#1
Old 25th November 2013
wesley
Real Name: Wesley
Shell Scout
Join Date: Aug 2009
Location: Reunion Island
Posts: 91
OpenBSD 5.4: Layer 7 filtering, playing with pf and relayd

Here it is:


#2
Old 26th November 2013
comet--berkeley
Real Name: Richard
Package Pilot
Join Date: Apr 2009
Location: California
Posts: 142

When I first saw this I was annoyed: "Why is this using relayd to blacklist some websites?"

Blacklisting websites could be done simply using PF and nothing else.

But this guide is an example of using relayd as described in the recent paper at AsiaBSDCon 2013:


The real interesting part for me was how one can use relayd to intercept SSL (https) connections. (Now you can be just like the NSA...) and why it is bad for the whole https system when certificate authorities are hacked.

Under the title "Create certificates for relayd", the guide says:

Create CA key and certificate:

openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt

I chose « testing_relayd » as the password; you will need it in the relayd.conf file, and « ca.crt » needs to be installed on all the computers in the network (LAN).
Besides creating client certificates and putting them on all the client computers, the paper explains how hacking a certificate authority works just as well:

Another solution is to obtain an official CA with private key or to get an intermediate CA - a local CA signed by an official CA. Getting an official CA or intermediate CA for SSL Interception is normally only possible for governmental authorities (e.g. TURKTRUST in Turkey), or people who have access to a possibly compromised CA (e.g. DigiNotar in the Netherlands).
As the paper says:

"'SSL Interception' is a fairly common feature in commercial firewall products, for example from Juniper[5] or Check Point[4], why shouldn't it be freely available in OpenBSD as open source software? This might even have the effect that the increased availability of the feature will raise the awareness of the problem and lead to practical solutions in the future."
Let us hope that there is more awareness of the weaknesses in the https system and that a better system is developed.
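As an added, constructed example that is not from the thread, the guide, or the paper: this POSIX shell script (assuming an openssl binary on the path) rebuilds the guide's local CA in a temporary directory, mints a leaf certificate for a hypothetical site the way a LAN client that trusts ca.crt would see it, and shows the client-side check that tells such a certificate apart from a genuine one. A certificate for a public site that validates against the local ca.crt alone means the session is being terminated on the LAN.

```shell
#!/bin/sh
# Constructed demo: rebuild the guide's local CA, mint a leaf the way an intercepting
# proxy presents it, and check from the client side whether a certificate chains to it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The guide's CA. Constructed here with -nodes (no passphrase) so it runs unattended;
#    the guide uses a passphrase and keeps the key in /etc/ssl/private/ca.key.
openssl req -x509 -days 365 -newkey rsa:2048 -nodes -subj "/CN=testing relayd CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. A leaf for a hypothetical site, signed by that CA: what a LAN client that trusts
#    ca.crt sees instead of the site's real certificate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/intercepted.crt" 2>/dev/null

# 3. A certificate for the same name that does not chain to the local CA (stands in
#    for the site's genuine certificate, which chains to a public root instead).
openssl req -x509 -days 30 -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$WORK/genuine.key" -out "$WORK/genuine.crt" 2>/dev/null

# classify_cert CERT CA: prints "intercepted" when CERT validates against the local CA
# alone, "not-local" otherwise. A public site's certificate should never validate this
# way, so "intercepted" on a client means its TLS sessions terminate at the proxy.
classify_cert() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo intercepted
    else
        echo not-local
    fi
}

# issuer_of CERT: the issuer DN; for an intercepted leaf it is the local CA's subject,
# which is what a user would spot in the browser's certificate viewer.
issuer_of() {
    openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//'
}

classify_cert "$WORK/intercepted.crt" "$WORK/ca.crt"   # intercepted
classify_cert "$WORK/genuine.crt" "$WORK/ca.crt"       # not-local
issuer_of "$WORK/intercepted.crt"
```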