DuckCorp Projects: Issueshttps://projects.duckcorp.org/https://projects.duckcorp.org/favicon.ico?16699090422022-07-10T10:42:55ZDuckCorp Projects
Redmine DuckCorp Infrastructure - Bug #776 (Resolved): Users are unable to register to projects.duckcorp.orghttps://projects.duckcorp.org/issues/7762022-07-10T10:42:55ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p>There is an issue related to the captcha:<br /><pre>
Oops, we failed to validate your reCAPTCHA response. Please try again.
</pre><br />I tried with firefox and chromium.</p>
<p><code>/var/log/redmine/dc/production.log</code> from the <code>redmine</code> LXC container:<br /><pre>
Started POST "/account/register" for 185.238.6.46 at 2022-07-10 12:53:52 +0000
Processing by AccountController#register as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[REDACTED]", "user"=>{"login"=>"pilou_test", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "firstname"=>"pilou", "lastname"=>"pilou_test", "mail"=>"pilou_test@ir5.eu", "language"=>"fr"}, "g-recaptcha-response"=>"[REDACTED]", "commit"=>"Soumettre"}
Current user: anonymous
Rendering plugins/recaptcha/app/views/account/register.html.erb within layouts/base
Rendered plugins/recaptcha/app/views/account/register.html.erb within layouts/base (8.8ms)
Completed 200 OK in 3022ms (Views: 14.7ms | ActiveRecord: 1.4ms)
</pre></p> DuckCorp Infrastructure - External #768 (Resolved): Perte du xco Oxymium/Nerim à PA3 le 14/04https://projects.duckcorp.org/issues/7682022-04-07T00:05:40ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p>On Toushirou, the current link provided by Acontios will end in one week (2022-04-14).</p>
<p>According to the checks made by Acontios about the used bandwith, the Nerim link can be used instead of the current one.</p>
<p>A L2TP tunnel will be required in order to keep/use our current IP.</p>
The requirements:
<ol>
<li>✅ If any issue occurs during the migration, a physical access will be required
<ul>
<li>Pilou asked Chojin about it (Pilou will be available 2022-04-11 or 2022-04-13).</li>
</ul>
</li>
<li>✅ Duck: contact Acontios to provide the L2TP setup</li>
</ol>
The required tasks in order to update the configuration:
<ol>
<li>✅ ensure we are able to connect through the Nerim link</li>
<li>✅ remove any reference to the hivane network interface<br /><pre># rgrep -l eth-wan-hivane /etc/
/etc/network/interfaces.d/hivane-link
/etc/network/multihoming
/etc/default/grub
/etc/systemd/network/10_eth-wan-hivane.link
/etc/mp-admin/firewalling
/etc/sysctl.d/90-disable-accept_ra.conf</pre><br />Notes that the following services aren't listening on nerim IP:
<ul>
<li><code>slapd</code> (TCP ports 389 and 636)</li>
<li><code>apache2</code> (TCP ports 80 and 443)</li>
<li><code>proftpd</code> (TCP port 21)</li>
</ul>
</li>
<li>✅ stop the multihoming setup</li>
<li>✅ run the L2TP service</li>
<li>✅ start the multihoming setup</li>
</ol>
<p>✅ <code>poulet</code>: I have checked that SSH is listening on the IP provided by Nerim (<code>213.215.11.165</code>)</p> Bip - Enhancement #715 (New): Backlog one channel onlyhttps://projects.duckcorp.org/issues/7152020-12-17T09:34:26ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p>The backlog command only allows to backlog all the channels from one network.</p>
<p>It would be nice to fetch backlog from one channel only.</p>
<p>From: Debian bug <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668420" class="external">#668420</a>.</p> DuckCorp Infrastructure - Review #712 (Resolved): Fix 'ipaddr' Jinja filter usage and avoid a forkhttps://projects.duckcorp.org/issues/7122020-08-28T10:34:19ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p><a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git;a=log;h=refs/heads/fix_ipaddr_usage" class="external"><code>fix_ipaddr_usage</code></a> branch from <code>duckcorp-infra</code> repository.</p>
