01:44 <JimBuntu> one word marcoagpinto (in the dark)... blowdarts
02:06 <lotuspsychje> good morning to all
06:17 <lordievader> Good morning
=== JanC_ is now known as JanC
10:32 <EoflaOE> Hello everyone
10:35 <TJ-> had fun so far making 18.04 apache2 deliver SSL Labs A+ rating, adding in TLSv1.3, CAA, and CipherSuite options. Shame the 18.04 apache2 doesn't support TLSv1.3
10:47 <marcoagpinto> hello dear brothers and sisters!
11:13 <BluesKaj> Hi folks
11:37 <marcoagpinto> BluesKaj!!!! Hi!
=== lotus|i5 is now known as lotuspsychje
12:38 <BluesKaj> hey marcoagpinto, was busy looking at 1TB SSD prices and reviews
12:53 <BluesKaj> prices are still too high for my taste
13:07 <pragmaticenigma> childish behavior will get you nowhere in life
13:13 <marcoagpinto> pragmaticenigma: me?
13:13 <pragmaticenigma> in general, but in this case MJCD
13:14 <marcoagpinto> I don't know what "MJCD" is?
13:14 <EoflaOE> Hello everyone and marcoagpinto
13:14 <marcoagpinto> EoflaOE: Hello
13:14 <pragmaticenigma> user in main... I typically don't use full handles here
13:15 <EoflaOE> How is your day going marcoagpinto?
13:16 <marcoagpinto> fine, thanks, I added 10 POS data into the English LanguageTool (proper names) and you?
13:16 <BluesKaj> hey EoflaOE
13:16 <EoflaOE> Hello BluesKaj, how was your day? | marcoagpinto: I am doing fine
13:17 <BluesKaj> ok here
13:20 <marcoagpinto> guys?! I guess that the green gadgets and others will come in 20.04 LTS? Maybe they were only added in 19.04 so that they get one year of testing?
13:22 <pragmaticenigma> Don't know what you mean there marcoagpinto
13:22 <EoflaOE> marcoagpinto: What are green gadgets? And what do they do?
13:23 <marcoagpinto> the green buttons, such as in the login screen
13:23 <marcoagpinto> and also different colours in the CheckBoxes gadgets
13:23 <EoflaOE> That feature is nice, but I don't know if it will come in 20.04 LTS.
13:24 <marcoagpinto> ohhhhhhh :(((((((((
14:08 <marcoagpinto> [23:25] <tomreyn> maybe you need \& or &&amp;
14:08 <marcoagpinto> it didn't work. I have just tested it
15:05 <tomreyn> well, it was just blind guessing, i know nothing about purebasic. why don't you use python or any other open source scripting or programming language?
15:10 <marcoagpinto> tomreyn: no, because coding is a hobby... so I am a lazy arse in learning other languages
15:11 <marcoagpinto> I do have at least one or two books on Python and Java
15:15 <tomreyn> IMO, when learning new languages, your goal shouldn't be to "read this book" but to "write this (non-complex) software"
15:16 <tomreyn> (but i acknowledge that different people prefer to approach things differently.)
15:18 <lordcirth_> I prototyped the skeleton of a game in Haskell; I really ought to get back to it
15:18 <lordcirth_> Well, not even the skeleton; I just wanted to get a handle on how to do OO-like things without OOP
15:18 <lotuspsychje> lordcirth_: are you a game dev?
15:19 <lordcirth_> Nope :P
15:19 <lotuspsychje> i made a game in basic once
15:19 <lordcirth_> I just had several games with bits I really liked and bits I didn't, and I wanted to learn Haskell.
15:20 <lordcirth_> I still want to make a 4x where the tech tree is different every game, and hidden.
