Enable legacy provider and TLSv1 in OpenSSL 3 on FreeBSD 14

First, build OpenSSL from ports with some non-default options enabled:

# pkg install portsnap portmaster
# portsnap auto
# portmaster --packages-build security/openssl

Then enable these options:

Provider Modules -> Legacy
Protocol Support -> TLS1 and TLS1_1

After compilation has finished, make sure the sections in /etc/ssl/openssl.cnf look like this:

[openssl_init]
providers = provider_sect
ssl_conf = ssl_configuration

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

[ssl_configuration]
system_default = tls_system_default

[tls_system_default]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0
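
An added check, not part of the original page: this script reads an OpenSSL 3 config and reports whether the legacy provider is active and whether the system default permits TLS 1.0/1.1, a setting that applies to every program loading the file. The function names, output keys and sample config are constructed for this example; the sample mirrors the sections above plus the stock `openssl_conf = openssl_init` line, which the snippet above does not show.

```sh
#!/bin/sh
# Added example: report the system-wide TLS floor an OpenSSL 3 config sets.
audit_openssl_cnf() {                    # usage: audit_openssl_cnf [FILE]
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    { sub(/#.*/, "") }                                   # drop comments
    /^[ \t]*\[.*\][ \t]*$/ {                             # "[ name ]" header
        sect = $0; gsub(/[ \t]/, "", sect)
        sub(/^\[/, "", sect); sub(/\]$/, "", sect); next
    }
    { i = index($0, "=")                                 # split at first "="
      if (i) kv[sect, trim(substr($0, 1, i - 1))] = trim(substr($0, i + 1)) }
    END {
        init = kv["", "openssl_conf"]                    # global key -> init section
        leg  = kv[kv[init, "providers"], "legacy"]       # legacy provider section
        def  = kv[kv[init, "ssl_conf"], "system_default"]
        minp = kv[def, "MinProtocol"]; cs = kv[def, "CipherString"]
        lvl  = match(cs, /@SECLEVEL=[0-9]/) ? substr(cs, RSTART + 10, 1) : "unset"
        print "legacy_provider=" (kv[leg, "activate"] ~ /^(1|yes|true|on)$/ ? "active" : "inactive")
        print "min_protocol=" (minp == "" ? "unset" : minp)
        print "seclevel=" lvl
        # TLS 1.0/1.1 only negotiate in OpenSSL 3 when the level is 0 as well
        print "tls1_system_wide=" (minp ~ /^TLSv1(\.1)?$/ && lvl == "0" ? "yes" : "no")
    }' "${1:--}"
}

sample_cnf() {                           # constructed input mirroring the sections above
cat <<'EOF'
openssl_conf = openssl_init   # stock global line naming the init section
[openssl_init]
providers = provider_sect
ssl_conf = ssl_configuration
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
[ssl_configuration]
system_default = tls_system_default
[tls_system_default]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0
EOF
}

sample_cnf | audit_openssl_cnf           # demo run on the constructed sample
```

To audit a host, pass the path of the config file you edited as the first argument instead of piping the sample.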

Install uCARP on Debian 12

Download the ucarp package first:

apt install ucarp

Configure the interface in /etc/network/interfaces on your PRIMARY server:

iface eth0 inet static
    address 10.1.1.4/24
    gateway 10.1.1.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 1.1.1.1 9.9.9.9
    dns-search domain

iface eth0:ucarp inet static
    address 10.1.1.30
    netmask 255.255.255.0

Now do the same thing on your SECONDARY server:

iface eth0 inet static
     address 10.1.1.5/24
     gateway 10.1.1.1
     # dns-* options are implemented by the resolvconf package, if installed
     dns-nameservers 1.1.1.1 9.9.9.9
     dns-search domain

iface eth0:ucarp inet static
     address 10.1.1.30
     netmask 255.255.255.0

You can check on your primary whether carp is working with:

$ ifup eth0:ucarp

If this is fine, we have to create a config file and the systemd startup unit, as the package comes without such a unit file.

First create /etc/ucarp/vip-common.conf on both servers and paste the following. This is for the primary, so you have to adapt it to fit the secondary, notably SOURCE_ADDRESS and ADVSKEW. Set ADVSKEW higher on the secondary, e.g. ADVSKEW="100":

BIND_INTERFACE="eth0"
PASSWORD="mysimplepass"
VIP_ADDRESS="10.1.1.30"
SOURCE_ADDRESS="10.1.1.4"
VHID="1"
ADVBASE="1"
ADVSKEW="10"
OPTIONS="-P -z"
UPSCRIPT="/usr/share/ucarp/vip-up"
DOWNSCRIPT="/usr/share/ucarp/vip-down"

Then create the systemd unit file /etc/systemd/system/ucarp.service:

[Unit]
Description=UCARP virtual interface %I
After=network.target

[Service]
EnvironmentFile=-/etc/ucarp/vip-common.conf
ExecStart=/usr/sbin/ucarp $OPTIONS -i $BIND_INTERFACE -p $PASSWORD -v $VHID -a $VIP_ADDRESS -s $SOURCE_ADDRESS -b $ADVBASE -k $ADVSKEW -u $UPSCRIPT -d $DOWNSCRIPT
KillMode=control-group

[Install]
WantedBy=multi-user.target

Last but not least, start it:

$ systemctl enable --now ucarp

https://ucarp.wordpress.com