Re: How to enable TLS 1.3?

2020-05-03 Thread Chad Hoolie
‐‐‐ Original Message ‐‐‐
On Thursday 30. April 2020 kl. 16:38, Kevin Chadwick wrote:

> On 2020-04-30 13:55, Chad Hoolie wrote:
>
> > Any idea about relayd though? I don't see any mentioning of 1.3 in man 
> > relayd.conf:
>
> I'm not a dev but tls1.3 dropped RSA and I think requires ecdsa key support
> that relayd currently lacks.
>
> Although httpd was originally based on relayd. I assume the code is different
> here because of relayd's more complex tls interception and acceleration
> abilities.
>
> Pound and nginx may be alternatives, but they likely won't protect the key so
> well, if an exploit is found.


Hello,

Is there any chance we can have TLS 1.3 support in relayd in the upcoming 6.7 
release?

There seems to be clear indication that Google and other search engines do
favor TLS 1.3 sites over 1.2: The Era of TLS 1.3: Measuring Deployment and
Use with Active and Passive Methods: https://arxiv.org/pdf/1907.12762.pdf

--Cheers, Chad

Sent with ProtonMail Secure Email.




Re: rc.d: Webserver is removing daemonization - now what?

2020-05-03 Thread Chad Hoolie
Thank you Marcus, and the rest of you :)

--Chad



‐‐‐ Original Message ‐‐‐
On Sunday 3. May 2020 kl. 16:53, Marcus MERIGHI  wrote:

> chad.hoo...@protonmail.com (Chad Hoolie), 2020.05.03 (Sun) 15:43 (CEST):
>
> > So the folks over at my webserver are removing its daemonization
> > feature, telling its users to use systemd/upstart/a process supervisor
> > instead.
>
> Ugly move by upstream!
>
> > But what does this mean to my webserver's startup script in /etc/rc.d,
> > isn't it dependent on the webserver's ability to daemonize?
>
> You could have shown the content of that rc.d(8) script...?
>
> > Pretty sure I can't manually daemonize it by adding a "&" to the end
> > of my rcexecs so...
>
> Read rc.subr(8), look for "rc_bg".
>
> Marcus




rc.d: Why is it reindenting my startup scripts?

2020-05-03 Thread Chad Hoolie
Hello,

Noticed my startup scripts are being reindented from 2 spaces to 4 whenever I 
run rcctl, just wondering what the point of that was?

Thanks!

--Chad




rc.d: Webserver is removing daemonization - now what?

2020-05-03 Thread Chad Hoolie
Hi,

So the folks over at my webserver are removing its daemonization feature,
telling its users to use systemd/upstart/a process supervisor instead.

But what does this mean to my webserver's startup script in /etc/rc.d, isn't it 
dependent on the webserver's ability to daemonize?

Pretty sure I can't manually daemonize it by adding a "&" to the end of my 
rcexecs so...

--Chad





Re: relayd: Why doesn't "tls keypair" look for the fullchain certificate?

2020-04-30 Thread Chad Hoolie
Hello,

Great idea - thanks a bunch!

--Chad

‐‐‐ Original Message ‐‐‐
On Thursday 30. April 2020 kl. 19:07, Anthony J. Bentley wrote:

> Chad Hoolie writes:
>
> > Why does "tls keypair" in relayd.conf look for the regular and not the
> > fullchain certificate?
>
> Certificate filenames are defined by your acme-client.conf.
>
> > Thus, forcing users who want an A+ certificate to spend hours
> > searching the web for this hack?
> > cd /etc/ssl
> > doas mv foobar.com.crt foobar.com.crt.bak
> > doas ln -s foobar.com.fullchain.pem foobar.com.crt
>
> Rather than symlink, just tell acme-client to create certificates with
> the filename relayd expects.
>
> domain example.com {
>         domain key "/etc/ssl/private/example.com.key"
>         domain full chain certificate "/etc/ssl/example.com.crt"
>         sign with letsencrypt
> }




Re: How to enable TLS 1.3?

2020-04-30 Thread Chad Hoolie
Thanks a lot for the help Martijn.

Fingers crossed it will appear soon. Our search engine rankings depend on it!

--Chad

‐‐‐ Original Message ‐‐‐
On Thursday, April 30, 2020 4:16 PM, Martijn van Duren wrote:

> If it's not in the manpage it's probably not there.
> I did gave a quick look through the relayd source, but from what I saw
> there's no TLS1.3 support there.
>
> On 4/30/20 3:55 PM, Chad Hoolie wrote:
>
> > Any idea about relayd though? I don't see any mentioning of 1.3 in man 
> > relayd.conf:
> > tls
> >   no tlsv1.2
> >           Disable the TLSv1.2 protocol.  The default is to enable
> >           TLSv1.2.
> >
> >   sslv3   Enable the SSLv3 protocol.  The default is no sslv3.
> >
> >   tlsv1   Enable all TLSv1 protocols.  This is an alias that
> >           includes tlsv1.0, tlsv1.1, and tlsv1.2.  The default is
> >           no tlsv1.
> >
> >   tlsv1.0
> >           Enable the TLSv1.0 protocol.  The default is no tlsv1.0.
> >
> >   tlsv1.1
> >           Enable the TLSv1.1 protocol.  The default is no tlsv1.1.
> > --Chad
> > ‐‐‐ Original Message ‐‐‐
> > On Thursday, April 30, 2020 3:04 PM, Martijn van Duren 
> > openbsd+m...@list.imperialat.at wrote:
> >
> > > On 4/30/20 1:19 PM, Chad Hoolie wrote:
> > >
> > > > Hello,
> > > > I'm using httpd with acme-client and Let's Encrypt 
> > > > (https://www.romanzolotarev.com/openbsd/acme-client.html).
> > > > This setup, however, only seems to support TLS 1.2, whereas TLS 1.3 is 
> > > > needed to achieve A+ ratings across the board.
> > > > Anybody know how to make the upgrade?
> > > > --Chad
> > >
> > > httpd(8):
> > > protocols string Specify the TLS protocols to enable for this server.
> > > If not specified, the value "default" will be used (secure protocols;
> > > TLSv1.2-only). Refer to the tls_config_parse_protocols(3) function for
> > > other valid protocol string values.
> > > tls_config_parse_protocols(3):
> > > Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all
> > > supported protocols),
> > > untested, but seems pretty self-explanatory.




Re: How to enable TLS 1.3?

2020-04-30 Thread Chad Hoolie
Any idea about relayd though? I don't see any mentioning of 1.3 in man 
relayd.conf:

tls
  no tlsv1.2
          Disable the TLSv1.2 protocol.  The default is to enable
          TLSv1.2.

  sslv3   Enable the SSLv3 protocol.  The default is no sslv3.

  tlsv1   Enable all TLSv1 protocols.  This is an alias that
          includes tlsv1.0, tlsv1.1, and tlsv1.2.  The default is
          no tlsv1.

  tlsv1.0
          Enable the TLSv1.0 protocol.  The default is no tlsv1.0.

  tlsv1.1
          Enable the TLSv1.1 protocol.  The default is no tlsv1.1.

--Chad

‐‐‐ Original Message ‐‐‐
On Thursday, April 30, 2020 3:04 PM, Martijn van Duren wrote:

> On 4/30/20 1:19 PM, Chad Hoolie wrote:
>
> > Hello,
> > I'm using httpd with acme-client and Let's Encrypt 
> > (https://www.romanzolotarev.com/openbsd/acme-client.html).
> > This setup, however, only seems to support TLS 1.2, whereas TLS 1.3 is 
> > needed to achieve A+ ratings across the board.
> > Anybody know how to make the upgrade?
> > --Chad
>
> httpd(8):
> protocols string Specify the TLS protocols to enable for this server.
> If not specified, the value "default" will be used (secure protocols;
> TLSv1.2-only). Refer to the tls_config_parse_protocols(3) function for
> other valid protocol string values.
>
> tls_config_parse_protocols(3):
> Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all
> supported protocols),
>
> untested, but seems pretty self-explanatory.

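An added example, not from the thread or from the httpd project: an httpd.conf(5) server block that sets the protocols string described in the quoted httpd(8) text, with the TLSv1.2-only default noted beside it, and that serves the full chain so the chain problem raised in the relayd thread does not recur. The hostname, paths and document root are placeholders, and the block assumes the system's libtls accepts the tlsv1.3 keyword that tls_config_parse_protocols(3) lists.

```conf
# Constructed httpd.conf(5) fragment (placeholder hostname and paths).
server "example.com" {
	listen on * tls port 443

	tls {
		# Serve the full chain written by acme-client, not only the leaf.
		certificate "/etc/ssl/example.com.fullchain.pem"
		key "/etc/ssl/private/example.com.key"

		# Omitting "protocols" is equivalent to:
		#   protocols "default"      # per the quoted httpd(8): TLSv1.2 only
		# The string is handed to tls_config_parse_protocols(3), which takes
		# a comma-separated list of its keywords, so TLS 1.3 is enabled with:
		protocols "tlsv1.2,tlsv1.3"
	}

	root "/htdocs/example.com"
}
```

After `rcctl reload httpd`, `httpd -n` checks the syntax and a client handshake shows which version was negotiated.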



relayd: Why doesn't "tls keypair" look for the fullchain certificate?

2020-04-30 Thread Chad Hoolie
Hi,

Why does "tls keypair" in relayd.conf look for the regular and not the 
fullchain certificate?

Thus, forcing users who want an A+ certificate to spend hours searching the web 
for this hack?

cd /etc/ssl
doas mv foobar.com.crt foobar.com.crt.bak
doas ln -s foobar.com.fullchain.pem foobar.com.crt

From: http://blog.snailtext.com/posts/sni-relayd-support-in-six-point-six.html

-- Chad



How to enable TLS 1.3?

2020-04-30 Thread Chad Hoolie
Hello,

I'm using httpd with acme-client and Let's Encrypt 
(https://www.romanzolotarev.com/openbsd/acme-client.html).

This setup, however, only seems to support TLS 1.2, whereas TLS 1.3 is needed 
to achieve A+ ratings across the board.

Anybody know how to make the upgrade?

--Chad