Re: benchmarks
On Apr 17 22:07:13, Rodrigo Mosconi wrote:
> Hi all,
>
> I'm interested on some benchmarks, specially with network/PF.
>
> For example:
>
> What's the maximum bandwidth that a soekris (or alix) can handle safely as a
> firewall? (with and without ipsec, how long the rule set are)
>
> Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge
> mode. Peter, how much traffic your new firewall handle?
>
> On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall
> can handle?
>
> These are some questions.
>
> Some of these information can help me to advocate OpenBSD based solution at
> work, starting with firewall. Just as comment, some linuxes (argh) fw can't
> handle as much as 100Mbps on Dells (R200 or R400).

I always save my money in the bank with the fastest safeboxes.
Re: benchmarks
On 18/04/2011, at 1:07 PM, Rodrigo Mosconi wrote:

> Hi all,
>
> I'm interested on some benchmarks, specially with network/PF.
>

On the general performance: http://www.openbsd.org/faq/pf/perf.html

> For example:
>
> What's the maximum bandwidth that a soekris (or alix) can handle safely as a
> firewall? (with and without ipsec, how long the rule set are)

Why limit yourself to (low-end) machines? Budget constraints? Space constraints? Or it might be cool to play with these devices? (I thought so too, but in the end easier to whack in an old Dell Optiplex - as is often recommended on this list.)

>
> Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge
> mode. Peter, how much traffic your new firewall handle?
>
> On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall
> can handle?

Which goes fastest? Ford or Holden? What NICs are in those machines?

>
> These are some questions.

What does "traffic" mean? Is your traffic the same as mine?

>
> Some of these information can help me to advocate OpenBSD based solution at
> work, starting with firewall. Just as comment, some linuxes (argh) fw can't
> handle as much as 100Mbps on Dells (R200 or R400).
>

pf is fast enough for me at my work. It might not be fast enough for you at your work. What are your requirements?

> Thanks for any comments,
>

Probably not what you were after, but that's the repeated advice I see around here - only YOU can answer this question.

And don't forget to read this (and buy the book) http://home.nuug.no/~peter/pf/en/

> Mosconi
benchmarks
Hi all,

I'm interested on some benchmarks, specially with network/PF.

For example:

What's the maximum bandwidth that a soekris (or alix) can handle safely as a firewall? (with and without ipsec, how long the rule set are)

Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge mode. Peter, how much traffic your new firewall handle?

On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall can handle?

These are some questions.

Some of these information can help me to advocate OpenBSD based solution at work, starting with firewall. Just as comment, some linuxes (argh) fw can't handle as much as 100Mbps on Dells (R200 or R400).

Thanks for any comments,

Mosconi
Userland ppp stopped working between Mar24 and Apr8
After some experimenting, I've discovered that userland ppp stopped working normally at some point between the March 24th and April 8th snapshots.

I've been using the same ppp.{conf,linkup,linkdown} files for 6 months now with 4.8-stable without any problems. This weekend I decided to change firewall hardware and use -current, and the same configuration fails. It's not the hardware: 4.8-stable and snapshots up to Mar. 24th work just fine. The next snap I have in my collection is Apr. 8th, and everything since then including Apr. 17th, fails.

Replication is simple:
- clean install, not an upgrade. No customizing/tweaking anything.
- copy my known-good ppp.* files over
- "up" the interface my DSL modem is on
- adjust syslog.conf to allow ppp logging to /var/log/ppp.log
# ppp -ddial mlppp (config file below; normally this done from rc.local)
- with anything <= Mar 24th, the connection works straight away
- with anything >= Apr. 8th, the ppp process loops continuously trying to establish the connection

Looking at the log, the old version shows "LCP: 2: RecvConfigReq", after which my MRU drops from 1500 to 1492, and the connection ultimately succeeds. The new version only shows "LCP: 2: SendConfigReq" and the redial process loops until manually stopped.

Does anyone have any idea if my config needs adjusting, or have I found a bug? The only variable is the version of -current I use, and the ppp(8) man page is the same. Nothing to indicate that my config needs adjusting.

I'm not sure if the following log snippets show the proper information, so I'll wait for requests for full logs instead of spamming the list with a hugely long post.

Thanks,
- Scott

Log snippet from successful connection:

Apr 17 21:09:22 fw0 ppp[30518]: tun0: Chat: 2: Reconnect try 2 of 3
Apr 17 21:09:25 fw0 ppp[30518]: tun0: Chat: 2: Redial timer expired.
Apr 17 21:09:25 fw0 ppp[30518]: tun0: Warning: Carrier settings ignored
Apr 17 21:09:25 fw0 ppp[30518]: tun0: Phase: 2: Connected!
Apr 17 21:09:25 fw0 ppp[30518]: tun0: Phase: 2: opening -> dial
Apr 17 21:09:25 fw0 ppp[30518]: tun0: Phase: 2: dial -> carrier
Apr 17 21:09:25 fw0 ppp[30518]: tun0: Phase: 2: carrier -> login
Apr 17 21:09:25 fw0 ppp[30518]: tun0: Phase: 2: login -> lcp
Apr 17 21:09:25 fw0 ppp[30518]: tun0: LCP: FSM: Using "2" as a transport
Apr 17 21:09:25 fw0 ppp[30518]: tun0: LCP: 2: State change Initial --> Closed
Apr 17 21:09:25 fw0 ppp[30518]: tun0: LCP: 2: State change Closed --> Stopped
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: LayerStart
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: SendConfigReq(6) state = Stopped
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MRU[4] 1500
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MAGICNUM[6] 0x48a3693d
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MRRU[4] 1485
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: SHORTSEQ[2]
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: State change Stopped --> Req-Sent
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: RecvConfigReq(138) state = Req-Sent
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MRU[4] 1492
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: AUTHPROTO[4] 0xc023 (PAP)
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MAGICNUM[6] 0x4a64ebd8
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: SendConfigAck(138) state = Req-Sent
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MRU[4] 1492
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: AUTHPROTO[4] 0xc023 (PAP)
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MAGICNUM[6] 0x4a64ebd8
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: State change Req-Sent --> Ack-Sent
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: RecvConfigRej(6) state = Ack-Sent
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MRRU[4] 1485
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: SHORTSEQ[2]
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: SendConfigReq(7) state = Ack-Sent

Log snippet from unsuccessful connection:

Apr 17 21:07:29 hellgate ppp[30239]: tun0: Chat: 2: Reconnect try 2 of 3
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Chat: 1: Redial timer expired.
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Chat: 2: Redial timer expired.
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Warning: Carrier settings ignored
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Phase: 1: Connected!
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Phase: 1: opening -> dial
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Phase: 1: dial -> carrier
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Phase: 1: carrier -> login
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Phase: 1: login -> lcp
Apr 17 21:07:32 hellgate ppp[30239]: tun0: LCP: FSM: Using "1" as a transport
Apr 17 21:07:32 hellgate ppp[30239]: tun0: LCP: 1: State change Initial --> Closed
Apr 17 21:07:32 hellgate ppp[30239]: tun0: LCP: 1: State change Closed --> Stopped
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Warning: Carrier settings ignored
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Phase: 2: Connected!
Apr 17 21:07:32 hellgate ppp[30239]: tun0: Phase: 2: openi
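The difference described in the post above (the working snapshot logs RecvConfigReq, the failing one only SendConfigReq) can be checked across a whole /var/log/ppp.log rather than by eye. The Python below is an added example, not part of the original post and not code from ppp(8); the function names and verdict labels are assumptions. The first sample is taken from the post's successful log, the second is constructed, because the failing log in the post is cut off before its LCP packets.

```python
import re
from collections import defaultdict

# LCP packet line from userland ppp(8), e.g.
#   "... ppp[30518]: tun0: LCP: 2: RecvConfigReq(138) state = Req-Sent"
PACKET = re.compile(
    r"ppp\[(?P<pid>\d+)\]: \S+: LCP: (?P<link>[^:\s]+): "
    r"(?P<dir>Send|Recv)(?P<code>Config(?:Req|Ack|Nak|Rej))\(\d+\)")
# Option line that follows a packet line, e.g. "... tun0: LCP: MRU[4] 1492"
OPTION = re.compile(
    r"ppp\[(?P<pid>\d+)\]: \S+: LCP:\s+(?P<opt>[A-Z]+)\[\d+\]\s*(?P<val>.*)$")


def summarise_lcp(lines):
    """Per (pid, link): Configure-* counts by direction, plus peer-requested options."""
    links = defaultdict(lambda: {"Send": defaultdict(int),
                                 "Recv": defaultdict(int),
                                 "peer_options": {}})
    last = {}  # pid -> (link key, direction, code) of the latest packet line
    for line in lines:
        m = PACKET.search(line)
        if m:
            key = (m["pid"], m["link"])
            links[key][m["dir"]][m["code"]] += 1
            last[m["pid"]] = (key, m["dir"], m["code"])
            continue
        m = OPTION.search(line)
        # Only options listed under a ConfigReq received from the peer are kept.
        if m and m["pid"] in last and last[m["pid"]][1:] == ("Recv", "ConfigReq"):
            links[last[m["pid"]][0]]["peer_options"][m["opt"]] = m["val"].strip()
    return links


def diagnose(entry):
    """Classify one link's negotiation from its packet counts."""
    if entry["Send"]["ConfigReq"] and not sum(entry["Recv"].values()):
        return "peer-silent"      # requests go out, nothing ever comes back
    if entry["Recv"]["ConfigReq"] and entry["Send"]["ConfigAck"]:
        return "negotiating"      # peer's request was seen and acknowledged
    return "inconclusive"


def report(lines):
    """Map each (pid, link) found in the log to its verdict."""
    return {key: diagnose(entry) for key, entry in summarise_lcp(lines).items()}


# Lines copied from the successful snippet in the post.
GOOD_LOG = """\
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: SendConfigReq(6) state = Stopped
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MRU[4] 1500
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: State change Stopped --> Req-Sent
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: RecvConfigReq(138) state = Req-Sent
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MRU[4] 1492
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: AUTHPROTO[4] 0xc023 (PAP)
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: SendConfigAck(138) state = Req-Sent
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MRU[4] 1492
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: RecvConfigRej(6) state = Ack-Sent
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: MRRU[4] 1485
Apr 17 21:09:26 fw0 ppp[30518]: tun0: LCP: 2: SendConfigReq(7) state = Ack-Sent
""".splitlines()

# Constructed sample of the failing pattern the post describes (SendConfigReq only).
BAD_LOG = """\
Apr 17 21:07:33 hellgate ppp[30239]: tun0: LCP: 2: SendConfigReq(1) state = Stopped
Apr 17 21:07:33 hellgate ppp[30239]: tun0: LCP: MRU[4] 1500
Apr 17 21:07:36 hellgate ppp[30239]: tun0: LCP: 2: SendConfigReq(1) state = Req-Sent
Apr 17 21:07:39 hellgate ppp[30239]: tun0: LCP: 2: SendConfigReq(1) state = Req-Sent
""".splitlines()

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(name, report(log))
```

A "peer-silent" verdict only says that no LCP reply was logged for that link; it does not say whether the requests left the machine.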
Re: pf rules
2011/4/17, gdrm :

table persist file "/etc/terlarang"
block in quick on re0 from

in /etc/terlarang

10.0.0.0/8
192.168.0.0/16
xxx.xxx.xxx.xxx

Muhammad Muntaza bin Hatta -- Indonesia
http://muntaza.wordpress.com
Re: pf ftp-proxy forward AND reverse (Help?)
Hi!

I just wanted to share that alternative to ftp-proxy clients which connect from external network to internal ftp server is just letting appropriate packets thru i.e. without doing application level proxying. For example like this where 10.0.21.254 is ftp server's external address and 192.168.111.162 is its internal address

# control channel and passive clients get in
pass in quick on $if_ext inet proto tcp from any \
    to 10.0.21.254 port { 21, 2:5 } tag TO_INT \
    rdr-to 192.168.111.162

# server gets out for active clients
pass in on $if_int inet proto tcp from 192.168.111.162 port 20 \
    to any tag FROM_INT_FTP

# companion rules for tagged packets
pass out quick on $if_int inet tagged TO_INT
pass out quick on $if_ext inet tagged FROM_INT_FTP \
    nat-to 10.0.21.254 port 20

This setup assumes that ftp server cooperates, for example with vsftpd is needed to use these directives

...
connect_from_port_20=YES
pasv_min_port=2
pasv_max_port=5
pasv_address=10.0.21.254

As always, it's up to the user to decide which solution fits better, with above described setup the gain is that you get into ftp server logs clients' ip addresses; on the other hand opening up 20k-50k ports might not be a good idea, and with ftp-proxy OpenBSD has more control over ftp sessions.

Imre

PS You could follow what ftp-proxy anchors contain with

# pfctl -a ftp-proxy -sA
..
# pfctl -a ftp-proxy/xxx.yyy -sr

PPS You must make sure that port 21/tcp states live long enough or your clients may get funny hang-ups.

On 04/12/11 01:31, Steven R. Gerber wrote:

Hi folks.

I cannot get reverse? ftp to work from my wireless to my LAN. I seem to have no trouble going from the LAN to the internet. Any thoughts?

Thanks,
Steven

* pf.conf:

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy

# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021

* $ cat /etc/rc.conf.local

ntpd_flags="-s" # enabled during install
#
# set these to "NO" to turn them off. otherwise, they're used as flags
#named_flags="-d 3" # for normal use: ""
named_flags="" # for normal use: ""
#dhcpd_flags="" # for normal use: ""
# ISC dhcpd will be invoked via rc.local!!!
#
# set the following to "YES" to turn them on
pf=YES # Packet filter / NAT
ftpproxy_flags="" # for normal use: ""
ftpproxy_flags2="-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1" # for normal use: ""
#
# miscellaneous other flags
# only used if the appropriate server is marked YES above
pflogd_flags= # add more flags, ie. "-s 256"

* rc.local:

# Start ftp-proxy #2
if [ X"${ftpproxy_flags2}" != X"NO" ]; then
    echo -n ' ftp-proxy'; /usr/sbin/ftp-proxy ${ftpproxy_flags2}
fi

*
Re: certs validation in xxxterm
On Sun, Apr 17, 2011 at 11:21 AM, Marco Peereboom wrote:
> On Sun, Apr 17, 2011 at 11:18:00AM +0200, Tomas Bodzar wrote:
>> On Sun, Apr 17, 2011 at 11:04 AM, Marco Peereboom wrote:
>> > Not correct.
>> >
>> > On openbsd use "ssl_ca_file = /etc/ssl/cert.pem" per the example in the
>> > config file.  The ~/.xxxterm/certs/ directory is where certs are saved
>> > to when prompted by the user.
>>
>> Then question is why if it's set "my way" it shows in address bar blue
>
> Because you saved it.  Not because you point to that directory.

yep, it's in man. sorry

>
>> color for correct certs and yellow when untrusted because man says
>> that it must be green. But will try correct way if color will be
>> green.
>
> It will be if the cert is trusted.

corrected and now it points to .pem files. Anyway all are yellow now
including mail.google.com I thought that gmail has certs in fine state

>
>>
>> >
>> > On Sun, Apr 17, 2011 at 08:05:42AM +0200, Tomas Bodzar wrote:
>> >> On Sun, Apr 17, 2011 at 7:39 AM, Tomas Bodzar wrote:
>> >> > Hi all,
>> >> >
>> >> > as stated in man page for xxxterm:
>> >> >
>> >> > ssl_ca_file    If set to a valid PEM file all server
>> >> >                certificates will be validated against
>> >> >                it.  The URL bar will be colored green
>> >> >                when the certificate is trusted and
>> >> >                yellow when untrusted.
>> >> >
>> >> >                If ssl_ca_file is not set then the URL
>> >> >                bar will color all HTTPS connections
>> >> >                red.
>> >> >
>> >> >
>> >> > it looks like it's able to authenticate only against PEM file, but
>> >> > certs are stored as ASCII text in .xxxterm/certs so what's the correct
>> >> > setting for that?
>> >>
>> >> yep
>> >>
>> >> ssl_ca_file = /home/username/.xxxterm/certs/
>> >>
>> >> is all you need. Just not proper wording in man page.
Re: certs validation in xxxterm
On Sun, Apr 17, 2011 at 11:04 AM, Marco Peereboom wrote:
> Not correct.
>
> On openbsd use "ssl_ca_file = /etc/ssl/cert.pem" per the example in the
> config file.  The ~/.xxxterm/certs/ directory is where certs are saved
> to when prompted by the user.

Then question is why if it's set "my way" it shows in address bar blue
color for correct certs and yellow when untrusted because man says
that it must be green. But will try correct way if color will be
green.

>
> On Sun, Apr 17, 2011 at 08:05:42AM +0200, Tomas Bodzar wrote:
>> On Sun, Apr 17, 2011 at 7:39 AM, Tomas Bodzar wrote:
>> > Hi all,
>> >
>> > as stated in man page for xxxterm:
>> >
>> > ssl_ca_file    If set to a valid PEM file all server
>> >                certificates will be validated against
>> >                it.  The URL bar will be colored green
>> >                when the certificate is trusted and
>> >                yellow when untrusted.
>> >
>> >                If ssl_ca_file is not set then the URL
>> >                bar will color all HTTPS connections
>> >                red.
>> >
>> >
>> > it looks like it's able to authenticate only against PEM file, but
>> > certs are stored as ASCII text in .xxxterm/certs so what's the correct
>> > setting for that?
>>
>> yep
>>
>> ssl_ca_file = /home/username/.xxxterm/certs/
>>
>> is all you need. Just not proper wording in man page.
Re: certs validation in xxxterm
On Sun, Apr 17, 2011 at 11:41:33AM +0200, Tomas Bodzar wrote:
> >> color for correct certs and yellow when untrusted because man says
> >> that it must be green. But will try correct way if color will be
> >> green.
> >
> > It will be if the cert is trusted.
>
> corrected and now it points to .pem files. Anyway all are yellow now
> including mail.google.com I thought that gmail has certs in fine state

I surfed over there and it showed up green. You might want to get the
latest pem from cvs.
Re: certs validation in xxxterm
On Sun, Apr 17, 2011 at 11:18:00AM +0200, Tomas Bodzar wrote:
> On Sun, Apr 17, 2011 at 11:04 AM, Marco Peereboom wrote:
> > Not correct.
> >
> > On openbsd use "ssl_ca_file = /etc/ssl/cert.pem" per the example in the
> > config file.  The ~/.xxxterm/certs/ directory is where certs are saved
> > to when prompted by the user.
>
> Then question is why if it's set "my way" it shows in address bar blue

Because you saved it. Not because you point to that directory.

> color for correct certs and yellow when untrusted because man says
> that it must be green. But will try correct way if color will be
> green.

It will be if the cert is trusted.

> >
> > On Sun, Apr 17, 2011 at 08:05:42AM +0200, Tomas Bodzar wrote:
> >> On Sun, Apr 17, 2011 at 7:39 AM, Tomas Bodzar wrote:
> >> > Hi all,
> >> >
> >> > as stated in man page for xxxterm:
> >> >
> >> > ssl_ca_file    If set to a valid PEM file all server
> >> >                certificates will be validated against
> >> >                it.  The URL bar will be colored green
> >> >                when the certificate is trusted and
> >> >                yellow when untrusted.
> >> >
> >> >                If ssl_ca_file is not set then the URL
> >> >                bar will color all HTTPS connections
> >> >                red.
> >> >
> >> >
> >> > it looks like it's able to authenticate only against PEM file, but
> >> > certs are stored as ASCII text in .xxxterm/certs so what's the correct
> >> > setting for that?
> >>
> >> yep
> >>
> >> ssl_ca_file = /home/username/.xxxterm/certs/
> >>
> >> is all you need. Just not proper wording in man page.
Re: certs validation in xxxterm
Not correct.

On openbsd use "ssl_ca_file = /etc/ssl/cert.pem" per the example in the
config file. The ~/.xxxterm/certs/ directory is where certs are saved
to when prompted by the user.

On Sun, Apr 17, 2011 at 08:05:42AM +0200, Tomas Bodzar wrote:
> On Sun, Apr 17, 2011 at 7:39 AM, Tomas Bodzar wrote:
> > Hi all,
> >
> > as stated in man page for xxxterm:
> >
> > ssl_ca_file    If set to a valid PEM file all server
> >                certificates will be validated against
> >                it.  The URL bar will be colored green
> >                when the certificate is trusted and
> >                yellow when untrusted.
> >
> >                If ssl_ca_file is not set then the URL
> >                bar will color all HTTPS connections
> >                red.
> >
> >
> > it looks like it's able to authenticate only against PEM file, but
> > certs are stored as ASCII text in .xxxterm/certs so what's the correct
> > setting for that?
>
> yep
>
> ssl_ca_file = /home/username/.xxxterm/certs/
>
> is all you need. Just not proper wording in man page.
Re: certs validation in xxxterm
On Sun, Apr 17, 2011 at 7:39 AM, Tomas Bodzar wrote:
> Hi all,
>
> as stated in man page for xxxterm:
>
> ssl_ca_file    If set to a valid PEM file all server
>                certificates will be validated against
>                it.  The URL bar will be colored green
>                when the certificate is trusted and
>                yellow when untrusted.
>
>                If ssl_ca_file is not set then the URL
>                bar will color all HTTPS connections
>                red.
>
>
> it looks like it's able to authenticate only against PEM file, but
> certs are stored as ASCII text in .xxxterm/certs so what's the correct
> setting for that?

yep

ssl_ca_file = /home/username/.xxxterm/certs/

is all you need. Just not proper wording in man page.