Re: OpenBSD 5.7 httpd tls intermediate/chain certificate problem
On 14.05.2015 15:02, Joel Sing wrote:
> On Thursday 14 May 2015, Michal Lesniewski wrote:
>> Hello,
>>
>> I'm trying to configure OpenBSD 5.7 httpd with tls with an intermediate/chain
>> certificate, without success.
>>
>> my httpd.conf:
>>
>> server "default" {
>>         listen on 10.11.0.200 tls port 443
>>         tls {
>>                 certificate "/etc/ssl/server-unified.pem"
>>                 key "/etc/ssl/private/server.key"
>>         }
>>         root "/htdocs/default"
>> }
>>
>> types {
>>         include "/usr/share/misc/mime.types"
>> }
>>
>> My certificate is an intermediate/chain certificate. That means I need to
>> supply the next-level certificate that sits between my certificate and the CA.
>> I made that chain certificate by concatenating the PEM format files with the
>> corresponding certs (all certs Signature Algorithm: sha256WithRSAEncryption):
>>
>> cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem
>>
>> server-unified.pem looks like:
>>
>> -----BEGIN CERTIFICATE-----
>> (Primary SSL certificate: server.pem)
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> (Intermediate certificate: sub.class2.server.ca.pem)
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> (Root certificate: ca-sha2.pem)
>> -----END CERTIFICATE-----
>>
>> Certificate and key installed in default locations:
>>
>> # ls -alh /etc/ssl/private/server.key
>> -r--------  1 root  wheel   6.2K May 13 19:40 /etc/ssl/private/server.key
>> # ls -alh /etc/ssl/server.pem
>> -rw-r--r--  1 root  wheel   3.3K May 13 19:41 /etc/ssl/server.pem
>> # ls -alh /etc/ssl/server-unified.pem
>> -rw-r--r--  1 root  wheel   8.0K May 14 13:53 /etc/ssl/server-unified.pem
>>
>> I try to test using openssl s_client:
>>
>> michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
>> CONNECTED(00000003)
>> GET / HTTP/1.0
>>
>> httpd log:
>>
>> # httpd -dvv
>> startup
>> server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
>> server_tls_load_keypair: using private key /etc/ssl/private/server.key
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> server_privinit: adding server default
>> server_privinit: adding server default
>> socket_rlimit: max open files 1024
>> server_launch: running server default
>> server_launch: running server default
>> server_launch: running server default
>>
>> there is no server_tls_init
>>
>> nothing appears when the openssl s_client command is started
>
> This smells very much like the same problem that has been mentioned on the
> list earlier - with a 6KB private key and an 8KB bundle, you're almost
> certainly hitting the 16K limit for a single imsg. Unfortunately there were
> missing return value checks which means that this fails silently. If you can
> try httpd from -current you will likely see an error instead of a silent
> failure. Otherwise you can try removing one of the certificates from the
> bundle in order to reduce the size and see if it then reports server_tls_init
> and starts working.

tested on -current:

# httpd -dv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
config_setserver: failed to compose IMSG_CFG_SERVER imsg for `default': Result too large
fatal: send server: Result too large
socket_rlimit: max open files 1024
logger exiting, pid 4965
socket_rlimit: max open files 1024
server exiting, pid 10727
server exiting, pid 32594
server exiting, pid 5337

The above situation occurs when I have server cert + intermediate + CA, and also
with only server cert + intermediate in server-chain.pem. httpd starts only when
I supply only my server cert to it.

Is there any solution to run httpd with such a big private key?
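The two things the thread turns on are whether the concatenated bundle is in the right order (leaf first, each certificate issued by the next) and whether cert + key still fit in a single imsg. The following is an added example, not code from the thread or from OpenBSD httpd, that checks both before httpd is started. It walks just enough DER to pull issuer and subject out of each certificate (no crypto library needed), reports whether a self-signed root is in the bundle (the client already holds the root, so it is dead weight here), and computes the payload against the 16384-byte MAX_IMSGSIZE and 16-byte imsg header from OpenBSD's imsg.h; the `fixed_overhead` figure for the struct and other fields that travel with the key material is an assumption passed in by the caller, and the test certificates are constructed in the block with no real keys or signatures.

```python
# Pre-flight checks for an httpd(8) TLS keypair: chain order and the imsg size budget.
import base64
import re

# From OpenBSD's imsg.h: one message, header included, may not exceed MAX_IMSGSIZE;
# imsg_composev() refuses a larger one with ERANGE ("Result too large").
MAX_IMSGSIZE = 16384
IMSG_HEADER_SIZE = 16
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_bundle(pem_text):
    """DER bytes of every certificate in a concatenated PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_CERT.finditer(pem_text)]

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def _children(buf, start, end):
    """Yield (tag, element_start, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve

def cert_names(der):
    """(issuer, subject) of an X.509 certificate as raw DER Name TLVs."""
    _, cs, _ = _tlv(der, 0)                        # Certificate ::= SEQUENCE
    _, ts, te = _tlv(der, cs)                      # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # then serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (_, i_s, _, i_e), (_, s_s, _, s_e) = fields[2], fields[4]
    return der[i_s:i_e], der[s_s:s_e]

def common_name(name_der):
    """CN attribute (OID 2.5.4.3) of a DER Name, for readable messages."""
    _, ns, ne = _tlv(name_der, 0)
    for _, _, ss, se in _children(name_der, ns, ne):              # each RDN SET
        for _, _, as_, ae in _children(name_der, ss, se):         # each AttributeTypeAndValue
            (_, _, os_, oe), (_, _, vs, ve) = _children(name_der, as_, ae)
            if name_der[os_:oe] == b"\x55\x04\x03":
                return name_der[vs:ve].decode("utf-8", "replace")
    return "<no CN>"

def check_chain(ders):
    """Leaf first, each issuer equal to the next subject; returns problems (empty == OK)."""
    names = [cert_names(d) for d in ders]
    return ["cert %d (%s) is not issued by cert %d (%s)" % (i, common_name(names[i][1]), i + 1, common_name(names[i + 1][1]))
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

def includes_root(ders):
    """True if the last cert is self-signed: clients hold the root already, so it can be dropped."""
    issuer, subject = cert_names(ders[-1])
    return issuer == subject

def imsg_budget(cert_bytes, key_bytes, fixed_overhead):
    """(payload bytes, fits) for cert + key in one IMSG_CFG_SERVER imsg; fixed_overhead is an
    assumed figure for the struct and other fields that ride along with them."""
    total = fixed_overhead + len(cert_bytes) + len(key_bytes)
    return total, total + IMSG_HEADER_SIZE <= MAX_IMSGSIZE

# Constructed test material: X.509-shaped DER with only the fields cert_names() walks,
# unsigned and with a zero-filled fake key (not real certificates).
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def make_test_cert(subject_cn, issuer_cn, key_bytes=256):
    def name(cn):   # Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }
        return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
    alg = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg
               + name(issuer_cn) + _enc(0x30, _enc(0x17, b"150101000000Z") * 2)
               + name(subject_cn) + _enc(0x30, alg + _enc(0x03, bytes(key_bytes + 1))))
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

if __name__ == "__main__":
    # stand-ins for the thread's server.pem + sub.class2.server.ca.pem + ca-sha2.pem
    bundle = "".join(to_pem(c) for c in (make_test_cert("www.example.test", "Intermediate CA"),
                                          make_test_cert("Intermediate CA", "Root CA"),
                                          make_test_cert("Root CA", "Root CA")))
    ders = split_bundle(bundle)
    print("chain problems:", check_chain(ders) or "none", "| root in bundle:", includes_root(ders))
    total, fits = imsg_budget(bundle.encode(), b"-" * 6200, fixed_overhead=4096)  # 6.2K key, assumed overhead
    print("payload %d bytes, fits in one imsg: %s" % (total, fits))
```

On the host itself the same ordering check is `openssl x509 -noout -subject -issuer` run over each certificate in the bundle; the script's value is that it also catches the case the thread hit, where the files are individually fine but too large to travel together in one message.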
OpenBSD 5.7 httpd tls intermediate/chain certificate problem
---
No client certificate CA names sent
---
SSL handshake has read 4020 bytes and written 511 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 8192 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 763361AC6825A838E0FE8782F8FE20DF048536FECC20530E16003132C5BEDB66
    Session-ID-ctx:
    Master-Key: 39DCA8F06FE62896A75D1D4B8C961D5FB4E5B50238A59C7AB21DB33C63723AFF0C93D099064D37419FD385B7EEC1573C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - aa 00 6c 87 f7 97 38 fa-ee 44 db 0f 35 44 eb b6   ..l...8..D..5D..
    0010 - d6 51 6d bb 20 5a b4 d1-9d 09 59 69 4b a8 84 dd   .Qm. Z....YiK...
    0020 - fb 0b 56 ca 16 be 77 ed-f5 14 85 69 f8 f1 a2 a2   ..V...w....i....
    0030 - 93 d3 a0 85 46 d4 f5 1e-75 40 26 ad aa 1e fc 4d   ....F...u@&....M
    0040 - 55 78 bc 1b cb fc 27 64-f1 12 82 e1 02 49 d7 61   Ux....'d.....I.a
    0050 - 12 9d 13 9a d5 b8 97 84-e3 ed 09 96 ba e5 1c 14   ................
    0060 - dd 6f 84 d7 ee 71 5c 07-4c cc c8 3a 33 f1 c4 c4   .o...q\.L..:3...
    0070 - ae fe ba bc 9d d5 86 a2-11 04 fd ec 2f ff 55 89   ............/.U.
    0080 - b6 c2 97 5d a1 53 34 07-c5 2c 51 12 8a 7a 84 1f   ...].S4..,Q..z..
    0090 - 2e 4c 83 54 e9 a0 f4 ab-6c bf 6a 75 f4 96 5e 8c   .L.T....l.ju..^.
    00a0 - da 3f 47 b7 d9 87 f7 0d-39 54 e6 90 11 ac a8 e3   .?G.....9T......
    00b0 - c1 39 b7 4a b9 5c 64 71-dc 83 99 d2 c9 07 cf eb   .9.J.\dq........

    Start Time: 1431605259
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
GET / HTTP/1.0

HTTP/1.0 200 OK
Connection: close
Content-Length: 7
Content-Type: text/html
Date: Thu, 14 May 2015 12:07:50 GMT
Last-Modified: Wed, 13 May 2015 17:29:26 GMT
Server: OpenBSD httpd

devcat
read:errno=0

Unfortunately I did not find an answer in the mailing list / google.

BTW. I have the same situation with httpd in OpenBSD 5.6 stable (there is only a
change in the config file: ssl [5.6] -> tls [5.7]).

Any ideas on what I'm doing wrong?
How to start a TLS server with a chain/intermediate certificate?

Thanks for your help!

Best Regards,
Michal Lesniewski
Re: OpenBSD 5.7 httpd tls intermediate/chain certificate problem
On 14.05.2015 14:43, Abel Abraham Camarillo Ojeda wrote:
> On Thu, May 14, 2015 at 7:35 AM, Michal Lesniewski <open...@michal.wildnet.pl> wrote:
>> Hello,
>>
>> I'm trying to configure OpenBSD 5.7 httpd with tls with an intermediate/chain
>> certificate, without success.
>>
>> my httpd.conf:
>>
>> server "default" {
>>         listen on 10.11.0.200 tls port 443
>>         tls {
>>                 certificate "/etc/ssl/server-unified.pem"
>>                 key "/etc/ssl/private/server.key"
>>         }
>
> I think this should be
>
>         tls certificate "/etc/ssl/server-unified.pem"
>         tls key "/etc/ssl/private/server.key"

the same situation

>>         root "/htdocs/default"
>> }
>>
>> types {
>>         include "/usr/share/misc/mime.types"
>> }
>>
>> My certificate is an intermediate/chain certificate. That means I need to
>> supply the next-level certificate that sits between my certificate and the CA.
>> I made that chain certificate by concatenating the PEM format files with the
>> corresponding certs (all certs Signature Algorithm: sha256WithRSAEncryption):
>>
>> cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem
>>
>> server-unified.pem looks like:
>>
>> -----BEGIN CERTIFICATE-----
>> (Primary SSL certificate: server.pem)
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> (Intermediate certificate: sub.class2.server.ca.pem)
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> (Root certificate: ca-sha2.pem)
>> -----END CERTIFICATE-----
>>
>> Certificate and key installed in default locations:
>>
>> # ls -alh /etc/ssl/private/server.key
>> -r--------  1 root  wheel   6.2K May 13 19:40 /etc/ssl/private/server.key
>> # ls -alh /etc/ssl/server.pem
>> -rw-r--r--  1 root  wheel   3.3K May 13 19:41 /etc/ssl/server.pem
>> # ls -alh /etc/ssl/server-unified.pem
>> -rw-r--r--  1 root  wheel   8.0K May 14 13:53 /etc/ssl/server-unified.pem
>>
>> I try to test using openssl s_client:
>>
>> michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
>> CONNECTED(00000003)
>> GET / HTTP/1.0
>>
>> httpd log:
>>
>> # httpd -dvv
>> startup
>> server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
>> server_tls_load_keypair: using private key /etc/ssl/private/server.key
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> server_privinit: adding server default
>> server_privinit: adding server default
>> socket_rlimit: max open files 1024
>> server_launch: running server default
>> server_launch: running server default
>> server_launch: running server default
>>
>> there is no server_tls_init
>>
>> nothing appears when the openssl s_client command is started
>>
>> ^Clogger exiting, pid 20328
>> server exiting, pid 17109
>> server exiting, pid 6140
>> server exiting, pid 16603
>> parent terminating, pid 11859
>>
>> I tested combinations with the unified certificate like:
>>
>> cat server.pem sub.class2.server.ca.pem > /etc/ssl/server-unified.pem
>> cat ca-sha2.pem sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
>> cat sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
>>
>> but the situation is always as described above.
>>
>> When I try to change in the config file tls certificate to:
>>
>> tls certificate "/etc/ssl/server.pem"
>>
>> where server.pem is the PEM format file certificate from my CA (there is no
>> entire SSL certificate trust chain) and start httpd:
>>
>> # httpd -dvv
>> startup
>> server_tls_load_keypair: using certificate /etc/ssl/server.pem
>> server_tls_load_keypair: using private key /etc/ssl/private/server.key
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> server_privinit: adding server default
>> server_privinit: adding server default
>> socket_rlimit: max open files 1024
>> server_launch: running server default
>> server_launch: running server default
>> server_tls_init: setting up TLS for default
>> server_launch: running server default
>> server_tls_init: setting up TLS for default
>> server_tls_init: setting up TLS for default
>> server_launch: running server default
>> server_launch: running server default
>> server_launch: running server default
>> default 10.11.0.100 - - [14/May/2015:14:07:50 +0200] "GET / HTTP/1.0" 200 7
>> server default, client 1 (1 active), 10.11.0.100:52805 -> 10.11.0.200:443, done
>> ^Clogger exiting, pid 5930
>> server exiting, pid 19884
>> server exiting, pid 26372
>> server exiting, pid 14384
>> parent terminating, pid 22451
>>
>> I try to test using openssl s_client like before:
>>
>> michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
>> CONNECTED(00000003)
>> depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
>>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>> ---
>> Server certificate
>> -----BEGIN
Re: OpenBSD 5.7 httpd tls intermediate/chain certificate problem
On 14.05.2015 16:01, Joel Sing wrote:
> On Thursday 14 May 2015, Michal Lesniewski wrote:
>> On 14.05.2015 15:02, Joel Sing wrote:
>>> On Thursday 14 May 2015, Michal Lesniewski wrote:
>>>> Hello,
>>>>
>>>> I'm trying to configure OpenBSD 5.7 httpd with tls with an
>>>> intermediate/chain certificate, without success.
>>>>
>>>> my httpd.conf:
>>>>
>>>> server "default" {
>>>>         listen on 10.11.0.200 tls port 443
>>>>         tls {
>>>>                 certificate "/etc/ssl/server-unified.pem"
>>>>                 key "/etc/ssl/private/server.key"
>>>>         }
>>>>         root "/htdocs/default"
>>>> }
>>>>
>>>> types {
>>>>         include "/usr/share/misc/mime.types"
>>>> }
>>>>
>>>> My certificate is an intermediate/chain certificate. That means I need to
>>>> supply the next-level certificate that sits between my certificate and the
>>>> CA. I made that chain certificate by concatenating the PEM format files
>>>> with the corresponding certs (all certs Signature Algorithm:
>>>> sha256WithRSAEncryption):
>>>>
>>>> cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem
>>>>
>>>> server-unified.pem looks like:
>>>>
>>>> -----BEGIN CERTIFICATE-----
>>>> (Primary SSL certificate: server.pem)
>>>> -----END CERTIFICATE-----
>>>> -----BEGIN CERTIFICATE-----
>>>> (Intermediate certificate: sub.class2.server.ca.pem)
>>>> -----END CERTIFICATE-----
>>>> -----BEGIN CERTIFICATE-----
>>>> (Root certificate: ca-sha2.pem)
>>>> -----END CERTIFICATE-----
>>>>
>>>> Certificate and key installed in default locations:
>>>>
>>>> # ls -alh /etc/ssl/private/server.key
>>>> -r--------  1 root  wheel   6.2K May 13 19:40 /etc/ssl/private/server.key
>>>> # ls -alh /etc/ssl/server.pem
>>>> -rw-r--r--  1 root  wheel   3.3K May 13 19:41 /etc/ssl/server.pem
>>>> # ls -alh /etc/ssl/server-unified.pem
>>>> -rw-r--r--  1 root  wheel   8.0K May 14 13:53 /etc/ssl/server-unified.pem
>>>>
>>>> I try to test using openssl s_client:
>>>>
>>>> michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
>>>> CONNECTED(00000003)
>>>> GET / HTTP/1.0
>>>>
>>>> httpd log:
>>>>
>>>> # httpd -dvv
>>>> startup
>>>> server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
>>>> server_tls_load_keypair: using private key /etc/ssl/private/server.key
>>>> socket_rlimit: max open files 1024
>>>> socket_rlimit: max open files 1024
>>>> server_privinit: adding server default
>>>> server_privinit: adding server default
>>>> socket_rlimit: max open files 1024
>>>> server_launch: running server default
>>>> server_launch: running server default
>>>> server_launch: running server default
>>>>
>>>> there is no server_tls_init
>>>>
>>>> nothing appears when the openssl s_client command is started
>>>
>>> This smells very much like the same problem that has been mentioned on the
>>> list earlier - with a 6KB private key and an 8KB bundle, you're almost
>>> certainly hitting the 16K limit for a single imsg. Unfortunately there were
>>> missing return value checks which means that this fails silently. If you
>>> can try httpd from -current you will likely see an error instead of a
>>> silent failure. Otherwise you can try removing one of the certificates from
>>> the bundle in order to reduce the size and see if it then reports
>>> server_tls_init and starts working.
>>
>> tested on -current:
>>
>> # httpd -dv
>> startup
>> server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
>> server_tls_load_keypair: using private key /etc/ssl/private/server.key
>> socket_rlimit: max open files 1024
>> server_privinit: adding server default
>> server_privinit: adding server default
>> config_setserver: failed to compose IMSG_CFG_SERVER imsg for `default': Result too large
>> fatal: send server: Result too large
>> socket_rlimit: max open files 1024
>> logger exiting, pid 4965
>> socket_rlimit: max open files 1024
>> server exiting, pid 10727
>> server exiting, pid 32594
>> server exiting, pid 5337
>>
>> The above situation occurs when I have server cert + intermediate + CA, and
>> also with only server cert + intermediate in server-chain.pem. httpd starts
>> only when I supply only my server cert to it.
>>
>> Is there any solution to run httpd with such a big private key?
>
> Try this (albeit only tested a little beyond compilation...)

Index: config.c
===
RCS file: /cvs/src/usr.sbin/httpd/config.c,v
retrieving revision 1.37
diff -u -p -r1.37 config.c
--- config.c11 Apr 2015 14:52:49 - 1.37
+++ config.c14 May 2015 13:58:57 -
@@ -193,14 +193,6 @@ config_setserver(struct httpd *env, stru iov[c].iov_base = srv-srv_conf.return_uri; iov[c++].iov_len = srv-srv_conf.return_uri_len; } - if (srv-srv_conf.tls_cert_len != 0) { - iov[c].iov_base = srv-srv_conf.tls_cert; - iov[c++].iov_len = srv-srv_conf.tls_cert_len; - } - if (srv-srv_conf.tls_key_len != 0) { - iov[c].iov_base = srv-srv_conf.tls_key; - iov[c++].iov_len = srv-srv_conf.tls_key_len; - } if (id == PROC_SERVER (srv-srv_conf.flags SRVFLAG_LOCATION) == 0) { @@ -220,6 +212,9 @@ config_setserver(struct httpd *env, stru return (-1
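Review bot: taking the tls_cert and tls_key iov entries out of the IMSG_CFG_SERVER payload (first hunk) only moves the "Result too large" failure unless whatever sends them afterwards (the second hunk, cut off here after `return (-1`) also bounds each piece: a single certificate bundle or private key file larger than the 16K imsg limit minus the header will still be refused by imsg_composev with ERANGE, so either reject oversized files up front in server_tls_load_keypair with a message naming the file, or split the data across several messages. Two follow-ups on the receiving side: the consumer of IMSG_CFG_SERVER must stop expecting tls_cert/tls_key to follow return_uri in the payload, and since srv_conf.tls_cert_len and srv_conf.tls_key_len still travel inside the struct, the receiver must not use them to index into a payload that no longer carries that data.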
Huawei E3272 USB 4G LTE modem (no HiLink)
Hi,

I bought a Huawei E3272 USB 4G LTE modem (with no HiLink - connecting using
serial ports, no ethernet card) and it would be nice to connect to the Internet
from OpenBSD using this modem ;)

technical specification - http://www.huawei.com/ecommunity/bbs/10188081.html

dmesg:

OpenBSD 5.5 (GENERIC.MP) #315: Wed Mar 5 09:37:46 MST 2014
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1862074368 (1775MB)
avail mem = 1803952128 (1720MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.34 @ 0xfcde0 (43 entries)
bios0: vendor American Megatrends Inc. version 786R6 v2.03 date 02/08/2011
bios0: Hewlett-Packard hp t5000 series
acpi0 at bios0: rev 0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET SSDT
acpi0: wakeup devices PCE2(S0) PCE3(S0) PCE4(S0) PCE5(S0) PCE6(S0) PCE7(S0) PCE9(S0) PCEA(S0) PCEB(S0) PCEC(S0) SBAZ(S0) PS2K(S0) PS2M(S0) P0PC(S0) UHC1(S0) UHC2(S0) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Turion(tm) X2 Ultra Dual-Core Mobile ZM-84, 2300.39 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,3DNOWP,OSVW,SKINIT,ITSC
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Turion(tm) X2 Ultra Dual-Core Mobile ZM-84, 2300.13 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,3DNOWP,OSVW,SKINIT,ITSC
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318180 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus -1 (PCE2)
acpiprt3 at acpi0: bus -1 (PCE3)
acpiprt4 at acpi0: bus 2 (PCE7)
acpiprt5 at acpi0: bus -1 (PCEA)
acpiprt6 at acpi0: bus 3 (P0PC)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpitz0 at acpi0: critical temperature is 120 degC
acpibtn0 at acpi0: PWRB
cpu0: 2300 MHz: speeds: 2300 1200 600 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 AMD RS780 Host rev 0x00
ppb0 at pci0 dev 1 function 0 AMD RS780 PCIE rev 0x00
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 5 function 0 ATI Radeon HD 3200 rev 0x00
drm0 at radeondrm0
radeondrm0: apic 2 int 18
ppb1 at pci0 dev 7 function 0 AMD RS780 PCIE rev 0x00: msi
pci2 at ppb1 bus 2
bge0 at pci2 dev 0 function 0 Broadcom BCM5787M rev 0x02, BCM5754/5787 A2 (0xb002): msi, address 00:23:7d:cc:6b:94
brgphy0 at bge0 phy 1: BCM5787 10/100/1000baseT PHY, rev. 0
ohci0 at pci0 dev 18 function 0 ATI SB700 USB rev 0x00: apic 2 int 16, version 1.0, legacy support
ohci1 at pci0 dev 18 function 1 ATI SB700 USB rev 0x00: apic 2 int 16, version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 ATI SB700 USB2 rev 0x00: apic 2 int 17
ehci0: halt timeout
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 ATI EHCI root hub rev 2.00/1.00 addr 1
ohci2 at pci0 dev 19 function 0 ATI SB700 USB rev 0x00: apic 2 int 18, version 1.0, legacy support
ohci3 at pci0 dev 19 function 1 ATI SB700 USB rev 0x00: apic 2 int 18, version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 ATI SB700 USB2 rev 0x00: apic 2 int 19
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 ATI EHCI root hub rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 ATI SBx00 SMBus rev 0x3a: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5 SO-DIMM
spdmem1 at iic0 addr 0x51: 1GB DDR2 SDRAM non-parity PC2-6400CL5 SO-DIMM
pciide0 at pci0 dev 20 function 1 ATI SB700 IDE rev 0x00: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 1GB ATA Flash Disk
wd0: 1-sector PIO, LBA, 977MB, 2001888 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 4
azalia0 at pci0 dev 20 function 2 ATI SBx00 HD Audio rev 0x00: apic 2 int 16
azalia0: codecs: Realtek ALC262
audio0 at azalia0
pcib0 at pci0 dev 20 function 3 ATI SB700 ISA rev 0x00
ppb2 at pci0 dev 20 function 4 ATI SB600 PCI rev 0x00
pci3 at ppb2 bus 3
pchb1 at pci0 dev 24 function 0 AMD AMD64 11h HyperTransport rev 0x40
pchb2 at pci0 dev 24 function 1 AMD AMD64 11h
Re: webmail
Jasper Bal wrote:
> Anyone using webmail on OpenBSD? What's good, what's not?
>
> Jasper

Hi,

I use:

1. http://hastymail.sourceforge.net/ - by default Hastymail does NOT use HTML
   frames, Javascript, or cookies.

2. http://www.roundcube.net/ - browser-based multilingual IMAP client with an
   application-like user interface (XHTML, CSS 2, AJAX).

Regards,
Michal