Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This Mastodon server is a friendly and respectful discussion space for people working in areas related to EU policy. When you request to create an account, please tell us something about you.

Administered by:

Server stats:

217
active users

eupolicy.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.8

#tls

6 posts6 participants0 posts today
Continued thread
Public
Felix Palmen :freebsd: :c64:

Oh boy, I have a lead! And it's NOT related to #TLS. I finally noticed another pattern: #swad only #crashed when running as a #daemon. The daemonizing wasn't the problem, but the default logging configuration attached to it: "fake async", by letting a #threadpool job do the logging.

Forcing THAT even when running in foreground, I can finally reproduce a crash. And I wouldn't be surprised if that was actually the reason for crashing "pretty quickly" with #LibreSSL (and only rarely with #OpenSSL), I mean, something going rogue in your address space can have the weirdest effects.

Public
Gytis Repečka

Running e-mail servers is always fun: as the time came to renew TLS certificate on one machine doing e-mail transmission (SMTP), came to know TLSA records are now supposed to be 3 1 1 (no more 3 0 1) :blobcateyes:

There is an added benefit of 3 (DANE-EE) 1 (subject public key) 1 (SHA2-256 hash digest) - if you do not rotate your private key to issue TLS certificate, you don't need to update the TLSA record - signature can be squeezed from key and certificate is not necessary at that point. If you do rotate private keys, this enables you to pre-create DNS records even before certificate is issued (given that you already generated keys) - that is really nice :blobcatthumbsup:

mail.sys4.deA sensible "3 1 1" + "3 1 1" key rotation approach
#serveradmin#email#dane
Public
patpro

Hello, I’m hosting a #Vaultwarden server behind #Caddy 2.10 and made the following test:

Tuning Caddy to allow only #PQC curves:

	tls {
		curves x25519mlkem768
	}

Trying to connect with #Firefox Mac -> OK
Trying to connect with #Bitwarden #android client -> Fail

Without the #TLS tuning, the Bitwarden Android client will happily connect to the server.

Is it a problem with the Bitwarden Android client or with Android, or both?

Public *
Dendrobatus Azureus

A recent research has exposed more than 40 * 10³ IoT cameras happily showing their feed _and_ location to anyone who can browse and use search engines specialized in the indexing of the misconfigured devices.

More than 14 * 10³ are localised in the USA.

Read more here.

Note:
I know that there are more than a million of these cameras world wide misconfigured an open on just port 80 http not even TLS 443, with admin / admin as credentials 🪪

theregister.com/2025/06/10/400

The image shows a screenshot of a news article from The Register website. The article is titled "Peep show: 40K IoT cameras worldwide stream secrets to anyone with a browser." The headline is in white text on a black background, with the word "RESEARCH" in white above it. The article mentions that the majority of exposures are located in the US, including datacenters, healthcare facilities, factories, and more. The author of the article is Connor Jones, and it was published on Tuesday, June 10, 2025, at 10:00 UTC. The article states that security researchers managed to access the live feeds of 40,000 internet-connected cameras worldwide. The website's URL is visible at the bottom of the screen, and there are 16 comments on the article. The screenshot also shows the time as 21:59, with a battery level of 85%.
The image shows a screenshot of a news article from "The A Register" displayed on a mobile device. The article discusses a cybersecurity issue, highlighting that the US was the most affected region with around 14,000 feeds streaming from the country. These feeds provide access to various facilities, including datacenters, healthcare facilities, factories, hotels, gyms, construction sites, retail premises, and residential areas. Bitsight, a cybersecurity firm, warns that these feeds could be used for espionage, mapping blind spots, and stealing trade secrets. The article also mentions that monitoring typical patterns of activity in retail stores could be useful for petty criminals. The screenshot includes the website's logo, a red banner with the text "The A Register," and a navigation bar at the bottom with three dots, a circle, and a left arrow. The device's status bar at the top shows the time as 22:00, a battery level of 85%, and various connectivity icons. Ovis2-8B 🌱 Energy used: 0.889 Wh
#Infosec#nightmare#not
Public *
Felix Palmen :freebsd: :c64:

More interesting progress trying to make #swad suitable for very busy sites!

I realized that #TLS (both with #OpenSSL and #LibreSSL) is a *major* bottleneck. With TLS enabled, I couldn't cross 3000 requests per second, with somewhat acceptable response times (most below 500ms). Disabling TLS, I could really see the impact of a #lockfree queue as opposed to one protected by a #mutex. With the mutex, up to around 8000 req/s could be reached on the same hardware. And with a lockfree design, that quickly went beyond 10k req/s, but crashed. 😆

So I read some scientific papers 🙈 ... and redesigned a lot (*). And now it finally seems to work. My latest test reached a throughput of almost 25k req/s, with response times below 10ms for most requests! I really didn't expect to see *this* happen. 🤩 Maybe it could do even more, didn't try yet.

Open issue: Can I do something about TLS? There *must* be some way to make it perform at least a *bit* better...

(*) edit: Here's the design I finally used, with a much simplified "dequeue" because the queues in question are guaranteed to have only a single consumer: dl.acm.org/doi/10.1145/248052.

Throuput curve of my latest stress test of swad (with ramp-up and ramp-down phase)
Response times in percentiles. 97% stay below 10ms!
Continued thread
Public
Felix Palmen :freebsd: :c64:

Solved! 🥳

This was a pretty "interesting" bug. Remember when I invented a way to implement #async / #await in #C, for jobs running on a threadpool. Back then I said it only works when completion of the task resumes execution on the *same* pool thread.

