Relayd with TLS and non-TLS backends - bug

2020-06-11 Thread Toyam Cox
Hello Misc,

Full config at end of email.

I've discussed the below in #openbsd on freenode, and was told to come
here. At present, I have a setup where I need multiple unrelated
servers under a single IP address. I used relayd to do https
interception, read the Host header, and make decisions.

The very relevant part of my config is this:

forward to  port 80
forward with tls to  port 443

The order here does not matter (unlike most relayd configs, I know,
but I've tested in my configuration and it works).

When I have "with tls" on that second line, I see error lines like:
relay web, session 3 (1 active), 0, [redacted] -> 10.0.0.102:80, TLS
handshake error: handshake failed: error:14FFF3E7:SSL
routines:(UNKNOWN)SSL_internal:unknown failure occurred, GET:
Undefined error: 0

and, unhelpfully, relayd responds with no response. There is no
return. Or, as curl puts it: curl: (52) Empty reply from server

When I remove "with tls" then I successfully reach the http backend,
but since the https backend requires ssl, that connection no longer
works. So it seems that "with tls" affects all "forward" clauses, not
just the one to which it's attached.

I believe this to be a bug.

cat >/etc/relayd.conf <<EOF
table  { "10.0.0.101" }
table  { "10.0.0.102" }
# obviously obfuscated some values

interval 5
timeout 1000

log connection

http protocol web {
return error

match header set "X-Client-IP" value "$REMOTE_ADDR:$REMOTE_PORT"
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

http websockets
pass request quick header "Host" value "myhost.example.com" path
"/Client/*" forward to 
pass request quick header "Host" value "otherhost.example.com" forward
to 

block
}

relay web {
listen on 10.0.0.100 port 443 tls
protocol web

forward to  port 80 check http "/webservice.asmx" code 405
forward with tls to  port 443 check https
"/Client/SupportedBrowsers.html" host "myhost.example.com" code 200
}
EOF
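
The failure mode described in the post (a relay that has both a plain "forward to" and a "forward with tls to" backend, where the TLS flag ends up applying to every backend of the relay, so the plain backend answers the TLS handshake with garbage and the client gets an empty reply) is the kind of thing that is cheap to catch before reloading the daemon. The script below is an added example, not code from the post or from relayd itself: it parses relay blocks out of a relayd.conf and reports any relay whose forward statements mix the two modes, treating "with tls" as relay-wide exactly as the poster observed. The sample configuration is constructed after the one in the mail; the table names <plainhosts> and <tlshosts> are placeholders, since the original names did not survive in the archive.

```python
import re
import sys

# Constructed sample relayd.conf modelled on the one in the post. The table
# names <plainhosts> and <tlshosts> are placeholders: the real names did not
# survive in the archived mail.
SAMPLE_CONF = """\
table <plainhosts> { "10.0.0.101" }
table <tlshosts> { "10.0.0.102" }

http protocol web {
    return error
    block
}

relay web {
    listen on 10.0.0.100 port 443 tls
    protocol web

    forward to <plainhosts> port 80 check http "/webservice.asmx" code 405
    forward with tls to <tlshosts> port 443 check https \\
        "/Client/SupportedBrowsers.html" host "myhost.example.com" code 200
}

relay tlsonly {
    listen on 10.0.0.100 port 8443 tls
    protocol web
    forward with tls to <tlshosts> port 443
}
"""

RELAY_RE = re.compile(r'^\s*relay\s+"?([\w.-]+)"?\s*\{', re.M)
FORWARD_RE = re.compile(r'^\s*forward\s+(with\s+tls\s+)?to\s+<([^>]+)>', re.M)


def join_continuations(text):
    """Fold backslash-newline line continuations, as relayd's parser does."""
    return re.sub(r'\\\n\s*', ' ', text)


def relay_blocks(text):
    """Map relay name -> body text, found by counting braces from 'relay X {'."""
    blocks = {}
    for m in RELAY_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == '{':
                depth += 1
            elif text[i] == '}':
                depth -= 1
            i += 1
        blocks[m.group(1)] = text[m.end():i - 1]
    return blocks


def forwards(body):
    """List of (table, with_tls) for each forward statement in a relay body."""
    return [(m.group(2), bool(m.group(1))) for m in FORWARD_RE.finditer(body)]


def find_mixed_relays(text):
    """Relays whose forward statements mix 'with tls' and plain backends.

    Per the behaviour reported in the post, 'with tls' applies to the whole
    relay, so such a relay will try a TLS handshake against its plain
    backend too and the client sees an empty reply."""
    text = join_continuations(text)
    mixed = {}
    for name, body in relay_blocks(text).items():
        fw = forwards(body)
        if len({tls for _, tls in fw}) > 1:
            mixed[name] = fw
    return mixed


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for name, fw in find_mixed_relays(src).items():
        print(f"relay {name}: mixes TLS and plain backends: {fw}")
```

Run it with a path to a relayd.conf to check a real file, or with no arguments to see it flag the constructed "web" relay while leaving "tlsonly" alone.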



Adding An Authentication Provider

2018-09-21 Thread Toyam Cox
I am trying to hook up a different authentication provider to
OpenBSD's auth. At present, I can not find out how to "fake" the
passwd database for groups. I know that Linux and NetBSD use nss,
with tools such as nslookup and functions such as nsdispatch, but I
can't find such things for OpenBSD. Am I on a fool's errand?

Thank you.



Triggering automatic upgrade (not over network) not working

2016-07-18 Thread Toyam Cox
On my macppc, the presence of /auto_upgrade.conf doesn't actually
cause bsd.rd to pretend it's been netbooted. The file is present at
the root of my disk, under /dev/wda0. The documentation in
autoinstall(8)  says that the presence of /auto_{upgrade,install}.conf
tells bsd.rd to treat it like an autoinstall. So far my macppc boots
bsd.rd, but stays at the prompt without doing a timeout of any kind or
trying /auto_upgrade.conf, even if I do select Autoinstall at the
prompt.

If I am to put /auto_upgrade.conf in the root of the file system in
bsd.rd, how could I do so? If not, how could I use the automatic
upgrade system without netbooting?

Thank you



Re: Iked, ca_getreq: no valid local certificate found

2015-11-05 Thread Toyam Cox
This got me past that error pretty handily.

However, now it is complaining about no index.txt. The path given
doesn't help me know where to put the index.txt

Getting Private key
Using configuration from /etc/ssl/ikeca.cnf
index.txt: No such file or directory
unable to open 'index.txt'
250120122244:error:02001002:system library:fopen:No such file or
directory:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:255:fopen('index.txt',
'r')
250120122244:error:20074002:BIO routines:FILE_CTRL:system
lib:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:257:

On Thu, Nov 5, 2015 at 7:48 AM, Reyk Floeter <r...@openbsd.org> wrote:
> Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf
>
> The openssl.cnf version broke and we somehow didn't install ikeca.cnf by 
> default.
>
> Reyk
>
>> On 05.11.2015, at 08:28, Toyam Cox <aviator45...@gmail.com> wrote:
>>
>> Ho misc@,
>>
>> I have been (loosely) following the guide at
>> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
>> a roadblock.
>>
>> I have packets going between my two hosts on different networks, the
>> configuration files on both are good, and both have the ca installed.
>>
>> However on my remote host, I get (ips and hostnames redacted):
>> Nov  5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
>> request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
>> Nov  5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
>> from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
>> bytes
>> Nov  5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
>> certificate found
>>
>> This is coupled with, as I create the ca key...
>> # ikectl ca vpn1 create
>> CA passphrase:
>> Retype CA passphrase:
>> [stuff-happens-and-inputs]
>> Getting Private key
>> Using configuration from /etc/ssl/openssl.cnf
>> variable lookup failed for ca::default_ca
>> 24387713617796:error:0E06D06C:configuration file
>> routines:NCONF_get_string:no
>> value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
>> name=default_ca
>>
>> I've checked the mail logs for misc@ and found a person in August with
>> this problem, http://marc.info/?l=openbsd-misc=133675466519976=2
>>
>> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
>> Variable lookup still failed.
>>
>> Thank you for any help.



Re: Iked, ca_getreq: no valid local certificate found

2015-11-05 Thread Toyam Cox
I'm running 5.8-release.

On Thu, Nov 5, 2015 at 8:07 PM, Jonathan Gray <j...@jsg.id.au> wrote:
> Which release or snapshot are you running?  For the version of the file
> Reyk pointed you at you'll need a -current snapshot.
>
> On Thu, Nov 05, 2015 at 12:58:29PM -0500, Toyam Cox wrote:
>> This got me past that error pretty handily.
>>
>> However, now it is complaining about no index.txt. The path given
>> doesn't help me know where to put the index.txt
>>
>> Getting Private key
>> Using configuration from /etc/ssl/ikeca.cnf
>> index.txt: No such file or directory
>> unable to open 'index.txt'
>> 250120122244:error:02001002:system library:fopen:No such file or
>> directory:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:255:fopen('index.txt',
>> 'r')
>> 250120122244:error:20074002:BIO routines:FILE_CTRL:system
>> lib:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:257:
>>
>> On Thu, Nov 5, 2015 at 7:48 AM, Reyk Floeter <r...@openbsd.org> wrote:
>> > Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.
>> >
>> > http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf
>> >
>> > The openssl.cnf version broke and we somehow didn't install ikeca.cnf by 
>> > default.
>> >
>> > Reyk
>> >
>> >> On 05.11.2015, at 08:28, Toyam Cox <aviator45...@gmail.com> wrote:
>> >>
>> >> Ho misc@,
>> >>
>> >> I have been (loosely) following the guide at
>> >> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
>> >> a roadblock.
>> >>
>> >> I have packets going between my two hosts on different networks, the
>> >> configuration files on both are good, and both have the ca installed.
>> >>
>> >> However on my remote host, I get (ips and hostnames redacted):
>> >> Nov  5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
>> >> request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
>> >> Nov  5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
>> >> from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
>> >> bytes
>> >> Nov  5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
>> >> certificate found
>> >>
>> >> This is coupled with, as I create the ca key...
>> >> # ikectl ca vpn1 create
>> >> CA passphrase:
>> >> Retype CA passphrase:
>> >> [stuff-happens-and-inputs]
>> >> Getting Private key
>> >> Using configuration from /etc/ssl/openssl.cnf
>> >> variable lookup failed for ca::default_ca
>> >> 24387713617796:error:0E06D06C:configuration file
>> >> routines:NCONF_get_string:no
>> >> value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
>> >> name=default_ca
>> >>
>> >> I've checked the mail logs for misc@ and found a person in August with
>> >> this problem, http://marc.info/?l=openbsd-misc=133675466519976=2
>> >>
>> >> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
>> >> Variable lookup still failed.
>> >>
>> >> Thank you for any help.



Iked, ca_getreq: no valid local certificate found

2015-11-04 Thread Toyam Cox
Ho misc@,

I have been (loosely) following the guide at
http://puffysecurity.com/wiki/openikedoffshore.html and have run into
a roadblock.

I have packets going between my two hosts on different networks, the
configuration files on both are good, and both have the ca installed.

However on my remote host, I get (ips and hostnames redacted):
Nov  5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
Nov  5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
bytes
Nov  5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
certificate found

This is coupled with, as I create the ca key...
# ikectl ca vpn1 create
CA passphrase:
Retype CA passphrase:
[stuff-happens-and-inputs]
Getting Private key
Using configuration from /etc/ssl/openssl.cnf
variable lookup failed for ca::default_ca
24387713617796:error:0E06D06C:configuration file
routines:NCONF_get_string:no
value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
name=default_ca

I've checked the mail logs for misc@ and found a person in August with
this problem, http://marc.info/?l=openbsd-misc=133675466519976=2

Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
Variable lookup still failed.

Thank you for any help.



Re: quick question about unbound

2015-11-04 Thread Toyam Cox
The default setting for "do-not-query-localhost" is "yes".
You may want to add "do-not-query-localhost: no" to your config in the
"server" section.

On Wed, Nov 4, 2015 at 11:25 AM, Gregory Edigarov  wrote:
> Hello,
>
> Trying to make unbound and nsd co-exist on one server, the goal is to have
> unbound listen for all requests redirecting requests for local zones to nsd:
> nsd.conf
>
> server:
> server-count: 1
> database: "/var/lib/nsd3/nsd.db"
> username: nsd
> ip-address:  127.0.0.1@9053
> logfile: "/var/log/nsd.log"
> pidfile: "/var/run/nsd.pid"
> xfrdfile: "/var/lib/nsd3/xfrd.state"
>
> zone:
> name:   somezone.org
> zonefile: /etc/nsd/zones/somezone.org
>
> dig -p9053 somezone.org soa @127.0.0.1 works as expected.
>
> now unbound's turn:
>
> server:
> auto-trust-anchor-file: "/var/lib/unbound/root.key"
> interface: 0.0.0.0
> logfile: /var/log/unbound.log
>
> stub-zone:
> name:  somezone.org. # also tried without point with the same
> result...
> stub-addr: 127.0.0.1@9053
>
> dig somezone.org soa @127.0.0.1 yields SERVFAIL.
> also tried with forward-zone: - with the same result.
>
> is that at all possible? Where am I wrong?
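
The SERVFAIL in the quoted setup comes from unbound's do-not-query-localhost safeguard, which defaults to yes and refuses to send queries to 127.0.0.0/8 or ::1, so a stub-zone whose stub-addr is 127.0.0.1@9053 is never consulted. The script below is an added example, not code from the reply or from the unbound project: it parses an unbound.conf, reports stub or forward zones whose upstream is a loopback address while the server clause still has the default, and produces the corrected file with the "do-not-query-localhost: no" line added to the server section as the reply recommends. The sample configuration is constructed after the one Gregory posted.

```python
import ipaddress
import re

# Constructed unbound.conf in the shape of the one quoted in the thread:
# a stub zone that hands somezone.org to nsd on 127.0.0.1 port 9053.
SAMPLE_UNBOUND_CONF = """\
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    interface: 0.0.0.0
    logfile: /var/log/unbound.log

stub-zone:
    name: somezone.org.   # served by nsd on the same host
    stub-addr: 127.0.0.1@9053
"""

CLAUSE_RE = re.compile(r'^\s*([a-z0-9-]+):\s*$')
ATTR_RE = re.compile(r'^\s*([a-z0-9-]+):\s*(.*?)\s*$')
OVERRIDE = '    do-not-query-localhost: no'


def parse_unbound(text):
    """Return [(clause, {attr: [values]})] in file order, comments removed."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = CLAUSE_RE.match(line)
        if m:
            clauses.append((m.group(1), {}))
            continue
        m = ATTR_RE.match(line)
        if m and clauses:
            clauses[-1][1].setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return clauses


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1 upstreams, in unbound's 'addr@port' form."""
    host = addr.split('@', 1)[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def zones_blocked_by_localhost_rule(text):
    """Names of stub/forward zones whose upstream is loopback while
    do-not-query-localhost is still at its default of yes."""
    clauses = parse_unbound(text)
    server = {}
    for clause, attrs in clauses:
        if clause == 'server':
            server.update(attrs)
    if server.get('do-not-query-localhost', ['yes'])[-1].lower() == 'no':
        return []
    blocked = []
    for clause, attrs in clauses:
        if clause in ('stub-zone', 'forward-zone'):
            upstreams = attrs.get('stub-addr', []) + attrs.get('forward-addr', [])
            if any(is_loopback(a) for a in upstreams):
                blocked.append(attrs.get('name', ['?'])[0])
    return blocked


def allow_localhost_upstreams(text):
    """Return the config with 'do-not-query-localhost: no' in the server
    clause, replacing an existing setting or inserting one after 'server:'."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.split('#', 1)[0].strip().startswith('do-not-query-localhost:'):
            lines[i] = OVERRIDE
            return '\n'.join(lines) + '\n'
    for i, line in enumerate(lines):
        if line.split('#', 1)[0].strip() == 'server:':
            lines.insert(i + 1, OVERRIDE)
            return '\n'.join(lines) + '\n'
    return 'server:\n' + OVERRIDE + '\n' + text


if __name__ == "__main__":
    print("blocked zones:", zones_blocked_by_localhost_rule(SAMPLE_UNBOUND_CONF))
    print(allow_localhost_upstreams(SAMPLE_UNBOUND_CONF))
```

The check is deliberately scoped to loopback upstreams only: the default is a sane safeguard against a resolver querying itself, so the override should be added only when a local authoritative server such as nsd is genuinely listening on 127.0.0.1.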