<Regenaxer>
I call SSL_CTX_new(SSLv23_client_method())
<beneroth>
the Ciphers[] within ssl.c need an update?
<tankf33der>
I don't think so
<tankf33der>
googling.
<Regenaxer>
hmm, but what is the right way?
<Regenaxer>
openssl is such a mess ...
<Regenaxer>
I also would think it is not the Ciphers
<Regenaxer>
sounds more like a version or support issue
<Regenaxer>
With SSL_CTX_new(SSLv23_client_method()) I suspect it means to accept only 2 and 3
<Regenaxer>
So strato needs 1 ?
<Regenaxer>
We (tankf33der and I) removed 1 a long time ago iirc
<beneroth>
strato requires TLS 1.1 or TLS 1.2
<Regenaxer>
aw- the quality labs page gives A to that server, right?
<beneroth>
yes
<Regenaxer>
beneroth, really only 1?
<beneroth>
SSL 2 and SSL 3 are lower than TLS 1.1
<Regenaxer>
oh
<Regenaxer>
grr
<beneroth>
SSL2 -> SSL 3 -> TLS 1.0 - these are all considered outdated/insecure
<Regenaxer>
OK
<beneroth>
TLS 1.1 and TLS 1.0 are currently recommended
<Regenaxer>
So what is the right way of function calls in ssl.c?
<beneroth>
TLS 1.3 is about to be released soon whenever (bank lobbyists want to make it insecure)
<Regenaxer>
bank lobbyists?
<beneroth>
no idea. I guess you don't make TLS 1.1 in there
<Regenaxer>
rather governments
<Regenaxer>
Can't be that openssl is *that* outdated
<Regenaxer>
OpenSSL 1.1.1 11 Sep 2018
<Regenaxer>
Newest
<beneroth>
no, banks. gov too, but mostly banks. because they usually have to surveil their employees. TLS 1.3 would require (original plan) customizing all included network nodes, which apparently is too much work for them (while technically possible)
<beneroth>
over a year they are discussing this shit now
<Regenaxer>
Anyway
<Regenaxer>
this breaks pilbox now
<Regenaxer>
I need to talk with strato
<beneroth>
the problem will only get worse when other servers will drop support for TLS 1.0 and below
<beneroth>
you will eventually have to fix this in the bin/ssl
<Regenaxer>
So if I use TLS instead of SSL_CTX_new(SSLv23_client_method()), something else will break
<Regenaxer>
That's what I'm talking about all the time!!!!
<Regenaxer>
src/ssl.c!
<beneroth>
probably true. you probably have to determine first which TLS version the server supports, and then do your initialization.
<beneroth>
or something like that. I have no idea.
<Regenaxer>
No
<Regenaxer>
usually you give a list of allowed protocols
<Regenaxer>
we removed SSL1 some time ago
<tankf33der>
14:36 <tankf33der> needs just update ssl.c
<Regenaxer>
yes
<Regenaxer>
easy then
<Regenaxer>
haha
<Regenaxer>
Must find docs for client methods probably
<rick42>
Regenaxer: ssllabs gives software-lab.de an A grade now. was it lower before?
fletom26 has quit [Remote host closed the connection]
<rick42>
beneroth: ^^
<Regenaxer>
rick42, I have never looked, as I have no control. It is not my server
<Regenaxer>
tankf33der, it does *not* print "no SNI\n"
<Regenaxer>
I inserted other debug output, so I'm sure I tested correctly
Reina1411 has joined #picolisp
<rick42>
ah
<Regenaxer>
Must also go for a short time. bbl
<rick42>
bye!
Reina1411 has quit [Remote host closed the connection]
BladedThesis4 has joined #picolisp
freemint has joined #picolisp
BladedThesis4 has quit [Ping timeout: 252 seconds]
freeemint has quit [Ping timeout: 252 seconds]
<Regenaxer>
ret
ubLIX has joined #picolisp
<Regenaxer>
OOOooohhh
<Regenaxer>
I'm stupid. My fault!
<Regenaxer>
Didn't properly update the app
<Regenaxer>
tankf33der, sorry, it works
<tankf33der>
super
<tankf33der>
good
<Regenaxer>
:)
<Regenaxer>
was confused
<Regenaxer>
Now I can also release PilBox, need it tomorrow
orivej has quit [Ping timeout: 240 seconds]
<beneroth>
so the problem was that 1) TLS 1.1+ required 2) new OpenSSL requires SNI to be explicitly activated (I would think SNI was used before too, no?) ?
freemint has quit [Ping timeout: 240 seconds]
<Regenaxer>
I don't know well ...
<tankf33der>
first, strato may change something
<Regenaxer>
What does tlsext_host_name have to do with SNI?
<tankf33der>
because they reverse proxy
freemint has joined #picolisp
pierpal has quit [Ping timeout: 246 seconds]
RetardedOnion2 has joined #picolisp
RetardedOnion2 has quit [Remote host closed the connection]
<tankf33der>
can't connect from home to software-lab by openssl s_client and bin/ssl
<tankf33der>
but curl works
<Regenaxer>
At home still old version?
