The Poodle killed SSLv3

October 16, 2014

Due to the POODLE attack I have removed support for SSLv3 on this webserver. With a decent browser you should not face any problems.

Bug in git-2.1.0 parsing IPv6 SSH URLs

September 18, 2014

Git 2.1.0 (and maybe 2.0.x) doesn't handle URLs with literal IPv6 addresses properly when a username is supplied.

Cloning without a username succeeds:

% git clone ssh://[2001:db8::1]/repository.git

As soon as you give a username to the URL, git fails:

% git clone ssh://git@[2001:db8::1]/repository.git
Cloning into 'repository.git'...
ssh: Could not resolve hostname [2001: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I used the clone command here only for demonstration. The bug applies to all commands which connect to the specified URL (e.g. push).

Workaround

A workaround is to put the left square bracket before the username, but this syntax violates RFC 3986 (Uniform Resource Identifier (URI): Generic Syntax).

% git clone ssh://[git@2001:db8::1]/repository.git

This works for git 2.1.0, but will probably break in future versions as it is invalid syntax.

Bug?

I reported this behaviour to the Git mailing list on 2014-09-18 and it was confirmed as a bug shortly after.
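The failure above is a parsing-order problem: an RFC 3986 authority is `[ userinfo "@" ] host [ ":" port ]`, and an IPv6 host is an IP-literal in square brackets, so the userinfo must be split off before looking for the brackets, and the port only after them. The following is an added example (not code from the original post or from Git): `buggy_host` is a small model of the observed behaviour, reconstructed for illustration rather than taken from Git's source, and `parse_authority` does it correctly and therefore also rejects the bracket-before-username workaround.

```python
from __future__ import annotations
from urllib.parse import urlsplit


def authority_of(url: str) -> str:
    """Return the authority of 'scheme://authority/path' (no scheme validation)."""
    return url.split("://", 1)[1].split("/", 1)[0]


def buggy_host(authority: str) -> str:
    """Model of the failure in the post: the '[' check runs on the whole
    authority, so 'git@[2001:db8::1]' is not recognised as an IP-literal and
    the first ':' is taken as the port separator. Reconstruction, not Git's code."""
    if authority.startswith("["):
        host = authority[1:authority.index("]")]
    else:
        host = authority.split(":", 1)[0]
    return host.rsplit("@", 1)[-1]


def parse_authority(authority: str) -> tuple[str | None, str, int | None]:
    """RFC 3986 sec. 3.2: authority = [ userinfo "@" ] host [ ":" port ].
    Userinfo is split off first, then an IP-literal in brackets, then the port."""
    userinfo, sep, hostport = authority.rpartition("@")
    user = userinfo if sep else None
    if hostport.startswith("["):                      # IP-literal
        end = hostport.find("]")
        if end < 0:
            raise ValueError(f"unterminated IP-literal in {authority!r}")
        host, rest = hostport[1:end], hostport[end + 1:]
    else:                                             # IPv4address / reg-name
        host, colon, digits = hostport.partition(":")
        rest = colon + digits
    if not rest:
        return user, host, None
    if rest[0] != ":" or not rest[1:].isdigit():      # also rejects '[git@2001:db8::1]'
        raise ValueError(f"invalid port in {authority!r}")
    return user, host, int(rest[1:])


def parse_ssh_url(url: str) -> tuple[str | None, str, int | None]:
    """Parse an ssh:// URL and cross-check the result against urllib."""
    user, host, port = parse_authority(authority_of(url))
    parts = urlsplit(url)
    if (parts.username, parts.hostname, parts.port) != (user, host.lower(), port):
        raise ValueError(f"disagreement with urllib for {url!r}")
    return user, host, port
```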

jQuery 2 and Internet Explorer 8

July 6, 2014

I recently visited my site on a company's computer which was still using Windows XP and Internet Explorer 8 (IE 8). I noticed the menu bar on top of my page didn't work here. The menu bar uses functions from jQuery, and the latest jQuery 2.x version I was using didn't support IE 8 and below anymore.

While looking at my website statistics, I discovered Internet Explorer 8 is used by 2.3% of my visitors (Internet Explorer 7: 1%). Of course, that's not very much compared to Chrome and Firefox, but it was easy to include a fix into the theme to get IE 6/7/8 support back:

<!--[if lt IE 9]>
  <script src="/assets/js/jquery1-compat.js"></script>
<![endif]-->
<!--[if gte IE 9]><!-->
  <script src="/assets/js/jquery.js"></script>
<!--<![endif]-->

IE 8 and below load jQuery-1.11.1 now, while all other browsers should use the default one (currently jQuery-2.1.1).

Of course, this can have side effects. Functions depending on a recent jQuery 2.x could break if viewed with IE 6/7/8. I am aware of this and will drop support for those abandoned browsers again if I think the time is right.


The graphic below shows the browser families that were used to surf my website (from 2014-01-01 to 2014-07-06):

[Graphic: Browser families used to surf this site]

First server downtime

February 5, 2014

Today I noticed my server wasn't available anymore. No ping, no ssh, nothing!

Unfortunately, I wasn't able to login via remote console and had to restart the machine without the ability to shut it down properly.

This brought me some filesystem hiccups…

… but they could be fixed and the machine restarted flawlessly.

Looking through the logfiles it seemed like the server was still running at the moment I restarted it, but had lost its network connectivity for unknown reasons.

Hetzner server with IPv6 under FreeBSD

January 27, 2014

There are plenty of configuration guides on the net for giving a dedicated root server at Hetzner IPv6 connectivity. I am adding my configuration to the pile.

ifconfig_re0_ipv6="inet6 2a01:4f8:140:136d::2 prefixlen 64"
ipv6_defaultrouter="fe80::1%re0"

It essentially matches the recommendation in the Hetzner wiki, and nothing more is needed.

Firewall

And a few tips for the firewall:

ICMPv6

Filtering incoming IPv6 packets is generally not wrong, but a few important ICMP6 packets should be let through:

pass in quick inet6 proto icmp6 all \
    icmp6-type { echoreq, unreach, neighbrsol, neighbradv, routeradv }

RFC 1918

Understandably, Hetzner doesn't like to see packets from the RFC 1918 address range flying across its network. Filtering is simple:

ext_if="re0"
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                        10.0.0.0/8, 255.255.255.255/32 }
…
block in  quick on $ext_if from <rfc1918>
block out quick on $ext_if from <rfc1918>
block out quick on $ext_if to   <rfc1918>

By the way, jails can be nicely networked with each other over the loopback interface lo0.
