Re: whats wrong with me?
Sorry, I'm a beginner. I know my message was not logical.

uname -a:

OpenBSD hostname 5.8 GENERIC#0 i386

virtual server in httpd.conf:

server "hostname" {
        listen on * port 80
        listen on * tls port 443
        log { access "access.log", error "error.log" }
        tls {
                certificate "/etc/ssl/server.crt"
                key "/etc/ssl/private/server.key"
        }
        root "/htdocs/hostname"
}

ports 80 and 443 are open:

# netstat -a | grep http
tcp          0      0  localhost.https        *.*                    LISTEN
tcp          0      0  *.https                *.*                    LISTEN

in firefox:

Secure Connection Failed
An error occurred during a connection to my_domain. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

in log from httpd:

httpd: could not parse macro definition SSL
httpd[21336]: server_tls_init: failed to configure TLS - failed to read private key: Operation not supported by device

Krzysztof Strzeszewski

On 30.11.2015 22:31, Alexander Salmin wrote:
> On 2015-11-30 20:52, Krzysztof Strzeszewski wrote:
>> Hi,
>> whats wrong?:
>>
>> httpd: could not parse macro definition SSL
>> httpd[21336]: server_tls_init: failed to configure TLS - failed to read
>> private key: Operation not supported by device
>>
>>
>> Krzysztof Strzeszewski
> Hey Krzysztof,
>
> Two reasons why you did not receive much feedback on this.
> - You did not supply OpenBSD version (uname -a) so we can't replicate
> with same version.
> - You did not provide httpd.conf(8) so we can't replicate your exact setup.
>
> A key to good free online OpenBSD support is to; "Always provide as much
> information as possible. Try to pin-point the exact problem. Give clear
> instructions on how to reproduce the problem. Try to describe the
> problem with as much accuracy and non-confusing terminology as possible,
> especially if it is not easy to reproduce." //
> http://www.openbsd.org/report.html
>
> Continue to fail this and the world will just lead to sadness and despair.
>
> Alexander
Re: whats wrong with me?
On 2015-12-01 21:51, Krzysztof Strzeszewski wrote:
> Sorry, I'm a beginner. I know my message was not logical.
>
> uname -a:
>
> OpenBSD hostname 5.8 GENERIC#0 i386
>
> virtual server in httpd.conf:
>
> server "hostname" {
>         listen on * port 80
>         listen on * tls port 443
>         log { access "access.log", error "error.log" }
>         tls {
>                 certificate "/etc/ssl/server.crt"
>                 key "/etc/ssl/private/server.key"
>         }
>         root "/htdocs/hostname"
> }
>
> ports 80 and 443 are open:
>
> # netstat -a | grep http
> tcp          0      0  localhost.https        *.*                    LISTEN
> tcp          0      0  *.https                *.*                    LISTEN
>
> in firefox:
>
> Secure Connection Failed
> An error occurred during a connection to my_domain. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
>
> in log from httpd:
>
> httpd: could not parse macro definition SSL
> httpd[21336]: server_tls_init: failed to configure TLS - failed to read private key: Operation not supported by device

Check the following;

1) Does the private key match the certificate? Verify this like so (should result in two identical sha512 strings);

# openssl x509 -noout -modulus -in server.pem | openssl sha512
# openssl rsa -noout -modulus -in server.key | openssl sha512

2) Is httpd allowed to read the key file?

# ls -lhart /etc/ssl/server.crt
# ls -lhart /etc/ssl/private/server.key

3) Check with browser random x on random other operating system y.
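The following Python script is an added example (not from the thread or from OpenBSD) that automates checks 1 and 2 above: it asks openssl(1) for the RSA modulus of the certificate and of the key and compares the two strings directly, which is equivalent to comparing their sha512 digests, and it reports whether the key file is readable and free of group/other permission bits. It assumes openssl is on PATH; the default paths are those from Krzysztof's httpd.conf, and make_test_keypair builds a constructed self-signed fixture so the checks can be tried without touching /etc/ssl.

```python
"""Added example, not from the thread: automate the two checks Alexander
suggests for an httpd(8) TLS keypair.  Assumes openssl(1) is on PATH."""
import os
import stat
import subprocess
import tempfile

# Paths from the httpd.conf posted in the thread.
CERT = "/etc/ssl/server.crt"
KEY = "/etc/ssl/private/server.key"


def _modulus(subcmd, path):
    """Return the 'Modulus=...' line openssl prints, or None on failure.
    None (not '') matters: two failed commands would otherwise both
    yield empty output and wrongly 'match'."""
    try:
        proc = subprocess.run(
            ["openssl", subcmd, "-noout", "-modulus", "-in", path],
            capture_output=True, text=True)
    except OSError:  # openssl not installed
        return None
    out = proc.stdout.strip()
    if proc.returncode != 0 or not out.startswith("Modulus="):
        return None
    return out


def keypair_matches(cert=CERT, key=KEY):
    """Check 1: the certificate's RSA modulus must equal the key's."""
    cert_mod = _modulus("x509", cert)
    return cert_mod is not None and cert_mod == _modulus("rsa", key)


def key_file_status(key=KEY):
    """Check 2: can this process read the key, and is it private
    (no group/other bits, which ls -l would show as rw-------)?"""
    try:
        mode = stat.S_IMODE(os.stat(key).st_mode)
    except OSError:
        return {"exists": False, "readable": False, "private": False}
    return {"exists": True, "readable": os.access(key, os.R_OK),
            "private": (mode & 0o077) == 0}


def make_test_keypair(workdir=None):
    """Constructed fixture: a self-signed certificate with its matching
    key plus an unrelated key.  Returns (cert, key, other) or None when
    openssl is unavailable."""
    workdir = workdir or tempfile.mkdtemp(prefix="httpd-tls-")
    cert, key, other = (os.path.join(workdir, n)
                        for n in ("server.crt", "server.key", "other.key"))
    try:
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048",
                        "-nodes", "-days", "1", "-subj", "/CN=test",
                        "-keyout", key, "-out", cert],
                       check=True, capture_output=True)
        subprocess.run(["openssl", "genrsa", "-out", other, "2048"],
                       check=True, capture_output=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    os.chmod(key, 0o600)
    return cert, key, other
```

Run keypair_matches() and key_file_status() on the box with the real paths; a False from the first with a healthy-looking key file points at a certificate issued for a different key.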
Re: whats wrong with me?
On 2015-11-30 20:52, Krzysztof Strzeszewski wrote:
> Hi,
> whats wrong?:
>
> httpd: could not parse macro definition SSL
> httpd[21336]: server_tls_init: failed to configure TLS - failed to read
> private key: Operation not supported by device
>
>
> Krzysztof Strzeszewski

Hey Krzysztof,

Two reasons why you did not receive much feedback on this.
- You did not supply OpenBSD version (uname -a) so we can't replicate with same version.
- You did not provide httpd.conf(8) so we can't replicate your exact setup.

A key to good free online OpenBSD support is to; "Always provide as much information as possible. Try to pin-point the exact problem. Give clear instructions on how to reproduce the problem. Try to describe the problem with as much accuracy and non-confusing terminology as possible, especially if it is not easy to reproduce." // http://www.openbsd.org/report.html

Continue to fail this and the world will just lead to sadness and despair.

Alexander
whats wrong
Hi,
whats wrong?:

httpd: could not parse macro definition SSL
httpd[21336]: server_tls_init: failed to configure TLS - failed to read private key: Operation not supported by device

Krzysztof Strzeszewski
Re: whats wrong with me?
Krzysztof, dmesg output could also be helpful for people trying to help you out.

Interesting how this applies to so many other contexts in our lives - especially in business and overall management related matters:

"Always provide as much information as possible. Try to pin-point the exact problem. (...) Try to describe the problem with as much accuracy and non-confusing terminology as possible, especially if it is not easy to reproduce."

Many problems become harder because we can't describe them precisely, and usually because we don't understand how things work or should work in the first place. Worse than that: we don't know how "problem solving" works! (and that's critically important in a group effort like the OpenBSD project, right?).

The poor soul's understanding is that providing an error message is enough, without being considerate or aware of the challenges this imposes on the very people that are willing to help him (which sometimes go as far as to aggressively provide clear evidence of his ignorance!) - not in this case, let me be clear!

Yes, let's try to describe our problems precisely, and provide more information to help our helpers...

Btw (just an idea), maybe there could be a script to save the last error messages, run uname -a and save its output, + any other frequently useful info (dmesg? a sanitized copy of traceroute output?)... I know sendbug(1) does something along those lines, but I wonder if it would be feasible to do something similar for "support requests"...?

One of the challenges is that it's hard to separate the demand for OpenBSD specific knowledge and the lack of understanding of "universal computer science concepts" like network protocols for example...? And the corresponding triage of all this in an effective and efficient way.

Anyway, sorry for the ranting, just some thoughts... ("Well, why don't YOU go there and code this suggested tool, and send us the diff?! Easy to just give ideas, huh?!") :-) take it easy guys, just ideas...
On Monday, 30 November 2015, Alexander Salmin <alexan...@salmin.biz> wrote:
> On 2015-11-30 20:52, Krzysztof Strzeszewski wrote:
>
>> Hi,
>> whats wrong?:
>>
>> httpd: could not parse macro definition SSL
>> httpd[21336]: server_tls_init: failed to configure TLS - failed to read
>> private key: Operation not supported by device
>>
>>
>> Krzysztof Strzeszewski
>>
> Hey Krzysztof,
>
> Two reasons why you did not receive much feedback on this.
> - You did not supply OpenBSD version (uname -a) so we can't replicate with
> same version.
> - You did not provide httpd.conf(8) so we can't replicate your exact setup.
>
> A key to good free online OpenBSD support is to; "Always provide as much
> information as possible. Try to pin-point the exact problem. Give clear
> instructions on how to reproduce the problem. Try to describe the problem
> with as much accuracy and non-confusing terminology as possible, especially
> if it is not easy to reproduce." // http://www.openbsd.org/report.html
>
> Continue to fail this and the world will just lead to sadness and despair.
>
> Alexander
whats wrong with my iwi still ieee80211: nwid -50dBm
#dmesg
OpenBSD 4.0 (GENERIC) #1: Mon Mar 19 00:36:34 PHT 2007
[rest of the dmesg hardware listing omitted]
Re: whats wrong with my iwi still ieee80211: nwid -50dBm
On Monday 19 March 2007 6:51:37 am Jay Jesus Amorin wrote:
> iwi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:12:f0:c7:30:a9
>         media: IEEE802.11 autoselect
>         status: no network
>         ieee80211: nwid my_net nwkey 0x1deadbeef1 -50dBm
>         inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>         inet6 fe80::212:f0ff:fec7:30a9%iwi0 prefixlen 64 scopeid 0x2

It's not 'UP' but I doubt that's the problem. I've noticed iwi has trouble after changing nwid and/or nwkey. Rebooting works. This weekend I noticed an access point scan also seems to kick the card into recognizing the changed values.

Try:

ifconfig iwi0 up
ifconfig -M iwi0

-Kurt
Re: Unable to reach server in dmz. Whats wrong?
Abraham Al-Saleh wrote:
> On 1/10/06, Jonas Lindskog [EMAIL PROTECTED] wrote:
>> Hello,
>>
>> We are using OpenBSD 3.8 as a firewall/router. We have two internal nets; one with workstations (NAT) and one DMZ with a single server. And thus we have three network interfaces installed in the router: one for the NAT, one for the DMZ and one for the external net.
>>
>> Our ISP has given us a range of IP addresses (the ones below are obfuscated ;)), which we can't change:
>>
>> Segment: 38.87.5.112 /28
>> net address: 38.87.5.112
>> gateway address: 38.87.5.113
>> firewall: 38.87.5.114
>> free static IPs: 38.87.5.115-126
>> broadcast address: 38.87.5.127
>> netmask: 255.255.255.240
>>
>> I have set up the DMZ with net address 38.87.5.120
>> Gateway: 38.87.5.121
>> Server: 38.87.5.122
>> netmask: 255.255.255.252
>>
>> To ensure that routing worked properly I just entered pass (and nat of course) in the /etc/pf.conf file.
>>
>> I have no trouble connecting to the server at 38.87.5.122 from the internal net where NAT addresses are used, but for some reason I can't connect to the server from the outside. I thought it was a routing problem but when I entered a port redirect from the gateway (38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached the server.
>>
>> I haven't got a clue what's wrong. Can anybody help to explain this or have an idea of a workaround (I don't want the port redirect)?
>>
>> Thanks in advance.
>>
>> /Jonas
>
> It would help if you attached your pf.conf, and relevant configuration files (hostname.if, for example)

ok, finally :) this is how my pf.conf and interfaces look like.

# 1. macros
if_ext=fxp0
if_int=bce0
if_dmz=re0
if_lo=lo0
icmp_types = echoreq
dmz_servers = {38.87.5.122}
services = {22, 8080, 8081}
internal_services ={2401}
reserved= { 0.0.0.0/8, 10.0.0.0/8, 20.0.0.0/24 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
    224.0.0.0/3, 255.255.255.255}

# 2. Tables
# No tables are defined

# 3. Options
# What should we do with blocked traffic? drop or return.
set block-policy return
# we can only gather statistics on one interface at a time
set loginterface $if_ext

# 4. Packet normalization
scrub in all

# 5. Queueing is not done

# 6. Address translation
# The internal network has NAT addresses
nat on $if_ext from $if_int:network to any -> ($if_ext)

# Redirecting ports
# Port redirect to make ftp possible. See manual for OpenBSD
rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# temporary redirects
rdr on $if_ext proto tcp from any to any port 8080 -> 38.87.5.122 port 8080
rdr on $if_ext proto tcp from any to any port 8081 -> 38.87.5.122 port 8081
#rdr on $if_ext proto tcp from any to any port 22 -> 38.87.5.122 port 22

# 7. Filtering
#allow loopback
# Block everything
block all
# macro reference needs the $ (posted as "if_lo", which pfctl rejects)
pass quick on $if_lo all

# Antispoof
antispoof for { $if_lo, $if_ext, $if_int }

# Allow traffic in on our ssh daemon
pass in log quick on $if_ext proto tcp from any to any port 22 flags S/SA keep state

# Allow traffic to and from the internal interface
# are the lines below the same as
# pass quick on $if_int all
pass in on $if_int from $if_int:network to any keep state
pass out on $if_int from any to $if_int:network keep state

# block all traffic from reserved nets to external interface
block in quick on $if_ext from $reserved to any

#allow pinging
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state

# Open ports 8080 and ssh to trusted machines on the dmz
pass in on $if_ext proto tcp from any to any port 8081 keep state
pass in on $if_ext proto tcp from any to any port 8080 keep state

#Allow active ftp
pass in on $if_ext inet proto tcp from port 20 to ($if_ext) \
    user proxy flags S/SA keep state

# Users on the internal network are allowed to initiate external contact
pass out on $if_ext proto tcp all modulate state flags S/SA
pass out on $if_ext proto {udp, icmp} all keep state

# DMZ rules. As default we stop all traffic in to the dmz.
# To open up a service we use port forwarding in the external if
# to the specific server in the dmz
block in on $if_dmz all
pass out on $if_dmz proto tcp from any to any port $services flags S/SA keep state
# macro references below need the $ (posted as "internal_services")
pass out on $if_dmz proto tcp from any to any port $internal_services flags S/SA keep state
pass in quick on $if_dmz proto tcp from $if_int to $dmz_servers port $internal_services keep state
#pf.conf ends here

### interfaces

hostname.fxp0 #external interface
inet 38.87.5.114 255.255.255.240 NONE
# more

hostname.bce0 #internal interface
inet 192.168.97.254 255.255.255.0 NONE
# more

hostname.re0 # dmz
inet 38.87.5.121 255.255.255.252 NONE
Unable to reach server in dmz. Whats wrong?
Hello,

We are using OpenBSD 3.8 as a firewall/router. We have two internal nets; one with workstations (NAT) and one DMZ with a single server. And thus we have three network interfaces installed in the router: one for the NAT, one for the DMZ and one for the external net.

Our ISP has given us a range of IP addresses (the ones below are obfuscated ;)):

Segment: 38.87.5.112 /28
net address: 38.87.5.112
gateway address: 38.87.5.113
firewall: 38.87.5.114
free static IPs: 38.87.5.115-126
broadcast address: 38.87.5.127
netmask: 255.255.255.240

I have set up the DMZ with net address 38.87.5.120
Gateway: 38.87.5.121
Server: 38.87.5.122
netmask: 255.255.255.252

To ensure that routing worked properly I just entered pass (and nat of course) in the /etc/pf.conf file.

I have no trouble connecting to the server at 38.87.5.122 from the internal net where NAT addresses are used, but for some reason I can't connect to the server from the outside. I thought it was a routing problem but when I entered a port redirect from the gateway (38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached the server.

I haven't got a clue what's wrong. Can anybody help to explain this or have an idea of a workaround (I don't want the port redirect)?

Thanks in advance.

/Jonas
Re: Unable to reach server in dmz. Whats wrong?
On 1/10/06, Jonas Lindskog [EMAIL PROTECTED] wrote:
> Hello,
>
> We are using OpenBSD 3.8 as a firewall/router. We have two internal nets; one with workstations (NAT) and one DMZ with a single server. And thus we have three network interfaces installed in the router: one for the NAT, one for the DMZ and one for the external net.
>
> Our ISP has given us a range of IP addresses (the ones below are obfuscated ;)):
>
> Segment: 38.87.5.112 /28
> net address: 38.87.5.112
> gateway address: 38.87.5.113
> firewall: 38.87.5.114
> free static IPs: 38.87.5.115-126
> broadcast address: 38.87.5.127
> netmask: 255.255.255.240
>
> I have set up the DMZ with net address 38.87.5.120
> Gateway: 38.87.5.121
> Server: 38.87.5.122
> netmask: 255.255.255.252
>
> To ensure that routing worked properly I just entered pass (and nat of course) in the /etc/pf.conf file.
>
> I have no trouble connecting to the server at 38.87.5.122 from the internal net where NAT addresses are used, but for some reason I can't connect to the server from the outside. I thought it was a routing problem but when I entered a port redirect from the gateway (38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached the server.
>
> I haven't got a clue what's wrong. Can anybody help to explain this or have an idea of a workaround (I don't want the port redirect)?
>
> Thanks in advance.
>
> /Jonas

It would help if you attached your pf.conf, and relevant configuration files (hostname.if, for example)
Re: Unable to reach server in dmz. Whats wrong?
> Our ISP has given us a range of IP addresses (the ones below are obfuscated ;)):
>
> Segment: 38.87.5.112 /28
> net address: 38.87.5.112
> gateway address: 38.87.5.113
> firewall: 38.87.5.114
> free static IPs: 38.87.5.115-126
> broadcast address: 38.87.5.127
> netmask: 255.255.255.240
>
> I have set up the DMZ with net address 38.87.5.120
> Gateway: 38.87.5.121
> Server: 38.87.5.122
> netmask: 255.255.255.252
>
> To ensure that routing worked properly I just entered pass (and nat of course) in the /etc/pf.conf file.
>
> I have no trouble connecting to the server at 38.87.5.122 from the internal net where NAT addresses are used, but for some reason I can't connect to the server from the outside. I thought it was a routing problem but when I entered a port redirect from the gateway

I suspect it may still be a routing problem. You have a range of 13 available IPs from your ISP, but according to the subnet they are all on the same network.

Unless I've misread something (which happens often) you need to have the ISP split your range into 2 networks* and set the router located at 38.87.5.113 to route the next hop of the second network to your firewall.

* note you will lose a couple of IPs by doing that.

A simple way to test would be to move the 38.87.5.122 machine to the same network as the firewall (so that it's no longer being firewalled) and see if you can get to it.

--Bryan
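To make Bryan's point concrete, the following Python model is an added example (not from the thread): it performs the longest-prefix-match lookup the ISP router at 38.87.5.113 does for a packet addressed to 38.87.5.122, first with only its connected /28 and then with the static route for the DMZ /30 via the firewall that Bryan asks the ISP to add, and it counts the addresses lost if the ISP splits the /28 instead. The routing-table entries are assumptions built from the obfuscated addresses in Jonas's post.

```python
"""Added example, not from the thread: model the routing decision Bryan
describes.  Addresses are the (already obfuscated) ones from Jonas's post."""
import ipaddress

ISP_NET = ipaddress.ip_network("38.87.5.112/28")    # the ISP segment
ISP_ROUTER = ipaddress.ip_address("38.87.5.113")    # gateway the ISP gave
FIREWALL_EXT = ipaddress.ip_address("38.87.5.114")  # fxp0 on the OpenBSD box
DMZ_NET = ipaddress.ip_network("38.87.5.120/30")    # re0 side, carved from the /28
DMZ_SERVER = ipaddress.ip_address("38.87.5.122")


def next_hop(dst, routes):
    """Longest-prefix match over {network: next_hop}.  A next_hop of None
    means 'directly connected': the router ARPs for dst on that wire."""
    best = None
    for net, hop in routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def isp_router_table(with_static_route):
    """Assumed ISP router table: it only knows its connected /28.  Optionally
    add the route Bryan asks the ISP for: the DMZ prefix via the firewall."""
    routes = {ISP_NET: None}
    if with_static_route:
        routes[DMZ_NET] = FIREWALL_EXT
    return routes


def path_to_dmz_server(with_static_route):
    """Where does a packet for .122 go when it reaches the ISP router?"""
    net, hop = next_hop(DMZ_SERVER, isp_router_table(with_static_route))
    if hop is None:
        # .122 falls inside the router's own /28, so it ARPs on the ISP wire
        # and never hands the packet to the firewall: pf never sees it.
        return "direct (ARP on %s, firewall bypassed)" % net
    return "via %s (%s)" % (hop, net)


def split_plan(net, new_prefixlen):
    """Bryan's alternative: have the ISP split the /28 into two networks.
    Returns the subnets and the addresses lost to the extra
    network/broadcast pair ('you will lose a couple of ip's')."""
    subnets = list(net.subnets(new_prefix=new_prefixlen))
    lost = 2 * (len(subnets) - 1)
    return subnets, lost


if __name__ == "__main__":
    print("DMZ inside ISP segment:", DMZ_NET.subnet_of(ISP_NET))
    print("without static route:", path_to_dmz_server(False))
    print("with static route:   ", path_to_dmz_server(True))
    print("split /28 into /29s: ", split_plan(ISP_NET, 29))
```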