<beneroth>
Regenaxer, SNI is a protocol to get the right certificate (the one for your domain) from a server which serves multiple virtual hosts (as in the host header in HTTP)
freemint has quit [Ping timeout: 240 seconds]
freemint has joined #picolisp
<Regenaxer>
beneroth, thanks
<Regenaxer>
makes sense
<beneroth>
SNI = Server Name Indication. aka client tells server to which host it wants to connect so server can show it the right certificate
<beneroth>
because the host header within HTTP is within the encrypted TLS connection, the encrypted connection which can't be started without the right server certificate
<freemint>
Regenaxer, how would you go about a web service/pilbox app that has a background process which populates the database with new data?
<beneroth>
freemint, second process (started with fork) which does (loop (wait)).
<beneroth>
save the Pid of that background process in a global, e.g. *BackgroundWorker, and use (tell *BackgroundWorker (do-something 'arg 'arg))
<freemint>
i thought of that too. about pil box? how to make sure energy saving does not kill my process?
<beneroth>
that's how I do it on unix servers.
<freemint>
That with the background worker is cool
<beneroth>
I think there is an android API function to call to tell android that it should keep that process around
<Regenaxer>
freemint, in fact I have two such applications now
<Regenaxer>
Synchronizing DBs between server and mobiles
<Regenaxer>
(you know, beneroth, Messe Spedition)
<Regenaxer>
But it is hard to explain here
beneroth has quit [Remote host closed the connection]
<freemint>
that sounds cool but a little more than i need right now.
<freemint>
How do you do a secure connection?
beneroth has joined #picolisp
pierpal has joined #picolisp
<beneroth>
Regenaxer, natural approach.
<Regenaxer>
freemint, what we talked here all the time
<freemint>
over https? ok
<Regenaxer>
yes, @bin/ssl
<Regenaxer>
-> @bin/httpGate
<Regenaxer>
A few background tasks
<Regenaxer>
in fact, using the new 'tasks' function
<beneroth>
Regenaxer, about SNI: there is also a trick to connect straight away via TLS with a server cert the server is also hosting (e.g. google.com) and then declare another host within the HTTP within the encrypted connection. TOR and Signal messenger app use (or used) this to conceal their protocol, looking for surveillance like normal HTTPS to google.com, but being actually TOR/signal traffic. only possible because they're hosted on Google/Amazon/etc and know that the same server also serves one of these common domains.
<beneroth>
Not sure if this still works. I long believed Google supported this actively, but actually it seems this was an unintended neat trick and they want to shut it down (or already did)
<Regenaxer>
Wow, tricky
<freemint>
completely other question. I want to port a small embedded OS to a CPU architecture... where and how would i best document that struggle? The result will be mostly open.
<beneroth>
a blog?
<beneroth>
or a wiki about the hardware, if still one exists
<freemint>
Mhh, any thoughts about version control? Can you recommend something along those lines?
<beneroth>
semver.org, ubuntu/windows/picolisp-style, or arbitrary
<beneroth>
Knuth-style if you really want to be exotic (his version numbers are approximations to PI)
<beneroth>
or just a plain integer
<freemint>
Version control as in git-like
<beneroth>
ah
<beneroth>
git ?
<beneroth>
mercury
<beneroth>
or Regenaxer-style picolisp snapshot
<beneroth>
git is the most used one
<beneroth>
mercury has similar powers, and is said to be easier to use, but I never used it, so I don't know.
<beneroth>
SVN is still used in some companies, but it's slow and inflexible and gets replaced with git everywhere
<beneroth>
I'm using git with a private git server I set up myself
<beneroth>
if you work with many people, then something like gitlab (can be self-hosted) or github is probably more comfortable
<beneroth>
(e.g. different access rights to different people, nice web gui to configure and view all the stuff)
<freemint>
i will soon get an FPGA board from America or Japan or both. On these runs a simulated CPU of a "fork" of a CPU architecture. GCC support and Co exist, even a no-MMU Linux port, and the OS was already ported to the predecessor (before the fork).
<beneroth>
wow, nice project freemint :)
<freemint>
and the CPU architecture is open source
<freemint>
and i will probably have to do without an MMU in the beginning
<freemint>
beneroth, thanks. i hope to manage to pull that through: good thing i got a deadline
ubLIX has quit [Quit: ubLIX]
<Regenaxer>
ret
ubLIX has joined #picolisp
<beneroth>
freemint, I think you can do it! it's hard work, but you will gain a really good understanding of CPU architecture. Afterwards you can learn pilASM and teach me :)
<freemint>
luckily all the super hard work was at least done once already
<freemint>
beneroth what fascinates you about pil assembly?
<beneroth>
well I want to understand everything in picolisp eventually. understanding the VM means I can fully understand how a certain software runs on a computer including the hardware level.
<beneroth>
also I might need/want to do changes on pil ASM level eventually (bugfixes, or new features to pil DB)
<freemint>
i got a list of candidates for that too
<beneroth>
the most important thing about new features is saying NO to them, only accepting them when it is a real step forward with all costs considered.
<tankf33der>
this one is a promising replacement for the tls protocol
<tankf33der>
wireguard is also based on noise ecosystem
<tankf33der>
modern and very easy to use blablabla
<freemint>
tankf33der, do browsers speak it?
<tankf33der>
of course not
<tankf33der>
only whatsapp uses it now everywhere
<freemint>
mhh, it is simpler, but do you know how the key exchange is done? when i read over the paper i could not find it. Does the protocol need hard-coded keys?
lifeeth0 has joined #picolisp
lifeeth0 has quit [Remote host closed the connection]
dsirrine16 has joined #picolisp
dsirrine16 has quit [Killed (Sigyn (Spam is off topic on freenode.))]