Re: ldapd and The Diffie Hellman prime sent by the server is not acceptable
Hello!

Debian's (as well as Ubuntu's) openldap client is linked against the GnuTLS library, in contrast to the OpenBSD one which is linked against the openssl library. Recent GnuTLS versions have more strict settings - they won't allow dh params with 512 bits or less, and OpenBSD's ldapd daemon uses 512-bit DH params. There is a function gnutls_dh_set_prime_bits which overrides the default GnuTLS settings, but it looks like it is not supported by the openldap client yet. Here are some links regarding the GnuTLS problem:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196117

The good fix for this would be setting dh params with strong (more than 512) bits on the ldapd server side, but it is not possible with the current version of ldapd:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ldapd/ssl.c?rev=1.4;content-type=text%2Fplain

There is a hardcoded 512-bit DH value, as you can see. And it would be nice if there was an option to set dh params like there is in OpenSMTPD (or at least set the default bits for DH to 1024, as it is now in the same said OpenSMTPD):

http://www.opensmtpd.org/smtpd.conf.5.html

    Host certificates may be used for these connections, and are searched for in the /etc/mail/certs directory. If certificate is specified, a certificate name.crt, a key name.key, a certificate authority name.ca and Diffie-Hellman parameters name.dh are searched for. If no certificate is specified, the default interface name is instead used, for example fxp0.crt, fxp0.key, fxp0.ca, and fxp0.dh. If no DH parameters are provided, smtpd will use built-in parameters. Creation of certificates is documented in starttls(8).

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl.c?rev=1.51;content-type=text%2Fplain

And as for now, the real workaround that I see is either to allow insecure ldap connections or to use third-party tools like stunnel - it has default dh params with long enough primes and can also be set to use your custom dh params file.

JFYI, you can check the dh params returned by the server using the gnutls-cli utility. For example, things should look like the following for 2048-bit DH params:

=
$ gnutls-cli -s -p 636 ldap.your_cool_server.net
Resolving 'ldap.your_cool_server.net'...
Connecting to 'XX:636'...
- Simple Client Mode:
click ctrl+d
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2048 bits
 - Secret key: 2047 bits
 - Peer's public key: 2048 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
...
=

Hope that sheds some light on this problem..

P.S. I CC'ed the ldapd developers in order to have some hope this might be fixed one day..

---
thanks,
VA

On 2011-01-21 19:21, Joel Carnat wrote:
> Hello,
>
> On a Ubuntu Linux 8.04 machine, I can't query my OpenBSD 4.9 ldapd(8). It works from the local OpenBSD and from a remote NetBSD server. All machines have the CA file installed in the OpenSSL directory and the ldap.conf file configured to use that particular CA file.
>
> Here's what I get on the Linux box:
>
> $ ldapsearch -d 1 -x -H ldaps://ldap.tumfatig.net -D cn=email,dc=tumfatig,dc=net \
>   -W -b ou=users,dc=tumfatig,dc=net mail=j...@carnat.net
> ldap_url_parse_ext(ldaps://ldap.tumfatig.net)
> ldap_create
> ldap_url_parse_ext(ldaps://ldap.tumfatig.net:636/??base)
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap.tumfatig.net:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.0.0.50:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: can't connect: The Diffie Hellman prime sent by the server is not acceptable \
>   (not long enough)..
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Not sure if that matters, but the OpenBSD's openssl.cnf (which was used to generate and sign the CA and certificate files) contains:
>
> default_bits = 4096
>
> Is there a way to tell ldapd(8) to use a bigger DH value ?
>
> TIA,
> Jo
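The two checks this thread turns on, as an added example that is not code from the thread, ldapd, GnuTLS or stunnel: a small Python parser that reads a PKCS#3 "DH PARAMETERS" PEM block (what `openssl dhparam` writes and what stunnel or an OpenSMTPD name.dh file consume) and reports the prime length, and a helper that pulls the "Using prime: N bits" figure out of a gnutls-cli transcript like the one above. The 512-bit cut-off is the one the thread describes; the sample parameters and transcript are constructed (the numbers have the right length but are not real safe primes), and every function name is this example's own.

```python
"""Check whether a Diffie-Hellman prime is long enough for a strict TLS client.

Added example; not code from this thread, ldapd, GnuTLS or stunnel.
Two things the thread talks about are covered:
  * reading a PKCS#3 "DH PARAMETERS" PEM block (what `openssl dhparam`
    writes and what stunnel or OpenSMTPD's name.dh file consume) and
    reporting the prime length;
  * pulling the "Using prime: N bits" figure out of a gnutls-cli transcript.
The 512-bit cut-off is the one the thread describes; the sample values
below are constructed (right length, not real safe primes) and all
function names are this example's own.  Standard library only.
"""
import base64
import re

MIN_ACCEPTABLE_PRIME_BITS = 513   # thread: GnuTLS refuses primes of 512 bits or less

# Constructed transcript in the shape of the thread's gnutls-cli output.
SAMPLE_GNUTLS_CLI = """\
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2048 bits
 - Secret key: 2047 bits
 - Peer's public key: 2048 bits
- Certificate type: X.509
"""


def _der_read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits_from_pem(pem):
    """DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }; return bits in prime."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if m is None:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, prime_bytes, _ = _der_read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER prime")
    # DER integers are two's complement; a leading 0x00 only keeps the value
    # positive, and int.from_bytes().bit_length() ignores it.
    return int.from_bytes(prime_bytes, "big").bit_length()


def dh_params_pem(prime, generator=2):
    """Encode a DH PARAMETERS PEM block.  Only used here to build constructed
    test input; real parameters come from `openssl dhparam`."""
    def der_len(n):
        if n < 0x80:
            return bytes([n])
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(raw)]) + raw

    def der_int(n):
        raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # +8: room for the sign bit
        return b"\x02" + der_len(len(raw)) + raw

    inner = der_int(prime) + der_int(generator)
    b64 = base64.b64encode(b"\x30" + der_len(len(inner)) + inner).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"


def prime_bits_from_gnutls_cli(transcript):
    """Ephemeral DH prime size reported by gnutls-cli, or None if no DH line is present."""
    m = re.search(r"Using prime:\s*(\d+)\s*bits", transcript)
    return int(m.group(1)) if m else None


def acceptable(bits, minimum=MIN_ACCEPTABLE_PRIME_BITS):
    """True when a client with the thread's GnuTLS policy would accept this prime."""
    return bits is not None and bits >= minimum


def assess_pem(pem):
    """Convenience wrapper: (prime_bits, acceptable?) for a PEM parameter file."""
    bits = dh_prime_bits_from_pem(pem)
    return bits, acceptable(bits)


if __name__ == "__main__":
    import sys
    # Usage: python3 dhcheck.py params.dh  (a file written by `openssl dhparam`)
    with open(sys.argv[1]) as fh:
        print("prime bits: %d, acceptable: %s" % assess_pem(fh.read()))
```

Run it against the .dh file you hand to stunnel before putting it in front of ldapd; the same parser works on any PKCS#3 parameter file, whatever the server that will load it.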
Re: Does relayd(8) support TLS Server Name Initiation?
Interesting question for me too..

SNI is already supported by OpenSSL starting from version 0.9.8f and later, pound supports it from version 2.6 - which is not in packages yet (still 2.5 there), nginx in packages seems to be supporting it (not sure how it is in practice). Would be cool if relayd(8) had such a feature... But I don't see any info regarding this on the internet. Maybe somebody can shed some light on this ?

thanks,
VA

On 23.09.2010 19:31, Christopher Dukes wrote:
> And if not, is support planned?
>
> I'd like to make use of relayd's relays for URL based filtering of https requests. I already know for SSL2 I'm stuck to 1 IP address per cert.
>
> A scan of the relayd.conf(5) and ssl(8) and the daily change logs for 4.6 through current all say no, but for all I know someone might be working on something quietly :-).
>
> And since the current state of things appears to be No TLS Server Name Initiation, does anyone have any thoughts as to whether or not using relayd redirects and lighttpd or nginx to negotiate TLS SNI would be a bad idea? And if it's a bad idea, what any better ideas are.
>
> Thanks,
> Chris Dukes
Re: PF Snort tutorial
Maybe you should try snort2pf from pkg ?

Information for http://ftp.spline.de/pub/OpenBSD/5.0/packages/i386/snort2pf-4.5p0.tgz

Comment:
block nasty hosts with pf(4) based on Snort's rules

Description:
Snort2Pf is a small Perl daemon which greps Snort's alertfile and blocks the naughty hosts for a given amount of time using pfctl.

Maintainer: The OpenBSD ports mailing-list <po...@openbsd.org>

WWW: http://sourceforge.net/projects/snort2pf/

---
Thanks,
Vadim Agarkov

On Tue, 3 Jan 2012 17:56:13 -0500, Bentley, Dain wrote:
> ugh, that's what I thought. I'm reading through some OSSEC docs right now and it seems pretty promising. Having trouble finding anything about having it read from pflog.
>
> From: Andres Genovez [andresgeno...@gmail.com]
> Sent: Tuesday, January 03, 2012 3:04 PM
> To: Bentley, Dain
> Cc: misc@openbsd.org
> Subject: Re: PF Snort tutorial
>
> 2012/1/3 Bentley, Dain <dbent...@nas.edu>
>> I've been looking around for a good tutorial on implementing snort with PF and everything I see is old. Does anyone know of or have implemented a solution using an IDS/IPS with PF on the same box? If possible I'd like snort or some other IDS to inspect packets and have pf drop them based on the fact they match certain signatures. Thanks in advance.
>
> Implementing that is really a pain in the hell out.. I did it on a 4.9, I need to do it from sources, there is no complete tutorial, it works on 4.9, not implemented with PF though...
>
> Greetings...
>
> --
> Sincerely
> Andres Genovez Tobar / Elastix ECE Technician - Linux LPI-1 - Novell CLA - Apple ACMT
> http://www.puntonet.ec
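What the package description says snort2pf does, as an added Python example that is neither the snort2pf code nor anything posted in the thread: parse Snort "alert_fast" lines, keep the source addresses of alerts serious enough to act on, and build (not run) the pfctl table commands that block them and later lift the block. The alert lines, the table name snort_block, the "protected" address range and the time-to-live are all constructed for the example.

```python
"""Turn Snort fast-alert lines into timed pf table entries.

Added example; not the snort2pf code described in the thread and not from
the thread itself.  It mirrors what the package description says snort2pf
does (read Snort's alert file, block the offending hosts for a limited time
with pfctl) but only *builds* the pfctl commands, so it can be reviewed or
dry-run.  Sample lines are constructed in Snort's "alert_fast" format with
RFC 5737 documentation addresses; the table name, TTL and protected range
are assumptions.  Standard library only.
"""
import re
import sys

SAMPLE_ALERTS = """\
01/03-17:56:13.101010  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.0.2.10:51234
01/03-17:56:14.202020  [**] [1:1000001:1] LOCAL scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44321 -> 192.0.2.10:22
01/03-17:56:15.303030  [**] [1:1000001:1] LOCAL scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44322 -> 192.0.2.10:23
01/03-17:56:16.404040  [**] [1:1000002:1] LOCAL noisy but harmless [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 203.0.113.9:5353 -> 192.0.2.10:5353
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

PROTECTED_PREFIXES = ("192.0.2.",)   # our own hosts (constructed); never block these


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    return d


def offenders(lines, max_priority=2):
    """Sorted, de-duplicated source addresses of alerts with priority <= max_priority
    (Snort: 1 is most severe), never including our own addresses."""
    hosts = set()
    for line in lines:
        a = parse_alert(line)
        if a is None or a["prio"] > max_priority:
            continue
        if a["src"].startswith(PROTECTED_PREFIXES):
            continue
        hosts.add(a["src"])
    return sorted(hosts)


class BlockList:
    """Tracks blocked hosts and the clock value (seconds) at which each block lapses."""
    def __init__(self, table="snort_block", ttl=1800):
        self.table, self.ttl, self.expiry = table, ttl, {}

    def add(self, hosts, now):
        """pfctl commands for hosts not yet blocked; already blocked hosts get their TTL refreshed."""
        cmds = []
        for h in hosts:
            if h not in self.expiry:
                cmds.append(f"pfctl -t {self.table} -T add {h}")
            self.expiry[h] = now + self.ttl
        return cmds

    def expire(self, now):
        """pfctl commands that unblock every host whose TTL has run out."""
        done = sorted(h for h, t in self.expiry.items() if t <= now)
        for h in done:
            del self.expiry[h]
        return [f"pfctl -t {self.table} -T delete {h}" for h in done]


if __name__ == "__main__":
    # Dry run: python3 snort_blocks.py < /var/snort/log/alert
    import time
    bl = BlockList()
    for cmd in bl.add(offenders(sys.stdin), time.time()):
        print(cmd)
```

The pf side is the usual pair of lines in pf.conf, `table <snort_block> persist` and a `block in quick from <snort_block>` rule early in the ruleset; the commands the script prints then take effect without a ruleset reload.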
Re: PF concurrent connection
Hi,

You can read about states at http://en.wikipedia.org/wiki/Stateful_firewall for example.

And concurrent connections for ipv4 can be viewed using the netstat command:

netstat -anfinet

and for ipv6:

netstat -anfinet6

You can check for currently established connections with a command like this:

netstat -anfinet | grep ESTABLISHED

---
Thanks,
Vadim Agarkov

On Mon, 12 Dec 2011 17:37:30 +0800, co...@tetrachina.com wrote:
> Hi,
>
> OpenBSD PF as firewall, and I generated almost 150,000 states (use the command line check: pfctl -ss|wc -l). Do the states mean concurrent connections? If not, how to get the concurrent connections?
>
> Thanks for your reply. Merry Christmas, Guys!
>
> Best Regards
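One way to answer the question in this thread from the firewall's own data, as an added example that is not from the thread: `pfctl -ss | wc -l` counts every state entry, including UDP and ICMP pseudo-connections and TCP sessions that are half-closed or in TIME_WAIT, so the script below parses `pfctl -ss` lines and counts only the TCP states that are ESTABLISHED on both sides. The sample lines are constructed, and the column layout it expects is an assumption about the pf version in use.

```python
"""Count pf states versus concurrent established TCP connections.

Added example, not from the thread.  `pfctl -ss | wc -l` counts every state
entry: UDP and ICMP pseudo-connections and TCP sessions that are half-closed
or in TIME_WAIT all count.  This parses `pfctl -ss` lines and reports only
TCP states that are ESTABLISHED on both sides, plus a per-protocol breakdown.
The sample lines are constructed, and the assumed column layout
`<iface> <proto> <local> <-|-> <peer> <state:state>` is the usual shape of
pfctl's output; check it against the pf version in use.  Standard library only.
"""
from collections import Counter
import re
import sys

SAMPLE_PFCTL_SS = """\
all tcp 192.0.2.10:22 <- 203.0.113.5:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 198.51.100.7:40210       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 198.51.100.7:40211       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:443 <- 198.51.100.9:60001       TIME_WAIT:TIME_WAIT
all udp 192.0.2.10:53 <- 203.0.113.5:40001       MULTIPLE:SINGLE
all icmp 192.0.2.10:8 <- 203.0.113.5:8       0:0
em0 tcp 192.0.2.10:34567 -> 198.51.100.20:80       ESTABLISHED:ESTABLISHED
"""

# Left endpoint is this host's side, right endpoint is the peer; an optional
# "(addr:port)" after an endpoint is the address before translation.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<local>\S+)(?:\s+\(\S+\))?\s+"
    r"(?P<dir><-|->)\s+(?P<peer>\S+)(?:\s+\(\S+\))?\s+(?P<state>\S+)\s*$"
)


def parse_state(line):
    """Fields of one `pfctl -ss` line, or None for lines that are not state entries."""
    m = STATE_RE.match(line)
    return m.groupdict() if m else None


def is_established(state):
    """Only TCP with both sides in ESTABLISHED is a live, usable connection."""
    return state["proto"] == "tcp" and state["state"] == "ESTABLISHED:ESTABLISHED"


def summarize(lines):
    """Total states, states per protocol, established TCP sessions and distinct peers."""
    total, established = 0, 0
    by_proto = Counter()
    peers = set()
    for line in lines:
        s = parse_state(line)
        if s is None:
            continue
        total += 1
        by_proto[s["proto"]] += 1
        if is_established(s):
            established += 1
            peers.add(s["peer"].rsplit(":", 1)[0])   # strip the port, keep the host
    return {
        "states": total,
        "by_proto": dict(by_proto),
        "established_tcp": established,
        "established_peers": len(peers),
    }


def report(lines):
    """Human-readable one-liner, handy for a cron job or a monitoring check."""
    s = summarize(lines)
    protos = ", ".join(f"{p}={n}" for p, n in sorted(s["by_proto"].items()))
    return (f"{s['states']} states ({protos}); "
            f"{s['established_tcp']} established TCP connections "
            f"from {s['established_peers']} peers")


if __name__ == "__main__":
    # Usage: pfctl -ss | python3 pfstates.py
    print(report(sys.stdin))
```

On a busy firewall the gap between the two numbers is usually large: every DNS lookup leaves a UDP state behind until it times out, and each closed web session lingers in TIME_WAIT or FIN_WAIT, so the state count says more about timeouts than about load.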
OpenSMTPD + milter
Hello,

According to one of the replies on the article at undeadly (http://undeadly.org/cgi?action=article&sid=20081112084647&pid=8), there were plans on implementing sendmail-like milter capability in OpenSMTPD. Could someone please provide any status/update on this ? Gilles ?

--
Thanks,
Vadim Agarkov
Re: Mysql connection from within php
01.06.2010 16:45, L. V. Lammert wrote:
> On Tue, 1 Jun 2010, What you get is Not what you see wrote:
>> Freshly installed on openbsd 4.6 mysql, php and php5-mysql packages. Done the configs. Now php and mysql work. But I couldn't make it connect to mysql from within php with such a command
>>
>> mysql_connect(localhost,user,pass)
>>
>> It used to give a "Can't connect to mysql through socket" error till I changed the command to
>>
>> mysql_connect(127.0.0.1,user,pass)
>>
>> I want to learn why?
>
> Because the socket is in /var, .. and default apache chroot's to /var/www. I believe there are tricks to make it work, but it's simpler to just connect @127.0.0.1.
>
> Lee

try to create a hosts file for the chrooted apache.

$ cat /var/www/etc/hosts
127.0.0.1 localhost
$

--
thanks.
VA
Re: PF logging into a file
24.01.2010 13:36, Paolo Supino wrote:
> Hi
>
> I've often used the command tcpdump -n -e -ttt -i pflog0 to view the PF log in real time. I've decided to try and use it in order to log PF in real time through syslog. The solution described in the PF FAQ to log to syslog works in time intervals, which doesn't meet my needs in my current setup.
>
> I tried piping the output of tcpdump -n -e -ttt -i pflog0 through logger(1), and sending it to syslog(8) using the complete command: tcpdump -n -e -ttt -i pflog0 | logger -t PF -p local7.notice. I set up syslog.conf: local7.* /var/log/firewall.log, but the file /var/log/firewall.log remains empty. Trying the command: tcpdump -n -e -ttt -i pflog0 | logger -t PF -f /var/log/firewall.log also leaves the file empty. As a last resort I tried: tcpdump -n -e -ttt -i pflog0 > /var/log/firewall.log, but that also didn't work and left the file /var/log/firewall.log empty. Running tcpdump with -l (output buffering) solves the clear text redirection into a file, but doesn't work with logger(1) (it simply ends the process silently after 1 second or so).
>
> Does anyone have a suggestion how to fix this so I can have real time PF logging sent to syslog? Please try and help me solve the problem and don't try to convince me to drop either the real time logging and/or the use of syslog (I can't).
>
> --
> TIA
> Paolo

hi Paolo!

try pflogd_flags="-d 5" in /etc/rc.conf.local

according to the pflogd(8) man page,

    pflogd closes and then re-opens the log file when it receives SIGHUP, permitting newsyslog(8) to rotate logfiles automatically. SIGALRM causes pflogd to flush the current logfile buffers to the disk, thus making the most recent logs available. The buffers are also flushed every delay seconds.
    ...
    -d delay
        Time in seconds to delay between automatic flushes of the file. This may be specified with a value between 5 and 3600 seconds. If not specified, the default is 60 seconds.

not real time, but might be helpful somehow ?

--
thanks,
VA
Re: PF logging into a file
but why? :-)

--
thanks,
VA

24.01.2010 14:33, Paolo Supino wrote:
> Hi Vadim
>
> pflogd is writing the
>
> A small detail I forgot to mention: I need the log to be in text (readable) format. pflogd writes pcap format files, which isn't suitable for me ...
>
> --
> TIA
> Paolo
>
> On 1/24/10 2:17 PM, Vadim Agarkov wrote:
>> 24.01.2010 13:36, Paolo Supino wrote:
>>> Hi
>>>
>>> I've often used the command tcpdump -n -e -ttt -i pflog0 to view the PF log in real time. I've decided to try and use it in order to log PF in real time through syslog. The solution described in the PF FAQ to log to syslog works in time intervals, which doesn't meet my needs in my current setup.
>>>
>>> I tried piping the output of tcpdump -n -e -ttt -i pflog0 through logger(1), and sending it to syslog(8) using the complete command: tcpdump -n -e -ttt -i pflog0 | logger -t PF -p local7.notice. I set up syslog.conf: local7.* /var/log/firewall.log, but the file /var/log/firewall.log remains empty. Trying the command: tcpdump -n -e -ttt -i pflog0 | logger -t PF -f /var/log/firewall.log also leaves the file empty. As a last resort I tried: tcpdump -n -e -ttt -i pflog0 > /var/log/firewall.log, but that also didn't work and left the file /var/log/firewall.log empty. Running tcpdump with -l (output buffering) solves the clear text redirection into a file, but doesn't work with logger(1) (it simply ends the process silently after 1 second or so).
>>>
>>> Does anyone have a suggestion how to fix this so I can have real time PF logging sent to syslog? Please try and help me solve the problem and don't try to convince me to drop either the real time logging and/or the use of syslog (I can't).
>>>
>>> --
>>> TIA
>>> Paolo
>>
>> hi Paolo!
>>
>> try pflogd_flags="-d 5" in /etc/rc.conf.local
>>
>> according to the pflogd(8) man page,
>>
>>     pflogd closes and then re-opens the log file when it receives SIGHUP, permitting newsyslog(8) to rotate logfiles automatically. SIGALRM causes pflogd to flush the current logfile buffers to the disk, thus making the most recent logs available. The buffers are also flushed every delay seconds.
>>     ...
>>     -d delay
>>         Time in seconds to delay between automatic flushes of the file. This may be specified with a value between 5 and 3600 seconds. If not specified, the default is 60 seconds.
>>
>> not real time, but might be helpful somehow ?
>>
>> --
>> thanks,
>> VA
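The pipeline Paolo is after, text pf log lines reaching syslog as they happen, as an added example that is not from the thread: a Python filter that sits between tcpdump and syslog, parses each decoded pflog line into fields, picks a syslog severity from the pf action and sends one message per packet through logging's SysLogHandler. The sample lines are constructed; the line shape it matches ("rule N/(reason) action dir on iface: src > dst: ..."), the tag PF, the local7 facility and the /dev/log socket path are assumptions to check against the tcpdump and syslogd actually in use.

```python
"""Forward decoded pf log lines to syslog as readable text, in real time.

Added example, not from the thread.  pflogd(8) writes pcap; the thread's
approach is to let tcpdump decode pflog0 and push the text into syslog.
This script sits in that pipe, parses each line, chooses a severity from the
pf action and logs one message per packet:

    tcpdump -l -n -e -ttt -i pflog0 | python3 pflog2syslog.py

tcpdump's -l line-buffers stdout; without it a pipe only sees output once a
buffer fills, which is the "empty file" the thread describes.  The matched
line shape, the tag 'PF', facility local7 and the /dev/log socket path are
assumptions; the sample lines are constructed.  Standard library only.
"""
import logging
import logging.handlers
import re
import sys

SAMPLE_LINES = """\
000000 rule 2/(match) block in on em0: 203.0.113.5.51234 > 192.0.2.10.22: S 1:1(0) win 65535
000251 rule 7/(match) pass out on em0: 192.0.2.10.34567 > 198.51.100.20.80: S 10:10(0) win 16384
001337 rule 2/(match) block in on em0: 203.0.113.9.53 > 192.0.2.10.53: udp 40
"""

# Whatever tcpdump prints before "rule" (the -ttt time delta here) is ignored.
LINE_RE = re.compile(
    r"rule\s+(?P<rule>\d+)/\((?P<reason>[^)]*)\)\s+(?P<action>\w+)\s+(?P<dir>in|out)"
    r"\s+on\s+(?P<iface>\w+):\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<detail>.*)$"
)

SEVERITY = {"block": logging.WARNING}     # everything else (pass, match, ...) -> INFO


def split_host_port(endpoint):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; return (host, port-or-None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return endpoint, None


def parse_line(line):
    """Fields of one decoded pflog line, or None for tcpdump chatter."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_host"], d["src_port"] = split_host_port(d["src"])
    d["dst_host"], d["dst_port"] = split_host_port(d["dst"])
    return d


def format_message(f):
    """Compact, grep-friendly text: action, direction, interface, rule, endpoints."""
    src = f["src_host"] + (":" + f["src_port"] if f["src_port"] else "")
    dst = f["dst_host"] + (":" + f["dst_port"] if f["dst_port"] else "")
    return (f"{f['action']} {f['dir']} on {f['iface']} rule {f['rule']} "
            f"{src} -> {dst} {f['detail']}").rstrip()


def severity_for(f):
    return SEVERITY.get(f["action"], logging.INFO)


def convert(lines):
    """(severity, message) for every parseable line; the testable core of main()."""
    out = []
    for line in lines:
        f = parse_line(line)
        if f:
            out.append((severity_for(f), format_message(f)))
    return out


def main(stream=sys.stdin):
    logger = logging.getLogger("PF")
    handler = logging.handlers.SysLogHandler(
        address="/dev/log", facility=logging.handlers.SysLogHandler.LOG_LOCAL7)
    handler.setFormatter(logging.Formatter("PF: %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    for line in stream:                      # one line per packet, as tcpdump emits them
        f = parse_line(line)
        if f:
            logger.log(severity_for(f), format_message(f))


if __name__ == "__main__":
    main()
```

With `local7.* /var/log/firewall.log` in syslog.conf the file fills line by line instead of in 60-second batches, and because blocks go out at warning and passes at info, a second selector such as `local7.warning` can route only the blocks to a remote loghost.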