<p>Use <code>address</code> parameter with hosts and <code>network</code> parameter with ranges.</p>
<p><code>ipaddr</code> Jinja filter behavior is quiet unexpected but a fork of this filter isn't required.</p>
<p>Tested with the following play and command:</p>
<pre><code>- hosts: all<br /> tasks:<br /> - debug:<br /> msg: "{{ item ~ ' : ' ~ (item|ipaddr('address') or item|ipaddr('network')) ~ '/' ~ item|ipaddr('netmask') }}" <br /> loop: '{{ firewalling.whitelist }}'</code></pre>
<pre><code>$ ansible-playbook -c local -l Elwing test.yaml</code></pre>
<p>The playbook output is the same with these ipaddr versions:</p>
<p>- the one committed<br />- <a href="https://github.com/ansible/ansible/blob/stable-2.9/lib/ansible/plugins/filter/ipaddr.py" class="external">ansible/ansible: branch stable-2.9</a><br />- <a href="https://github.com/ansible-collections/ansible.netcommon/blob/1.1.2/plugins/filter/ipaddr.py" title="<redpre#5></code> tag" class="external">ansible-collections/ansible.netcommon</a></p>
<p>Relates: <a class="issue tracker-1 status-3 priority-6 priority-high2 closed" title="Bug: restrict LDAP service accounts (Resolved)" href="https://projects.duckcorp.org/issues/646">#646</a></p> Bip - Bug #481 (In Progress): Fix log level for erroneous messageshttps://projects.duckcorp.org/issues/4812015-10-13T12:54:28ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p>Bip should display IRC <a href="https://tools.ietf.org/html/rfc1459#section-6" class="external">errors</a> sent by IRC servers using <code>error</code> log level.</p>
<p>The current behaviour is:<br /><pre>
13-10-2015 14:48:14 DEBUG: ":irc.server.local 432 * Pilou :Nickname too long, max. 9 characters
</pre></p> DuckCorp Infrastructure - Enhancement #460 (Resolved): SSL/TLS: check ciphershttps://projects.duckcorp.org/issues/4602015-07-09T00:02:15ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
Checks:
<ul>
<li>NULL,EXPORT,LOW,3DES,aNULL must be disabled</li>
<li>RC4 must be disabled</li>
<li>SSLv2,SSLv3 must be disabled</li>
<li>TLSv1.1,TLSv1.2 must be enabled</li>
<li>PFS must be enabled</li>
</ul>
<ul>
<li>SSL Compression must be disabled</li>
</ul>
Configuration updates needed:
<ul>
<li>Postgresql (default conf used <code>HIGH:MEDIUM:+3DES:!aNULL</code>)</li>
<li>Apache (<code>RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW</code>)</li>
</ul>
<ul>
<li>References
<ul>
<li><a class="external" href="https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher">https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher</a></li>
<li><a class="external" href="https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/">https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/</a></li>
<li><a class="external" href="http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html">http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html</a></li>
<li><a class="external" href="https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations">https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations</a></li>
<li><a class="external" href="https://github.com/ioerror/duraconf">https://github.com/ioerror/duraconf</a></li>
</ul>
</li>
<li>Tools:
<ul>
<li><a class="external" href="https://github.com/jvehent/tlsnames/blob/master/convert_openssl_to_gnutls.sh">https://github.com/jvehent/tlsnames/blob/master/convert_openssl_to_gnutls.sh</a></li>
</ul></li>
</ul> Bip - Bug #432 (Resolved): authenticated bip users could stop bip daemonhttps://projects.duckcorp.org/issues/4322015-01-15T03:56:50ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p>Fran found that these commands allow an authenticated bip user to stop bip daemon:<br /><pre>
{ echo PASS bipnick:mysecretpassword:freenode; echo NICK Pilou; echo USER Pilou 0 Pilou :blah; sleep 2; } | telnet 127.0.0.1 7778 | read
</pre></p>
<pre>
15-01-2015 04:26:44 DEBUG: Trying to accept new client on 0
15-01-2015 04:26:44 DEBUG: New client on socket 41 !
