looks like
> this one wasn't fixed until 8 Nov).
>
>


Re: help understanding ikectl error messages

2018-01-14 Thread Andreas Thulin
Sorry, my bad!

6.2-stable. And after sending my e-mail, I found a post about this issue,
that ended up in ikeca.c (?) having been patched on 8 November last year to
resolve the same issue, I believe. I have installed 6.2-current on another
machine to figure out if that solves the problem.

BR, Andreas
Sun 14 Jan 2018 at 23:03, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2018-01-09, Andreas Thulin <andreasthu...@gmail.com> wrote:
> > Hi!
> >
> > Following the example on https://man.openbsd.org/ikectl, I
> >
> > # ikectl ca test create
> > ...and then
> > # ikectl ca test certificate sub.domain.com create
> > ...filled out "the form", but after that...
> > Using configuration from /etc/ssl/test/sub.domain.com-ssl.cnf
> > Check that the request matches the signature
> > Signature ok
> > The Subject's Distinguished Name is as follows
> > countryName   :PRINTABLE:'SE'
> > organizationName  :ASN.1 12:'cppm'
> > commonName:ASN.1 12:'sub.domain.com'
> > emailAddress  :IA5STRING:'webmas...@domain.com'
> > ERROR: adding extensions in section x509v3_FQDN
> > 2198743120:error:22FFF06D:X509 V3 routines:func(4095):invalid null
> > value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> > 2198743120:error:22FFF069:X509 V3 routines:func(4095):invalid extension
> >
> string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=DNS:
> > 2198743120:error:22FFF080:X509 V3 routines:func(4095):error in
> > extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
> > value=DNS:
> >
> > I'm probably doing something stupid, so if anyone can point me in the
> right
> > direction, that would be highly appreciated.
> >
> > BR
> > Andreas
> >
>
> Which version are you running? (See "Include important information"
> on http://www.openbsd.org/mail.html).
>
>
>


Re: Writing "ones" instead of "zeroes" when wiping disk

2018-01-12 Thread Andreas Thulin
Thanks to all of you for either useful tips or good-to-read rants. :-) I’ll
try out tips from Nick & Todd, let’s see where that takes me.

BR, Andreas
Fri 12 Jan 2018 at 05:22, Todd C. Miller wrote:

> On Thu, 11 Jan 2018 22:09:32 -0500, "trondd" wrote:
>
> > A 1 is too narrow to fully cover the original data.
>
> You need to use an 8 to wipe out all seven segments.
>
>  - todd
>
>


Writing "ones" instead of "zeroes" when wiping disk

2018-01-11 Thread Andreas Thulin
Hi!

Again, an ignorant question (as usual):

How might I do something similar to

# dd if=/dev/one of=/dev/sd0 bs=1M

as a complement to the usual and well-described

# dd if=/dev/zero of=/dev/sd0 bs=1M

followed by

# dd if=/dev/urandom of=/dev/sd0 bs=1M

in order to achieve paranoid disk-wiping?

BR
Andreas


help understanding ikectl error messages

2018-01-09 Thread Andreas Thulin
Hi!

Following the example on https://man.openbsd.org/ikectl, I

# ikectl ca test create
...and then
# ikectl ca test certificate sub.domain.com create
...filled out "the form", but after that...
Using configuration from /etc/ssl/test/sub.domain.com-ssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName   :PRINTABLE:'SE'
organizationName  :ASN.1 12:'cppm'
commonName:ASN.1 12:'sub.domain.com'
emailAddress  :IA5STRING:'webmas...@domain.com'
ERROR: adding extensions in section x509v3_FQDN
2198743120:error:22FFF06D:X509 V3 routines:func(4095):invalid null
value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
2198743120:error:22FFF069:X509 V3 routines:func(4095):invalid extension
string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=DNS:
2198743120:error:22FFF080:X509 V3 routines:func(4095):error in
extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
value=DNS:

I'm probably doing something stupid, so if anyone can point me in the right
direction, that would be highly appreciated.

BR
Andreas


Community-driven OpenBSD tutorials wiki?

2018-01-04 Thread Andreas Thulin
Hi all!

Thought I'd create an OpenBSD wiki somewhere, where anyone (especially
non-developers like myself) could create and edit tutorials for stuff
non-developers like myself would find useful. I find that sometimes
existing tutorials become outdated, and was thinking that a wiki would make
updates easier.

Before I go and create anything - is there already a place similar to what
I'm describing, where I could get myself involved? (I'm too junior to start
suggesting changes and updates to the docs on OpenBSD.org, and I'm not sure
they should be used for what I want to achieve.)

I know this comes out as yet another "let's start another project no one is
asking for", but please be gentle with flaming me - I honestly want to
contribute to the community to the extent of my abilities.

Cheers,
Andreas


Re: Question on more concise httpd.conf setup for subdomain + https redirects

2017-12-22 Thread Andreas Thulin
Hi!

I suppose you can script one config into "httpd.foo.net", another to
"httpd.bar.com" etc. and then include all individual files into httpd.conf
with the keyword "include"?

BR, Andreas

Fri 22 Dec 2017 at 03:39, Ryan Flannery wrote:

> Hi, I'm curious if there's a more concise/preferred way to accomplish the
> below. I'm hosting a number of sites that want to prefer https over http
> and strip any www subdomain from urls.
>
> E.g.
> www.foo.com/* -> https://foo.com/*
> https://www.foo.com/* -> https://foo.com/*
>
> I have this working (used acme-client to setup ssl - that was a breeze!)
> using the following setup, but I'm curious if there's a more
> concise/preferred way. I'll need to configure this for a number of sites,
> and would probably script the config.
>
> The first two server blocks setup the redirects, and the third is for the
> actual site.
>
> server "foo.net" {
>alias "www.foo.net"
>listen on * port 80
>block return 301 "https://foo.net$REQUEST_URI"
> }
> server "www.foo.net" {
>listen on * tls port 443
>tls certificate "/etc/ssl/foo.net.fullchain.pem"
>tls key "/etc/ssl/private/foo.net.key"
>block return 301 "https://foo.net$REQUEST_URI"
> }
> server "foo.net" {
>listen on * tls port 443
>tls certificate "/etc/ssl/foo.net.fullchain.pem"
>tls key "/etc/ssl/private/foo.net.key"
>root "/htdocs/foo.net"
> }
>
> Cheers,
> -Ryan
>


Re: ikectl errors

2017-11-02 Thread Andreas Thulin
Hi again,

found this on cvsweb.openbsd.org:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/iked/ca.c?sortby=date

”In the subjectAltName comparison, the bzero before the while-loop was
lost while applying the diff. This means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop.”

Ignorant question: Does this mean a) that I should (try and probably fail
to) patch myself, b) that the change may become a syspatch, or c) that the
next release will include the patch? I’m running 6.2-stable.

Thanks again for the tip!

BR, Andreas


Thu 2 Nov 2017 at 08:25, Andreas Thulin <andreasthu...@gmail.com> wrote:

> Ah! Thank you!
>
> BR, Andreas
> Wed 1 Nov 2017 at 20:36, Mike Larkin <mlar...@azathoth.net> wrote:
>
>> On Wed, Nov 01, 2017 at 09:08:08AM +, Andreas Thulin wrote:
>> > Hi!
>> >
>> > I’m trying to set up iked on machine A, to create a tunnel between
>> machines
>> > A and B. ikectl produces errors when creating a certificate with my
>> ”test”
>> > ca, and I have failed to understand why:
>> >
>> > # ikectl ca test certificate 192.168.1.1 create
>> > Generating RSA private key, 2048 bit long modulus
>> > ..+++
>> > ..+++
>> > e is 65537 (0x10001)
>> > You are about to be asked to enter information that will be incorporated
>> > into your certificate request.
>> > What you are about to enter is what is called a Distinguished Name or a
>> DN.
>> > There are quite a few fields but you can leave some blank
>> > For some fields there will be a default value,
>> > If you enter '.', the field will be left blank.
>> > -
>> > Country Name (2 letter code) [DE]:
>> > State or Province Name (full name) [Lower Saxony]:
>> > Locality Name (eg, city) [Hanover]:
>> > Organization Name (eg, company) [OpenBSD]:
>> > Organizational Unit Name (eg, section) [iked]:
>> > Common Name (eg, fully qualified host name) [192.168.1.1]:
>> > Email Address [r...@openbsd.org]:
>> > Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
>> > Check that the request matches the signature
>> > Signature ok
>> > The Subject's Distinguished Name is as follows
>> > countryName   :PRINTABLE:'DE'
>> > stateOrProvinceName   :ASN.1 12:'Lower Saxony'
>> > localityName  :ASN.1 12:'Hanover'
>> > organizationName  :ASN.1 12:'OpenBSD'
>> > organizationalUnitName:ASN.1 12:'iked'
>> > commonName:ASN.1 12:'192.168.1.1'
>> > emailAddress  :IA5STRING:'r...@openbsd.org'
>> > ERROR: adding extensions in section x509v3_IPAddr
>> > 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null
>> > value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
>> > 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension
>> >
>> string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
>> > 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in
>> >
>> extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
>> > value=IP:
>> > #
>> >
>> > The machine is i386 running 6.2-stable.
>> >
>> > I assume I’m doing something wrong, or have missed something in previous
>> > steps (I followed the example steps from the ikectl man page). Any tips
>> on
>> > where to start digging/understanding/learning/fixing would be highly
>> > appreciated.
>> >
>> > BR, Andreas
>>
>> Search the archives, there's a diff to fix this from Oct 25 or so, but it
>> has not been committed yet.
>>
>> -ml
>>
>


Re: ikectl errors

2017-11-02 Thread Andreas Thulin
Ah! Thank you!

BR, Andreas
Wed 1 Nov 2017 at 20:36, Mike Larkin <mlar...@azathoth.net> wrote:

> On Wed, Nov 01, 2017 at 09:08:08AM +, Andreas Thulin wrote:
> > Hi!
> >
> > I’m trying to set up iked on machine A, to create a tunnel between
> machines
> > A and B. ikectl produces errors when creating a certificate with my
> ”test”
> > ca, and I have failed to understand why:
> >
> > # ikectl ca test certificate 192.168.1.1 create
> > Generating RSA private key, 2048 bit long modulus
> > ..+++
> > ..+++
> > e is 65537 (0x10001)
> > You are about to be asked to enter information that will be incorporated
> > into your certificate request.
> > What you are about to enter is what is called a Distinguished Name or a
> DN.
> > There are quite a few fields but you can leave some blank
> > For some fields there will be a default value,
> > If you enter '.', the field will be left blank.
> > -
> > Country Name (2 letter code) [DE]:
> > State or Province Name (full name) [Lower Saxony]:
> > Locality Name (eg, city) [Hanover]:
> > Organization Name (eg, company) [OpenBSD]:
> > Organizational Unit Name (eg, section) [iked]:
> > Common Name (eg, fully qualified host name) [192.168.1.1]:
> > Email Address [r...@openbsd.org]:
> > Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
> > Check that the request matches the signature
> > Signature ok
> > The Subject's Distinguished Name is as follows
> > countryName   :PRINTABLE:'DE'
> > stateOrProvinceName   :ASN.1 12:'Lower Saxony'
> > localityName  :ASN.1 12:'Hanover'
> > organizationName  :ASN.1 12:'OpenBSD'
> > organizationalUnitName:ASN.1 12:'iked'
> > commonName:ASN.1 12:'192.168.1.1'
> > emailAddress  :IA5STRING:'r...@openbsd.org'
> > ERROR: adding extensions in section x509v3_IPAddr
> > 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null
> > value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> > 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension
> >
> string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
> > 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in
> > extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
> > value=IP:
> > #
> >
> > The machine is i386 running 6.2-stable.
> >
> > I assume I’m doing something wrong, or have missed something in previous
> > steps (I followed the example steps from the ikectl man page). Any tips
> on
> > where to start digging/understanding/learning/fixing would be highly
> > appreciated.
> >
> > BR, Andreas
>
> Search the archives, there's a diff to fix this from Oct 25 or so, but it
> has not been committed yet.
>
> -ml
>


ikectl errors

2017-11-01 Thread Andreas Thulin
Hi!

I’m trying to set up iked on machine A, to create a tunnel between machines
A and B. ikectl produces errors when creating a certificate with my ”test”
ca, and I have failed to understand why:

# ikectl ca test certificate 192.168.1.1 create
Generating RSA private key, 2048 bit long modulus
..+++
..+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Lower Saxony]:
Locality Name (eg, city) [Hanover]:
Organization Name (eg, company) [OpenBSD]:
Organizational Unit Name (eg, section) [iked]:
Common Name (eg, fully qualified host name) [192.168.1.1]:
Email Address [r...@openbsd.org]:
Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName   :PRINTABLE:'DE'
stateOrProvinceName   :ASN.1 12:'Lower Saxony'
localityName  :ASN.1 12:'Hanover'
organizationName  :ASN.1 12:'OpenBSD'
organizationalUnitName:ASN.1 12:'iked'
commonName:ASN.1 12:'192.168.1.1'
emailAddress  :IA5STRING:'r...@openbsd.org'
ERROR: adding extensions in section x509v3_IPAddr
2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null
value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension
string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
2226969360:error:22FFF080:X509 V3 routines:func(4095):error in
extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
value=IP:
#

The machine is i386 running 6.2-stable.

I assume I’m doing something wrong, or have missed something in previous
steps (I followed the example steps from the ikectl man page). Any tips on
where to start digging/understanding/learning/fixing would be highly
appreciated.

BR, Andreas
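
The last libcrypto error line above ends in `name=subjectAltName,value=IP:`: a GeneralName type with nothing after the colon, which matches the first line's "invalid null value" (the January 2018 "help understanding ikectl error messages" thread shows the same shape with `value=DNS:`). As an added example that is not part of the thread or of ikectl/LibreSSL, here is a parser for that error-queue line format with a check for exactly this condition; the sample input is the ikectl output quoted in this thread with the mail wrapping undone.

```python
"""Parse libcrypto (LibreSSL/OpenSSL) error-queue lines such as the ones
ikectl printed, and name what the subjectAltName error is complaining about.

Added example, not part of the thread or of ikectl/LibreSSL. It assumes the
line shape libcrypto's ERR_print_errors() emits:

    <thread>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:<extra>

<extra> is free text that may itself contain colons (here it is
"name=subjectAltName,value=IP:"), so a line is split into at most nine fields.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The ikectl output quoted in the thread, with the mail client's line wrapping undone.
IKECTL_OUTPUT = """\
Signature ok
ERROR: adding extensions in section x509v3_IPAddr
2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
2226969360:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,value=IP:
"""


@dataclass
class LibcryptoError:
    thread: str
    code: str
    library: str
    function: str
    reason: str
    file: str
    line: int
    extra: str
    # key=value pairs from <extra>, e.g. {"name": "subjectAltName", "value": "IP:"}
    params: Dict[str, str] = field(default_factory=dict)


def parse_error_line(line: str) -> Optional[LibcryptoError]:
    """Return the parsed record, or None for lines that are not error-queue entries."""
    parts = line.strip().split(":", 8)
    if len(parts) != 9 or parts[1] != "error" or not parts[7].isdigit():
        return None
    thread, _, code, lib, func, reason, fname, lineno, extra = parts
    params: Dict[str, str] = {}
    for item in extra.split(","):          # the <extra> values seen here contain no commas
        key, sep, value = item.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return LibcryptoError(thread, code, lib, func, reason, fname, int(lineno), extra, params)


def parse_output(text: str) -> List[LibcryptoError]:
    """Collect every error-queue entry from a block of tool output."""
    return [e for e in (parse_error_line(l) for l in text.splitlines()) if e is not None]


def diagnose_san(errors: List[LibcryptoError]) -> Optional[str]:
    """If an extension error names subjectAltName with a GeneralName that has a
    type but no value (e.g. "IP:" or "DNS:"), say so; an empty value is what
    the accompanying "invalid null value" line refers to."""
    for err in errors:
        if err.params.get("name") != "subjectAltName" or "value" not in err.params:
            continue
        kind, _, value = err.params["value"].partition(":")
        if value == "":
            return f"subjectAltName entry of type {kind} has an empty value ({err.params['value']!r})"
    return None


if __name__ == "__main__":
    errs = parse_output(IKECTL_OUTPUT)
    for e in errs:
        print(f"{e.code} {e.reason!r} at {e.file}:{e.line} {e.params}")
    print(diagnose_san(errs))
```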


Re: Need help setting http headers using relayd (and httpd)

2017-10-27 Thread Andreas Thulin
Hi again!

So, read the book as suggested, got relayd working, headers set, HTTP
methods blocked just like I wanted (on my "test" box). However, when
starting to use TLS-by-relayd rather than by httpd, it seems I lost OCSP
stapling support. Does relayd.conf understand a line like

tls ocsp "/etc/ssl/pejorative.andreasthulin.se.ocsp"

or are there other ways of resolving this?

Cheers,
Andreas

--- httpd.conf ---

# $OpenBSD: httpd.conf,v 1.14 2015/02/04 08:39:35 florian Exp $
# Made from /etc/examples/httpd.conf 2015-03-19

# --

# Include MIME types instead of the built-in ones
types {
include "/usr/share/misc/mime.types"
}

# pejorative.andreasthulin.se - HTTP
server "pejorative.andreasthulin.se" {
listen on * port 8080
block return 301 "https://$SERVER_NAME$REQUEST_URI"
log syslog
}

# pejorative.andreasthulin.se - HTTPS
server "pejorative.andreasthulin.se" {
hsts subdomains
listen on * tls port 8082
tls certificate "/etc/ssl/pejorative.andreasthulin.se.fullchain.pem"
tls key "/etc/ssl/private/pejorative.andreasthulin.se.key"
tls ocsp "/etc/ssl/pejorative.andreasthulin.se.ocsp"
root "/htdocs/andreasthulin.se"
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
location "/.well-known/acme-challenge/*" {
root "/acme"
root strip 2
}
directory { index "index.php" }
log syslog
}

--- relayd.conf ---

# $OpenBSD: relayd.conf,v 1.3 2014/12/12 10:05:09 reyk Exp $

# /etc/relayd.conf 2017-10-12

table  { 127.0.0.1 }
ext_ip = "192.168.1.40"

http protocol https {
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
return error
block method CONNECT
block method DELETE
block method HEAD
block method OPTIONS
block method PUT
match response header remove "X-Powered-By"
match response header set "X-Bogus-Header" value "False"
match response header set "X-Frame-Options" value "deny"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "X-XSS-Protection" value "1; mode=block"
match response header append "Content-Security-Policy" value
"default-src 'none'"
match response header append "Content-Security-Policy" value
"script-src 'self'"
match response header append "Content-Security-Policy" value "style-src
'self'"
match response header append "Content-Security-Policy" value "img-src
'self'"
match response header append "Content-Security-Policy" value
"connect-src 'self'"
match response header append "Content-Security-Policy" value
"frame-ancestors 'none'"
}

relay "tlsforward" {
listen on $ext_ip port 4433 tls
protocol https
forward with tls to  port 8082 mode loadbalance check tcp
}

Fri 13 Oct 2017 at 09:28, Andreas Thulin <andreasthu...@gmail.com> wrote:

> Thank you, I just bought the Kindle version. :-)
>
> BR, Andreas
> Fri 13 Oct 2017 at 02:16, Bryan Harris <bryanlhar...@gmail.com> wrote:
>
>> There is a book called relayd and httpd. I think it has what you need.
>>
>> V/r,
>> Bryan
>>
>>
>>
>> > On Oct 12, 2017, at 1:33 PM, Andreas Thulin <andreasthu...@gmail.com>
>> wrote:
>> >
>> > Hi!
>> >
>> > Before anything, thanks for yet another awesome OpenBSD release! I’ll
>> > extend my gratitude into the pockets of the Foundation and finally
>> donate
>> > this time.
>> >
>> > Then:
>> >
>> > I’m a relayd virgin. Consider all the following a lab exercise, I want
>> to
>> > learn and understand more.
>> >
>> > My target:
>> > Understanding how to score an A+ on the htbridge web server security
>> test.
>> > https://www.htbridge.com/websec/?id=BT1UmswV
>> >
>> > First objective:
>> > Set HTTP headers, such as
>> >
>> > CONTENT-SECURITY-POLICY
>> > X-CONTENT-TYPE-OPTIONS
>> > X-XSS-PROTECTION
>> >
>> > using relayd (since httpd can’t help out here).
>> >
>> > Assumptions etc:
>> > - I suppose only https traffic is in scope, since all http traffic is
>> > redirected to https.
>> > - Both httpd and relayd are (will be) run on the same 6.2 machine.
>> > - httpd runs just fine and scores an A+ on the htbridge TLS Server Test
>> > more or less out of the box. The web server test, however, was a
>> > disappointing F. :-)
>> >
>> > I’m only a mortal, so simply reading the relayd.conf man page and doing
>> > some trial-and-error has so far only made me go all CAPS. I seek examples
>> > (of something similar to the above use-case), a guide, tutorial, or even a
>> > how-to to make this happen. I can learn all the config options and
>> > settings afterwards, and keep tweaking and understanding.
>> >
>> > Anyone?
>> >
>> > Humbly,
>> > Andreas
>>
>
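
The relayd.conf above assembles the Content-Security-Policy from six separate `append` statements. How the browser reads the result depends on whether the directives arrive as one policy (separated by `;`) or as a comma-joined list, which the CSP specification treats as several independent policies that must each allow a load; under the latter, the leading `default-src 'none'` on its own blocks the site's scripts and stylesheets. The following added example, not from the thread or from relayd, is a small CSP evaluator that shows the difference on those two header shapes; the page origin and resource URLs are constructed.

```python
"""Evaluate a Content-Security-Policy header value the way a browser does, to
show why it matters whether directives reach the client as ONE policy
(separated by ';') or as SEVERAL policies (separated by ',').

Added example, not part of the thread or of relayd. Only the subset needed
here is implemented: fetch directives with default-src fallback, the sources
'self', 'none', '*' and exact host-sources, and frame-ancestors (which has
no fallback). The page origin and resource URLs are constructed.
"""
from typing import Dict, List
from urllib.parse import urlsplit

Policy = Dict[str, List[str]]

# Directives that fall back to default-src when a policy does not set them.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src"}

PAGE = "https://pejorative.andreasthulin.se"   # constructed page origin

# The six directives from the relayd.conf, written as one policy ...
ONE_POLICY = ("default-src 'none'; script-src 'self'; style-src 'self'; "
              "img-src 'self'; connect-src 'self'; frame-ancestors 'none'")
# ... and as a comma-joined list, which the CSP spec reads as six independent policies.
SIX_POLICIES = ONE_POLICY.replace(";", ",")


def parse_header(value: str) -> List[Policy]:
    """'p1,p2' is a list of policies; each policy is 'directive src...; directive src...'."""
    policies: List[Policy] = []
    for raw_policy in value.split(","):
        policy: Policy = {}
        for raw_directive in raw_policy.split(";"):
            tokens = raw_directive.split()
            if tokens:
                policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
        if policy:
            policies.append(policy)
    return policies


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    if source == "'self'":
        return _origin(url) == page_origin.lower()
    if source == "*":
        return True
    if source.startswith("'"):            # 'none', 'unsafe-inline', nonces, hashes: never match a URL
        return False
    src = source.lower()
    if "://" not in src:                  # scheme-less host-source: approximated with the page's scheme
        src = f"{urlsplit(page_origin).scheme}://{src}"
    s, o = urlsplit(src), urlsplit(url)
    return (s.scheme == o.scheme and s.hostname == o.hostname
            and (s.port is None or s.port == o.port))


def policy_allows(policy: Policy, directive: str, url: str, page_origin: str) -> bool:
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True                        # this policy says nothing about the load
    if not sources or sources == ["'none'"]:
        return False
    return any(_source_matches(s, url, page_origin) for s in sources)


def allows(header: str, directive: str, url: str, page_origin: str = PAGE) -> bool:
    """A load is permitted only if every policy in the header permits it."""
    return all(policy_allows(p, directive, url, page_origin) for p in parse_header(header))


if __name__ == "__main__":
    for label, header in (("one policy", ONE_POLICY), ("six policies", SIX_POLICIES)):
        print(f"{label}: own script allowed = {allows(header, 'script-src', PAGE + '/app.js')}")
```

Which of the two shapes relayd actually emits is best confirmed on the wire, for instance by looking at the raw response headers a client receives from the relay.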


Re: Need help setting http headers using relayd (and httpd)

2017-10-13 Thread Andreas Thulin
Thank you, I just bought the Kindle version. :-)

BR, Andreas
Fri 13 Oct 2017 at 02:16, Bryan Harris <bryanlhar...@gmail.com> wrote:

> There is a book called relayd and httpd. I think it has what you need.
>
> V/r,
> Bryan
>
>
>
> > On Oct 12, 2017, at 1:33 PM, Andreas Thulin <andreasthu...@gmail.com>
> wrote:
> >
> > Hi!
> >
> > Before anything, thanks for yet another awesome OpenBSD release! I’ll
> > extend my gratitude into the pockets of the Foundation and finally donate
> > this time.
> >
> > Then:
> >
> > I’m a relayd virgin. Consider all the following a lab exercise, I want to
> > learn and understand more.
> >
> > My target:
> > Understanding how to score an A+ on the htbridge web server security
> test.
> > https://www.htbridge.com/websec/?id=BT1UmswV
> >
> > First objective:
> > Set HTTP headers, such as
> >
> > CONTENT-SECURITY-POLICY
> > X-CONTENT-TYPE-OPTIONS
> > X-XSS-PROTECTION
> >
> > using relayd (since httpd can’t help out here).
> >
> > Assumptions etc:
> > - I suppose only https traffic is in scope, since all http traffic is
> > redirected to https.
> > - Both httpd and relayd are (will be) run on the same 6.2 machine.
> > - httpd runs just fine and scores an A+ on the htbridge TLS Server Test
> > more or less out of the box. The web server test, however, was a
> > disappointing F. :-)
> >
> > I’m only a mortal, so simply reading the relayd.conf man page and doing
> > some trial-and-error has so far only made me go all CAPS. I seek examples
> > (of something similar to the above use-case), a guide, tutorial, or even a
> > how-to to make this happen. I can learn all the config options and
> > settings afterwards, and keep tweaking and understanding.
> >
> > Anyone?
> >
> > Humbly,
> > Andreas
>


Need help setting http headers using relayd (and httpd)

2017-10-12 Thread Andreas Thulin
Hi!

Before anything, thanks for yet another awesome OpenBSD release! I’ll
extend my gratitude into the pockets of the Foundation and finally donate
this time.

Then:

I’m a relayd virgin. Consider all the following a lab exercise, I want to
learn and understand more.

My target:
Understanding how to score an A+ on the htbridge web server security test.
https://www.htbridge.com/websec/?id=BT1UmswV

First objective:
Set HTTP headers, such as

CONTENT-SECURITY-POLICY
X-CONTENT-TYPE-OPTIONS
X-XSS-PROTECTION

using relayd (since httpd can’t help out here).

Assumptions etc:
- I suppose only https traffic is in scope, since all http traffic is
redirected to https.
- Both httpd and relayd are (will be) run on the same 6.2 machine.
- httpd runs just fine and scores an A+ on the htbridge TLS Server Test
more or less out of the box. The web server test, however, was a
disappointing F. :-)

I’m only a mortal, so simply reading the relayd.conf man page and doing some
trial-and-error has so far only made me go all CAPS. I seek examples (of
something similar to the above use-case), a guide, tutorial, or even a
how-to to make this happen. I can learn all the config options and settings
afterwards, and keep tweaking and understanding.

Anyone?

Humbly,
Andreas


Re: (Possibly OT) Trouble installing kanboard

2017-09-12 Thread Andreas Thulin
Ah. Awesome, thank you!

BR, Andreas
Tue 12 Sep 2017 at 16:14, Martijn van Duren <openbsd+m...@list.imperialat.at> wrote:

> On 09/12/17 15:38, Andreas Thulin wrote:
> > Hi all!
> >
> > This may be OT, and if so I apologise (and appreciate being pushed in the
> > right direction). I'm trying to install and run kanboard (
> > https://kanboard.net) on my 6.1-stable amd64 VPS using httpd + php
> 7.0.16 +
> > php-fpm-7.0.
> >
> > At first, the web GUI installer complained (Internal Error: PHP extension
> > required: "gd"), so I installed php-gd, and
> >
> > # rcctl restart php70_fpm
> > as well as
> > # rcctl restart httpd
> >
> > but I still get the same error message. My php_info() page claims I have
> gd
> > ("shared", whatever that means) support.
> Extensions aren't loaded in by default.
>
> # cp /etc/php-7.0.sample/gd.ini /etc/php-7.0
> # rcctl restart php70_fpm
> >
> > There are a few different components involved here, so I'm not sure where
> > to start trouble-shooting. Any pointers would help.
> >
> > BR
> > Andreas
> >
>
> martijn@
>


(Possibly OT) Trouble installing kanboard

2017-09-12 Thread Andreas Thulin
Hi all!

This may be OT, and if so I apologise (and appreciate being pushed in the
right direction). I'm trying to install and run kanboard (
https://kanboard.net) on my 6.1-stable amd64 VPS using httpd + php 7.0.16 +
php-fpm-7.0.

At first, the web GUI installer complained (Internal Error: PHP extension
required: "gd"), so I installed php-gd, and

# rcctl restart php70_fpm
as well as
# rcctl restart httpd

but I still get the same error message. My php_info() page claims I have gd
("shared", whatever that means) support.

There are a few different components involved here, so I'm not sure where
to start trouble-shooting. Any pointers would help.

BR
Andreas


Re: ftp.eu.openbsd.org no longer accepts anonymous ftp?

2017-08-19 Thread Andreas Thulin
Also, yesterday's

# pkg_add -u

failed for me, apparently for that same reason.

BR, Andreas
Sat 19 Aug 2017 at 11:06, Peter N. M. Hansteen wrote:

> About to do my few-times-a-week upgrade to the most recent snapshot for
> one of my systems earlier this week, I discovered that
> ftp.eu.openbsd.org apparently has dropped support for anonymous ftp:
>
> $ ncftp eu-openbsd
> NcFTP 3.2.6 (Dec 04, 2016) by Mike Gleason (http://www.NcFTP.com/contact/
> ).
> Connecting to 193.156.26.18...
>
>
> jj-prod-obsdmirror.inet6.se FTP server ready.
> User anonymous unknown.
>
>
> Sleeping 20 seconds...
>
> - after a few iterations of which I Ctrl-C out and just download the
> bsd.rd over http and use that to install sets, again via http, from the
> same mirror.
>
> I don't see downloading bsd.rd only and then doing an http install as
> much of a hardship (the process takes only a few minutes total either
> way), but if the change was intentional it would probably be a good
> thing to update the relevant web pages.
>
> - Peter
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>


Re: Question about httpd tls config

2017-08-15 Thread Andreas Thulin
Ah. Thank you! :-)
Tue 15 Aug 2017 at 14:06, Ronan Viel <ronanv...@orange.fr> wrote:

> Hi,
>
> SSL Labs doesn't like 3DES, whose key length is considered 112 bits and not
> 168 bits because it may be subject to a meet-in-the-middle attack.
> Remove it by adding the line below to your server definition:
> tls ciphers "HIGH:!aNULL:!3DES"
>
> Ronan
>
> > On 15 Aug 2017 at 09:54, Andreas Thulin <andreasthu...@gmail.com> wrote:
> >
> > Hi!
> >
> > I run httpd on 6.1-stable (thanks to all of you who make that possible!),
> > with a pretty vanilla tls setup. When testing the server on ssllabs.com,
> > results say that
> >
> > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> >
> > is considered weak. How should I interpret that information, as you see
> it?
> > And shouldn't default cipher strengths be >= 128? I have probably
> > misunderstood something, so any pointers in the right direction would be
> > lovely.
> >
> > Link to my test result:
> > https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se
> >
> > My httpd.conf (which I'd like to keep very simple):
> > # www.andreasthulin.se - HTTP
> > server "www.andreasthulin.se" {
> >alias "esoteric.andreasthulin.se"
> >hsts subdomains
> >listen on * port 80
> >listen on * tls port 443
> >tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
> >tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
> >root "/htdocs/andreasthulin.se"
> >location "*.php" {
> >fastcgi socket "/run/php-fpm.sock"
> >}
> >location "/.well-known/acme-challenge/*" {
> >root "/acme"
> >root strip 2
> >}
> >directory { index "index.php" }
> > }
> >
> > BR, Andreas
>
>


Question about httpd tls config

2017-08-15 Thread Andreas Thulin
Hi!

I run httpd on 6.1-stable (thanks to all of you who make that possible!),
with a pretty vanilla tls setup. When testing the server on ssllabs.com,
results say that

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

is considered weak. How should I interpret that information, as you see it?
And shouldn't default cipher strengths be >= 128? I have probably
misunderstood something, so any pointers in the right direction would be
lovely.

Link to my test result:
https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se

My httpd.conf (which I'd like to keep very simple):
# www.andreasthulin.se - HTTP
server "www.andreasthulin.se" {
alias "esoteric.andreasthulin.se"
hsts subdomains
listen on * port 80
listen on * tls port 443
tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
root "/htdocs/andreasthulin.se"
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
location "/.well-known/acme-challenge/*" {
root "/acme"
root strip 2
}
directory { index "index.php" }
}

BR, Andreas


Re: Openup and stable

2017-03-27 Thread Andreas Thulin
Thanks - I do, too. My questions were more about whether _I_ can be
trusted. :-)
Sat 25 Mar 2017 at 21:07, Maurice McCarthy wrote:

> On Sat, Mar 25, 2017 at 11:53:35AM +0100 or thereabouts, ludovic coues
> wrote:
> > You might have missed the email from Antoine Jacoutot about syspatch,
> > on the first december last year
> >
> > See http://man.openbsd.org/syspatch
> >
>
> The same Antoine Jacoutot also maintained openup. I believe several of the
> OpenBSD developers work for M:Tier. Therefore I think they can be trusted.



Re: Openup and stable

2017-03-25 Thread Andreas Thulin
Fantastic, thanks for the info! I'll look into syspatch, of course. :-)

BR, Andreas
On Sat, 25 Mar 2017 at 12:11, Hiltjo Posthuma <hil...@codemadness.org> wrote:

> On Sat, Mar 25, 2017 at 08:49:22AM +, Andreas Thulin wrote:
> > Hi all!
> >
>
> Hey!,
>
> > I'm running 6.0 -stable using openup for patching. I think it works very
> > well since it's so convenient. At the same time I realise there are trust
> > and security concerns with people like myself, who "blindly" install
> > patches without understanding the details. I suppose my problem is that I'm
> > not a developer and cannot make a fair assessment just by reading code, so
> > neither patch method would be secure for me. I'm the risk, so to speak.
> >
>
> I'm not familiar with openup, but the official patches are always described
> at: https://www.openbsd.org/errata60.html (for 6.0). The official patches
> are
> cryptographically signed.
>
> > Anyway, to my question(s): Is openup considered good or bad practice, and
> > for what reasons, as you see them? Have there ever been plans among OpenBSD
> > developers to make following -stable easier for "users" such as myself?
> >
> > I failed to find enough info about this topic in the archives, but please
> > point me in the right direction if you happen to know about applicable
> > threads.
> >
>
> OpenBSD 6.1 will have the (new) syspatch(8) tool for base system binary
> patches: http://man.openbsd.org/syspatch.8 .
>
> > Humbly,
> > Andreas
> >
>
> --
> Kind regards,
> Hiltjo



Openup and stable

2017-03-25 Thread Andreas Thulin
Hi all!

I'm running 6.0 -stable using openup for patching. I think it works very
well since it's so convenient. At the same time I realise there are trust
and security concerns with people like myself, who "blindly" install
patches without understanding the details. I suppose my problem is that I'm
not a developer and cannot make a fair assessment just by reading code, so
neither patch method would be secure for me. I'm the risk, so to speak.

Anyway, to my question(s): Is openup considered good or bad practice, and
for what reasons, as you see them? Have there ever been plans among OpenBSD
developers to make following -stable easier for "users" such as myself?

I failed to find enough info about this topic in the archives, but please
point me in the right direction if you happen to know about applicable
threads.

Humbly,
Andreas



Can I run OpenBSD on an ASUS RT-AC88U?

2017-01-09 Thread Andreas Thulin
Hi!

Apologies in advance if this post comes out as tremendously stupid - I'm not
very experienced.

I bought an ASUS RT-AC88U wireless router. Performance is great, but I lack
the configurability I'm used to from working on other boxes. Started
out exploring options for making it a NAS by attaching an external HDD, and
then thought I'd back that up to my friends' NAS nightly. Turns out I need
to install something called optware to be able to install packages on the
(presumed) minix installation, which I can reach by ssh.

At some point I thought that hey, OpenBSD is great at networking. Could I
install that instead, and work with an environment I know better than a
commercial web interface or crippled terminal?

So - could I?

BR
Andreas



Newbie question: Proxy for appearing in Sweden for on demand streaming?

2016-01-04 Thread Andreas Thulin
Hi all!

My mom lives in Sweden but spends loads of time in Spain. She likes the
public service online TV streaming service, which cannot be watched abroad
for various reasons. I thought I'd try to set up a proxy of some sort that
she could turn her iPad to, and appear as if in Sweden while in fact in
Spain. I live in Sweden and have a 5.8-stable box handy.

How would I do that? Can relayd help here? What do I need in terms of
network setup etc?

Any pointers would be appreciated (except flames).

Happy new year!
Andreas



mount smbfs (sharity-light is uncooperative)

2015-10-22 Thread Andreas Thulin
Hi!

After some googling, I couldn't find answers to my questions so I turn to
this list. Please forgive me if this is a worn-out topic etc.


   - Is there a specific reason there's no "mount -t smbfs" or similar
     option in OpenBSD that lets me mount an smb filesystem easily, and on boot
     time (which fails using sharity-light)?
   - Do I have other options but sharity-light to mount an smb filesystem
     automatically on boot?
   - How is all this related to fuse and do you have any pointers to things
     I can read in order to understand the topic better? I'm not a developer
     unfortunately.

BR
Andreas



Re: mount smbfs (sharity-light is uncooperative)

2015-10-22 Thread Andreas Thulin
On Thu, Oct 22, 2015 at 2:47 PM Stuart Henderson <s...@spacehopper.org>
wrote:

> On 2015-10-22, Andreas Thulin <andreasthu...@gmail.com> wrote:
> > Hi!
> >
> > After some googling, I couldn't find answers to my questions so I turn to
> > this list. Please forgive me if this is a worn-out topic etc.
> >
> >
> >    - Is there a specific reason there's no "mount -t smbfs" or similar
> >    option in OpenBSD that lets me mount an smb filesystem easily, and on boot
> >    time (which fails using sharity-light)?
>
> Nobody's sent a diff with a suitable implementation.
>
>
Haha, yes that's indeed a specific reason. What I meant was "is there
anything related to the focus areas of OpenBSD, such as security and
stability, that argues for not having included a 'mount_smbfs' thingy?".
But you're absolutely right. :-)


> >    - Do I have other options but sharity-light to mount an smb filesystem
> >    automatically on boot?
> >    - How is all this related to fuse and do you have any pointers to things
> >    I can read in order to understand the topic better? I'm not a developer
> >    unfortunately.
>
> FUSE is an interface for writing a filesystem in userland code rather
> than the kernel. There are various ports providing programs doing this
> for various things (ntfs, sshfs etc), you might like to look at usmb.
> It's not perfect but may work better than sharity-light.
>

All right, thanks for the tip! I'll look into that.

Cheers,
Andreas



How to create "paranoid" cipher list in httpd.conf

2015-09-01 Thread Andreas Thulin
Hi misc readers!

This is my first attempt to ask for help using misc@openbsd.org, so please
bear with me if I'm making mistakes. Also, apologies if I'm asking about
something recently discussed.

I want to limit the number of tls ciphers in httpd.conf so that only
strong (>128 bit) ciphers with Forward Secrecy capabilities (ECDHE) are
accepted. I'm also only using TLSv1.2.

My current httpd.conf contains a line saying

tls ciphers "STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH"

which renders out "Configuration OK" with '# /usr/sbin/httpd -n'.
Also, when testing that string using

# openssl ciphers -v 'STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH'

I get a nice, acceptable list of the ciphers. However, when running a
server test
(https://www.ssllabs.com/ssltest/analyze.html?d=andreasthulin.se),
there's a much longer list of ciphers, including both non-FS and medium
strength ciphers.

I'm thinking that either

   1. my assumption that my httpd.conf is all dandy is wrong (highly
      probable),
   2. SSL Labs is lying to me (improbable), or
   3. there's some sort of bug in httpd (improbable).

Does anyone have any pointers?

OpenBSD 5.8-current (GENERIC) #1095: Mon Aug 24. i386.

BR
Andreas
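Added example, not code from the list or from OpenBSD's httpd: a small Python audit that parses lines in the format `openssl ciphers -v` prints (the command used in the cipher-list post above) and reports which suites fail an ECDHE-only, at-least-128-bit, AEAD policy. The sample lines are constructed; the third one is the 3DES suite that SSL Labs flagged in the 2017 httpd tls post, and the check shows why its nominal 168 bits do not make it strong.

```python
import re
# Constructed sample in the format "openssl ciphers -v" prints; not output from
# the author's server. Line 3 is TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA in OpenSSL naming.
SAMPLE_CIPHERS = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
"""

LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+"
                     r"Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

# Ciphers whose nominal key length in Enc=...(bits) overstates real strength.
LEGACY_ENC = {
    "3DES": "64-bit block and ~112-bit effective security despite 168 nominal bits",
    "RC4": "broken stream cipher",
    "DES": "56-bit key",
}

def parse_cipher_line(line):
    """Split one 'openssl ciphers -v' line into its fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an 'openssl ciphers -v' line: %r" % line)
    c = m.groupdict()
    c["algo"] = c["enc"].split("(")[0]
    bits = re.search(r"\((\d+)\)", c["enc"])
    c["bits"] = int(bits.group(1)) if bits else None  # LibreSSL prints no bits for ChaCha20
    return c

def policy_violations(c):
    """Reasons a parsed suite fails an ECDHE-only, >=128-bit, AEAD policy."""
    reasons = []
    if c["kx"] != "ECDH":
        reasons.append("no forward secrecy (Kx=%s)" % c["kx"])
    if c["algo"] in LEGACY_ENC:
        reasons.append("%s: %s" % (c["algo"], LEGACY_ENC[c["algo"]]))
    elif c["bits"] is not None and c["bits"] < 128:
        reasons.append("key shorter than 128 bits")
    if c["mac"] != "AEAD":
        reasons.append("non-AEAD cipher (Mac=%s)" % c["mac"])
    return reasons

def audit(text):
    """Map suite name -> list of violations; an empty list means the suite passes."""
    return {c["name"]: policy_violations(c) for c in
            (parse_cipher_line(l) for l in text.splitlines() if l.strip())}
```

To audit a real cipher string, feed `audit()` the stdout of `openssl ciphers -v '<your spec>'` instead of the constructed sample; the result says which suites a `tls ciphers` line still admits that the policy would reject.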