Return to Level1Techs.com

Phaselockedloopable- PLL's continued exploration of networking, self-hosting and decoupling from big tech

Seeing as your server supports TLS 1.3, that should mean you have OpenSSL 1.1.1.

Might be worth getting rid of the DHE AES 256 for something like this: ECDHE-RSA-CHACHA20-POLY1305

I don’t have a super deep understanding of webservers and why one might want more than two cipher suites active, I just run as it works for me.

1 Like

When I’m done with my exercise I think I can pull my SSL conf

It’s a dirty hack but it works for both of you and I so

If you scroll down on the SSL test you can actually go down and see if you’re vulnerable to anything that’s weak

You’ll have to scroll down quite a bit and expand most of the menu items

These type weak vulnerabilities?

Didn’t all quite fit on a page, probably should have tried to use Pastebin, i dunno. Sorry for the spam.

I’m not really married to any of these technologies, I’m just trying to learn a thing or two while I tinker and (hopefully) try to improve the computing experience for family and try to maintain those rigorous SLAs. >.<

Debian GNU/Linux 10 (buster)
OpenSSL 1.1.1d  10 Sep 2019
nginx version: nginx/1.18.0

This is just a little VM i run since migrating the web server off my RPi3B so I could repurpose that for a little ADS-B project attempting to learn a few basics about radio waves and the surrounding technology. The thinking was that it might better equip me to deal with WiFi related matters. Sorry, now I’m delving a bit further off topic. You guys are great.

then you fine but honestly all I did in openssl was this

Disclaimer im not resposible for broken systems

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = [email protected]=2
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Options = ServerPreference,PrioritizeChaCha

Also everywhere I saw sha256 I changed to sha512 and anything RSA2048 to 4096

[ req ]
default_bits		= 4096
default_md		= sha512

Bingo and Im good

Also some other things I did were

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 19
challengePassword_max		= 29

changed from 4 and 20

1 Like

I keep churning it out man:

Series 5: Infrastructure Series -- Taking DNS One Step Further - Full DNS Server infrastructure

1 Like

Apologies if I haven’t found it skimming through the thread but since I am now the owner of a Pixel 4a I’d like to follow your steps on getting the phone set up since my last lineageos setup was pretty tashy. Have you already written more specifically about what steps you took or could you if not?

1 Like

The 4a isn’t officially supported. So my steps won’t be applicable until it gets supported.

The 5g version will take even longer.

1 Like

Yeah I’ve seen that, my hope is that it overlaps greatly with the 4 though so I wouldn’t discount your steps being helpful or at least some general guidance.

It’s not the 5g version

1 Like

Im NEVER

Doing this

Again

1 Like

My instructions dont really differ to much from building from source? I guess I should ask for clarification on what you need?

https://wiki.lineageos.org/devices/crosshatch/build

Its the only way to actually sign the ROM and make it into a factory image

Hacking there script up to work with the lineage OS Build

However you can just build it and skip signing and relocking the BL. thats the easiest route and honestly just fine

Well I have found the staged Pixel 4a device tree here and the proposed wiki entry on their gerrit so that’s good for the general build. Your comments on relocking the BL and using the Titan M chip for that is what caught my eye most.

Its a very difficult procedure and is tailored on a device per device basis my crosshatch wont work for your sunfish. However I can give you a brief idea of what you need to do

Ill adapt slightly from my process and the build docs. To generate keys for sunfish you should follow a similar process:

mkdir -p keys/codename
cd keys/crosshatch
../../development/tools/make_key releasekey '/CN=LineageOS/'
../../development/tools/make_key platform '/CN=LineageOS/'
../../development/tools/make_key shared '/CN=LineageOS/'
../../development/tools/make_key media '/CN=LineageOS/'
../../development/tools/make_key networkstack '/CN=LineageOS/'
openssl ecparam -name secp384r1 | openssl pkcs8 -topk8 -scrypt -out avb.pem
../../external/avb/avbtool extract_public_key --key avb.pem --output avb_pkmd.bin
cd ../..

See I use EC keys because its supported on the Titan M and WAY more efficient on ARM but I dont know what phone to phone changes google has made you know? Its why Im hesitant to be exact but I hope this helps

signify -G -n -p keys/crosshatch/factory.pub -s keys/crosshatch/factory.sec

Of course I take the scripts from graphene and encrypt the keys. You can also make your own and automate the process

script/encrypt_keys.sh keys/crosshatch

Then follow the rest of the guide to turn the lineageOS image into a factory image. This is a step devs dont take on lineage because its hard enough to develop as it is

When i took this route I updated once every few months. The build takes a while an a serious amount of RAM. (24 GB in my case).

It will just swap out but that slows it down further.

Genning deltas is important too.

Also you have to commit to Signed root which means no android pay and stuff. Things that worked under magisk wont. You have to accept this trade off.

But yeah my process was similar to this. I hope it sheds light how much you kind of have to do your own foot work to get it working on a device per device basis. Every device has an ARM trusted zone. If you can figure it out for a one plus I think there is a bounty for that on XDA. I dont have the time for one plus. LOL

@SgtAwesomesauce only slightly relevant to you since I mentioned signing builds you make. See convo history. You might be able to figure it out for the OP7 if you deem it worth your time.

Disclaimer. This was my own hack. I dont provide support LOL YMMV

but building on the knowledge is welcome :rofl:

1 Like

hell yeah series 6 is out.

Security headers… Set them!

Links to Infrastructure Series and Blogs"

Blog: Phaselockedloopable- PLL's continued exploration of networking, self-hosting and decoupling from big tech
Series 1: Infrastructure Series -- Native Dual Stack IP4+IP6
Series 2: Infrastructure Series -- Wireguard Site to Site Tunnel
Series 3: Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX
Series 4: Infrastructure Series -- NGINX Reverse Proxy and Hardening SSL
Series 5: Infrastructure Series -- Taking DNS One Step Further - Full DNS Server infrastructure
Series 6: Infrastructure Series -- HTTP(S) Security Headers! You should use them! [NGINX]

4 Likes


reactive websites… are bloat. I decided to go simple HTML https://services.utangard.net/

2 Likes

I love simple websites. What has ever been wrong with just static content. JS is critically overrated :stuck_out_tongue:

On another note though, your background image is 14MB, and the response contained no cache headers… Might want to compress the image, and add HTTP caching headers?

1 Like

Js is bloat

Makes his own with a 14mb background image

Nice

3 Likes

ROFL… I had to make up for it somewhere. Gotta smack them data caps

Its mostly a troll … ill change it … when I get a good image. Problem is thats most of my images. hell my phone cameras images are like 16 on JPG… lol… so Im just at the point where I guess im desensitized to that