Re: ldapd and The Diffie Hellman prime sent by the server is not acceptable

2013-01-19 Thread Vadim Agarkov

Hello!

Debian's (as well as Ubuntu's) openldap client is linked against the GnuTLS 
library, in contrast to the OpenBSD one, which is linked against the openssl 
library. Recent GnuTLS versions have stricter settings: they won't 
allow DH params with 512 bits or less, and OpenBSD's ldapd daemon uses 
512-bit DH params. There is a function gnutls_dh_set_prime_bits which 
overrides the default GnuTLS settings, but it looks like it is not supported 
by the openldap client yet.


Here are some links regarding GnuTLS problem:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196117

The good fix for this would be setting DH params with strong (more 
than 512) bits on the ldapd server side, but it is not possible with the 
current version of ldapd:


http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ldapd/ssl.c?rev=1.4;content-type=text%2Fplain

There is a hardcoded 512-bit DH value, as you can see. It would be 
nice if there were an option to set DH params like there is in OpenSMTPD (or 
at least set the default DH size to 1024 bits, as it is now in the same 
OpenSMTPD):


http://www.opensmtpd.org/smtpd.conf.5.html

Host certificates may be used for these connections, and are searched 
for in the /etc/mail/certs directory. If certificate is specified, a 
certificate name.crt, a key name.key, a certificate authority 
name.ca and Diffie-Hellman parameters name.dh are searched for. If 
no certificate is specified, the default interface name is instead used, 
for example fxp0.crt, fxp0.key, fxp0.ca, and fxp0.dh. If no DH 
parameters are provided, smtpd will use built-in parameters. Creation of 
certificates is documented in starttls(8).


http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl.c?rev=1.51;content-type=text%2Fplain


As for now, the only real workaround I see is either to allow 
insecure LDAP connections or to use a third-party tool like stunnel: it has 
default DH params with long enough primes and can also be set to use 
your own custom DH params file.


JFYI, you can check the DH params returned by the server using the gnutls-cli 
utility. For example, things should look like the following for 
2048-bit DH params:

=
$ gnutls-cli -s -p 636 ldap.your_cool_server.net
Resolving 'ldap.your_cool_server.net'...
Connecting to 'XX:636'...

- Simple Client Mode:

click ctrl+d
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2048 bits
 - Secret key: 2047 bits
 - Peer's public key: 2048 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
...
=


Hope that sheds some light on this problem..

P.S. I CC'ed ldapd developers in order to have some hope this might be 
fixed one day..


---
thanks,
VA

On 2011-01-21 19:21, Joel Carnat wrote:

Hello,

On a Ubuntu Linux 8.04 machine, I can't query my OpenBSD 4.9 
ldapd(8).

It works from the local OpenBSD and from a remote NetBSD server.
All machines have the CA file installed in the OpenSSL directory
and the ldap.conf file configured to use that particular CA file.

Here's what I get on the Linux box:
$ ldapsearch -d 1 -x -H ldaps://ldap.tumfatig.net -D
cn=email,dc=tumfatig,dc=net \
-W -b ou=users,dc=tumfatig,dc=net mail=j...@carnat.net
ldap_url_parse_ext(ldaps://ldap.tumfatig.net)
ldap_create
ldap_url_parse_ext(ldaps://ldap.tumfatig.net:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.tumfatig.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.50:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: The Diffie Hellman prime sent by the server is
not acceptable \
(not long enough)..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Not sure if that matters, but the OpenBSD's openssl.cnf (which was
used to generate and sign the CA and certificate files) contains:
default_bits = 4096

Is there a way to tell ldapd(8) to use a bigger DH value ?

TIA,
  Jo
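The gnutls-cli check above is easy to eyeball once, but a small parser makes it repeatable. This is an added example, not code from the thread or from ldapd; it reads the "Ephemeral Diffie-Hellman parameters" block of gnutls-cli output and grades the prime size. The 512-bit rejection threshold is the GnuTLS behaviour described in the post; the 1024-bit minimum is an assumption taken from the OpenSMTPD default mentioned above, and both samples are constructed, not captured from a real server.

```python
import re

# Constructed sample of gnutls-cli handshake output (format as shown in the thread).
SAMPLE_2048 = """\
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2048 bits
 - Secret key: 2047 bits
 - Peer's public key: 2048 bits
- Certificate type: X.509
"""

# Constructed sample of what a server with ldapd's hardcoded 512-bit group would show.
SAMPLE_512 = """\
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 512 bits
 - Secret key: 511 bits
 - Peer's public key: 512 bits
- Certificate type: X.509
"""

# Matches the three indented " - <label>: N bits" lines of the DHE block.
DH_LINE = re.compile(
    r"^\s*-\s*(Using prime|Secret key|Peer's public key):\s*(\d+)\s*bits", re.M
)
LABELS = {"Using prime": "prime", "Secret key": "secret", "Peer's public key": "peer_public"}


def parse_dh_params(output):
    """Return {'prime': n, 'secret': n, 'peer_public': n}; empty dict if no DHE block."""
    return {LABELS[label]: int(bits) for label, bits in DH_LINE.findall(output)}


def check_dh(output, min_bits=1024):
    """Grade the server's DH prime: 'reject', 'weak', 'ok' or 'unknown' plus a reason."""
    params = parse_dh_params(output)
    if "prime" not in params:
        # No ephemeral DH block at all (e.g. a non-DHE key exchange was negotiated).
        return "unknown", "no ephemeral DH parameters in handshake output"
    p = params["prime"]
    if p <= 512:
        return "reject", f"{p}-bit prime: refused by recent GnuTLS clients (<= 512 bits)"
    if p < min_bits:
        return "weak", f"{p}-bit prime: below the assumed {min_bits}-bit minimum"
    return "ok", f"{p}-bit prime meets the {min_bits}-bit minimum"


if __name__ == "__main__":
    for sample in (SAMPLE_2048, SAMPLE_512):
        print(check_dh(sample))
```

Feed it the saved output of `gnutls-cli -s -p 636 host` (or the stderr of the ldapsearch debug run) to get the same verdict the GnuTLS-linked client applies.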




Re: Does relayd(8) support TLS Server Name Initiation?

2012-04-11 Thread Vadim Agarkov
Interesting question for me too.. SNI is already supported by OpenSSL 
starting from version 0.9.8f and later, pound supports it from version 
2.6 - which is not in packages yet (still 2.5 there), nginx in packages 
seems to support it (not sure how it is in practice). Would be 
cool if relayd(8) had such a feature... But I don't see any info regarding 
this on the internet. Maybe somebody can shed some light on this?


thanks,
VA

On 23.09.2010 19:31, Christopher Dukes wrote:

And if not is support planned?
I'd like to make use of relayd's relays for URL based filtering of https
requests.  I already know for SSL2 I'm stuck to 1 IP address per cert.
A scan of the relayd.conf(5) and ssl(8) and the daily change logs for
4.6 through current all say no, but for all I know someone might be
working on something quietly :-).

And since the current state of things appears to be No TLS Server Name
Initiation, does anyone have any thoughts as to whether or not using
relayd redirects and lighttpd or nginx to negotiate TLS SNI would be a
bad idea?  And if it's a bad idea, what any better ideas are.

Thanks,
Chris Dukes




Re: PF Snort tutorial

2012-01-03 Thread Vadim Agarkov

Maybe you should try snort2pf from pkg ?

Information for 
http://ftp.spline.de/pub/OpenBSD/5.0/packages/i386/snort2pf-4.5p0.tgz


Comment:
block nasty hosts with pf(4) based on Snort's rules

Description:
Snort2Pf is a small Perl daemon which greps Snort's alertfile and 
blocks the naughty hosts for a given amount of time using pfctl.

Maintainer: The OpenBSD ports mailing-list po...@openbsd.org

WWW: http://sourceforge.net/projects/snort2pf/


---
Thanks,
Vadim Agarkov

On Tue, 3 Jan 2012 17:56:13 -0500, Bentley, Dain wrote:

ugh... that's what I thought.
I'm reading through some OSSEC docs right now and it seems pretty 
promising.

Having trouble finding anything about having it read from pflog.

From: Andres Genovez [andresgeno...@gmail.com]
Sent: Tuesday, January 03, 2012 3:04 PM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: PF Snort tutorial

2012/1/3 Bentley, Dain dbent...@nas.edu
I've been looking around for a good tutorial on implementing snort 
with PF and everything I see is old. Does anyone know of or have implemented a 
solution using an IDS/IPS with PF on the same box?  If possible I'd like snort 
or some other IDS to inspect packets and have pf drop them based on the fact 
they match certain signatures.  Thanks in advance.


Implementing that is really a pain in the hell out.. I did it on a 
4.9, I need to do it from sources, there is no complete tutorial, it works 
on 4.9, not implemented with PF though...

Greetings...



--
Sincerely

Andres Genovez Tobar / Technician
Elastix ECE - Linux LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec




Re: PF concurrent connection

2011-12-12 Thread Vadim Agarkov

Hi,

You can read about states at 
http://en.wikipedia.org/wiki/Stateful_firewall, for example. Concurrent 
connections for IPv4 can be viewed using the netstat command:


netstat -anfinet

and ipv6:

netstat -anfinet6


You can check for currently established connections with the command 
like this:


netstat -anfinet | grep ESTABLISHED



---
Thanks,
Vadim Agarkov

On Mon, 12 Dec 2011 17:37:30 +0800, co...@tetrachina.com wrote:

Hi,
OpenBSD PF as firewall, and I generated almost 150,000 states
(using the command line check: pfctl -ss | wc -l).

Do the states mean concurrent connections? If not, how to get the
concurrent connections?

Thanks for your reply. Merry Christmas, guys!

Best Regards
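The distinction behind this thread (a pf state is not the same thing as an established connection: the state table also holds UDP and ICMP pseudo-connections and half-open or closing TCP states) is easiest to see by tallying `pfctl -ss` output. This is an added example, not part of the thread; the sample state lines are constructed in the OpenBSD `pfctl -ss` layout, including the NAT form with the translated address in parentheses, and the "tcp_established" figure is the count a practitioner would compare against netstat's ESTABLISHED output.

```python
import re
from collections import Counter

# Constructed sample in the layout of `pfctl -ss` on OpenBSD (not a capture from a real host).
SAMPLE_STATES = """\
all tcp 10.0.0.50:22 <- 192.168.1.5:51234       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.50:80 <- 192.168.1.7:55000       SYN_SENT:CLOSED
all tcp 203.0.113.1:40101 (192.168.1.5:40101) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.50:80 <- 192.168.1.9:55012       FIN_WAIT_2:FIN_WAIT_2
all udp 10.0.0.50:53 <- 192.168.1.5:40000       MULTIPLE:SINGLE
all udp 192.168.1.5:123 -> 10.0.0.1:123       SINGLE:MULTIPLE
all icmp 192.168.1.5:1234 -> 10.0.0.50:1234       0:0
"""

# iface proto src [(nat-src)] dir dst [(nat-dst)] state:state
STATE_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)(?:\s+\(\S+\))?\s+"
    r"(?P<dir><-|->|<->)\s+(?P<dst>\S+)(?:\s+\(\S+\))?\s+(?P<state>\S+)\s*$"
)


def parse_states(text):
    """Parse pfctl -ss lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize_states(text):
    """Total states, per-protocol counts, and fully established TCP connections."""
    entries = parse_states(text)
    by_proto = Counter(e["proto"] for e in entries)
    # Only TCP states established on both sides correspond to a live connection;
    # SYN_SENT/CLOSED, FIN_WAIT and all UDP/ICMP states still occupy a state slot.
    established = sum(
        1 for e in entries
        if e["proto"].startswith("tcp") and e["state"] == "ESTABLISHED:ESTABLISHED"
    )
    return {"states": len(entries), "by_proto": dict(by_proto), "tcp_established": established}


if __name__ == "__main__":
    print(summarize_states(SAMPLE_STATES))
```

Run it against `pfctl -ss` output to see how far the 150,000-state figure is from the number of established TCP connections.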




OpenSMTPD + milter

2011-12-11 Thread Vadim Agarkov

Hello,

according to one of the replies to the article at undeadly 
(http://undeadly.org/cgi?action=articlesid=20081112084647pid=8), 
there were plans to implement sendmail-like milter capability in 
OpenSMTPD. Could someone please provide any status/update on this? 
Gilles?


--
Thanks,
Vadim Agarkov



Re: Mysql connection from within php

2010-06-01 Thread Vadim Agarkov
01.06.2010 16:45, L. V. Lammert wrote:
 On Tue, 1 Jun 2010, What you get is Not what you see wrote:


 Freshly installed on openbsd 4.6 mysql, php and php5-mysql packages.
 Done the configs. Now php and mysql work. But I couldn't make it
 connect to mysql from within php with such a command:
 mysql_connect(localhost,user,pass)
 It used to give a "Can't connect to mysql through socket" error till I
 changed the command to
 mysql_connect(127.0.0.1,user,pass)
 I want to learn why?


 Because the socket is in /var, .. and default apache chroot's to /var/www.
 I believe there are tricks to make it work, but it's simpler to
 just connect @127.0.0.1.

   Lee



Try creating a hosts file for the chrooted apache.

$ cat /var/www/etc/hosts
127.0.0.1 localhost
$

--
thanks.
VA



Re: PF logging into a file

2010-01-24 Thread Vadim Agarkov

24.01.2010 13:36, Paolo Supino wrote:

Hi

I've often used the command tcpdump -n -e -ttt -i pflog0 to view the PF
log in real time.
I've decided to try and use it in order to log PF in real time through
syslog. The solution described in the PF FAQ to log to syslog works in
time intervals, which doesn't meet my needs in my current setup.
I tried piping the output of tcpdump -n -e -ttt -i pflog0 through
logger(1), and sending it to syslog(8) using the complete command:
tcpdump -n -e -ttt -i pflog0 | logger -t PF -p local7.notice. I
set up syslog.conf: local7.* /var/log/firewall.log, but the file
/var/log/firewall.log remains empty. Trying the command: tcpdump -n
-e -ttt -i pflog0 | logger -t PF -f /var/log/firewall.log also leaves
the file empty. As a last resort I tried: tcpdump -n -e -ttt -i
pflog0 > /var/log/firewall.log, but that also didn't work and left
the file /var/log/firewall.log empty. Running tcpdump with -l
(output buffering) solves the clear text redirection into a file, but
doesn't work with logger(1) (it simply ends the process silently after
1 second or so).
Does anyone have a suggestion how to fix this so I can have real time
PF logging sent to syslog?

Please try and help me solve the problem and don't try to convince me
to drop either the real time logging and/or the use of syslog (I can't).


--
TIA
Paolo



hi Paolo!

try

pflogd_flags="-d 5"

in /etc/rc.conf.local


According to the pflogd(8) man page:

pflogd closes and then re-opens the log file when it receives SIGHUP,
permitting newsyslog(8) to rotate logfiles automatically. SIGALRM causes
pflogd to flush the current logfile buffers to the disk, thus making the
most recent logs available. The buffers are also flushed every delay
seconds.
...
-d delay
Time in seconds to delay between automatic flushes of the file.
This may be specified with a value between 5 and 3600 seconds.
If not specified, the default is 60 seconds.

Not real time, but might be helpful somehow?

--
thanks,
VA



Re: PF logging into a file

2010-01-24 Thread Vadim Agarkov

but why?  :-)

--
thanks,
VA

24.01.2010 14:33, Paolo Supino wrote:

Hi Vadim

A small detail I forgot to mention: I need the
log to be in text (readable) format. pflogd writes pcap format files,
which isn't suitable for me ...



--
TIA
Paolo