15:20 <lotuspsychje> you might wanna talk to Ben64 sometime
15:21 <lotuspsychje> mgedmin: for wishes, you can add a !bug to make a wishlist
15:22 <pragmaticenigma> mgedmin: Also note, do-release-upgrade doesn't use apt
15:23 <tomreyn> and runs in a GNU screen
15:23 <tomreyn> or byobu rather
15:24 <marcoagpinto> I have coded two games :)
15:24 <marcoagpinto> ZX Spectrum remakes for the PC
15:24 <marcoagpinto> but that was almost 20 years ago... not much time for that hobby right now
15:25 <mgedmin> for context, I expressed a desire for do-release-upgrade to use apt's progress bar
15:25 <mgedmin> because it's annoying to sit there and have no idea how far along the upgrade is
15:25 <mgedmin> (sometimes some text like "Progress: [ 50%]" scrolls by but I rarely catch it)
15:26 <mgedmin> and the screen instance spawned by do-release-upgrade steals my scrollback buffer and changes all the screen keybindings from defaults to I-don't-know-what
15:28 <mgedmin> interesting detail about not using apt
15:28 <mgedmin> yeah, pstree shows the 'bionic' process is running dpkg directly
15:28 <pragmaticenigma> mgedmin: do-release-upgrade is more of a script, executing a bunch of other applications to perform the necessary configuration changes, package downloads, etc... It would be very difficult to gauge the progress of that, which is likely why it hasn't been included.
15:28 <mgedmin> hey, the gui update manager has a progress bar
15:29 <mgedmin> it's the same script with a different frontend afaiu?
15:30 <pragmaticenigma> mgedmin: it might be, it could be a wrapper that looks for those "Progress: [ 50%]" string patterns in the log/output of do-release-upgrade
15:30 <mgedmin> but yeah, someone would have to write some code to emit magic terminal escapes to draw the progress bar, since it cannot just ask apt to do that
15:30 <mgedmin> (now I wonder if maybe screen's status bar could be repurposed for this? oh if I had the time)
15:31 <pragmaticenigma> As a developer, the hard part about progress bars is that a lot of the work being done is done asynchronously, where a process is forked to process the command, and sometimes there are no waits to see if the process completed
15:31 <lordcirth_> Is there any good way to see what processes are contributing to 'buffer' memory usage?
15:38 <tomreyn> i'd think these are any which are listed with a VSZ that is above the RSS in ps output.
15:39 <mgedmin> that seems unlikely?
15:39 <tomreyn> actually top lists SHR
15:39 <tomreyn> and yes, my initial statement was incorrect.
15:39 <mgedmin> "buffers" in free have something to do with block device caches iirc
15:40 <tomreyn>        buffers
15:40 <tomreyn>               Memory used by kernel buffers (Buffers in /proc/meminfo)
15:40 <tomreyn> from free(1)
15:43 <tomreyn> i am still clueless about linux memory handling. :-/
21:07 <TJ-> Hmmm, I have a DNS-over-HTTPS server working... now what do I do with it? :)
21:09 <akemlenovo_> Try to resolve all IPv4 addresses to see if it works properly and have some nice cache? :)
21:10 <daftykins> i read about Firefox moving to that, does it rely on querying a static IP to resolve? o0
21:12 <TJ-> huh? questions to confuse me!
21:12 <TJ-> it's a DNS server using HTTPS on port 443 of apache, returns the same info as a 'dig' to port 53
21:13 <TJ-> right now i've only got it set to allow resolving of domains I host so it can't be abused
21:14 <TJ-> DoH currently is not distributed, there are lists of known public services the browsers and other clients hard-code and use
21:27 <tomreyn> i guess it lacks a DHCP (or equivalent for IPv6) extension for propagation
21:28 <tomreyn> but then it may make sense to fight out these undecided fights first.
21:30 <TJ-> DoH? that's not how it's intended to work. It's basically a resolver that can be used to prevent snooping of DNS requests by any man-in-the-middle (ISP) and hard to block since it uses the HTTPS port
21:30 <tomreyn> DoH vs DoT, Do[HT] vs DNS, 'enterprise' DNS vs Do[HT], and maybe even DNSSec vs DNS
21:31 <TJ-> DNSSEC is different, that's a guarantee the returned record hasn't been modified (crypto hash)
21:32 <TJ-> so a MITM could still intercept and modify (thus breaking) the query since it is not encrypted
21:32 <tomreyn> companies will probably forbid employees from using Do[HT] since it prevents resolving LAN resources (and having those supersede those of public resolvers)
21:33 <TJ-> Or just operate their own DoH proxy
21:33 <tomreyn> yes, in the long term you really need a combination of DNSSEC + Do[HT] but also allow for a 'trusted' third party injecting / overriding additional records
21:35 <tomreyn> it'll probably boil down to a custom DoH proxy per company network which will do DNSSec outwards and inject custom records inwards
21:35 <tomreyn> and clients will still have a per-system resolver, which applications will be configured to use
21:36 <tomreyn> and that'll use this company resolver.
