
masspie: Commit


Commit MetaInfo

Revision: 23 (tree)
Time: 2020-03-08 16:18:55
Author: elge

Log Message

openssldir=/etc/ssl

Change Summary

Diff

--- BUGS.md (nonexistent)
+++ BUGS.md (revision 23)
@@ -0,0 +1,29 @@
1+## Stage 1 IPREV - DNS round-robin
2+
3+better deal with this kind of situation...
4+
5+ $ host 194.224.177.201
6+ 201.177.224.194.in-addr.arpa domain name pointer meg02.aena.es.
7+ 201.177.224.194.in-addr.arpa domain name pointer correosmtp.aena.es.
8+ 201.177.224.194.in-addr.arpa domain name pointer spf.aena.es.
9+ 201.177.224.194.in-addr.arpa domain name pointer meg04.aena.es.
10+
11+ $ host 217.130.124.201
12+ 201.124.130.217.in-addr.arpa domain name pointer meg04.aena.es.
13+ 201.124.130.217.in-addr.arpa domain name pointer meg02.aena.es.
14+ 201.124.130.217.in-addr.arpa domain name pointer correosmtp.aena.es.
15+ 201.124.130.217.in-addr.arpa domain name pointer spf.aena.es.
16+
17+## Stage ENFORCE CHECK
18+
19+need to fix
20+
21+ zimbra.oxygen8.comsend: spawn id exp4 not open
22+ while executing
23+ "send "EHLO $ehlo\r""
24+ (file "/root/masspie/checksmtp.exp" line 41)
25+
26+## Stage ENFORCE CHECK - output formatting
27+
28+in case expect got killed by `timeout`, then a carriage return is missing in stderr. we currently workaround this by the fact we're parsing the right-hand part of the results anyway, meaning a that kind of failing hosts will have no result at all. we otherwise look at the raw SMTP status codes from stdout which also works around the issue
29+
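Review bot: the "need to fix" entry under Stage ENFORCE CHECK (lines 19-24) records the expect error but not what triggers it or how it should be handled: `spawn id exp4 not open` means the spawned connection had already reached EOF by the time `send "EHLO $ehlo\r"` ran at checksmtp.exp line 41, so the script should match `eof` (and `timeout`) on the banner before sending rather than assuming the connection survived. Worth stating in the entry as well that `zimbra.oxygen8.comsend:` is the hostname glued to the error message because of the missing trailing newline that the next section describes, and that a host failing this way should be counted as a connection failure rather than ending up with no result at all.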
--- CHANGES.md (nonexistent)
+++ CHANGES.md (revision 23)
@@ -0,0 +1,43 @@
1+## shot3
2+
3+- stage 1 iprev - wait 3 seconds instead of the default 5 (udp) or 10 (tcp) seconds
4+
5+## shot2
6+
7+_second shot for Feb 2020_
8+
9+- stage 1 iprev - better ip address splitting with ip??? instead of x?? x???? files
10+- stage 2 smtp gets done against ALL PTRs, not only IPREV hosts
11+- stage 2 smtp - timeout 1m+5s, yes that is slow bug some nasty mxen like to play that way and we wouldn't like to discard them (see Postfix Postscreen Howto)
12+
13+The order is as follows
14+
15+- stage 1 iprev - look for PTR vs IPREV resolving hosts
16+- stage 2 smtp -
17+
18+## shot1
19+
20+_initial version, for Jan 2020_
21+
22+The order was as follows
23+
24+- mass seek of 25/tcp & raw split into x?? x???? (no uniq nor ip field)
25+- checkiprev - ptr/iprev check into separate .ptr files
26+- checksan - san check into .nossl .nocert .validcn .wrongcn
27+- checkvalid - verify check into .validcn.return
28+- (then came the problem of dealing with DANE/TLSA records, we needed to lookup true MX records to start with, hence the need for domains to start with)
29+- checkdomains - domains/ - deferencing domain names
30+- checkmx - domains/mx/ - got mx record?
31+- checkssl - domains/mx/dane/ - valid cert? looking for 'Cipher is|Verify return code' against mx records
32+ * .ssl
33+ * .ssl.issuer
34+ * .ssl.cipher
35+- checkdane - valid dane?
36+ * .dane $NF notlsa // timeout // ...
37+ * .dane.results
38+ * .dane.weird
39+- checksmtp - starttls enforced?
40+ * stdout .starttls full session
41+ * stderr .starttls.enforce $NF connect-bad-dns // ...
42+- count.ksh - parsing results and producing stats
43+
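Review bot: the shot2 order list is incomplete: `- stage 2 smtp -` (line 16) has nothing after the dash, so a reader cannot tell what stage 2 does in this shot, while the shot1 list spells every step out; fill in the description (lines 10-11 above already say it runs against all PTRs with a 1m+5s timeout). Minor: `yes that is slow bug some nasty mxen` on line 11 should read `but`.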
--- README.md (revision 22)
+++ README.md (revision 23)
@@ -88,11 +88,21 @@
8888 git clone git://git.openssl.org/openssl.git
8989 cd openssl/
9090 patch -p1 < ../openssl-shut.patch
91- ./config --openssldir=/usr/local
91+
92+ removepkg openssl
93+ #keep openssl-solibs as the whole system depends on it
94+ mv /etc/ssl/ /etc/ssl.old/
95+
96+ ./config --openssldir=/etc/ssl
97+ #perl configdata.pm --dump
9298 time make -j8 >/dev/null && echo BUILT
9399 time make -j8 install >/dev/null && echo INSTALLED
94- grep /usr/local /etc/ld.so.conf
100+ ls -lF /usr/local/lib64/libssl.so
101+ ls -lF /usr/local/lib64/libcrypto.so
102+ ls -lF /usr/local/include/openssl/aes.h
103+ #cat /etc/ld.so.conf
95104 ldconfig
105+ update-ca-certificates
96106
97107 ## VALID CN/SAN CHECK
98108
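Review bot: dropping `grep /usr/local /etc/ld.so.conf` (old line 94) in favour of a commented-out `#cat /etc/ld.so.conf` removes the only check that the loader will find the freshly built libraries. `./config` is still run without `--prefix`, so `libssl.so` and `libcrypto.so` land in `/usr/local/lib64` (as the new `ls -lF` lines show) while `--openssldir=/etc/ssl` only moves the config and certificate directory; keep the grep (or `ldconfig -p | grep libssl`) before `ldconfig`, because after `removepkg openssl` a host whose ld.so.conf lacks `/usr/local/lib64` ends up with an `openssl` binary that either cannot find its libraries or picks up the older `openssl-solibs` copies the comment says the system depends on. Also worth one sentence in the README: removing the distribution package means this host no longer receives vendor OpenSSL security updates and has to be rebuilt from git on each upstream fix.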
@@ -101,11 +111,15 @@
101111
102112 ## CERTIFICATE CHECK
103113
104-Grab the [latest concatenated Mozilla CA bundle](https://curl.haxx.se/docs/caextract.html). As for the bundle dating 2020/01/01, hash is `adf770dfd574a0d6026bfaa270cb6879b063957177a991d453ff1d302c02081f`.
114+Grab the [latest concatenated Mozilla CA bundle](https://curl.haxx.se/docs/caextract.html)
105115
106- curl -s --remote-name --time-cond - https://curl.haxx.se/ca/cacert.pem && echo done || echo FAIL
107- sha256sum cacert.pem
116+ cd /etc/ssl/
117+ curl -s --remote-name --time-cond - https://curl.haxx.se/ca/cacert.pem
118+ sha256sum cacert.pem | tee -a cacert.pem.sha2
108119
120+ #2020/01/01
121+ #adf770dfd574a0d6026bfaa270cb6879b063957177a991d453ff1d302c02081f cacert.pem
122+
109123 Now make sure you're in position to validate certificates.
110124
111125 ehlo=YOUR-IPREV
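Review bot: `sha256sum cacert.pem | tee -a cacert.pem.sha2` (line 118) only appends whatever hash the download happens to have; nothing compares it with the known-good value, which the old text stated in prose and the new text demotes to a comment (lines 120-121). A CA bundle is exactly the file where a silently truncated or substituted download matters, so verify instead of log: keep the expected line in `cacert.pem.sha2` and run `sha256sum -c cacert.pem.sha2` after the download, and restore the failure signalling that was dropped with `&& echo done || echo FAIL` (`curl -sf` or `--fail` would additionally make an HTTP error exit non-zero instead of leaving a stale file in place). The pinned hash is only valid for the 2020/01/01 bundle, so the comment needs updating whenever the bundle is refreshed.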