home.social
  1. New blog post: figuring out, and updating upstream bug reports on how to get OpenVPN+DCO (in-kernel encryption/decryption) working on upcoming Ubuntu 26.04 LTS and Fedora 44.

    tuxed.net/fkooman/blog/openvpn

    Hopefully this can all be fixed before the release, so it works out of the box!

    #OpenVPN #Linux #DCO #Ubuntu #Fedora #UbuntuLTS

  2. GitHub is unusable without account. This is what you get by simply browsing to a repository on GitHub and clicking on the link to view the commits.

    #FuckMicrosoft #Centralization

  3. The systemd project was and is a *huge* leap forward for Linux. I can't imagine doing sysops without it.

    blog.tjll.net/the-systemd-revo

    Update: suspected "AI" usage for the images in the post, in case you want to avoid this.

    #systemd #Linux #sysops

  4. What are we (NRENs deploying SAML) gonna do about libxml2? It is now sort of unmaintained and reading the announcement for it, I can totally understand why the maintainer wants to step away.

    gitlab.gnome.org/GNOME/libxml2

    #saml #nren #xml #libxml #libxml2 #refeds

  5. It seems Red Hat Enterprise Linux 10 has been released. But what is new? The "release notes" ramble about "AI" and PQC, but... where are the actual release notes?!

    redhat.com/en/technologies/lin

    #rhel #rhel10

  6. Seems we'll be getting "Post Quantum Crypto" for free with #eduVPN 4.x on Debian 13 which comes with OpenSSL 3.5. The TLSv1.3 handshake will use X25519MLKEM768 and the 4.x server introduces `PresharedKey` support as well. We just need to recompile the eduVPN clients with Go 1.24 and we are good to go.

  7. Finally working on "Static IP address assignments" for the new #eduVPN 4.x server. An often requested feature. It is a bit tricky to implement cleanly due to how well eduVPN scales up (and down) 😄

  8. Preparing a small update for eduVPN 3.x. We are mostly working on 4.x now, so the development of 3.x is slowing down, but 3.x will keep receiving fixed and small updates for the foreseeable future!

    #eduVPN #NREN #GÉANT #vpn

  9. This is... interesting. Apparently bcrypt truncates user provided passwords at 72 byte marker. I guess one way can be to "prehash" the password with a HMAC as suggested here:

    soatok.blog/2024/11/27/beyond-

    The other (simpler) approach would be to, like Go's x/crypto/bcrypt, just reject all user provided passwords > 72 bytes. It is not *great*, but it works and fails "safe". Now one wonders *why* this is not the default behavior of PHP's password_hash function...

    #password #bcrypt #php

  10. Very nice presentations by GWDG and TU Dresden at #dfn_bt82 today about #eduVPN @DFN Very useful to hear how it is deployed in "the real world"!

  11. "Bug fixes."

    Not sure exactly when this was done and enabled by default, but in case you use Firefox Focus/Klar, be aware.

    *Update*: since version 136, see support.mozilla.org/en-US/kb/u

    #iOS #Firefox #FirefoxKlar #FirefoxFocus #surveillance

  12. Considering writing a small daemon that stores encryption/signing keys encrypted on disk using TPM2 (systemd-credentials) with a simple encryption/signing API that (web) apps can use either over HTTP or filesystem socket without risk of key exfiltration if said app is compromised. Poor person's HSM. Does anyone know any free software prior art here? It seems impossible to find among AWS KMS and Google Cloud KMS and various non-free solutions...

    #security #api #cryptography #kms #floss #hsm

  13. Spent the last ~week debugging and trying to understand MTU issues with WireGuard on DS-Lite and PPPoE connections with ICMP "black holes", MSS clamping and nftables. Quite the ride! Think I managed to sort of understand things now...

    #networking #wireguard #ipv6 #ipv4 #pppoe #dslite