21:36 <tomreyn> so a similar architecture as we had so far, at least within companies
21:37 <tomreyn> while outside of companies computers and even apps can talk directly to public Do[HT] resolvers, or local / system proxies
21:37 <TJ-> Let's hope it goes the way of HTTPS everywhere
21:38 <tomreyn> i'm not very much in favor of every application doing its own (remote) resolving, though. i like the idea of having it central per system
21:38 <TJ-> I've one last job to do and that is deploy a TLSv1.3 stunnel config on 853 to ace the DoT tests
21:38 <tomreyn> i'm fine with proper TLS everywhere.
21:38 <tomreyn> ugh stunnel
21:39 <TJ-> I've got SSLlabs giving an A+ for the HTTPS configs now
21:39 <tomreyn> nice, that's not always easy
21:39 <TJ-> I've used stunnel since the late '90s I think it was, on Windows, very useful
21:40 <tomreyn> it is. just it should not be necessary to use it.
21:40 <TJ-> I'm going to publish the apache config for others since the searches I did led only to fragments without context, bad advice, or lists of ciphers that cannot be directly entered into the apache config
21:40 <TJ-> Well once BIND adds DoT support by linking in libssl it won't be needed
21:40 * daftykins runs SSLlabs test for fun
21:40 <daftykins> won't be expecting a high result here given i'm mostly stock
21:41 <TJ-> I had fun earlier adding CAA RRs to the zone and having it break BIND's dnssec-signzone which does not know of CAA records, had to use a raw type257 record to 'fool' it
21:41 <tomreyn> i think i read some chat around here about 18.04 ignoring cipher suites defined in service configurations for TLSv1.3 (only) and instead using those from ssl.conf, if any.
21:42 <daftykins> huh nope got A+ right away, that's just my personal nextcloud using LetsEncrypt
21:43 <tomreyn> hardly anyone does CAA
21:43 <daftykins> looks like i have a tonne of weak ciphers still enabled
21:43 <tomreyn> and still A+? :)
21:44 <daftykins> assuming i'm interpreting the orange lines correctly that are showing up
21:44 <tomreyn> i guess you have downgrade protections then and those are only for older TLS protocols
21:45 <TJ-> 18.04's apache doesn't support TLSv1.3, I've deployed from a PPA that does (the PPA belongs to Ondřej Surý, one of the core devs of bind9 and others and DNSSEC guru)
21:45 <tomreyn> Let's Encrypt has achieved so much, we really should buy those folks many beers
21:46 <daftykins> yeah mine has come back showing TLS 1.0, 1.1 and 1.2
21:46 <daftykins> seems to be talking about android v4 handshakes being simulated for TLS 1.0
21:46 <tomreyn> oh, i was thinking 18.04's would.
21:48 <TJ-> we have openssl 1.1.1 in 18.04 but apache hasn't been upgraded to support TLSv1.3, whereas i think nginx was
21:49 <tomreyn> oh ok, maybe i mixed those up.
21:50 <TJ-> funny how ratings slip. Last time I did the exercise was about 6 years ago... rating had dropped to a low B today until I tweaked everything again
21:50 <daftykins> shared a pic of what my test result showed in other channels you're both in
21:52 <daftykins> maybe some homework for another time :D
21:57 <TJ-> I'll dig out the server config when I'm less tired, tomorrow, and share it so you can compare
21:58 <TJ-> it's only about 7 lines if that (inc. the DoH reverse proxy)
21:58 <daftykins> thanks! sounds fun
22:01 <tomreyn> i'll be interested, too, thanks!

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!