Posts by tykling@mastodon.social
(DIR) Post #9hD2b4A9eUlCVZ6EoC by tykling@mastodon.social
2019-03-27T21:53:10Z
0 likes, 0 repeats
@rixx absolutely!
(DIR) Post #9hD2i1lGyjXn5UmT0C by tykling@mastodon.social
2019-03-27T21:54:25Z
0 likes, 0 repeats
@rixx :) I know right!
(DIR) Post #A0cAuISHdDURF3Vrjk by tykling@mastodon.social
2020-10-28T08:21:36Z
0 likes, 0 repeats
@usul not at all, py3 has been supported for ages, and has been the default for a long time. Py3 and Ansible work perfectly well together on FreeBSD, both on the ansible controller and on the managed servers.
(DIR) Post #A787gxNyq9xaRseZkG by tykling@mastodon.social
2021-05-11T05:25:45Z
0 likes, 0 repeats
@nergal @Unairedspecifics it is a debian based system where "pkg" is aliased to "apt"
(DIR) Post #AQfO7jjuH0J8ulTdvE by tykling@mastodon.social
2022-12-16T14:10:49Z
0 likes, 0 repeats
@swashberry funny, that is how I feel about linux, and in particular linux networking. It is like it was built intentionally to be inconsistent and annoying. FreeBSD is much, much, MUCH better in that regard, imo :)
(DIR) Post #ASCJjEbexerSwTXr4i by tykling@mastodon.social
2023-01-31T08:38:48Z
0 likes, 1 repeats
Do network cameras which boot with UEFI secure boot exist? Boosts appreciated! :)
(DIR) Post #AXeiUtlL7xaZP5UGum by tykling@mastodon.social
2023-07-13T15:29:08Z
0 likes, 1 repeats
@ms they are different operating systems, they share very little apart from the name
(DIR) Post #AbpAlR21EtwdXxQmiO by tykling@mastodon.social
2023-11-15T08:01:22Z
0 likes, 0 repeats
@stefano it has not
(DIR) Post #Abpxt45BLIMWRUB7BI by tykling@mastodon.social
2023-11-15T17:03:45Z
0 likes, 0 repeats
I was investigating an MITM today where the attacker was using a real LetsEncrypt certificate. This was possible because an NS record domain expired and was re-registered by the attacker.
A few weeks ago there was also the jabber.ru MITM issue where a valid LE cert had also been issued.
Both of these attacks could have been avoided by using CAA account pinning.
You should add this on all domains today!
For an example see the CAA record for bornhack.dk https://caatest.co.uk/bornhack.dk
Spread the word!
(DIR) Post #Abpy5i3WY4sJtNQrRY by tykling@mastodon.social
2023-11-15T17:12:19Z
0 likes, 0 repeats
@feld you can pin both, no problem with that
(DIR) Post #AbpyXaX27HE8fIWpLU by tykling@mastodon.social
2023-11-15T17:16:37Z
0 likes, 0 repeats
@feld that is what the account pinning prevents. The attacker doesn't control the private keys for the ACME account pinned in the CAA record. ZeroSSL would refuse to issue because the attacker is using a different account.
(DIR) Post #Abq0EczCxz54gRnHM0 by tykling@mastodon.social
2023-11-15T17:33:19Z
0 likes, 0 repeats
@feld I believe LE currently does DNS checks from multiple AWS regions + from their own servers. So they likely would have gotten inconsistent answers and bailed out at that point. I don't know about ZeroSSL.
The attackers likely had to try issuing multiple times to get lucky and have all the lookups hit the "bad" server.
No guarantees here, but I would much, much rather have had CAA account pinning in place than not during this attack.
(DIR) Post #Abq5k4aMu03T1szMlk by tykling@mastodon.social
2023-11-15T17:55:29Z
0 likes, 0 repeats
@feld I agree that DNS-01 should be pushed, and pinned. ACME tools should check for CAA records and recommend they be added.
But IMO you should never let any tool on an internet-facing server edit your zone directly, or an attacker compromising the server can also edit your zone.
Instead you should make CNAMEs for the _acme-challenge records to a dedicated subzone which is used exclusively for ACME challenges. This has all the advantages of DNS-01, but doesn't hand over control of your zone :)
(DIR) Post #AbqFzFnoTnJJhf9fg8 by tykling@mastodon.social
2023-11-15T19:12:38Z
1 likes, 0 repeats
@feld maybe you want an NS record, I want a CNAME. Making a delegation and separate zone for every challenge sounds very ineffective to me, but whatever works for you.
A CNAME does exactly what is needed, and as a bonus it can carry the name being challenged in the CNAME target (below the challenge zone), so:
_acme-challenge.www.example.com CNAME www.example.com.acme.example.org
Anyway, we clearly have different views on this, which is fine. I am not on bikeshed.party, so I will stop here :)
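As an added example that is not part of the original posts: a small zone audit for the two defences discussed above, CAA account pinning via the `accounturi` parameter (RFC 8657) and CNAME delegation of `_acme-challenge` names into a dedicated challenge zone. The zone lines, the account id and the `acme.example.org` challenge zone are constructed placeholders, and `parse_caa`/`audit` are names chosen here, not any tool's API.

```python
import re

# Constructed sample zone; the account id and challenge zone are placeholders.
CHALLENGE_ZONE = "acme.example.org."
SAMPLE_ZONE = [
    'example.com. CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE-ACCT-ID; validationmethods=dns-01"',
    'example.com. CAA 0 issue "sectigo.com"',  # second CA, no account pinning
    'example.com. CAA 0 issuewild ";"',        # no wildcard issuance at all
    'example.com. CAA 0 iodef "mailto:hostmaster@example.com"',
    '_acme-challenge.www.example.com. CNAME www.example.com.acme.example.org.',  # delegated
    '_acme-challenge.mail.example.com. TXT "token-written-by-acme-client"',      # written into the zone itself
]

RR_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(CAA|CNAME|TXT)\s+(.*)$')
CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def parse_caa(rdata):
    """Split CAA rdata into (flags, tag, issuer, params); params per RFC 8657."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"not a CAA record: {rdata!r}")
    flags, tag, value = int(m.group(1)), m.group(2), m.group(3)
    issuer, *raw_params = [p.strip() for p in value.split(";")]
    params = {}
    for p in raw_params:
        if p:  # skip the empty tail of an issuer-only value such as ";"
            key, _, val = p.partition("=")
            params[key.strip()] = val.strip()
    return flags, tag, issuer, params


def audit(zone_lines, challenge_zone):
    """Return findings as strings; an empty list means both defences are in place."""
    findings, pinned = [], False
    for line in zone_lines:
        m = RR_RE.match(line.strip())
        if not m:
            continue
        name, rtype, rdata = m.groups()
        if rtype == "CAA":
            _, tag, issuer, params = parse_caa(rdata)
            if tag in ("issue", "issuewild") and issuer:
                if "accounturi" in params:
                    pinned = True
                else:  # any account at this CA could pass validation and get a cert
                    findings.append(f"{name}: {tag} for {issuer} has no accounturi (not pinned to an ACME account)")
        elif name.startswith("_acme-challenge."):
            if rtype != "CNAME" or not rdata.strip().endswith("." + challenge_zone):
                findings.append(f"{name}: expected a CNAME into {challenge_zone}, found {rtype} {rdata.strip()}")
    if not pinned:
        findings.append("no CAA issue/issuewild record carries an accounturi")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, CHALLENGE_ZONE):
        print("FINDING:", finding)
```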
(DIR) Post #AcnsKWSXtkB4d4eXBo by tykling@mastodon.social
2023-12-14T14:07:09Z
0 likes, 0 repeats
Today I tagged v0.2.0 of gstat_exporter, a Prometheus exporter for FreeBSD gstat data: https://github.com/tykling/gstat_exporter/releases/tag/v0.2.0
It is available on PyPi now: https://pypi.org/project/gstat-exporter/
I have opened a PR to update the #FreeBSD port: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275762
I have also updated the Grafana dashboard to use some more modern panels: https://grafana.com/grafana/dashboards/11223-freebsd-gstat-exporter/
I will tag v1.0.0 of gstat_exporter soon if no issues appear with the changes I've made over the last couple of days. If you use it please test! Thanks :)
(DIR) Post #Acnt4dUA6jEpk0Oh8a by tykling@mastodon.social
2023-12-14T14:55:13Z
1 likes, 0 repeats
@feld like .02% of a core, nothing noticeable on my systems at least.
(DIR) Post #AuBGLbA4qXttW1fR6O by tykling@mastodon.social
2025-05-16T14:58:53Z
1 likes, 0 repeats
To all the people upset about #letsencrypt removing TLS Client Auth support from certificates, yes it sucks, but please direct your anger at Google who initiated this change. LetsEncrypt cannot exist if the biggest browser doesn't accept their certificates. Yell at Google, not LE, please.
(DIR) Post #AztdiuvQNHc08J1U9o by tykling@mastodon.social
2025-11-04T07:44:09Z
2 likes, 0 repeats
OK, I'll say it:
TOML is a terrible format.
I'll take yaml (warts and all) over toml any day of the week.
That is all.
(DIR) Post #B0gpcqlxh17qT07V3Y by tykling@mastodon.social
2025-10-23T06:36:40Z
0 likes, 0 repeats
@bagder I am curious, does this make you wonder how many genuine reporters you are scaring off with this attitude?
(DIR) Post #B0yhGmvA1xEFMWfcye by tykling@mastodon.social
2025-12-06T16:58:16Z
1 likes, 1 repeats
Can I source upgrade straight from latest 13-STABLE to 15-STABLE or do I need a stop in 14-STABLE? #freebsd