15-01-2015 04:26:44 DEBUG: fd:41 Connection established !
15-01-2015 04:26:44 DEBUG: "PASS bipnick:mysecretpassword:freenode"
15-01-2015 04:26:44 DEBUG: "NICK Pilou"
15-01-2015 04:26:44 DEBUG: "USER Pilou 0 Pilou :blah"
15-01-2015 04:26:44 DEBUG: Connection close asked. FD:41
15-01-2015 04:26:44 DEBUG: A client connected
15-01-2015 04:26:44 FATAL: select(): Bad file descriptor
</pre> Bip - Bug #431 (New): bip is leaking file descriptorshttps://projects.duckcorp.org/issues/4312015-01-15T02:01:19ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p>fran wrote:</p>
<blockquote>
<p>bip is leaking file descriptors on my server, and the fix is pretty easy: on connection.c, on read_socket, whenever read returns <1 and errno is different to EAGAIN and EINTR, the socket MUST be closed <br />because read will not return 0 on the following iterations of select (cause it's not added to the read fd_set after that), plus after read failing with fatal error it keeps returning -1</p>
</blockquote> Bip - Enhancement #343 (New): Allow to blreset all queries or all channelshttps://projects.duckcorp.org/issues/3432014-07-24T00:21:01ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p><code>blreset</code> command allows to reset backlog of an entire connection, a chan, a query.</p>
<p>Be able to reset all queries or all channels would be a nice feature.</p> Bip - Bug #342 (New): 'list connections' command doesn't display status of channelshttps://projects.duckcorp.org/issues/3422014-07-24T00:13:06ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p>It seems that output of <code>list connections</code> command should use a suffix on channels without backlog: <a class="source" href="https://projects.duckcorp.org/projects/bip/repository/bip/entry/src/bip.c#L1395">source:src/bip.c#L1395</a>, but this is not the case.</p>
<p><code>list connections</code> doesn't display a suffix on any channel:</p>
<pre>
02:04:18 Pilou | list connections
[...]
02:04:18 -bip | * milkypond to milkypond as "pilou" (pilou!pilou) :
02:04:18 -bip | Options:
02:04:18 -bip | Channels (* with key, ` no backlog) #test #milkypond #DuckCorp
02:04:18 -bip | Status: connected !
</pre> Bip - Bug #341 (New): 'bip list connections' command should display querieshttps://projects.duckcorp.org/issues/3412014-07-24T00:01:23ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p>The command <code>bip list connections</code> lists channels for all connections.</p>
<p>Queries could be listed too.</p> Bip - Enhancement #270 (Resolved): GIT: use signed taghttps://projects.duckcorp.org/issues/2702012-01-10T01:53:49ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p>Signed tags must be used.</p> Bip - Bug #269 (Resolved): buffer overflow when number of open file descriptors >= FD_SETSIZEhttps://projects.duckcorp.org/issues/2692012-01-07T10:28:05ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p>Reported by Julien Tinnes, thanks to him!</p>
<p>Bip doesn't check if fd is equal or larger than FD_SETSIZE.</p>
<p>From select man page:</p>
<blockquote>
<p>Executing FD_CLR() or FD_SET() with a value of fd that is negative or is equal to or larger than FD_SETSIZE will result in undefined behavior.</p>
</blockquote> Bip - Bug #186 (New): Bip crash after using "/QUOTE BIP TRUST OK" on a new connectionhttps://projects.duckcorp.org/issues/1862011-01-18T02:29:38ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<a name="How-to-reproduce"></a>