Trying to improve overall performance, I found the complex logic to identify the thread job to put on a pool thread a real deal-breaker. Just having one single MPMC queue with a single semaphore for all pool threads to wait on is a lot more efficient. But then, a job continued after an awaited task will resume on a "random" thread.

It theoretically works by making sure to restore the CORRECT context (the original one of the pool thread) every time after executing a job, whether partially (up to the next await) or completely.

Only it didn't, at least here on #FreeBSD, and I finally understood the reason for this was that I was using #TLS (thread-local storage) to find the context to restore.

Well, most architectures store a pointer to the current thread metadata in a register. #POSIX user #context #switching saves and restores registers. I found a source claiming that the #Linux (#glibc) implementation explicitly does NOT include the register holding a thread pointer. Obviously, #FreeBSD's implementation DOES include it. POSIX doesn't have to say anything about that.

In short, avoiding TLS accesses when running with a custom context solved the crash. 🤯

Continued thread
Public *
DrScriptt

After having decided the #TLS certificate, I’m much more sure that ASN.1 is simply encoding / serializing pieces of information.

Similarly, DER, BER, etc specify what is encoded in what order and using what ASN.1 types for things.

Said another way, ASN.1 is how to do something and DER is what to do it to.

Sort of a policies vs procedure type thing.

#ASN1
Continued thread
Public *
DrScriptt

I managed to finish decoding the ASN.1 of my servers #TLS certificate this evening.

I did have a few identifiers that stumped me. But I continued decoding as if they used the same type / length / value format as most other identifiers and they worked.

After the fact I found some documentation confirming that I decided the identifiers correctly.

Now I need to decode all of the OIDs and make sure that I have them correct and that I have them in my .oid #DNS zone.

#ASN1#OID
Public *
screwlisp

#commonLisp #emacs #smallweb #kitten screwlisp.small-web.org/kitten #webdev

Eev (and lisp secret alien technology) made it /really/ easy and convenient to generate a kitten matching @aral's Tutorial 2: dynamic pages, kitten.small-web.org/tutorials serve it and visit it inside emacs (just press F8 over and over again and it happens on its own).

I guess you can do it too...? What do you think? How much of a Hurkle itch is this giving you Aral ;p. It seems /really/ easy to get a fancy! #tls site up like this.

An emacs eww browser window visiting https://localhost which is announcing Kitten count and two smiling kitten emojis On the right is the kitten expert shell, which was automatically initiated by emacs as well.
Public
Aral Balkan

🔒 Auto Encrypt – heads up!

In the next minor version release of Auto Encrypt¹, we’ll be moving from a hard-coded date-based certificate renewal check to using ACME Renewal Information (ARI)².

The change³ should be seamless.

If you have any concerns, now is the time to raise them :)

#AutoEncrypt #TLS #LetsEncrypt #SmallTech #SmallWeb

¹ Drop-in Node.js https server replacement that automatically provisions and renews Let’s Encrypt certificates for you. (codeberg.org/small-tech/auto-e)
² datatracker.ietf.org/doc/draft
³ codeberg.org/small-tech/auto-e

Codeberg.orgauto-encryptAutomatically-provisioned TLS certificates for Node.js servers using Let’s Encrypt.
Public *
Aral Balkan

👋🤓 Goodbye Site.js, Hello Kitten!

I started working on creating a Small Web¹ server (a peer-to-peer Web server) six years ago² with Site.js.

Building Site.js was my first attempt. And it resulted in:

• Auto Encrypt (automatic Let’s Encrypt certificates): codeberg.org/small-tech/auto-e

• Auto Encrypt Localhost (automatic localhost TLS certificates): codeberg.org/small-tech/auto-e

• @small-tech/https (drop-in Node.js https module replacement with automatic TLS certs everywhere): codeberg.org/small-tech/https

• JSDB: In-process, in-memory JavaScript database that persists to append-only JavaScript logs: codeberg.org/small-tech/jsdb

As Site.js reached an evolutionary dead-end, and as I learned from my experiements with replicated data types that replicated data types are *not* a prerequisite for a decentralised web (actual topological decentralisation and ease of use are), I started writing a new server/platform called Kitten from scratch while still making use of the tried and tested modules listed above.

Last week, I switched over our last site using Site.js to Kitten and, with that, today I’ve sunset³ Site.js:

sitejs.org

For its successor, please see Kitten:

kitten.small-web.org

If you want to support our work at the Small Technology Foundation, please consider becoming a patron:

small-tech.org/fund-us

:kitten:💕

¹ ar.al/2024/06/24/small-web-com
² ar.al/2019/08/26/introducing-s
³ Using our instance of Look Over There!: look-over-there.small-web.org

Detail of Site.js web site: Illustation of woman lying down with laptop. On screen is a twig with two green leaves. Site.js Small Web construction set. Site.js is deprecated and no longer being actively maintained. Much of it lives on in Kitten.
#SiteJS#SmallWeb#SmallTech
Public
Trusty

🔐 How can you keep your online data safe?
Whether you’re a web developer, IT professional, or simply interested in online security, our YouTube video will give you the confidence and know-how to secure your online presence using TLS SAN Certificates.
Discover how Subject Alternative Name (SAN) extensions make it possible to encrypt multiple domain names with just one TLS certificate.

#TLS #SAN

visit: youtu.be/R5jdnZyusew for more details.

ExploreLive feeds
About