From: Michael K. <mic...@ip...> - 2019-03-12 18:30:19

Thanks Lonnie and yes I will be using the new option. I realised afterwards that I already had fixed this problem in the new release but had just forgotten about it. It's basic routing and I am kicking myself. Old age ☹

Regards
Michael Knill

On 13/3/19, 12:25 am, "Lonnie Abelbeck" <li...@lo...> wrote:

> Yes, if 172.30.253.0/24 was the OpenVPN subnet on the remote WG peer, what you did would have made sense, assuming your OpenVPN subnets across peers are unique.
>
> Think of the WireGuard "AllowedIPs" setting as AllowedIPs_into_this_peer. The corresponding figurative "AllowedIPs_out_of_this_peer" is limited by either control of the "AllowedIPs" of the remote peer and/or local firewall rules.
>
> Also note that by default, OpenVPN and WireGuard are isolated from each other. In AstLinux 1.3.5.2 there is a new Firewall sub-tab option (unchecked by default):
>
> _x_ Allow WireGuard VPN tunnel to the OpenVPN tunnel(s)
>
> Before AstLinux 1.3.5.2 an AIF custom rule would be needed to do the same.
>
> Lonnie
>
> > On Mar 11, 2019, at 11:57 PM, Michael Knill <mic...@ip...> wrote:
> >
> > Damn it I found the problem.
> > When using OpenVPN and WireGuard, I added this to the WireGuard config:
> > AllowedIPs = 172.29.253.1/32, 172.30.253.0/24 (wg peer, openvpn subnet)
> > This was done to allow OpenVPN to WireGuard connectivity, however it ended up putting a route into the routing table for the openvpn subnet pointing to nowhere, effectively black-holing it.
> >
> > A trap for young players obviously.
> > Thanks all.
> >
> > Regards
> > Michael Knill
> >
> > From: Michael Knill <mic...@ip...>
> > Reply-To: AstLinux List <ast...@li...>
> > Date: Tuesday, 12 March 2019 at 3:24 pm
> > To: AstLinux List <ast...@li...>
> > Subject: [Astlinux-users] HELP URGENT OpenVPN problem
> >
> > After the weekend I upgraded my Astlinux system with my new release of config files but the Astlinux version remained the same as 1.3.2.
> > Now all the Yealink phones connecting with OpenVPN connect fine as shown on the Status Tab but I cannot ping them.
> > When I make a connection via my laptop via OpenVPN I also can't ping the server.
> > What would cause the OpenVPN to break on an Astlinux box? What tests should I do next?
> > I have these exact files in other systems and it's fine.
> >
> > Regards
> > Michael Knill

_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
From: Lonnie A. <li...@lo...> - 2019-03-12 13:25:16

Yes, if 172.30.253.0/24 was the OpenVPN subnet on the remote WG peer, what you did would have made sense, assuming your OpenVPN subnets across peers are unique.

Think of the WireGuard "AllowedIPs" setting as AllowedIPs_into_this_peer. The corresponding figurative "AllowedIPs_out_of_this_peer" is limited by either control of the "AllowedIPs" of the remote peer and/or local firewall rules.

Also note that by default, OpenVPN and WireGuard are isolated from each other. In AstLinux 1.3.5.2 there is a new Firewall sub-tab option (unchecked by default):

_x_ Allow WireGuard VPN tunnel to the OpenVPN tunnel(s)

Before AstLinux 1.3.5.2 an AIF custom rule would be needed to do the same.

Lonnie

> On Mar 11, 2019, at 11:57 PM, Michael Knill <mic...@ip...> wrote:
>
> Damn it I found the problem.
> When using OpenVPN and WireGuard, I added this to the WireGuard config:
> AllowedIPs = 172.29.253.1/32, 172.30.253.0/24 (wg peer, openvpn subnet)
> This was done to allow OpenVPN to WireGuard connectivity, however it ended up putting a route into the routing table for the openvpn subnet pointing to nowhere, effectively black-holing it.
>
> A trap for young players obviously.
> Thanks all.
>
> Regards
> Michael Knill
>
> From: Michael Knill <mic...@ip...>
> Reply-To: AstLinux List <ast...@li...>
> Date: Tuesday, 12 March 2019 at 3:24 pm
> To: AstLinux List <ast...@li...>
> Subject: [Astlinux-users] HELP URGENT OpenVPN problem
>
> After the weekend I upgraded my Astlinux system with my new release of config files but the Astlinux version remained the same as 1.3.2.
> Now all the Yealink phones connecting with OpenVPN connect fine as shown on the Status Tab but I cannot ping them.
> When I make a connection via my laptop via OpenVPN I also can't ping the server.
> What would cause the OpenVPN to break on an Astlinux box? What tests should I do next?
> I have these exact files in other systems and it's fine.
>
> Regards
> Michael Knill
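The failure Lonnie explains above (a peer's AllowedIPs doubling as routes into the WireGuard tunnel, so listing the local OpenVPN subnet there black-holes it) is easy to catch before the interface comes up. The following Python is an added example, not code from the AstLinux project or from anyone on this list; it parses a WireGuard config, compares every peer's AllowedIPs prefixes with the subnets the host serves locally, and reports any prefix that is at least as specific as a local subnet. The config, key placeholders, interface names and subnets are constructed for the example.

```python
"""Flag WireGuard AllowedIPs prefixes that would shadow a subnet the host serves itself.

Added example, not code from the AstLinux project or the list thread. Every
AllowedIPs prefix on a peer is also installed as a route toward the WireGuard
interface, so a prefix that is at least as specific as a locally served subnet
(here the OpenVPN server subnet) steers that subnet's traffic into the tunnel.
All names and sample values below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: subnets this box serves locally, written the way the
# AstLinux OVPN_SERVER variable writes them ("network netmask").
LOCAL_SUBNETS: Dict[str, str] = {
    "openvpn tun0": "172.30.253.0 255.255.255.0",
    "lan eth1": "172.30.20.0 255.255.255.0",
}

# Constructed WireGuard config reproducing the misconfiguration from the thread:
# the OpenVPN server subnet listed under the peer's AllowedIPs.
WG_CONF = """\
[Interface]
Address = 172.29.253.2/32
PrivateKey = <redacted>

[Peer]
PublicKey = <peer-key>
AllowedIPs = 172.29.253.1/32, 172.30.253.0/24
Endpoint = wg.example.invalid:51820
"""

# The corrected peer: only the remote WireGuard address is routed into the tunnel.
FIXED_WG_CONF = WG_CONF.replace("AllowedIPs = 172.29.253.1/32, 172.30.253.0/24",
                                "AllowedIPs = 172.29.253.1/32")


def parse_local_subnets(subnets: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Turn 'network netmask' strings into network objects."""
    out = {}
    for name, spec in subnets.items():
        network, netmask = spec.split()
        out[name] = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return out


def parse_peer_allowed_ips(conf: str) -> List[Tuple[str, list]]:
    """Return (PublicKey, [AllowedIPs networks]) for every [Peer] section."""
    peers = []
    key, allowed, in_peer = "", [], False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):                 # section header
            if in_peer:
                peers.append((key, allowed))
            in_peer = line.lower() == "[peer]"
            key, allowed = "", []
            continue
        if not in_peer or "=" not in line:
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k.lower() == "publickey":
            key = v
        elif k.lower() == "allowedips":
            allowed.extend(ipaddress.ip_network(p.strip(), strict=False)
                           for p in v.split(",") if p.strip())
    if in_peer:
        peers.append((key, allowed))
    return peers


def shadowed_routes(conf: str, local: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (peer key, AllowedIPs prefix, local subnet name) for each prefix that
    overlaps a local subnet and is at least as specific as it.

    A less specific prefix such as 0.0.0.0/0 is not reported: the kernel prefers
    the more specific local route, so the local subnet still wins.
    """
    nets = parse_local_subnets(local)
    hits = []
    for key, allowed in parse_peer_allowed_ips(conf):
        for prefix in allowed:
            for name, lnet in nets.items():
                if (prefix.version == lnet.version and prefix.overlaps(lnet)
                        and prefix.prefixlen >= lnet.prefixlen):
                    hits.append((key, str(prefix), name))
    return hits


if __name__ == "__main__":
    for key, prefix, name in shadowed_routes(WG_CONF, LOCAL_SUBNETS):
        print(f"peer {key}: AllowedIPs {prefix} would route the local '{name}' subnet into the tunnel")
    print("fixed config:", shadowed_routes(FIXED_WG_CONF, LOCAL_SUBNETS) or "no shadowed routes")
```

Run against the constructed config it reports the 172.30.253.0/24 entry as shadowing the local OpenVPN subnet and reports nothing for the corrected peer. A full-tunnel peer with AllowedIPs 0.0.0.0/0 is deliberately not flagged, because the more specific local route still wins; reaching the OpenVPN clients from the WireGuard side is then a firewall decision, which is what the AstLinux 1.3.5.2 option Lonnie mentions controls.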
From: Michael K. <mic...@ip...> - 2019-03-12 04:57:30

Damn it I found the problem.
When using OpenVPN and WireGuard, I added this to the WireGuard config:

AllowedIPs = 172.29.253.1/32, 172.30.253.0/24 (wg peer, openvpn subnet)

This was done to allow OpenVPN to WireGuard connectivity, however it ended up putting a route into the routing table for the openvpn subnet pointing to nowhere, effectively black-holing it.

A trap for young players obviously.
Thanks all.

Regards
Michael Knill

From: Michael Knill <mic...@ip...>
Reply-To: AstLinux List <ast...@li...>
Date: Tuesday, 12 March 2019 at 3:24 pm
To: AstLinux List <ast...@li...>
Subject: [Astlinux-users] HELP URGENT OpenVPN problem

After the weekend I upgraded my Astlinux system with my new release of config files but the Astlinux version remained the same as 1.3.2.
Now all the Yealink phones connecting with OpenVPN connect fine as shown on the Status Tab but I cannot ping them.
When I make a connection via my laptop via OpenVPN I also can't ping the server.
What would cause the OpenVPN to break on an Astlinux box? What tests should I do next?
I have these exact files in other systems and it's fine.

Regards
Michael Knill
From: Michael K. <mic...@ip...> - 2019-03-12 04:23:45

After the weekend I upgraded my Astlinux system with my new release of config files but the Astlinux version remained the same as 1.3.2.
Now all the Yealink phones connecting with OpenVPN connect fine as shown on the Status Tab but I cannot ping them.
When I make a connection via my laptop via OpenVPN I also can't ping the server.
What would cause the OpenVPN to break on an Astlinux box? What tests should I do next?
I have these exact files in other systems and it's fine.

Details:

### gui.openvpn.conf - start ###
###
### Auth Method
OVPN_USER_PASS_VERIFY="no"
### Device
OVPN_DEV="tun0"
### Port Number
OVPN_PORT="1194"
### Protocol
OVPN_PROTOCOL="udp"
### Log Verbosity
OVPN_VERBOSITY="1"
### Compression
OVPN_LZO="yes"
### QoS Passthrough
OVPN_QOS="yes"
### Cipher
OVPN_CIPHER=""
### Auth HMAC
OVPN_AUTH=""
### Allowed External Hosts
OVPN_TUNNEL_HOSTS="0/0"
### Server Hostname
OVPN_HOSTNAME="21010.ibcaccess.net"
### Server IPv4 Network
OVPN_SERVER="172.30.253.0 255.255.255.0"
### Server IPv6 Network
OVPN_SERVERV6=""
### Topology
OVPN_TOPOLOGY="subnet"
### Server Push
OVPN_PUSH="
route 172.30.20.0 255.255.255.0
"
### Raw Commands
OVPN_OTHER="
ifconfig-pool-linear
"
### Private Key Size
OVPN_CERT_KEYSIZE="2048"
### Signature Algorithm
OVPN_CERT_ALGORITHM="sha256"
### CA File
OVPN_CA="/mnt/kd/openvpn/webinterface/keys/ca.crt"
### CERT File
OVPN_CERT="/mnt/kd/openvpn/webinterface/keys/server.crt"
### Key File
OVPN_KEY="/mnt/kd/openvpn/webinterface/keys/server.key"
### DH File
OVPN_DH="/mnt/kd/openvpn/webinterface/dh1024.pem"
### TLS-Auth File
OVPN_TA=""
### gui.openvpn.conf - end ###

Regards
Michael Knill
From: Lonnie A. <li...@lo...> - 2019-03-03 17:05:26

Greetings,

A friendly heads-up: the AstLinux web interface generates OpenVPN (and IPSec) certificates with an expiry date of 10 years in the future. Seems like a really long time... Well today I hit an OpenVPN failure due to an expired certificate ... thank goodness I also had WireGuard access !

BTW, a CLI command to check your OpenVPN valid dates is:
--
openssl x509 -startdate -enddate -noout -in /mnt/kd/openvpn/webinterface/keys/ca.crt
--

This was not all bad, since if your cert is 10 years old then recreating them with 2048 bits and SHA-256 is a good thing anyway. I also enabled "Extra TLS-Auth:" while I was at it.

Also a good time to consider switching to WireGuard :-)

Lonnie
From: Michael K. <mic...@ip...> - 2019-02-24 22:22:37

Far out simple. I think I will just push the host address of the server and that should be fine.
Sorry everyone.

Regards
Michael Knill

From: Michael Knill <mic...@ip...>
Reply-To: AstLinux List <ast...@li...>
Date: Monday, 25 February 2019 at 9:14 am
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] OpenVPN Firewall Rules

Thanks Michael. Darn I missed that page. Looking at it now.

Regards
Michael Knill

From: Michael Keuter <li...@mk...>
Reply-To: AstLinux List <ast...@li...>
Date: Monday, 25 February 2019 at 8:55 am
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] OpenVPN Firewall Rules

Have you looked at our Wiki page about OpenVPN Access Policies?

Sent from a mobile device.
Michael Keuter

On 24.02.2019 at 22:33, Michael Knill <mic...@ip...> wrote:

Sorry guys me again

I have a customer that is connecting via OpenVPN into their Astlinux appliance to connect to a local server on the LAN.
They are asking if access from OpenVPN can be restricted to a particular protocol and address e.g. TCP3389 to 192.168.x.x/32.
I'm not sure how I would go about doing this sorry.

Regards
Michael Knill
From: Michael K. <mic...@ip...> - 2019-02-24 22:14:17

Thanks Michael. Darn I missed that page. Looking at it now.

Regards
Michael Knill

From: Michael Keuter <li...@mk...>
Reply-To: AstLinux List <ast...@li...>
Date: Monday, 25 February 2019 at 8:55 am
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] OpenVPN Firewall Rules

Have you looked at our Wiki page about OpenVPN Access Policies?

Sent from a mobile device.
Michael Keuter

On 24.02.2019 at 22:33, Michael Knill <mic...@ip...> wrote:

Sorry guys me again

I have a customer that is connecting via OpenVPN into their Astlinux appliance to connect to a local server on the LAN.
They are asking if access from OpenVPN can be restricted to a particular protocol and address e.g. TCP3389 to 192.168.x.x/32.
I'm not sure how I would go about doing this sorry.

Regards
Michael Knill
From: Michael K. <li...@mk...> - 2019-02-24 21:55:20

Have you looked at our Wiki page about OpenVPN Access Policies?

Sent from a mobile device.
Michael Keuter

> On 24.02.2019 at 22:33, Michael Knill <mic...@ip...> wrote:
>
> Sorry guys me again
>
> I have a customer that is connecting via OpenVPN into their Astlinux appliance to connect to a local server on the LAN.
> They are asking if access from OpenVPN can be restricted to a particular protocol and address e.g. TCP3389 to 192.168.x.x/32.
> I'm not sure how I would go about doing this sorry.
>
> Regards
> Michael Knill
From: Michael K. <mic...@ip...> - 2019-02-24 21:33:20

Sorry guys me again

I have a customer that is connecting via OpenVPN into their Astlinux appliance to connect to a local server on the LAN.
They are asking if access from OpenVPN can be restricted to a particular protocol and address e.g. TCP3389 to 192.168.x.x/32.
I'm not sure how I would go about doing this sorry.

Regards
Michael Knill
From: Michael K. <mic...@ip...> - 2019-02-24 21:25:09

Hi all

I have a bit of a concern regarding a shared OpenVPN server that I have. When I say shared, I mean multiple customers using OpenVPN on Yealink phones.
Although I am very careful with ovpn files, it could be a real problem if an attacker obtained one.
So basically I'm wondering if there is any way that I could restrict all tunnels to be Point to Point only, e.g. can access the server IP address only, and not other devices on the OpenVPN subnet?

Regards
Michael Knill
From: Lonnie A. <li...@lo...> - 2019-02-23 14:21:33

Announcing AstLinux Release: 1.3.5.2
(1.3.5 and 1.3.5.1 were not released)

More Info: AstLinux Project
https://www.astlinux-project.org/

AstLinux 1.3.5.2 Highlights:

* Asterisk Versions: 11.25.3, 13.24.1
* Upgrade to Linux Kernel 3.16.61, including the RUNNIX bootloader, security and bug fixes
* wol-host, new command to send Wake-on-LAN packet to specified host, by IP or DNS name
* fossil, new feature to optionally send commit notifications via email while using "fossil-commit"
* WireGuard VPN, latest development snapshot during its incorporation into the mainline Linux Kernel
* Web Interface, WireGuard VPN sub-tab, add "Mobile Client Defaults" and "Mobile Client Credentials" sections
* Web Interface, Status tab, improve layout of "WireGuard VPN Status" section
* Package upgrades providing important security and bug fixes

Full ChangeLog:
https://raw.githubusercontent.com/astlinux-project/astlinux/1.3.5.2/docs/ChangeLog.txt

All users are encouraged to upgrade.

Special note: Significant development on WireGuard VPN support, related to available macOS, iOS and Android WireGuard Apps
--
macOS WireGuard (macOS 10.14+)
https://itunes.apple.com/us/app/wireguard/id1451685025?ls=1&mt=12

iOS WireGuard (iOS 12+)
https://itunes.apple.com/us/app/wireguard/id1441195209?ls=1&mt=8

Android WireGuard
https://play.google.com/store/apps/details?id=com.wireguard.android
--
Please re-read the first half of WireGuard VPN Configuration:
https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn

AstLinux Team
From: Lonnie A. <li...@lo...> - 2019-02-06 15:50:45

Hi JT,

Thanks for the followup with your test results.

> It looks like a C2358 benefits more from having AES-NI enabled than an i3-6100 does.

Yes, and kind of makes sense. Also keep in mind the WireGuard VPN does not use AES, but rather ChaCha20-Poly1305, which leverages off the x86_64 CPU's SSSE3 and AVX instructions for additional performance.

BTW, it is amazing how much faster the Core i3-6100U is than an Atom D525 ... by the simple numbers, same number of cores and hyper threading, i3-6100U clock is less than 2x faster, but a 100 Mbps WireGuard tunnel endpoint takes about 20-25% CPU for the D525, but only 3-5% CPU on the i3-6100U.

Lonnie

> On Feb 5, 2019, at 10:11 PM, aut...@gm... wrote:
>
> Thanks Lonnie. Just for reference, here are my numbers:
>
> pbx ~ # system-vendor
> Lanner FW-7525B NIC x4
>
> pbx ~ # openssl speed -elapsed -evp aes-128-cbc
> ...
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc     153712.42k   235672.87k   282781.53k   297832.45k   302000.81k
>
> ## Disable AES-NI detection
> pbx ~ # OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
> ...
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc      31603.19k    34203.54k    35166.63k    35390.46k    35485.01k
>
> It looks like a C2358 benefits more from having AES-NI enabled than an i3-6100 does.
>
> OpenVPN:
>
> pbx ~ # openvpn --genkey --secret /tmp/secret
> pbx ~ # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
> Tue Jan 29 19:39:58 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
>
> real    0m33.698s
> user    0m33.618s
> sys     0m0.011s
>
> This is close to the results on the FW-7525B documentation page, and close to the results from FreeBSD:
>
> [2.3.5-RELEASE][root@pfSense.localdomain]/root: openvpn --genkey --secret /tmp/secret
> [2.3.5-RELEASE][root@pfSense.localdomain]/root: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
> 31.633u 0.039s 0:31.69 99.9% 747+177k 0+0io 1pf+0w
>
> JT
>
> On Sun, Jan 27, 2019 at 4:12 AM <ast...@li...> wrote:
> > Message: 1
> > Date: Sat, 26 Jan 2019 09:57:37 -0600
> > From: Lonnie Abelbeck <li...@lo...>
> > To: AstLinux Users Mailing List <ast...@li...>
> > Subject: Re: [Astlinux-users] Enabling AES
> > Message-ID: <9F8...@lo...>
> > Content-Type: text/plain; charset=us-ascii
> >
> > Hi JT,
> >
> > I can't explain the differences between different OpenSSL versions on different platforms (Linux vs. FreeBSD), but there is a way to artificially disable the AES-NI detection by setting OPENSSL_ia32cap="~0x200000200000000" to disable AES-NI usage.
> >
> > For Example:
> >
> > pbx ~ # system-vendor
> > Qotom Q530G6 CPU i3-6100U NIC x6
> >
> > pbx ~ # openssl speed -elapsed -evp aes-128-cbc
> > ...
> > The 'numbers' are in 1000s of bytes per second processed.
> > type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> > aes-128-cbc     732389.02k   806448.32k   822415.19k   826271.40k   832817.83k
> >
> > ## Disable AES-NI detection
> > pbx ~ # OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
> > ...
> > The 'numbers' are in 1000s of bytes per second processed.
> > type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> > aes-128-cbc     213826.86k   224500.25k   227550.04k   229667.16k   229709.14k
> >
> > About a 3.5x improvement with AES-NI enabled, as is the default.
> >
> > If you are comparing with pfSense, try a more real-world test, testing more than just the AES-NI ...
> >
> > pbx ~ # openvpn --genkey --secret /tmp/secret
> > pbx ~ # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
> > Sat Jan 26 09:39:25 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
> >
> > real    0m11.413s
> >
> > BTW, I read the pfSense forums from time to time, and there is a lot of confusion loading the "aesni-intel" (FreeBSD name may be different) kernel module and using the "cryptodev" engine, as using the CPU's native AES-NI is faster, but often confusing in the pfSense configuration.
> >
> > Lonnie
> >
> > > On Jan 25, 2019, at 11:54 PM, aut...@gm... wrote:
> > >
> > > Thank you Lonnie. Yes, I'm using the 64-bit image, version 1.3.4, on a Lanner FW-7525B.
> > >
> > > The reason I asked about enabling AES is because in Astlinux, openssl does not show the AES engine:
> > >
> > > =================
> > >
> > > pbx ~ # openssl engine -t -c
> > > (rdrand) Intel RDRAND engine
> > >      [RAND]
> > >      [ available ]
> > > (dynamic) Dynamic engine loading support
> > >      [ unavailable ]
> > > pbx ~ # openssl speed -evp aes-128-cbc
> > > Doing aes-128-cbc for 3s on 16 size blocks: 28745427 aes-128-cbc's in 2.99s
> > > Doing aes-128-cbc for 3s on 64 size blocks: 11017736 aes-128-cbc's in 3.00s
> > > Doing aes-128-cbc for 3s on 256 size blocks: 3308167 aes-128-cbc's in 2.99s
> > > Doing aes-128-cbc for 3s on 1024 size blocks: 871322 aes-128-cbc's in 3.00s
> > > Doing aes-128-cbc for 3s on 8192 size blocks: 110518 aes-128-cbc's in 2.99s
> > > OpenSSL 1.0.2p 14 Aug 2018
> > > built on: reproducible build, date unspecified
> > > options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> > > compiler: /var/lib/astlinux/tags/1.3.4/output/host/usr/bin/x86_64-unknown-linux-gnu-gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -pipe -Os -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
> > > The 'numbers' are in 1000s of bytes per second processed.
> > > type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> > > aes-128-cbc     153821.68k   235045.03k   283241.05k   297411.24k   302797.14k
> > >
> > > =================
> > >
> > > Running pfSense on the same machine, openssl shows the AES engine, and gives much faster numbers:
> > >
> > > =================
> > >
> > > [2.3.5-RELEASE][root@pfSense.localdomain]/root: openssl engine -t -c
> > > (cryptodev) BSD cryptodev engine
> > >      [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
> > >      [ available ]
> > > (rsax) RSAX engine support
> > >      [RSA]
> > >      [ available ]
> > > (rdrand) Intel RDRAND engine
> > >      [RAND]
> > >      [ available ]
> > > (dynamic) Dynamic engine loading support
> > >      [ unavailable ]
> > > [2.3.5-RELEASE][root@pfSense.localdomain]/root: openssl speed -evp aes-128-cbc
> > > Doing aes-128-cbc for 3s on 16 size blocks: 727014 aes-128-cbc's in 0.26s
> > > Doing aes-128-cbc for 3s on 64 size blocks: 687421 aes-128-cbc's in 0.34s
> > > Doing aes-128-cbc for 3s on 256 size blocks: 597433 aes-128-cbc's in 0.30s
> > > Doing aes-128-cbc for 3s on 1024 size blocks: 388056 aes-128-cbc's in 0.16s
> > > Doing aes-128-cbc for 3s on 8192 size blocks: 89167 aes-128-cbc's in 0.03s
> > > OpenSSL 1.0.1s-freebsd 1 Mar 2016
> > > built on: date not available
> > > options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> > > compiler: clang
> > > The 'numbers' are in 1000s of bytes per second processed.
> > > type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> > > aes-128-cbc      45118.93k   127985.29k   501966.27k  2543163.80k 23374594.05k
> > >
> > > =================
> > >
> > > What am I overlooking here? Thank you.
> > >
> > > JT
From: <aut...@gm...> - 2019-02-06 04:11:37

Thanks Lonnie. Just for reference, here are my numbers:

pbx ~ # system-vendor
Lanner FW-7525B NIC x4

pbx ~ # openssl speed -elapsed -evp aes-128-cbc
...
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     153712.42k   235672.87k   282781.53k   297832.45k   302000.81k

## Disable AES-NI detection
pbx ~ # OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
...
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      31603.19k    34203.54k    35166.63k    35390.46k    35485.01k

It looks like a C2358 benefits more from having AES-NI enabled than an i3-6100 does.

OpenVPN:

pbx ~ # openvpn --genkey --secret /tmp/secret
pbx ~ # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
Tue Jan 29 19:39:58 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode

real    0m33.698s
user    0m33.618s
sys     0m0.011s

This is close to the results on the FW-7525B documentation page, and close to the results from FreeBSD:

[2.3.5-RELEASE][root@pfSense.localdomain]/root: openvpn --genkey --secret /tmp/secret
[2.3.5-RELEASE][root@pfSense.localdomain]/root: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
31.633u 0.039s 0:31.69 99.9% 747+177k 0+0io 1pf+0w

JT

On Sun, Jan 27, 2019 at 4:12 AM <ast...@li...> wrote:
> Message: 1
> Date: Sat, 26 Jan 2019 09:57:37 -0600
> From: Lonnie Abelbeck <li...@lo...>
> To: AstLinux Users Mailing List <ast...@li...>
> Subject: Re: [Astlinux-users] Enabling AES
> Message-ID: <9F8...@lo...>
> Content-Type: text/plain; charset=us-ascii
>
> Hi JT,
>
> I can't explain the differences between different OpenSSL versions on different platforms (Linux vs. FreeBSD), but there is a way to artificially disable the AES-NI detection by setting OPENSSL_ia32cap="~0x200000200000000" to disable AES-NI usage.
>
> For Example:
>
> pbx ~ # system-vendor
> Qotom Q530G6 CPU i3-6100U NIC x6
>
> pbx ~ # openssl speed -elapsed -evp aes-128-cbc
> ...
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc     732389.02k   806448.32k   822415.19k   826271.40k   832817.83k
>
> ## Disable AES-NI detection
> pbx ~ # OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
> ...
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc     213826.86k   224500.25k   227550.04k   229667.16k   229709.14k
>
> About a 3.5x improvement with AES-NI enabled, as is the default.
>
> If you are comparing with pfSense, try a more real-world test, testing more than just the AES-NI ...
>
> pbx ~ # openvpn --genkey --secret /tmp/secret
> pbx ~ # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
> Sat Jan 26 09:39:25 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
>
> real    0m11.413s
>
> BTW, I read the pfSense forums from time to time, and there is a lot of confusion loading the "aesni-intel" (FreeBSD name may be different) kernel module and using the "cryptodev" engine, as using the CPU's native AES-NI is faster, but often confusing in the pfSense configuration.
>
> Lonnie
>
> > On Jan 25, 2019, at 11:54 PM, aut...@gm... wrote:
> >
> > Thank you Lonnie. Yes, I'm using the 64-bit image, version 1.3.4, on a Lanner FW-7525B.
> >
> > The reason I asked about enabling AES is because in Astlinux, openssl does not show the AES engine:
> >
> > =================
> >
> > pbx ~ # openssl engine -t -c
> > (rdrand) Intel RDRAND engine
> >      [RAND]
> >      [ available ]
> > (dynamic) Dynamic engine loading support
> >      [ unavailable ]
> > pbx ~ # openssl speed -evp aes-128-cbc
> > Doing aes-128-cbc for 3s on 16 size blocks: 28745427 aes-128-cbc's in 2.99s
> > Doing aes-128-cbc for 3s on 64 size blocks: 11017736 aes-128-cbc's in 3.00s
> > Doing aes-128-cbc for 3s on 256 size blocks: 3308167 aes-128-cbc's in 2.99s
> > Doing aes-128-cbc for 3s on 1024 size blocks: 871322 aes-128-cbc's in 3.00s
> > Doing aes-128-cbc for 3s on 8192 size blocks: 110518 aes-128-cbc's in 2.99s
> > OpenSSL 1.0.2p 14 Aug 2018
> > built on: reproducible build, date unspecified
> > options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> > compiler: /var/lib/astlinux/tags/1.3.4/output/host/usr/bin/x86_64-unknown-linux-gnu-gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -pipe -Os -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
> > The 'numbers' are in 1000s of bytes per second processed.
> > type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> > aes-128-cbc     153821.68k   235045.03k   283241.05k   297411.24k   302797.14k
> >
> > =================
> >
> > Running pfSense on the same machine, openssl shows the AES engine, and gives much faster numbers:
> >
> > =================
> >
> > [2.3.5-RELEASE][root@pfSense.localdomain]/root: openssl engine -t -c
> > (cryptodev) BSD cryptodev engine
> >      [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
> >      [ available ]
> > (rsax) RSAX engine support
> >      [RSA]
> >      [ available ]
> > (rdrand) Intel RDRAND engine
> >      [RAND]
> >      [ available ]
> > (dynamic) Dynamic engine loading support
> >      [ unavailable ]
> > [2.3.5-RELEASE][root@pfSense.localdomain]/root: openssl speed -evp aes-128-cbc
> > Doing aes-128-cbc for 3s on 16 size blocks: 727014 aes-128-cbc's in 0.26s
> > Doing aes-128-cbc for 3s on 64 size blocks: 687421 aes-128-cbc's in 0.34s
> > Doing aes-128-cbc for 3s on 256 size blocks: 597433 aes-128-cbc's in 0.30s
> > Doing aes-128-cbc for 3s on 1024 size blocks: 388056 aes-128-cbc's in 0.16s
> > Doing aes-128-cbc for 3s on 8192 size blocks: 89167 aes-128-cbc's in 0.03s
> > OpenSSL 1.0.1s-freebsd 1 Mar 2016
> > built on: date not available
> > options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> > compiler: clang
> > The 'numbers' are in 1000s of bytes per second processed.
> > type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 > bytes > > aes-128-cbc 45118.93k 127985.29k 501966.27k 2543163.80k > 23374594.05k > > > > ================= > > > > What am I overlooking here? Thank you. > > > > JT > > _______________________________________________ > > Astlinux-users mailing list > > Ast...@li... > > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... > > > > > ------------------------------ > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > ------------------------------ > > End of Astlinux-users Digest, Vol 150, Issue 10 > *********************************************** > |
From: Michael K. <mic...@ip...> - 2019-02-02 04:48:15
Thanks Lonnie for the info. Yes I hope to do some testing eventually as this can overcome one of the big issues I have with mobile integration. Just wanting to check that no one else had done any testing as I am EXTREMELY time poor ☹. Already have a Vultr server! So quick to deploy and so cheap.

Regards
Michael Knill

On 2/2/19, 3:29 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
From: Lonnie A. <li...@lo...> - 2019-02-02 04:29:37
Hi Michael,

In general, for mobile devices, WireGuard is much more battery friendly since no keepalive packets are required ... a mobile WireGuard client can establish a tunnel to a server... sleep-disconnect-wake while the server endpoint maintains the crypto-route state ... updates the Mobile IP if it roams when a packet is sent over the tunnel. The connection is initiated by the mobile client.

But Bria's SIP is a chatty protocol with register and notify packets, usually needed to keep firewall states open. But when running over WireGuard, SIP does not see any NAT or worry about firewall states.

Bottom line, if you can back off the SIP registers to 15 minutes and disable notify (qualify) you should be able to lower battery consumption from the defaults. This would take some testing to confirm.

In fairness, one minor negative is the iOS (macOS and Android) WireGuard app is implemented using the Go programming language which in its binary target form is probably about 1/2 (?) the speed of native compiled code, but since SIP is not a lot of traffic this inefficiency should not matter too much.

Michael, you have all the tools to test this yourself, install AstLinux 1.3.4 somewhere and then upgrade it with astlinux-1.3-4073-68d8d5 ... install the iOS WireGuard app and test away. You could create a WireGuard test server for iOS clients on Vultr in probably 10 minutes.

Lonnie

> On Feb 1, 2019, at 8:11 PM, Michael Knill <mic...@ip...> wrote:
From: Michael K. <mic...@ip...> - 2019-02-02 02:11:53
I'm certainly looking forward to WireGuard on iOS but I am interested in its use for a VoIP softphone such as Bria.
Does having the tunnel up all the time drain the battery?

Regards
Michael Knill

On 2/2/19, 10:13 am, "Lonnie Abelbeck" <li...@lo...> wrote:
From: Lonnie A. <li...@lo...> - 2019-02-01 23:13:41
Announcing Pre-Release Version: astlinux-1.3-4073-68d8d5
Provided no issues found, this will become AstLinux 1.3.5

Significant development on WireGuard VPN support, related to available iOS and Android WireGuard Apps
--
iOS WireGuard (iOS 12+)
https://itunes.apple.com/us/app/wireguard/id1441195209?ls=1&mt=8

Android WireGuard
https://play.google.com/store/apps/details?id=com.wireguard.android
--
Re-read first half of WireGuard VPN Configuration -- https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn

The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.

-- Asterisk, version bump to 13.24.1 and pjsip 2.8

-- Linux Kernel 3.16.61, security and bug fixes.

-- WireGuard VPN, version bump to 0.0.20190123

-- WireGuard VPN, add wireguard-mobile-client script to manage mobile clients. Also used by the web interface.

-- Web Interface, WireGuard VPN sub-tab, add "Mobile Client Defaults" and "Mobile Client Credentials" sections.

-- Web Interface, Status tab, improve layout of "WireGuard VPN Status" section.

-- arnofw (AIF), add WIREGUARD_ALLOW_OPENVPN rc.conf variable, Allow WireGuard tunnel to OpenVPN tunnel(s), disabled by default.

-- wol-host, new command to send Wake-on-LAN packet to specified host, by IP or DNS name.
   Example: wol-host --ping 192.168.101.13
   More info: wol-host --help

-- fossil, new feature to optionally send commit notifications via email while using 'fossil-commit'.
   New rc.conf variable FOSSIL_NOTIFY must be defined (via user.conf) as To: email address to enable.
   Additional new, optional rc.conf variables: FOSSIL_NOTIFY_FROM, FOSSIL_HOSTNAME

-- Complete Pre-Release ChangeLog:
   https://s3.amazonaws.com/beta.astlinux-project/astlinux-changelog/ChangeLog.txt

New Documentation Topics:
EdgeRouter-X VPN Endpoint -- https://doc.astlinux-project.org/userdoc:tt_edgerouter-x

Updated Documentation Topics:
WireGuard VPN Configuration -- https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn

The "AstLinux Pre-Release ChangeLog" and "Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...

AstLinux Project -> Development
https://www.astlinux-project.org/dev.html

AstLinux Team
From: Lonnie A. <li...@lo...> - 2019-01-26 15:57:52
Hi JT,

I can't explain the differences between different OpenSSL versions on different platforms (Linux vs. FreeBSD), but there is a way to artificially disable the AES-NI detection by setting OPENSSL_ia32cap="~0x200000200000000" to disable AES-NI usage.

For example:

pbx ~ # system-vendor
Qotom Q530G6 CPU i3-6100U NIC x6

pbx ~ # openssl speed -elapsed -evp aes-128-cbc
...
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     732389.02k   806448.32k   822415.19k   826271.40k   832817.83k

## Disable AES-NI detection
pbx ~ # OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
...
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     213826.86k   224500.25k   227550.04k   229667.16k   229709.14k

About a 3.5x improvement with AES-NI enabled, as is the default.

If you are comparing with pfSense, try a more real-world test, testing more than just the AES-NI ...

pbx ~ # openvpn --genkey --secret /tmp/secret
pbx ~ # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
Sat Jan 26 09:39:25 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode

real 0m11.413s

BTW, I read the pfSense forums from time to time, and there is a lot of confusion loading the "aesni-intel" (FreeBSD name may be different) kernel module and using the "cryptodev" engine, as using the CPU's native AES-NI is faster, but often confusing in the pfSense configuration.

Lonnie

> On Jan 25, 2019, at 11:54 PM, aut...@gm... wrote:
From: <aut...@gm...> - 2019-01-26 05:54:18
Thank you Lonnie. Yes, I'm using the 64-bit image, version 1.3.4, on a Lanner FW-7525B.

The reason I asked about enabling AES is because in Astlinux, openssl does not show the AES engine:

=================

pbx ~ # openssl engine -t -c
(rdrand) Intel RDRAND engine
     [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
pbx ~ # openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 28745427 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 11017736 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 3308167 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 1024 size blocks: 871322 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 110518 aes-128-cbc's in 2.99s
OpenSSL 1.0.2p 14 Aug 2018
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: /var/lib/astlinux/tags/1.3.4/output/host/usr/bin/x86_64-unknown-linux-gnu-gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -pipe -Os -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     153821.68k   235045.03k   283241.05k   297411.24k   302797.14k

=================

Running pfSense on the same machine, openssl shows the AES engine, and gives much faster numbers:

=================

[2.3.5-RELEASE][root@pfSense.localdomain]/root: openssl engine -t -c
(cryptodev) BSD cryptodev engine
     [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(rsax) RSAX engine support
     [RSA]
     [ available ]
(rdrand) Intel RDRAND engine
     [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[2.3.5-RELEASE][root@pfSense.localdomain]/root: openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 727014 aes-128-cbc's in 0.26s
Doing aes-128-cbc for 3s on 64 size blocks: 687421 aes-128-cbc's in 0.34s
Doing aes-128-cbc for 3s on 256 size blocks: 597433 aes-128-cbc's in 0.30s
Doing aes-128-cbc for 3s on 1024 size blocks: 388056 aes-128-cbc's in 0.16s
Doing aes-128-cbc for 3s on 8192 size blocks: 89167 aes-128-cbc's in 0.03s
OpenSSL 1.0.1s-freebsd 1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      45118.93k   127985.29k   501966.27k  2543163.80k  23374594.05k

=================

What am I overlooking here? Thank you.

JT
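A worked check of the two kinds of `openssl speed` output that appear in JT's question and in Lonnie's AES-NI on/off comparison above. This is an added example, not code from AstLinux, OpenSSL or pfSense; the sample lines are copied from the thread. It recomputes bytes per second from the per-block "Doing ... in Ns" lines, flags runs whose measured time is far below the nominal 3 s window (`openssl speed` divides by process CPU time unless `-elapsed` is given, so when an engine such as cryptodev does the work outside the process the figure is inflated, which is what the pfSense row shows), and computes the AES-NI speedup from two summary rows.

```python
"""Parse `openssl speed -evp` output and sanity-check its throughput figures.

Added example for this thread; not AstLinux, OpenSSL or pfSense code.
Sample lines below are copied from the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "Doing aes-128-cbc for 3s on 16 size blocks: 28745427 aes-128-cbc's in 2.99s"
DOING_RE = re.compile(
    r"Doing (?P<cipher>\S+) for (?P<nominal>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) \S+ in (?P<secs>[\d.]+)s"
)
# "aes-128-cbc     732389.02k   806448.32k ..." (summary row, 1000s of bytes/s)
TABLE_RE = re.compile(r"^(?P<cipher>[\w-]+)\s+(?P<cells>(?:[\d.]+k\s*)+)$")
BLOCK_SIZES = (16, 64, 256, 1024, 8192)


@dataclass
class SpeedRow:
    cipher: str
    block_size: int
    count: int
    seconds: float   # time the count is divided by (CPU time unless -elapsed)
    nominal: float   # requested window, normally 3 s

    @property
    def kbytes_per_sec(self) -> float:
        return self.count * self.block_size / self.seconds / 1000.0

    @property
    def suspicious(self) -> bool:
        # Without -elapsed, openssl speed divides by process CPU time. When an
        # engine does the work outside the process (the cryptodev case) that
        # time collapses and the throughput figure is inflated.
        return self.seconds < 0.5 * self.nominal


def parse_doing_lines(text: str) -> list[SpeedRow]:
    rows = []
    for line in text.splitlines():
        m = DOING_RE.search(line)
        if m:
            rows.append(SpeedRow(m["cipher"], int(m["size"]), int(m["count"]),
                                 float(m["secs"]), float(m["nominal"])))
    return rows


def parse_summary_row(text: str) -> dict[int, float]:
    """Return {block_size: kbytes/s} from the first summary row found."""
    for line in text.splitlines():
        m = TABLE_RE.match(line.strip())
        if m:
            cells = [float(c.rstrip("k")) for c in m["cells"].split()]
            return dict(zip(BLOCK_SIZES, cells))
    return {}


def speedup_by_size(fast: dict[int, float], slow: dict[int, float]) -> dict[int, float]:
    return {size: fast[size] / slow[size] for size in fast if size in slow}


def report(rows: list[SpeedRow]) -> list[str]:
    out = []
    for r in rows:
        flag = ""
        if r.suspicious:
            flag = "  <-- measured %.2fs of a %.0fs run: not wall-clock, re-run with -elapsed" % (
                r.seconds, r.nominal)
        out.append("%s %5d-byte blocks: %12.2fk bytes/s%s" % (
            r.cipher, r.block_size, r.kbytes_per_sec, flag))
    return out


# Copied from the thread: AstLinux and pfSense 2.3.5 on the same Lanner box
# (two block sizes each, for brevity).
ASTLINUX_SPEED = """\
Doing aes-128-cbc for 3s on 16 size blocks: 28745427 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 110518 aes-128-cbc's in 2.99s
"""
PFSENSE_SPEED = """\
Doing aes-128-cbc for 3s on 16 size blocks: 727014 aes-128-cbc's in 0.26s
Doing aes-128-cbc for 3s on 8192 size blocks: 89167 aes-128-cbc's in 0.03s
"""
# Summary rows from Lonnie's i3-6100U runs with AES-NI enabled and disabled.
AESNI_ON = "aes-128-cbc     732389.02k   806448.32k   822415.19k   826271.40k   832817.83k"
AESNI_OFF = "aes-128-cbc     213826.86k   224500.25k   227550.04k   229667.16k   229709.14k"

if __name__ == "__main__":
    print("\n".join(report(parse_doing_lines(ASTLINUX_SPEED))))
    print("\n".join(report(parse_doing_lines(PFSENSE_SPEED))))
    ratios = speedup_by_size(parse_summary_row(AESNI_ON), parse_summary_row(AESNI_OFF))
    for size, ratio in ratios.items():
        print("AES-NI speedup at %5d-byte blocks: %.2fx" % (size, ratio))
```

The recomputed AstLinux figures match the summary row JT posted (153821.68k at 16 bytes), while the pfSense 8192-byte line comes out above 24 GB/s from a 0.03 s divisor, which is why the two runs are not comparable until both are taken with `-elapsed` as in the later messages.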
From: David K. <da...@ke...> - 2019-01-24 16:20:35
Thanks Lonnie. I changed my SMTP authentication from "login" to "plain" and I changed from "ignore cert" to "check cert" and that got it working again.

Thanks

On Thu, Jan 24, 2019 at 9:31 AM Lonnie Abelbeck <li...@lo...> wrote:
From: Lonnie A. <li...@lo...> - 2019-01-24 14:49:53
Hi JT,

You don’t need to do anything, the Atom C2358 CPU’s AES-NI instructions are automatically used by OpenSSL at runtime.

I presume you are using an x86_64 64-bit AstLinux image.

Lonnie

> On Jan 23, 2019, at 10:55 PM, aut...@gm... wrote:
>
> Hello all,
>
> What do I need to do to enable AES, like put a modprobe in rc.local? I'm using an Atom C2358. Thank you.
>
> JT
From: Michael K. <li...@mk...> - 2019-01-24 14:44:16
> On 24.01.2019, at 15:16, David Kerr <da...@ke...> wrote:

Hi David,

there is a new CA file out, but we have not yet included it into AstLinux (it is on the list). Maybe you can try to replace it manually and see if it works for you.

https://curl.haxx.se/docs/caextract.html

Looking into this:
https://github.com/astlinux-project/astlinux/blob/master/package/ca-certificates/ca-certificates.mk

It should go to:
/usr/share/ca-certificates/ca-bundle.crt

Michael
http://www.mksolutions.info
From: Lonnie A. <li...@lo...> - 2019-01-24 14:31:27
Hi David,

By chance are you using msmtp version 1.8.2 ? (msmtp --version)

Are your network tab settings something like:

An empty "SMTP Cert File" will default to the system /usr/lib/ssl/certs/ca-bundle.crt

The above works for me for a non-gmail host.

Lonnie

> On Jan 24, 2019, at 8:16 AM, David Kerr <Da...@Ke...> wrote:
From: David K. <da...@ke...> - 2019-01-24 14:27:53
Never mind. Looks like I had a config error. I changed my authentication and encryption settings and it started working again. Sorry for the distraction.

David

On Thu, Jan 24, 2019 at 9:16 AM David Kerr <da...@ke...> wrote:
From: David K. <da...@ke...> - 2019-01-24 14:17:03
I am getting errors when astlinux tries to send email...

Jan 24 09:01:33 pbx mail.err msmtp: host=smtp.gmail.com tls=on auth=on user=pb...@ex... from=ro...@ex... recipients=da...@ex... errormsg='cannot set X509 system trust for TLS session: feature not yet implemented for OpenSSL' exitcode=EX_SOFTWARE
Jan 24 09:01:33 pbx mail.info msmtpqueue: (70) msmtp: cannot set X509 system trust for TLS session: feature not yet implemented for OpenSSL msmtp: could not send mail (account default from /etc/msmtprc)
Jan 24 09:01:33 pbx mail.info msmtpqueue: Failure: Keeping mail queue /var/spool/mail/2019-01-20-08.46.20-0 msmtp/mail pair.

And the above is flooding my syslog. Googling suggests that it may be a problem with root CA certificates. Has anyone seen this problem?

Thanks
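An added example for this msmtp thread (David's log lines above and Lonnie's reply about the "SMTP Cert File" defaulting to /usr/lib/ssl/certs/ca-bundle.crt); it is not AstLinux's or msmtp's own code. It parses msmtp's key=value syslog line into fields and then checks a single-account msmtprc for a usable TLS trust source: `tls` off, `tls_certcheck` off (the "ignore cert" setting David turned back on), no `tls_trust_file`, a `tls_trust_file` path that does not exist, or `tls_trust_file system`. That the `system` value is what produces the thread's "cannot set X509 system trust ... not yet implemented for OpenSSL" message in an OpenSSL-linked msmtp is an assumption drawn from the wording of the error, not something the thread states. The log line and the msmtprc are constructed from the thread with placeholder addresses.

```python
"""Parse msmtp's syslog line and check an msmtprc for a usable TLS trust source.

Added example for this thread; not AstLinux's or msmtp's own code. The log
line and msmtprc are constructed from the thread with placeholder addresses.
"""
from __future__ import annotations

import os
import re

# "Jan 24 09:01:33 pbx mail.err msmtp: host=... errormsg='...' exitcode=EX_SOFTWARE"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<logger>\S+) (?P<facility>\S+) msmtp: (?P<rest>.*)$"
)
# key=value pairs; values are single-quoted (may contain spaces) or bare
FIELD_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\S+)")


def parse_msmtp_log(line: str) -> dict[str, str]:
    """Split one msmtp syslog line into its fields (quotes stripped)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an msmtp syslog line")
    fields = {"timestamp": m["ts"], "logger": m["logger"], "facility": m["facility"]}
    for key, val in FIELD_RE.findall(m["rest"]):
        fields[key] = val[1:-1] if val.startswith("'") else val
    return fields


def parse_msmtprc(text: str) -> dict[str, str]:
    """Flatten a single-account msmtprc into {key: value}; comments and blanks skipped."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            conf[key] = val.strip()
    return conf


def check_trust(conf: dict[str, str], exists=os.path.isfile) -> list[str]:
    """Return findings about the TLS trust setup; an empty list means nothing to report."""
    findings: list[str] = []
    if conf.get("tls", "off") != "on":
        return ["tls off: the SMTP session, credentials included, is sent in the clear"]
    if conf.get("tls_certcheck", "on") == "off":
        # Nothing below matters if verification is disabled outright.
        return ["tls_certcheck off: the server certificate is never verified"]
    trust = conf.get("tls_trust_file")
    if trust is None:
        findings.append("tls_trust_file not set: nothing to verify the server certificate against")
    elif trust == "system":
        # Assumption (see the lead-in): this value is what the thread's
        # "cannot set X509 system trust ... not yet implemented for OpenSSL" refers to.
        findings.append("tls_trust_file system: not usable with an OpenSSL-linked msmtp; "
                        "point it at a CA bundle file such as /usr/lib/ssl/certs/ca-bundle.crt")
    elif not exists(trust):
        findings.append(f"tls_trust_file {trust}: file not found")
    return findings


# Constructed from the thread's first log line; addresses are placeholders.
LOG_LINE = ("Jan 24 09:01:33 pbx mail.err msmtp: host=smtp.gmail.com tls=on auth=on "
            "user=pbx@example.com from=root@example.com recipients=dave@example.com "
            "errormsg='cannot set X509 system trust for TLS session: feature not yet "
            "implemented for OpenSSL' exitcode=EX_SOFTWARE")

# Constructed msmtprc that would trip the "system" finding above.
MSMTPRC = """\
account default
host smtp.gmail.com
port 587
tls on
tls_trust_file system
auth login
user pbx@example.com
from root@example.com
"""

if __name__ == "__main__":
    f = parse_msmtp_log(LOG_LINE)
    print(f"{f['facility']} host={f['host']} exit={f['exitcode']}: {f['errormsg']}")
    for finding in check_trust(parse_msmtprc(MSMTPRC)):
        print("finding:", finding)
```

`check_trust` takes the file-existence test as a parameter so it can be run against a config copied off the box; with the default it checks the local filesystem, which is what you want when running it on the AstLinux host itself.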