<h1 >How to reproduce:<a href="#How-to-reproduce" class="wiki-anchor">¶</a></h1>
<ol>
<li>/etc/bip.conf: add a new ssl connection </li>
<li>restart bip (Debian: <em>/etc/init.d/bip restart</em>)</li>
<li>use <em>/QUOTE BIP TRUST OK</em><br /> # all client connections are disconnected</li>
</ol>
<a name="Logs"></a>
<h1 >Logs<a href="#Logs" class="wiki-anchor">¶</a></h1>
<a name="Client-logs"></a>
<h2 >Client logs:<a href="#Client-logs" class="wiki-anchor">¶</a></h2>
<blockquote>
<p>03:12:08 oftc | irc: connecting to server irc-bouncer/7778...<br />03:12:08 oftc | irc: connected to irc-bouncer<br />03:12:08 oftc -- | b.i.p (b.i.p): This server SSL certificate was not accepted because it is not in your store of trusted certificates:<br />03:12:08 oftc -- | b.i.p (b.i.p): Subject: /C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certificate Authority/emailAddress=<a class="email" href="mailto:hostmaster@spi-inc.org">hostmaster@spi-inc.org</a><br />03:12:08 oftc -- | b.i.p (b.i.p): Issuer: /C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certificate Authority/emailAddress=<a class="email" href="mailto:hostmaster@spi-inc.org">hostmaster@spi-inc.org</a><br />03:12:08 oftc -- | b.i.p (b.i.p): MD5 fingerprint: 2A:47:9F:60:BB:83:74:6F:01:03:D7:0B:0D:F6:0D:78<br />03:12:08 oftc -- | b.i.p (b.i.p): WARNING: if you've already trusted a certificate for this server before, that probably means it has changed.<br />03:12:08 oftc -- | b.i.p (b.i.p): If so, YOU MAY BE SUBJECT OF A MAN-IN-THE-MIDDLE ATTACK! PLEASE DON'T TRUST THIS CERTIFICATE IF YOU'RE NOT SURE THIS IS NOT THE CASE.<br />03:12:08 oftc -- | b.i.p (b.i.p): Type /QUOTE BIP TRUST OK to trust this certificate, /QUOTE BIP TRUST NO to discard it.<br />03:12:20 oftc -- | irc.bip.net (irc.bip.net): ==== Certificate now trusted.<br />03:12:20 oftc -- | irc.bip.net (irc.bip.net): No more certificates waiting awaiting user trust, thanks!<br />03:12:20 oftc -- | irc.bip.net (irc.bip.net): If the certificate is trusted, bip should be able to connect to the server on the next retry. Please wait a while and try connecting your client again.</p>
</blockquote>
<a name="Bip-logs"></a>
<h2 >Bip logs:<a href="#Bip-logs" class="wiki-anchor">¶</a></h2>
<blockquote>
<p>18-01-2011 03:12:12 ERROR: No certificate in SSL write_socket<br />18-01-2011 03:12:12 ERROR: SSL cert check failed at depth=3: certificate rejected (28)<br />18-01-2011 03:12:12 ERROR: Certificate check failed: certificate rejected (28)!<br />18-01-2011 03:12:12 ERROR: Error on fd 31 (state 9)<br />18-01-2011 03:12:12 ERROR: [oftc] read_lines error, closing...<br />18-01-2011 03:12:12 ERROR: [oftc] reconnecting in 240 seconds<br />18-01-2011 03:12:54 ERROR: No certificate in SSL write_socket</p>
</blockquote> Bip - Bug #165 (New): doesn't load openssl support for sha-256 digesthttps://projects.duckcorp.org/issues/1652010-10-26T00:21:16ZPierre-Louis Bonicolipierre-louis.bonicoli@ir5.eu
<p><a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601021" class="external">Debian bug #601021</a></p>
<blockquote>
<p>As the subject says, bip doesn't make openssl load support for the sha-256<br />digest algorhytm. I've fixed a similar bug in fetchmail a while ago, see<br />Debian bug #576430 for a bit more info on the matter.<br />Attached is a simple patch that forces openssl to load support for everything<br />it knows :)<br />Sjoerd Simons</p>
</blockquote>