From jkeenan at pobox.com Mon Sep 4 21:13:53 2017
From: jkeenan at pobox.com (James E Keenan)
Date: Mon, 4 Sep 2017 21:13:53 -0400
Subject: [talk] In lieu of a tech meeting on Wednesday Sept 6 ...
Message-ID: <80ee1e0c-bd1c-86db-4ead-6b4a5c9cf61c@pobox.com>

Since we don't have a technical meeting scheduled for this week (hey George!), I propose that anyone who wants to meet up socially join me at:

Suspenders
108 Greenwich St
north of Rector St (trains 1, R, W)

around 6:30 pm on Wednesday September 6 for food and beverage.

No need to RSVP, but if you like ping me off list or on freenode #nycbug.

Jim Keenan
(IRC: kid51)


From viewtiful.icchan at gmail.com Tue Sep 5 07:40:38 2017
From: viewtiful.icchan at gmail.com (Robert Menes)
Date: Tue, 5 Sep 2017 07:40:38 -0400
Subject: [talk] In lieu of a tech meeting on Wednesday Sept 6 ...
In-Reply-To: <80ee1e0c-bd1c-86db-4ead-6b4a5c9cf61c@pobox.com>
References: <80ee1e0c-bd1c-86db-4ead-6b4a5c9cf61c@pobox.com>
Message-ID:

Heh, I was wondering when we were actually going to all get together again, even if it was for a beer or something. :)

I should be able to swing on by tomorrow!

--Robert

On Sep 4, 2017 9:14 PM, "James E Keenan" wrote:
> Since we don't have a technical meeting scheduled for this week (hey
> George!), I propose that anyone who wants to meet up socially join me at:
>
> Suspenders
> 108 Greenwich St
> north of Rector St (trains 1, R, W)
>
> around 6:30 pm on Wednesday September 6 for food and beverage.
>
> No need to RSVP, but if you like ping me off list or on freenode #nycbug.
>
> Jim Keenan
> (IRC: kid51)
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk


From mark.saad at ymail.com Tue Sep 12 09:06:51 2017
From: mark.saad at ymail.com (Mark Saad)
Date: Tue, 12 Sep 2017 09:06:51 -0400
Subject: [talk] SSL certificates
Message-ID:

All

I was looking to replace a wildcard SSL cert on a commercial site and I was looking for options. In light of Google starting to remove Symantec SSL certs as well, this is becoming an endeavor.

https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html?m=1

---
Mark Saad | mark.saad at ymail.com


From george at ceetonetechnology.com Tue Sep 12 10:24:00 2017
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 12 Sep 2017 14:24:00 +0000
Subject: [talk] SSL certificates
In-Reply-To:
References:
Message-ID: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com>

Mark Saad:
> All
> I was looking to replace a wildcard SSL cert on a commercial site and I was looking for options.
>

wildcard certs have security implications to them. Best to avoid.

> In light of Google starting to remove Symantec SSL certs as well, this is becoming an endeavor.
>
> https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html?m=1

Yeah, didn't dive in yet to see the backstory on that.

g


From mwlucas at michaelwlucas.com Tue Sep 12 10:38:57 2017
From: mwlucas at michaelwlucas.com (Michael W. Lucas)
Date: Tue, 12 Sep 2017 10:38:57 -0400
Subject: [talk] SSL certificates
In-Reply-To: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com>
Message-ID: <20170912143857.GA15199@mail.michaelwlucas.com>

On Tue, Sep 12, 2017 at 02:24:00PM +0000, George Rosamond wrote:
> Mark Saad:
> > All
> > I was looking to replace a wildcard SSL cert on a commercial site and I was looking for options.
> >
>
> wildcard certs have security implications to them. Best to avoid.
>

Out of curiosity: any real-world reason not to do Let's Encrypt?

I'm pondering writing a book on LE with acme.sh.

> Yeah, didn't dive in yet to see the backstory on that.

It's bad. It's really bad.

==ml

--
Michael W. Lucas https://mwl.io/
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/


From pete at nomadlogic.org Tue Sep 12 11:39:22 2017
From: pete at nomadlogic.org (Pete Wright)
Date: Tue, 12 Sep 2017 08:39:22 -0700
Subject: [talk] SSL certificates
In-Reply-To: <20170912143857.GA15199@mail.michaelwlucas.com>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com>
Message-ID:

On 09/12/2017 07:38, Michael W. Lucas wrote:
> On Tue, Sep 12, 2017 at 02:24:00PM +0000, George Rosamond wrote:
>> Mark Saad:
>>> All
>>> I was looking to replace a wildcard SSL cert on a commercial site and I was looking for options.
>>>
>> wildcard certs have security implications to them. Best to avoid.
>>
>
> Out of curiosity: any real-world reason not to do Let's Encrypt?
>
> I'm pondering writing a book on LE with acme.sh.

i'd be keen to get a copy of that! the devs i support loved your ssh book, and i loved it b/c i didn't have to actually interact with humans :)

one issue i've had with let's encrypt is trying to use it on private subdomains on AWS. iirc the system needs to have a public DNS entry as well as access from the internet to work - i might be mistaken tho on this...

-pete

--
Pete Wright
pete at nomadlogic.org
@nomadlogicLA


From mark.saad at ymail.com Tue Sep 12 13:10:35 2017
From: mark.saad at ymail.com (Mark Saad)
Date: Tue, 12 Sep 2017 17:10:35 +0000 (UTC)
Subject: [talk] SSL certificates
In-Reply-To:
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com>
Message-ID: <1235265559.474283.1505236235386@mail.yahoo.com>

On Tuesday, September 12, 2017, 9:39:32 AM GMT-6, Pete Wright wrote:

On 09/12/2017 07:38, Michael W. Lucas wrote:
> On Tue, Sep 12, 2017 at 02:24:00PM +0000, George Rosamond wrote:
>> Mark Saad:
>>> All
>>> I was looking to replace a wildcard SSL cert on a commercial site and I was looking for options.
>>>
>> wildcard certs have security implications to them. Best to avoid.
>>
>
> Out of curiosity: any real-world reason not to do Let's Encrypt?
>

This is a commercial setup, from what I remember LE is for non-commercial setups. Also I need to get two wild cards - one for *.mydomain.xxx and *.yyy.mydomain.xxx - and I don't think LE can do the latter.

> I'm pondering writing a book on LE with acme.sh.

> i'd be keen to get a copy of that! the devs i support loved your ssh book, and i loved it b/c i didn't have to actually interact with humans :)
>
> one issue i've had with let's encrypt is trying to use it on private subdomains on AWS. iirc the system needs to have a public DNS entry as well as access from the internet to work - i might be mistaken tho on this...
>
> -pete
>
> --
> Pete Wright
> pete at nomadlogic.org
> @nomadlogicLA

--
Mark Saad | mark.saad at ymail.com


From mwlucas at michaelwlucas.com Tue Sep 12 14:04:12 2017
From: mwlucas at michaelwlucas.com (Michael W. Lucas)
Date: Tue, 12 Sep 2017 14:04:12 -0400
Subject: [talk] SSL certificates
In-Reply-To: <1235265559.474283.1505236235386@mail.yahoo.com>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com> <1235265559.474283.1505236235386@mail.yahoo.com>
Message-ID: <20170912180412.GA16236@mail.michaelwlucas.com>

On Tue, Sep 12, 2017 at 05:10:35PM +0000, Mark Saad wrote:
> > Out of curiosity: any real-world reason not to do Let's Encrypt?
> >
> This is a commercial setup, from what I remember LE is for
> non-commercial setups.

LE can do commercial setups:

https://community.letsencrypt.org/t/are-they-limitations-on-who-can-use-lets-encrypt/687

> Also I need to get two wild cards one for *.mydomain.xxx and
> *.yyy.mydomain.xxx
> and I don't think LE can do the latter.

LE can't do wildcards. So that is an issue.

Thanks,
==ml

--
Michael W. Lucas https://mwl.io/
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/


From mikel.king at gmail.com Tue Sep 12 14:10:45 2017
From: mikel.king at gmail.com (Mikel King)
Date: Tue, 12 Sep 2017 14:10:45 -0400
Subject: [talk] SSL certificates
In-Reply-To: <20170912180412.GA16236@mail.michaelwlucas.com>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com> <1235265559.474283.1505236235386@mail.yahoo.com> <20170912180412.GA16236@mail.michaelwlucas.com>
Message-ID: <788B7F0D-375F-4878-9C8B-2A0D3C0A84FF@gmail.com>

> On Sep 12, 2017, at 2:04 PM, Michael W. Lucas wrote:
>
> On Tue, Sep 12, 2017 at 05:10:35PM +0000, Mark Saad wrote:
>>> Out of curiosity: any real-world reason not to do Let's Encrypt?
>>>
>> This is a commercial setup, from what I remember LE is for
>> non-commercial setups.
>
> LE can do commercial setups:
>
> https://community.letsencrypt.org/t/are-they-limitations-on-who-can-use-lets-encrypt/687
>
>
>> Also I need to get two wild cards one for *.mydomain.xxx and
>> *.yyy.mydomain.xxx
>> and I don't think LE can do the latter.
>
> LE can't do wildcards. So that is an issue.

I think it's more of an: LE will not support wildcards because it goes against their philosophy. Plus it's so easy to set up a cert w/ LE in most cases that wildcards should become irrelevant.

>
> Thanks,
> ==ml


From mike+nycbug at mike-burns.com Tue Sep 12 13:47:06 2017
From: mike+nycbug at mike-burns.com (Mike Burns)
Date: Tue, 12 Sep 2017 17:47:06 +0000
Subject: [talk] SSL certificates
In-Reply-To: <1235265559.474283.1505236235386@mail.yahoo.com>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com> <1235265559.474283.1505236235386@mail.yahoo.com>
Message-ID: <20170912174706.GS8257@safeword.mike-burns.com>

On 2017-09-12 17.10.35 +0000, Mark Saad wrote:
> On 09/12/2017 07:38, Michael W. Lucas wrote:
> > Out of curiosity: any real-world reason not to do Let's Encrypt?
> >
> This is a commercial setup, from what I remember LE is for
> non-commercial setups.

Let's Encrypt is for all domain names.

https://community.letsencrypt.org/t/are-they-limitations-on-who-can-use-lets-encrypt/687

> Also I need to get two wild cards - one for *.mydomain.xxx and
> *.yyy.mydomain.xxx and I don't think LE can do the latter.

This is true: it does not support wildcard certs. Instead it offers a way to programmatically generate a cert instantly. So instead of using a wildcard, you could generate the certs for every subdomain, on demand, from a script.

I'm curious -- is there a case where wildcard TLS certs are needed in the face of instant, programmatic certs?

LE does not offer EV certs. If you need that, LE cannot help.

---

It's worth noting that OpenBSD ships with acme-client(1). It has additional limitations due to programmer time.

-Mike


From cmacgreg at gmail.com Tue Sep 12 14:27:18 2017
From: cmacgreg at gmail.com (Craig MacGregor)
Date: Tue, 12 Sep 2017 14:27:18 -0400
Subject: [talk] SSL certificates
In-Reply-To:
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com>
Message-ID:

On Tue, Sep 12, 2017 at 11:39 AM, Pete Wright wrote:
>
> one issue i've had with let's encrypt is trying to use it on private
> subdomains on AWS. iirc the system needs to have a public DNS entry as
> well as access from the internet to work - i might be mistaken tho on
> this...

I've been cheating for a few months now in order to generate internal/private Let's Encrypt certs. We have a tiny AWS instance, which we use to keep URLs alive for some disused domains, and also point the wildcard for our entire intranet subdomain there (on public DNS anyway). I run an nginx config like this, which allows only the /.well-known directory to be accessible, and other connections drop hard:

    server {
        listen 80;
        server_name *.intranet.example.com;

        location / {
            # drop the connection hard (except for /.well-known)
            return 444;
        }

        # public_html for .well-known (letsencrypt)
        location /.well-known {
            alias /var/www/redirect/public_html/.well-known;
        }
    }

We use certbot to handle new certs and renewals (but I think acme.sh should work, too), and copy the cert dir to our puppet server, which deploys fresh certificates to the appropriate hosts; renewals always work, because we don't have to mess with public DNS at all.

Of course, all of this only works if you also run your own private DNS.

Let's Encrypt has some limits that can get annoying for this specific use case; you can register effectively unlimited domains, but are limited to 20 subdomains per domain per week. To make it even more complicated, there is no limit for renewals, but renewals also count against those 20 subdomains per week, so if you happen to have a few hundred internal subdomains, you will still run into these limits 90 days down the line, when the certs renew (I just had this issue and was able to resolve it via their rate adjustment form and community forum; very responsive and helpful for a free/donation-based service).


From jpb at jimby.name Tue Sep 12 14:51:53 2017
From: jpb at jimby.name (Jim B.)
Date: Tue, 12 Sep 2017 14:51:53 -0400
Subject: [talk] Bluetooth Vulnerability
Message-ID: <20170912185153.GA2993@jimby.name>

Looking to see if anyone is following the new "blueborne" vuln:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251

Anyone know if the BSDs are affected?

Best,
Jim B.


From jpb at jimby.name Tue Sep 12 14:53:32 2017
From: jpb at jimby.name (Jim B.)
Date: Tue, 12 Sep 2017 14:53:32 -0400
Subject: [talk] Bluetooth Vulnerability
In-Reply-To: <20170912185153.GA2993@jimby.name>
References: <20170912185153.GA2993@jimby.name>
Message-ID: <20170912185332.GB2993@jimby.name>

* Jim B. [2017-09-12 14:52]:
> Looking to see if anyone is following the new "blueborne" vuln:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251
>
> Anyone know if the BSDs are affected?
>
> Best,
> Jim B.
>

More here: https://www.armis.com/blueborne/

And you should watch the videos about compromising Android phones. My bluetooth is now OFF.
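The issuance limit Craig MacGregor describes in his post above (20 certificates per registered domain per week, with renewals counting too) can be checked before a batch of internal hosts is enrolled; the following is an added example of mine, not code from the thread or from any ACME client, and its registered-domain heuristic (last two labels) and its 60-day renewal offset are assumptions.

```python
# Added example (not from the thread): a planning check for the Let's Encrypt
# limit Craig describes, modelled as "at most 20 certificates per registered
# domain in any 7-day window, renewals included".  Dates are handled at day
# granularity; Let's Encrypt measures its window in real time, so leave a day
# of slack in practice.
from collections import defaultdict
from datetime import date, timedelta

LIMIT_PER_WINDOW = 20     # per registered domain, per window (from the thread)
WINDOW_DAYS = 7
RENEW_AFTER_DAYS = 60     # assumption: clients renew ~30 days before the 90-day expiry


def registered_domain(hostname):
    """Collapse a hostname to its registered domain.

    Assumption: the registered domain is the last two labels.  That is wrong
    for public suffixes such as co.uk; a real tool would consult the Public
    Suffix List, which is what Let's Encrypt itself counts against.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def peak_issuance(events, window_days=WINDOW_DAYS):
    """Return {registered_domain: busiest window count} for (host, date) events.

    A window spans `window_days` consecutive calendar days, so two issuances
    exactly `window_days` apart never share a window.
    """
    by_domain = defaultdict(list)
    for host, day in events:
        by_domain[registered_domain(host)].append(day)
    span = timedelta(days=window_days)
    peaks = {}
    for domain, days in by_domain.items():
        days.sort()
        lo, peak = 0, 0
        for hi, day in enumerate(days):
            while day - days[lo] >= span:   # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        peaks[domain] = peak
    return peaks


def over_limit(events, limit=LIMIT_PER_WINDOW):
    """Registered domains whose busiest window exceeds the limit."""
    return {d: n for d, n in peak_issuance(events).items() if n > limit}


def staggered_plan(hostnames, start, batch=LIMIT_PER_WINDOW, window_days=WINDOW_DAYS):
    """Spread first issuance over successive windows, `batch` hosts per
    registered domain per window.  Renewals shift the whole pattern by a
    constant offset, so a plan that fits stays under the limit when it renews."""
    counters = defaultdict(int)
    plan = []
    for host in sorted(hostnames):
        domain = registered_domain(host)
        slot = counters[domain] // batch
        counters[domain] += 1
        plan.append((host, start + timedelta(days=slot * window_days)))
    return plan


def renewals(plan, after_days=RENEW_AFTER_DAYS):
    """Renewal events implied by a plan: every cert is reissued after_days later."""
    return [(host, day + timedelta(days=after_days)) for host, day in plan]


# Constructed sample: 50 hosts under one intranet zone plus two unrelated ones.
HOSTS = [f"host{i:02d}.intranet.example.com" for i in range(50)] + [
    "www.example.net", "mail.example.net"]
START = date(2017, 9, 12)

if __name__ == "__main__":
    everything_at_once = [(h, START) for h in HOSTS]
    print("all at once:", over_limit(everything_at_once))   # example.com busts the limit
    plan = staggered_plan(HOSTS, START)
    print("staggered, incl. renewals:", over_limit(plan + renewals(plan)))  # {}
```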
From jschauma at netmeister.org Tue Sep 12 15:18:07 2017
From: jschauma at netmeister.org (Jan Schaumann)
Date: Tue, 12 Sep 2017 15:18:07 -0400
Subject: [talk] SSL certificates
In-Reply-To: <20170912180412.GA16236@mail.michaelwlucas.com>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com> <1235265559.474283.1505236235386@mail.yahoo.com> <20170912180412.GA16236@mail.michaelwlucas.com>
Message-ID: <20170912191807.GP13490@netmeister.org>

"Michael W. Lucas" wrote:

> LE can't do wildcards.

Yet. They will do so starting January.

https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

-Jan


From spork at bway.net Tue Sep 12 15:08:52 2017
From: spork at bway.net (Charles Sprickman)
Date: Tue, 12 Sep 2017 15:08:52 -0400
Subject: [talk] SSL certificates
In-Reply-To:
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com>
Message-ID: <666ED778-FF57-4729-924E-05BB8DE7F38C@bway.net>

> On Sep 12, 2017, at 2:27 PM, Craig MacGregor wrote:
>
> Let's Encrypt has some limits that can get annoying for this specific use case; you can register effectively unlimited domains, but are limited to 20 subdomains per domain per week. To make it even more complicated, there is no limit for renewals, but renewals also count against those 20 subdomains per week, so if you happen to have a few hundred internal subdomains, you will still run into these limits 90 days down the line, when the certs renew (I just had this issue and was able to resolve it via their rate adjustment form and community forum; very responsive and helpful for a free/donation-based service).

These limits can basically rule them out for wildcards. You can work around the limit, but it's kind of a pain I suspect.

Here's their docs on this:

https://letsencrypt.org/docs/rate-limits/

Also, for a script to handle this, I like dehydrated:

https://github.com/lukas2511/dehydrated - also in the FreeBSD ports collection

Charles


From pete at nomadlogic.org Tue Sep 12 16:35:15 2017
From: pete at nomadlogic.org (Pete Wright)
Date: Tue, 12 Sep 2017 13:35:15 -0700
Subject: [talk] SSL certificates
In-Reply-To: <39EE0167-D64B-4411-AD87-A83C9D77D9AD@langille.org>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com> <1235265559.474283.1505236235386@mail.yahoo.com> <39EE0167-D64B-4411-AD87-A83C9D77D9AD@langille.org>
Message-ID: <796852e0-0f2a-085f-6b75-8be79283d8da@nomadlogic.org>

On 09/12/2017 13:18, Dan Langille wrote:
>> On Sep 12, 2017, at 1:10 PM, Mark Saad wrote:
>
>> one issue i've had with let's encrypt is trying to use it on private
>> subdomains on AWS. iirc the system needs to have a public DNS entry as
>> well as access from the internet to work - i might be mistaken tho on
>> this...
>
> I have LE certs for RFC 1918 addresses. The DNS server I use to
> validate is a public DNS server, but where
> you use the cert is not relevant.
>

ah i hadn't thought of that - basically having a bastion host wrangle getting new certs, then you deploy them to the appropriate backend after the CSR is fulfilled? does the public server announce the rfc1918 address for a given host, or does it use a dummy public ip?

thx!

-pete

> --
> Dan Langille - BSDCan / PGCon
> dan at langille.org

--
Pete Wright
pete at nomadlogic.org
@nomadlogicLA


From dan at langille.org Tue Sep 12 16:19:37 2017
From: dan at langille.org (Dan Langille)
Date: Tue, 12 Sep 2017 16:19:37 -0400
Subject: [talk] SSL certificates
In-Reply-To: <20170912180412.GA16236@mail.michaelwlucas.com>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com> <1235265559.474283.1505236235386@mail.yahoo.com> <20170912180412.GA16236@mail.michaelwlucas.com>
Message-ID: <9E2FC55A-0D6C-4A38-9E90-7C8CB0A176C8@langille.org>

> On Sep 12, 2017, at 2:04 PM, Michael W. Lucas wrote:
>
> On Tue, Sep 12, 2017 at 05:10:35PM +0000, Mark Saad wrote:
>>> Out of curiosity: any real-world reason not to do Let's Encrypt?
>>>
>> This is a commercial setup, from what I remember LE is for
>> non-commercial setups.
>
> LE can do commercial setups:
>
> https://community.letsencrypt.org/t/are-they-limitations-on-who-can-use-lets-encrypt/687

For DV certs only. If you are buying from someone and they validate you as domain owner via email, you have a DV cert. In that case, go for it. This is the majority of certs.

--
Dan Langille - BSDCan / PGCon
dan at langille.org


From dan at langille.org Tue Sep 12 16:41:59 2017
From: dan at langille.org (Dan Langille)
Date: Tue, 12 Sep 2017 16:41:59 -0400
Subject: [talk] SSL certificates
In-Reply-To: <796852e0-0f2a-085f-6b75-8be79283d8da@nomadlogic.org>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com> <1235265559.474283.1505236235386@mail.yahoo.com> <39EE0167-D64B-4411-AD87-A83C9D77D9AD@langille.org> <796852e0-0f2a-085f-6b75-8be79283d8da@nomadlogic.org>
Message-ID: <8E6EB862-CE55-45CE-871A-12EABAF92326@langille.org>

> On Sep 12, 2017, at 4:35 PM, Pete Wright wrote:
>
> On 09/12/2017 13:18, Dan Langille wrote:
>>> On Sep 12, 2017, at 1:10 PM, Mark Saad wrote:
>>
>>> one issue i've had with let's encrypt is trying to use it on private
>>> subdomains on AWS. iirc the system needs to have a public DNS entry as
>>> well as access from the internet to work - i might be mistaken tho on
>>> this...
>>
>>
>> I have LE certs for RFC 1918 addresses. The DNS server I use to validate is a public DNS server, but where
>> you use the cert is not relevant.
>>
>
> ah i hadn't thought of that - basically having a bastion host wrangle getting new certs, then you deploy them to the appropriate backend after the CSR is fulfilled? does the public server announce the rfc1918 address for a given host, or does it use a dummy public ip?

I use a dns hidden master, a certs jail, a certs website, and two small scripts to copy the certs around. Keys go manually.

This is an overview. More specific blog posts on each step also exist.

https://dan.langille.org/2017/07/04/acme-sh-getting-free-ssl-certificates-installation-configuration-on-freebsd/

I go with multiple jails, and three steps. Overkill for some situations, but you can reduce it all to one jail for LE.

Pretty diagram here:

https://dan.langille.org/2017/07/15/introducing-anvil-tools-for-distributing-ssl-certificates/

anvil contains the scripts for cert distribution.

--
Dan Langille - BSDCan / PGCon
dan at langille.org


From dan at langille.org Tue Sep 12 16:18:05 2017
From: dan at langille.org (Dan Langille)
Date: Tue, 12 Sep 2017 16:18:05 -0400
Subject: [talk] SSL certificates
In-Reply-To: <1235265559.474283.1505236235386@mail.yahoo.com>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com> <1235265559.474283.1505236235386@mail.yahoo.com>
Message-ID: <39EE0167-D64B-4411-AD87-A83C9D77D9AD@langille.org>

> On Sep 12, 2017, at 1:10 PM, Mark Saad wrote:
> one issue i've had with let's encrypt is trying to use it on private
> subdomains on AWS. iirc the system needs to have a public DNS entry as
> well as access from the internet to work - i might be mistaken tho on
> this...

I have LE certs for RFC 1918 addresses. The DNS server I use to validate is a public DNS server, but where you use the cert is not relevant.

--
Dan Langille - BSDCan / PGCon
dan at langille.org


From chsnyder at gmail.com Tue Sep 12 17:07:42 2017
From: chsnyder at gmail.com (Chris Snyder)
Date: Tue, 12 Sep 2017 17:07:42 -0400
Subject: [talk] SSL certificates
In-Reply-To: <20170912174706.GS8257@safeword.mike-burns.com>
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com> <1235265559.474283.1505236235386@mail.yahoo.com> <20170912174706.GS8257@safeword.mike-burns.com>
Message-ID:

On Tue, Sep 12, 2017 at 1:47 PM, Mike Burns wrote:

> I'm curious -- is there a case where wildcard TLS certs are needed in
> the face of instant, programmatic certs?
>

If you have a lot of subdomains virtually-hosted at one IP address, protected by a single wildcard cert, having one name per certificate will mean that you need to provision a lot of new IP addresses.


From mwlucas at michaelwlucas.com Tue Sep 12 17:27:12 2017
From: mwlucas at michaelwlucas.com (Michael W. Lucas)
Date: Tue, 12 Sep 2017 17:27:12 -0400
Subject: [talk] SSL certificates
In-Reply-To:
References: <9edf4634-b3ad-1849-2160-d1c25bdcc861@ceetonetechnology.com> <20170912143857.GA15199@mail.michaelwlucas.com> <1235265559.474283.1505236235386@mail.yahoo.com> <20170912174706.GS8257@safeword.mike-burns.com>
Message-ID: <20170912212712.GA17082@mail.michaelwlucas.com>

On Tue, Sep 12, 2017 at 05:07:42PM -0400, Chris Snyder wrote:
> If you have a lot of subdomains virtually-hosted at one IP address,
> protected by a single wildcard cert, having one name per certificate
> will mean that you need to provision a lot of new IP addresses.

That's what SNI is for. Standard in browsers for, what? Over 10 years, I think?

If you're running IE 6, you still have a problem.

==ml

--
Michael W. Lucas https://mwl.io/
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/


From jun at soum.co.jp Tue Sep 12 19:07:19 2017
From: jun at soum.co.jp (Jun Ebihara)
Date: Wed, 13 Sep 2017 08:07:19 +0900 (JST)
Subject: [talk] Reporting the current status of world wide IPv6 deployment and progress to itojun
Message-ID: <20170913.080719.772889925639455772.jun@soum.co.jp>

I made a short presentation about itojun at

http://v6reporttoitojun.jp/index.html.en

Please give me comments about itojun.

--
Jun Ebihara


From george at ceetonetechnology.com Wed Sep 13 10:29:00 2017
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 13 Sep 2017 14:29:00 +0000
Subject: [talk] NYC*BUG Oct 4th at LMHQ
Message-ID:

There will be an October NYC*BUG meeting held at LMHQ, 6:45 PM, Wednesday October 4th, at 150 Broadway on the 20th floor.

"*BSD Tor Bridge Installfest"
The Tor BSD Diversity Project

Tor is a public and open-source anonymity network, playing a critical role for users facing censorship and surveillance around the globe. There is one glaring weakness about the Tor network: an overwhelming dominance of Linux-based nodes.

Since March 2015, The Tor BSD Diversity Project (https://torbsd.github.io/) has worked to rectify this operating system monoculture. TDP managed a number of feats, most notably porting Tor Browser to OpenBSD.

For this hands-on installfest, the goal is to approach the massive monoculture in Tor bridges, which are basically private gateways for users blocked from the Tor network. That monoculture is stark as the TDP statistics illustrate (http://torbsd.github.io/oostats.html). Bridge operating system diversity is even worse than for public relays (http://torbsd.github.io/oostats/bridges-bw-by-os.txt).

Bridges are ideal services to run from a residential network. Many BSD users in New York City maintain fast underutilized internet connections that can easily help increase diversity. As Tor bridge IPs are not publicly listed, there is little worry about getting flack from internet service providers.

Popular small embedded systems, from armv7 BeagleBones to amd64 APU boards, are ideal hardware platforms for a residential bridge. Each of the BSD projects provides strong support for an array of small systems.

This meeting will feature a brief introduction to TDP, a quick overview of some diversity statistics, followed by hands-on configuration of hardware on-hand.

To make this installfest worthwhile, come prepared with:

* appropriate hardware to install the BSD of your choice on, with appropriate cables and install media
* an IP address reserved on your private residential network for the Tor bridge

Adequate power and bandwidth will be available, along with other NYC*BUG attendees ready and willing to assist.

Speaker Bio

The Tor BSD Diversity Project launched in March 2015 to inject more *BSD into the Tor public anonymity network. Since then, TDP accomplished a number of important milestones, including porting Tor Browser to OpenBSD with a current effort to port TB to FreeBSD.
From mark.saad at ymail.com Tue Sep 19 15:39:21 2017
From: mark.saad at ymail.com (Mark Saad)
Date: Tue, 19 Sep 2017 19:39:21 +0000 (UTC)
Subject: [talk] pf.conf bowtie operator
References: <832061144.2625268.1505849961467.ref@mail.yahoo.com>
Message-ID: <832061144.2625268.1505849961467@mail.yahoo.com>

All

I have seen the bowtie operator a few times in use on both FreeBSD and OpenBSD pf setups but I can't find what it does exactly. For example, from https://rlworkman.net/howtos/OpenBSD_pf_guide.html

    pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

So my two questions:

When I set up a pf udp rule where I expect to get data back from the sender, do I need to use the keep state option? My gut says yes.

When trying to figure out how to do static port mappings I ran into that bowtie and I am at a loss as to what that does; would static-port $MYTARGETPORT work better?

Anyone out there know?

--
Mark Saad
mark.saad at ymail.com
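In pf.conf(5) the `><` operator is the exclusive range: `port 33433 >< 33626` matches ports strictly between the two endpoints, while `a:b` is inclusive and `a <> b` matches everything outside a..b. The evaluator below is an added example of mine, not code from the thread or the linked guide, that parses pf port expressions and lists which ports each one matches; all function names in it are my own.

```python
# Added example (not from the thread): an evaluator for the port operators of
# pf.conf(5), including the '><' ("bowtie") operator asked about above.
# Semantics per pf.conf(5): 'a:b' is inclusive, 'a >< b' matches ports
# strictly between a and b, 'a <> b' matches ports outside a..b inclusive,
# and the unary forms (=, !=, <, <=, >, >=) compare against a single port.
import re

RANGE_OPS = {":", "><", "<>"}
UNARY_OPS = {"=", "!=", "<", "<=", ">", ">="}
# Two-character operators must be tried before the single-character ones.
_TOKEN = re.compile(r"\d+|!=|<=|>=|><|<>|[<>=:]")


def parse_port_expr(expr):
    """Parse the text after 'port' in a rule into (op, a) or (op, a, b)."""
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):   # nothing silently dropped
        raise ValueError(f"unparsable port expression: {expr!r}")
    if len(tokens) == 1:
        op, args = "=", (int(tokens[0]),)
    elif len(tokens) == 2 and tokens[0] in UNARY_OPS:
        op, args = tokens[0], (int(tokens[1]),)
    elif len(tokens) == 3 and tokens[1] in RANGE_OPS:
        op, args = tokens[1], (int(tokens[0]), int(tokens[2]))
    else:
        raise ValueError(f"unsupported port expression: {expr!r}")
    for p in args:
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    if op in RANGE_OPS and args[0] > args[1]:
        raise ValueError(f"range start exceeds end: {expr!r}")
    return (op,) + args


def port_matches(parsed, port):
    """Does a single port satisfy a parsed port expression?"""
    op = parsed[0]
    if op == ":":
        return parsed[1] <= port <= parsed[2]
    if op == "><":                       # the bowtie: endpoints excluded
        return parsed[1] < port < parsed[2]
    if op == "<>":                       # "except range": outside a..b
        return port < parsed[1] or port > parsed[2]
    value = parsed[1]
    return {"=": port == value, "!=": port != value, "<": port < value,
            "<=": port <= value, ">": port > value, ">=": port >= value}[op]


def matching_ports(expr):
    """All ports (0..65535) matched by a pf port expression, ascending."""
    parsed = parse_port_expr(expr)
    return [p for p in range(65536) if port_matches(parsed, p)]


_PORT_CLAUSE = re.compile(
    r"\bport\s+((?:!=|<=|>=|[<>=])?\s*\d+(?:\s*(?:><|<>|:)\s*\d+)?)")


def port_clause(rule):
    """Extract the first 'port ...' expression from a pf rule line."""
    m = _PORT_CLAUSE.search(rule)
    if not m:
        raise ValueError("rule has no port clause")
    return m.group(1).strip()


# The rule from the guide Mark links: outbound UDP in the range traceroute(8)
# probes by default (base port 33434), with both endpoints excluded by '><'.
RULE = "pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state"

if __name__ == "__main__":
    ports = matching_ports(port_clause(RULE))
    print(port_clause(RULE), "->", ports[0], "..", ports[-1], f"({len(ports)} ports)")
```

On the keep state question: pf on OpenBSD 4.1 and later, and the pf in FreeBSD that derives from it, creates state for pass rules by default, so the explicit keep state in that rule is redundant but harmless.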