LibreSSL: De Raadt forks OpenSSL

In the wake of the recent Heartbleed vulnerability, the OpenBSD Project started auditing the OpenSSL code before coming to the conclusion that it was beyond repair. In excess of 90,000 lines of C — comprising deprecated (read: decades-old) APIs, WIN32 and (potentially harmful) FIPS support, bugs and kludge — were removed from the source tree when the development group realised just how terribly bad the OpenSSL source code actually was. Continue reading

Heartbleed: NSA Used OpenSSL Exploit

It has come to light that the National Security Agency (NSA) knew about the vulnerability existing in the OpenSSL 1.0.1 code soon after its implementation, and used the Heartbleed bug to exploit their targets by stealing user credentials and other sensitive information. The NSA decided not to disclose the biggest flaw in the history of the Internet — more than two-thirds of all websites use the cryptographic protocol — to continue exploiting their targets in secret, while citing national security as the motivating factor. Continue reading

Heartbleed: OpenSSL Compromised

A serious vulnerability in the heartbeat extension, implemented in OpenSSL’s TLS protocol over two years ago, has been discovered and aptly labelled ‘Heartbleed.’

Fortunately, FreeBSD 9.2 releases using the base system OpenSSL (0.9.8) installation were unaffected. However, all later versions of the operating system and any machines running port installs of the vulnerable OpenSSL version (1.0.1 – 1.0.2-beta) have been exposed since the buggy code was released back in March 2012. Most, if not all, recent Linux distributions were running the vulnerable code; Debian oldstable might be one of the few not to be exposed. Continue reading

Poudriere: build your own package repository

FreeBSD recently converted to its next generation package management utility: PKGNG. To date, many of its improved features aren’t yet implemented due to developer commitment to maintaining legacy compatibility with pkg_*. One of the most eagerly anticipated features — smooth interaction between binary packages and source built applications from ports — remains elusive at present. To overcome this obstacle, create a local package repository with Poudriere.

  1. ZFS Setup
  2. Poudriere Setup
  3. Repository Configuration
  4. Client PKGNG Configuration

Continue reading

Building World and Custom Kernel in FreeBSD

Compiling a custom kernel in FreeBSD is relatively simple; it’s the research required to make a sane configuration, ensuring your machine will operate properly with the new kernel loaded, that is important. To that end, there is no blanket method for tailoring kernels; your hardware and objectives determine what options need to be set and what can be removed. The tuning(7) and config(5) manual pages should be consulted beforehand. Additionally, query loaded modules, drivers and attached devices with kldstat(8), pciconf(8) and devinfo(8), and parse /var/run/dmesg.boot to formulate a comprehensive list of kernel requirements.

This guide is divided into three sections: Continue reading

Thunderbird Security Bug

Thanks to Mike Caldwell, who notified correspondents on the tor-talk mailing list, a rather significant security hole in Thunderbird has been made public. I use Thunderbird, but have HTML disabled and only view mail in plain text, so I’ve never experienced this bug. If you view your mail in HTML, you should consider disabling it or install TorBirdy.

Mike goes into detail in this post on his blog. I am grateful he has made this public, but I feel as though it should have been done sooner.

synapse relocated

I decided to relocate the server running this site and a few other services to an old Pentium M 2GHz box with 4GB DDR2 SDRAM — a slight step up from its previous host. In the process, I opted to move syn.bsdbox.co to its second-level domain: bsdbox.co. This displaced access to some SOHO services but they’re now more secure elsewhere. Obviously in the mood for change, I decided to drop Apache for NGINX to complete the move. I can’t say why I elected to do this, or even if it was worth the hassle — rewriting Apache configuration to NGINX for Roundcube, ownCloud, WordPress and some database management applications is not an easy task — because I also upgraded my SSL protocols, which has brought about extended handshake times when accessing the server over HTTPS, so I’m actually experiencing extended loading times. Notwithstanding said encrypted requests, I can’t see any performance improvement in serving requests from this blog for example, but given everything is running on the same ADSL connection with only minor hardware improvements, I shouldn’t expect much from NGINX; maybe slightly quicker serving of static content. However, what I didn’t plan on was a host of other problems courtesy of NGINX, such as broken WordPress plugins and file uploads! I’m still in the process of ironing out these kinks but may just have to revert back to Apache. Continue reading

Mail Server: Postfix + Dovecot on FreeBSD

Running your own mail server makes email more secure and manageable. Fortunately, setting up your own Mail Transfer Agent (MTA) with IMAP is rather simple with Postfix and Dovecot on FreeBSD.

The following guide provides instructions to install a basic mail server using system users for authentication. For larger deployments, it is best to use a database backend, such as MySQL, and virtual users. TLS encrypted authentication will be enforced to protect credentials and message content.

This procedure assumes you already have a certificate and private key to implement; if not, see this guide to establish your own Certificate Authority to certify service certificates or use this guide to quickly generate a self-signed certificate. Continue reading