Archive for the ‘Howto’ Category

FreeBSD : simple lagg usage


The link aggregation and link failover interface, the lagg(4) device, first appeared in FreeBSD 6.3. As the name suggests, it allows multiple network interfaces to be aggregated into one virtual lagg(4) interface for the purpose of providing fault tolerance and high-speed links. The driver currently supports the failover, fec, lacp, loadbalance, roundrobin and none protocols, and drives them by detecting the link state of the child interfaces.

This is useful in a large enterprise environment. Nonetheless, you can also use it to set up roaming between wired and wireless networks. The lagg(4) manpage provides a simple example. However, it states that

WPA security does not currently work correctly with a wireless interface added to the lagg port.

Well, it is easy to overcome the issue by using wpa_supplicant(8). Just set up /etc/wpa_supplicant.conf as normal; refer to the wpa_supplicant.conf(5) manpage for detailed setup. Since the file holds the pre-shared key in clear text, keep it readable by root only. Here is my example.

/etc/wpa_supplicant.conf :-

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=1
network={
       ssid="MY_WPA_WIFI"
       scan_ssid=1
       key_mgmt=WPA-PSK
       psk="verysecretpassword"
}

/etc/rc.conf :-

ifconfig_nfe0="DHCP"
ifconfig_ndis0="WPA DHCP"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto failover laggport ndis0 laggport nfe0 DHCP"

Relevant ifconfig output :-

ndis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1a:73:73:92:34
        media: IEEE 802.11 Wireless Ethernet autoselect
        status: associated
        ssid "MY_WPA_WIFI" channel 1 (2412 Mhz 11b)
        authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming MANUAL
        bintval 0
        lagg: laggdev lagg0
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:1a:73:73:92:34
        media: Ethernet autoselect (none)
        status: no carrier
        lagg: laggdev lagg0
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1a:73:73:92:34
        inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect
        status: active
        laggproto failover
        laggport: nfe0 flags=0<>
        laggport: ndis0 flags=5<MASTER,ACTIVE>
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500

It is that easy. Your laptop will roam automatically between the wired and wireless connections.
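To see which link the failover lagg is actually carrying traffic on, it helps to decode the laggport flag bits that ifconfig prints. The script below is an added example for this post, not code from the original or from FreeBSD; the bit values are those of the LAGG_PORT_* constants in sys/net/if_lagg.h, and the ifconfig text it parses is a constructed sample shaped like the output above.

```shell
# Added example (not from the original post): decode laggport flag bits and
# report which port of a failover lagg is active. Bit values are the
# LAGG_PORT_* constants from sys/net/if_lagg.h.
LAGG_PORT_MASTER=1
LAGG_PORT_STACK=2
LAGG_PORT_ACTIVE=4
LAGG_PORT_COLLECTING=8
LAGG_PORT_DISTRIBUTING=16

# Constructed sample, shaped like the "ifconfig lagg0" output in the post.
SAMPLE_LAGG_OUTPUT='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1a:73:73:92:34
        inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect
        status: active
        laggproto failover
        laggport: nfe0 flags=0<>
        laggport: ndis0 flags=5<MASTER,ACTIVE>'

# lagg_port_flag_names NUMBER: print the names of the bits set in NUMBER,
# comma separated, in the same order ifconfig uses.
lagg_port_flag_names() {
    _names=""
    for _pair in MASTER:$LAGG_PORT_MASTER STACK:$LAGG_PORT_STACK \
                 ACTIVE:$LAGG_PORT_ACTIVE COLLECTING:$LAGG_PORT_COLLECTING \
                 DISTRIBUTING:$LAGG_PORT_DISTRIBUTING; do
        _bit=${_pair##*:}
        if [ $(( $1 & _bit )) -ne 0 ]; then
            _names="${_names:+$_names,}${_pair%%:*}"
        fi
    done
    printf '%s\n' "$_names"
}

# lagg_active_port IFCONFIG_TEXT: print every laggport whose ACTIVE bit is set.
# With laggproto failover exactly one port should be listed; returns 1 if none.
lagg_active_port() {
    _out=$(printf '%s\n' "$1" | while IFS= read -r _line; do
        case $_line in *"laggport: "*) ;; *) continue ;; esac
        set -- $_line                      # $2 = port name, $3 = flags=N<...>
        _flags=${3#flags=}; _flags=${_flags%%<*}
        if [ $(( _flags & LAGG_PORT_ACTIVE )) -ne 0 ]; then
            printf '%s\n' "$2"
        fi
    done)
    [ -n "$_out" ] || return 1
    printf '%s\n' "$_out"
}

# On a live box: lagg_active_port "$(ifconfig lagg0)"
lagg_active_port "$SAMPLE_LAGG_OUTPUT"     # ndis0
```

In the sample, nfe0 has no carrier and carries flags=0, so ndis0 (MASTER,ACTIVE) is the live path; after the cable is plugged in the roles swap and the function reports nfe0. A failover lagg with no active port, or more than one, is worth an alert.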

Sunday, July 12th, 2009

FreeBSD : web cluster – Frontend nginx, backend apache with SSL


Previously, I posted a write-up on glusterfs on FreeBSD clusters. Here is the installment on the round-robin web proxy part. In my configuration, nginx runs as the front-end and apache is the back-end. Both boxes have the same nginx and apache configuration. The nginx SSL cert and key should be the same as well (with the same common name, i.e. www.yourdomain.com).

APACHE
I will skip most of the apache installation part as it is common and easy to set up. The basic requirement for apache is to run with SSL on port 8443. Please take note that mod_rpaf is required for apache to capture the real IP address of the visitors rather than that of the proxy. Install it from /usr/ports/www/mod_rpaf2. Then add these lines to your httpd.conf.


LoadModule rpaf_module       libexec/apache22/mod_rpaf.so

<IfModule rpaf_module>
RPAFEnable On
RPAFsethostname On
RPAFproxy_ips 192.168.100.82 192.168.100.84
</IfModule>

Note:
IP address for node 1 = 192.168.100.82
IP address for node 2 = 192.168.100.84
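RPAFproxy_ips is a trust list: apache may only believe the X-Forwarded-For header when the TCP peer is one of those proxies, because anyone who can reach port 8443 directly can send whatever header they like. The script below is an added example, not mod_rpaf's own code: it models that decision in plain shell so the rule can be seen and tested. The proxy addresses are the two nodes from the note above; the request samples are constructed.

```shell
# Added example, not mod_rpaf's code: a model of the trust decision that
# RPAFproxy_ips expresses. X-Forwarded-For is believed only when the TCP peer
# is a listed proxy; from any other peer the header is attacker-controlled and
# the peer address itself is used.
TRUSTED_PROXIES="192.168.100.82 192.168.100.84"   # same hosts as RPAFproxy_ips above

# is_trusted_proxy ADDR: succeed if ADDR is in TRUSTED_PROXIES.
is_trusted_proxy() {
    for _p in $TRUSTED_PROXIES; do
        if [ "$_p" = "$1" ]; then return 0; fi
    done
    return 1
}

# effective_client_ip PEER_ADDR XFF_VALUE: print the address that access logs,
# rate limits and ACLs should use. nginx builds X-Forwarded-For with
# $proxy_add_x_forwarded_for, which appends the address it accepted the
# connection from, so the LAST element is the one the proxy vouches for;
# anything before it was supplied by the client and is not trusted.
effective_client_ip() {
    _peer=$1; _xff=$2
    if is_trusted_proxy "$_peer" && [ -n "$_xff" ]; then
        printf '%s\n' "$_xff" | tr ',' '\n' | tail -n 1 | tr -d ' \t'
    else
        printf '%s\n' "$_peer"
    fi
}

# Constructed requests as apache on :8443 would see them (documentation IPs):
# 1) via nginx; the client sent its own forged X-Forwarded-For first
effective_client_ip 192.168.100.82 "192.0.2.1, 203.0.113.9"   # 203.0.113.9
# 2) a direct hit on :8443 that bypassed nginx, header forged
effective_client_ip 198.51.100.7 "203.0.113.9"               # 198.51.100.7
```

The second case only stays harmless because the peer is not in the list; in practice port 8443 on both nodes should also be firewalled so that only 192.168.100.82 and 192.168.100.84 can reach it, and the list must be kept in step with the actual proxy hosts.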

NGINX (engine X)
Installation of nginx is fairly simple under FreeBSD as the port is complete (no messy manual patching and stuff). Just run the installation with the command below. But take note that you need these two options: HTTP_SSL_MODULE and HTTP_UPSTREAM_FAIR. Yes, you need them.

cd /usr/ports/www/nginx && make install

The configuration file, nginx.conf, is relatively easy to understand if you are familiar with lighttpd or apache mod_proxy. The following is an example nginx config file. Remember, use it with care because YMMV.

user  www;
worker_processes  4;

events {
    worker_connections  4096;
}                            

http {
    include       /usr/local/etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  5;
    gzip  on;
    upstream backend_servers {
        fair;
        server 192.168.100.82:8443;
        server 192.168.100.84:8443;
    }                                                 

    server {
        listen   80 default;
        server_name  _;
        server_name_in_redirect  off;
        access_log /var/log/nginx-access.log;
        error_log /var/log/nginx-error.log;
        location / {
                proxy_pass https://backend_servers;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_connect_timeout      5;
                proxy_send_timeout         5;
                proxy_read_timeout         5;
        }
    }                                                                              

    server {
        listen       443 default;
        server_name  _;
        server_name_in_redirect  off;
        access_log /var/log/nginx-ssl-access.log;
        error_log /var/log/nginx-ssl-error.log;
        ssl                  on;
        ssl_certificate      /etc/ssl/certs/nginx-cert.pem;
        ssl_certificate_key  /etc/ssl/keys/nginx-key.pem;
        ssl_session_timeout  5m;

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;

        location / {
                proxy_pass https://backend_servers;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_connect_timeout      5;
                proxy_send_timeout         5;
                proxy_read_timeout         5;
        }
    }
}

Virtual hosts are managed by apache httpd, so these lines are needed in nginx.conf.

server_name  _;
server_name_in_redirect  off;

For SSL cert and key generation, please refer to the previous post, glusterfs on FreeBSD. That’s it.

Wednesday, April 22nd, 2009

FreeBSD : nginx with php-cgi on unix socket

UPDATE : Check out the recently committed /usr/ports/www/spawn-fcgi/; it comes with a better spawn-fcgi rc.d script. Please use the script from the post. However, the spawn-fcgi.sh provided does not have an option to run via a unix socket. I have submitted a patch.

A few days ago, I posted a write-up, FreeBSD : php-cgi spawn-fcgi rc.d script for nginx, on running php-cgi on port 8888. But how do I run it via a unix socket? It is trivial with the spawn-fcgi rc.d script. Just add the flags to /etc/rc.conf

spawnfcgi_flags="-s /tmp/php-fastcgi.socket -u www -g www -f /usr/local/bin/php-cgi"

Next, replace the line

fastcgi_pass 127.0.0.1:8888;

with this

fastcgi_pass unix:/tmp/php-fastcgi.socket;

Lastly, restart both php-cgi and nginx:

/usr/local/etc/rc.d/spawnfcgi restart && /usr/local/etc/rc.d/nginx restart

That’s all. You have your php-cgi on a unix socket.

Friday, April 17th, 2009

FreeBSD : Glusterfs with SSL (via stunnel)

I have been working on parallel round-robin web clusters (is this the right term?) using 2 x FreeBSD 7.1 AMD64 boxes, nginx (patched with fair upstream), apache + php (backend), glusterfs, tinydns (sitting on another box, a name server, for round-robin A records) and mysql multi-master replication. The setup mainly makes use of the round-robin replication concept. Although I have yet to fully hammer the configuration, it was pretty impressive and secure.

Glusterfs and mysql replicate over SSL. Nginx serves SSL. These, however, come slightly at the expense of CPU and performance. I can live with that though.

The write-up of the setup is in progress as I am quite tied up with my day job, the HeX project and the glusterfs 2.0 port for FreeBSD. Hopefully, I can manage the time well to complete all these. Nevertheless, here is a partial (optional) write-up for glusterfs replication with SSL.

Note: server1 and server2 denote the FreeBSD clusters.

1) Installing required software
Most of the software except glusterfs (not in the FreeBSD ports as of this posting) is available via the FreeBSD ports. I’m aware that TimurBakeyev is working on a glusterfs port.

# cd /usr/ports/security/stunnel && make install clean

2) Creating SSL certs (on either of the box)
Generally, it is easier to manage all cert/key generation on a single box and copy the required certs to the rest of the boxes. But YMMV. Commonly, cacert.pem and the generated cert/key are copied.

2.1) For the impatient
Just create the certificate in one line. Remember to modify the content of “-subj”.

# openssl req -new -outform PEM -out /etc/ssl/stunnel-cert.pem -newkey rsa:1024 \
-nodes -keyout /etc/ssl/private/stunnel-key.pem -keyform PEM -days 3650 -x509 -subj \
'/C=ur country code/ST=ur state/L=ur location/CN=ur server common name/O=ur org/OU=ur org unit'

2.2) For the patient
Create the necessary directories for ssl with the following commands.

# mkdir /etc/ssl/newcerts
# mkdir /etc/ssl/private
# echo '01' >/etc/ssl/serial
# touch /etc/ssl/index.txt

Next, let’s generate a CA. You will be prompted with questions about your country, state, location etc. and for a password for the CA key.

# openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/private/cakey.pem \
-out /etc/ssl/cacert.pem -days 3650 -config /etc/ssl/openssl.cnf

Generating a cert request for stunnel

# openssl req -outform PEM -out /etc/ssl/stunnel-req.pem -newkey rsa:1024 -nodes \
-keyout /etc/ssl/private/stunnel-key.pem -keyform PEM -subj \
'/C=ur country code/ST=ur state/L=ur location/CN=ur server common name/O=ur org/OU=ur org unit'

Lastly, use the CA key to sign the request.

# openssl ca -in /etc/ssl/stunnel-req.pem -notext -out /etc/ssl/stunnel-cert.pem
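The steps in 2.2 are interactive and the post does not show how to confirm that the signed cert really chains to the new CA. The script below is an added example, not from the post: it runs the same flow end to end in a scratch directory and then checks the result with openssl verify. It assumes openssl(1) is in PATH. Deliberate differences from the post: a throw-away openssl.cnf instead of /etc/ssl/openssl.cnf, a CA key without a passphrase (-nodes) so nothing prompts, rsa:2048 keys, and constructed placeholder -subj values.

```shell
# Added example, not from the post: section 2.2 run end to end without
# prompts in a scratch directory, plus the missing check that the signed
# stunnel cert chains to the CA. Assumes openssl(1) is in PATH. Differences
# from the post: throw-away openssl.cnf, passphrase-less CA key (-nodes),
# rsa:2048 keys, constructed placeholder -subj values.

# ssl_ca_setup DIR: directory layout from the post plus a minimal openssl.cnf
ssl_ca_setup() {
    _d=$1
    mkdir -p "$_d/newcerts" "$_d/private"
    chmod 700 "$_d/private"
    echo '01' > "$_d/serial"
    : > "$_d/index.txt"
    cat > "$_d/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
database        = $_d/index.txt
new_certs_dir   = $_d/newcerts
serial          = $_d/serial
certificate     = $_d/cacert.pem
private_key     = $_d/private/cakey.pem
default_md      = sha256
default_days    = 3650
policy          = policy_anything
x509_extensions = usr_cert

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# ssl_ca_create DIR: the self-signed CA, as in the post
ssl_ca_create() {
    openssl req -new -x509 -extensions v3_ca -config "$1/openssl.cnf" \
        -newkey rsa:2048 -nodes -keyout "$1/private/cakey.pem" \
        -out "$1/cacert.pem" -days 3650 \
        -subj '/C=XX/ST=Example State/L=Example City/CN=Example CA/O=Example Org' \
        2>/dev/null
}

# stunnel_cert_issue DIR: request for stunnel, then sign it with the CA key
stunnel_cert_issue() {
    openssl req -new -outform PEM -out "$1/stunnel-req.pem" -newkey rsa:2048 -nodes \
        -keyout "$1/private/stunnel-key.pem" -keyform PEM -config "$1/openssl.cnf" \
        -subj '/C=XX/ST=Example State/L=Example City/CN=server2/O=Example Org/OU=Example Unit' \
        2>/dev/null
    openssl ca -config "$1/openssl.cnf" -batch -in "$1/stunnel-req.pem" \
        -notext -out "$1/stunnel-cert.pem" 2>/dev/null
}

# stunnel_cert_verify DIR: print OK if stunnel-cert.pem chains to cacert.pem, else FAIL
stunnel_cert_verify() {
    if openssl verify -CAfile "$1/cacert.pem" "$1/stunnel-cert.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# stunnel_cert_cn DIR: print the CN the CA actually put into the issued cert
stunnel_cert_cn() {
    openssl x509 -in "$1/stunnel-cert.pem" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

CA_DIR=$(mktemp -d)
trap 'rm -rf "$CA_DIR"' EXIT
ssl_ca_setup "$CA_DIR"
ssl_ca_create "$CA_DIR"
stunnel_cert_issue "$CA_DIR"
stunnel_cert_verify "$CA_DIR"   # OK
```

The same verify call is the one to run after copying cacert.pem and the stunnel cert to the other box: if it does not print OK there, the stunnel peers will not be able to validate each other either, whatever the rc.conf says.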

3) Modifying stunnel rc.d for stunnel running client mode
The rc.d startup script for stunnel is meant for running either server or client mode, not both. I need both modes here, so I made a quick copy of the stunnel rc.d script to run another instance of stunnel in client mode. I named it /usr/local/etc/rc.d/stunnelc.

#!/bin/sh
#
# $FreeBSD: ports/security/stunnel/files/stunnel.in,v 1.9 2008/01/26 14:18:12 roam Exp $
#

# PROVIDE: stunnelc
# REQUIRE: NETWORKING SERVERS
# BEFORE: DAEMON glusterfs
# KEYWORD: shutdown

#
# Add some of the following variables to /etc/rc.conf to configure stunnel:
# stunnelc_enable (bool):        Set to "NO" by default.
#                               Set it to "YES" to enable stunnel.
# stunnelc_config (str):         Default "/usr/local/etc/stunnel/stunnel-client.conf"
#                               Set it to the full path to the config file
#                               that stunnel will use during the automated
#                               start-up.
# stunnelc_pidfile (str):        Default "/var/tmp/stunnel/stunnel-client.pid"
#                               Set it to the value of 'pid' in
#                               the stunnel.conf file.
#

. /etc/rc.subr

name="stunnelc"
rcvar=`set_rcvar`

load_rc_config $name

: ${stunnelc_enable="NO"}
: ${stunnelc_config="/usr/local/etc/stunnel/stunnel-client.conf"}
: ${stunnelc_pidfile="/var/tmp/stunnel/stunnel-client.pid"}
procname="/usr/local/bin/stunnel"
command="/usr/local/bin/stunnel"
command_args=${stunnelc_config}
pidfile=${stunnelc_pidfile}

required_files="${stunnelc_config}"

run_rc_command "$1"

4) glusterfs vol configuration
In this setup, glusterfsd listens on lo0 (127.0.0.1) port 6996 and the stunnel server listens on em0 (the net-facing NIC) port 8996. The stunnel client, on the other hand, listens on 127.0.0.1 port 7996 and forwards to the remote host on port 8996. The glusterfs client mounts the volumes on 127.0.0.1 port 6996 (the local brick) and port 7996 (tunneled to port 8996 of the remote host). Refer to the configurations below:-

i) stunnel-server.conf.

[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996

ii) stunnel-client.conf.

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996

auth.login was used because auth.addr imposes a privileged-port ceiling of 1024 on the client's source port, which connections coming out of stunnel do not satisfy. The auth.login method does not care about the privileged-port ceiling.

Please refer to
http://www.gluster.org/docs/index.php/GlusterFS_Encrypted_network
http://www.gluster.org/docs/index.php/Translators_v2.0#auth.login

As I’m still working on the glusterfs 2.0 port, you can use the rc.d scripts that I have completed for glusterfs and glusterfsd.

APPENDIX

Configuration files on server1

I) /etc/rc.conf

fusefs_enable="YES"
glusterfsd_enable="YES"
glusterfs_enable="YES"
glusterfs_mount="/usr/home/www"
stunnel_enable="YES"
stunnel_config="/usr/local/etc/stunnel/stunnel-server.conf"
stunnel_pidfile="/var/tmp/stunnel/stunnel-server.pid"
stunnelc_enable="YES"
stunnelc_config="/usr/local/etc/stunnel/stunnel-client.conf"
stunnelc_pidfile="/var/tmp/stunnel/stunnel-client.pid"

II) Stunnel configuration for glusterfsd (/usr/local/etc/stunnel/stunnel-server.conf)

cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem

sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-server.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/ssl/cacert.pem

output = /var/log/stunnel.log

[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996

III) Stunnel configuration for glusterfs (/usr/local/etc/stunnel/stunnel-client.conf)

cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem

sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-client.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/ssl/cacert.pem
output = /var/log/stunnelc.log
client = yes

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996
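Two settings in these files deserve a second look today: sslVersion = SSLv3 (in both stunnel configs, and the matching ssl_protocols / ssl_ciphers lines of the nginx.conf in the web cluster post above), and the absence of a verify line in the client config. Per stunnel(8), without verify the peer certificate is not checked at all, so CAfile by itself does not stop a host answering as server2 with any certificate. The script below is an added example, not from the post: it audits constructed copies of those lines and shows hardened replacements. The replacements assume a reasonably current nginx/OpenSSL for TLSv1.2/1.3 and a stunnel build that accepts sslVersion = TLSv1.2.

```shell
# Added example, not from the post: audit the TLS settings of the nginx.conf
# and stunnel configs above (constructed copies of the relevant lines) and
# show hardened replacements. Flags SSLv2/SSLv3/TLSv1.0, weak cipher classes,
# and a stunnel client section without "verify" (server cert not checked).

# nginx_tls_findings CONFIG_TEXT: print one line per weak setting found
nginx_tls_findings() {
    printf '%s\n' "$1" | awk '
        $1 == "ssl_protocols" {
            bad = ""
            for (i = 2; i <= NF; i++) {
                tok = $i; sub(/;$/, "", tok)
                if (tok ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) bad = bad " " tok
            }
            if (bad != "") print "ssl_protocols enables" bad
        }
        $1 == "ssl_ciphers" {
            bad = ""
            n = split($2, t, /[:+;]/)            # "RC4+RSA" -> RC4, RSA
            for (i = 1; i <= n; i++) {
                if (t[i] == "" || substr(t[i], 1, 1) == "!") continue   # "!X" excludes X
                if (t[i] ~ /^(LOW|EXP|EXPORT[0-9]*|eNULL|aNULL|NULL|RC4|MD5|DES|ADH|SSLv2)$/)
                    bad = bad " " t[i]
            }
            if (bad != "") print "ssl_ciphers admits" bad
        }'
}

# stunnel_tls_findings CONFIG_TEXT: same idea for stunnel.conf syntax
stunnel_tls_findings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*;/ { next }
        $1 == "sslVersion" && $3 ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/ { print "sslVersion pins " $3 }
        $1 == "client" && $3 == "yes" { client = 1 }
        $1 == "verify" { verify = $3 + 0 }
        END { if (client && verify < 2)
                  print "client = yes without verify = 2: the server certificate is not checked" }'
}

# Constructed copies of the lines as posted, and hardened versions.
NGINX_TLS_AS_POSTED='ssl_protocols  SSLv2 SSLv3 TLSv1;
ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers   on;'

NGINX_TLS_HARDENED='ssl_protocols  TLSv1.2 TLSv1.3;
ssl_ciphers  HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers   on;'

STUNNEL_CLIENT_AS_POSTED='cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem
sslVersion = SSLv3
CAfile = /etc/ssl/cacert.pem
client = yes
[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996'

STUNNEL_CLIENT_HARDENED='cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem
sslVersion = TLSv1.2
CAfile = /etc/ssl/cacert.pem
; require a certificate from the server and check it against CAfile
verify = 2
client = yes
[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996'

nginx_tls_findings "$NGINX_TLS_AS_POSTED"
stunnel_tls_findings "$STUNNEL_CLIENT_AS_POSTED"
```

sslVersion has to change in the server and client files together or the tunnel will not negotiate. Run over the server config, the audit reports only the SSLv3 pin: the server side has no verify line either, so it does not require a client certificate, and the post relies on the glusterfs auth.login username/password for that.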

IV) Glusterfs client configuration (/usr/local/etc/glusterfs/glusterfs.vol)

volume remote1
  type protocol/client
  option transport-type tcp
  option remote-host 127.0.0.1
  option remote-port 6996
  option remote-subvolume brick
end-volume

volume remote2
  type protocol/client
  option transport-type tcp
  option remote-host 127.0.0.1
  option remote-port 7996
  option username yourusername
  option password yourpassword
  option remote-subvolume brick
end-volume

volume replicate
  type cluster/replicate
  subvolumes remote1 remote2
end-volume

volume writebehind
  type performance/write-behind
  option block-size 128KB
  option cache-size 1MB
  subvolumes replicate
end-volume

volume cache
  type performance/io-cache
  option cache-size 512MB
  subvolumes writebehind
end-volume

V) Glusterfs server configuration (/usr/local/etc/glusterfs/glusterfsd.vol)

volume posix
  type storage/posix
  option directory /usr/home/www-shared
end-volume

volume locks
  type features/locks
  subvolumes posix
end-volume

volume brick
  type performance/io-threads
  option thread-count 8
  subvolumes locks
end-volume

volume server
  type protocol/server
  option transport-type tcp
  option transport.socket.bind-address 127.0.0.1
  option auth.addr.brick.allow 127.0.0.1
  option auth.login.brick.allow yourusername
  option auth.login.yourusername.password yourpassword
  subvolumes brick
end-volume

Wednesday, April 15th, 2009

FreeBSD : php-cgi spawn-fcgi rc.d script for nginx

I was busy working on the glusterfs port for FreeBSD. There are still some issues to be ironed out before it can be submitted upstream. At the same time, I set up web servers running nginx with php5 via fastcgi. FreeBSD doesn’t have an rc.d script to trigger the spawn-fcgi process, so I wrote a quick one. Below is the script.

#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: spawnfcgi
# REQUIRE: DAEMON
# BEFORE:  nginx
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable spawnfcgi:
# spawnfcgi_enable (bool):    Set it to "YES" to enable spawnfcgi.
#                             Default is "NO".
# spawnfcgi_flags  (str):     Default is "-a 127.0.0.1 -p 8888 -u www -g www -f /usr/local/bin/php-cgi".
#

. /etc/rc.subr

name="spawnfcgi"
rcvar=${name}_enable

load_rc_config $name

spawnfcgi_enable=${spawnfcgi_enable:-"NO"}
spawnfcgi_flags=${spawnfcgi_flags:-"-a 127.0.0.1 -p 8888 -u www -g www -f /usr/local/bin/php-cgi"}
spawnfcgi_pidfile="/var/run/${name}.pid"
procname="/usr/local/bin/php-cgi"
pidfile=${spawnfcgi_pidfile}
command=/usr/local/bin/spawn-fcgi
command_args="${spawnfcgi_flags} -P ${spawnfcgi_pidfile}"

run_rc_command "$1"

Note: spawn-fcgi is part of lighttpd.

Just add spawnfcgi_enable="YES" to /etc/rc.conf to enable it. As this is just a simple script, not all options are covered. You can add or override options via spawnfcgi_flags. Do check the options available via /usr/local/bin/spawn-fcgi -h

For the nginx part, just add these lines to your server directive.

location ~ \.php$ {
    fastcgi_pass   127.0.0.1:8888;
    fastcgi_index  index.php;
    fastcgi_param   SCRIPT_FILENAME /path/to/the/phpscript/$fastcgi_script_name;
    include         fastcgi_params;
}

Friday, April 10th, 2009

FreeBSD : Inexpensive and simple swap encryption

It has been a while since I put up a post. Here is a short note on swap space encryption with the FreeBSD geom geli(8) class. This feature has been there for quite some time.

Enabling swapspace encryption with geli

Only two files need to be edited, /etc/fstab and /boot/loader.conf. Give your swap partition in /etc/fstab the suffix ".eli" (i.e. ad1s1b.eli) and enable the geom_eli kernel module in /boot/loader.conf with geom_eli_load="YES". Your swap space will be encrypted on the next reboot.

Alternatively, you can enable it without a reboot with the steps below.

# swapoff /dev/ad0s1b

# kldload geom_eli

# geli onetime -e blowfish -l 128 -s 4096 -d ad0s1b

# swapon /dev/ad0s1b.eli

Note : refer to the geli(8) manpage for more algorithm options. I used blowfish in the above example.

Verifying that swap space encryption is enabled

# dmesg | grep GEOM_ELI

GEOM_ELI: Device ad0s1b.eli created.
GEOM_ELI: Encryption: Blowfish-CBC 128
GEOM_ELI: Crypto: software

# geli list
Geom name: ad0s1b.eli
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 128
Crypto: software
Flags: ONETIME, W-DETACH, W-OPEN
Providers:
1. Name: ad0s1b.eli
Mediasize: 2147483648 (2.0G)
Sectorsize: 4096
Mode: r1w1e0
Consumers:
1. Name: ad0s1b
Mediasize: 2147483648 (2.0G)
Sectorsize: 512
Mode: r1w1e1

Back in 2003, I used OpenBSD’s sysctl -w vm.swapencrypt.enable=1 or vm.swapencrypt.enable=1 in /etc/sysctl.conf for swap space encryption, and this is the default since OpenBSD 4.3. Compared to the FreeBSD implementation, OpenBSD’s method is simpler. However, FreeBSD’s geom geli(8) and gbde(8) offer more than just swap space encryption: they give the capability to encrypt disk partitions.

More info can be found in the excellent FreeBSD handbook.

http://www.freebsd.org/doc/en/books/handbook/swap-encrypting.html

My usage has not reached the level that requires high confidentiality on storage. Perhaps I will do an encrypted file system on my portable harddisk for porns next time. :-P

Wednesday, July 30th, 2008

FreeBSD : mod_security2 broken?

I walked through routine maintenance of one of the FreeBSD boxes, which was running as a reverse proxy (Apache httpd + mod_security2 + mod_proxy) for OWA in my office. Everything went smoothly. But when it came to restarting services, apache started to complain of an unresolved symbol!

Cannot load /usr/local/libexec/apache22/mod_security2.so into server: /usr/local/libexec/apache22/mod_security2.so: undefined symbol: xmlFree

I reinstalled apache22, libxml2 and mod_security2 from ports. Nothing unusual was sighted. Asking our friend Google didn’t provide much information. The latest that I managed to dig out was from 2005 and 2006. Some dudes had the same issue as me.

Anyhow, I’m pretty convinced it is a bug in mod_security2-2.1.7_1 in FreeBSD’s ports. Here is a quick workaround: just add the lines below to your Apache httpd.conf and the error message will go away!

LoadFile /usr/local/lib/libxml2.so
LoadModule security2_module libexec/apache22/mod_security2.so

Tuesday, April 29th, 2008

Pound SSL with CA certificate

Here’s a note with easy steps to get pound running with SSL signed by a CA.

Generating a Certificate Signing Request (from the existing private key host.key)
# cd /etc/ssl
# openssl req -new -nodes -subj '/C=MY/ST=Wilayah Persekutuan/L=Kuala Lumpur/CN=myshinny.webserver.com/O=My office./OU=IT department.' -key host.key -out host.csr

After generating the certificate signing request, you need to copy and paste the content of host.csr to Verisign for signing. Once your certificate has been signed, save it as host.crt. Note: the naming convention here is for the demonstration below.

Obtaining Verisign intermediate CA certificate
Depending on which type of certificate you purchased, you can obtain the Verisign intermediate CA certificate from this page. Copy the certificate content and save it as verisign.pem.

Now you have 4 files: host.key, host.csr, host.crt and verisign.pem. Only 3 of them are needed for pound SSL. Prepare the certificate to use with pound. Note: in the server.pem that will be created, it is important that you follow this sequence.

1 Your key
2 Your certificate
3 CA certificate

# cat host.key host.crt verisign.pem > server.pem

Example pound configuration, pound.cfg:-

---snip---
ListenHTTPS
        Address x.x.x.x
        Port    443
        HeadRemove "X-SSL-.*"
        HeadRemove "X-Client-Verify.*"
        Cert    "/etc/ssl/server.pem"
        CAlist "/etc/ssl/verisign.pem"
        Ciphers "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
---snip---

End

Replace x.x.x.x with your server IP address. Restart pound and you are done!
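Because server.pem is built by plain concatenation, nothing tells you if the pieces ended up in the wrong order or if the file (which now contains the private key) is readable by everyone. The script below is an added example, not from the post: it checks the block order pound expects and the file mode. The PEM bodies are constructed placeholders, not real key material; the cat command is the one from the post, run under a restrictive umask.

```shell
# Added example, not from the post: check that a pound server.pem bundle has
# key, host certificate, then CA certificate in that order, and that the file
# is not group/world readable since it holds the private key. The PEM bodies
# below are constructed placeholders.

# pem_block_order FILE: print the BEGIN labels of FILE, comma separated, in order
pem_block_order() {
    awk '/^-----BEGIN / { l = $0; sub(/^-----BEGIN /, "", l); sub(/-----$/, "", l)
                          s = s (s == "" ? "" : ",") l }
         END { print s }' "$1"
}

# pem_bundle_check FILE: print "ok", "bad-order" or "bad-mode"
pem_bundle_check() {
    _order=$(pem_block_order "$1")
    case $_order in
        "RSA PRIVATE KEY,CERTIFICATE,CERTIFICATE"*|"PRIVATE KEY,CERTIFICATE,CERTIFICATE"*|"EC PRIVATE KEY,CERTIFICATE,CERTIFICATE"*) ;;
        *) echo bad-order; return 0 ;;
    esac
    # mode string from ls -l looks like -rw-------; group/other must have nothing
    _mode=$(ls -l "$1" | cut -c1-10)
    case $_mode in
        ????------) echo ok ;;
        *) echo bad-mode ;;
    esac
}

PEM_DIR=$(mktemp -d)
trap 'rm -rf "$PEM_DIR"' EXIT
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-KEY-BODY' '-----END RSA PRIVATE KEY-----' > "$PEM_DIR/host.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-HOST-CERT' '-----END CERTIFICATE-----' > "$PEM_DIR/host.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA-CERT' '-----END CERTIFICATE-----' > "$PEM_DIR/verisign.pem"

# the post's command, under umask 077 so the bundle is created mode 0600
( umask 077; cat "$PEM_DIR/host.key" "$PEM_DIR/host.crt" "$PEM_DIR/verisign.pem" > "$PEM_DIR/server.pem" )
# the same parts in the wrong order, for comparison
( umask 077; cat "$PEM_DIR/host.crt" "$PEM_DIR/host.key" "$PEM_DIR/verisign.pem" > "$PEM_DIR/wrong.pem" )

pem_block_order "$PEM_DIR/server.pem"    # RSA PRIVATE KEY,CERTIFICATE,CERTIFICATE
pem_bundle_check "$PEM_DIR/server.pem"   # ok
pem_bundle_check "$PEM_DIR/wrong.pem"    # bad-order
```

One more thing worth checking in the pound.cfg above while you are at it: the Ciphers string ends with +eNULL, which admits cipher suites that do no encryption at all; dropping that suffix costs nothing.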

Wednesday, March 5th, 2008

Debian : ssl-cert 1.0.15 chroot issue (ugly workaround)

In my previous post, I encountered a problem with ssl-cert in a chrooted environment. Installing ssl-cert via apt-get triggered these processes.

root 27799 0.0 0.4 4676 2256 pts/2 Ss+ 04:33 0:00 /usr/bin/dpkg --status-fd 13 --configure ssl-cert
root 27800 0.4 1.3 10016 7132 pts/2 S+ 04:33 0:00 /usr/bin/perl -w /usr/share/debconf/frontend /var/lib/dpkg/info/ssl-cert.postinst configure
root 27806 0.0 0.2 3804 1192 pts/2 S+ 04:33 0:00 /bin/sh -e /var/lib/dpkg/info/ssl-cert.postinst configure
root 27808 0.0 0.2 3820 1280 pts/2 S+ 04:33 0:00 /bin/bash -e /usr/sbin/make-ssl-cert generate-default-snakeoil
root 27812 0.0 0.2 3780 1448 pts/2 S+ 04:33 0:00 openssl req -config /tmp/tmp.OXerK27810 -new -x509 -days 3650 -nodes -out /etc/ssl/certs/ssl-cert-snakeoil.pem -keyout /etc/ssl/private/ssl-cert-snakeoil.key

Further investigation showed that process 27812 was stuck. Running the openssl command manually brings up:

27830:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 5

The error message is exactly the same as what Michael Prokop found.

The content of /tmp/tmp.OXerK27810 is:

#
# SSLeay example configuration file.
#

RANDFILE = $ENV::RANDFILE

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything

[ req_distinguished_name ]
commonName = myshinnybox

DIRTY SOLUTION
As I’m only interested in getting packages such as Postfix, PostgreSQL and Apache mod SSL to install, I killed the “apt-get install ssl-cert” process, fired up vi and removed the line RANDFILE = $ENV::RANDFILE from /tmp/tmp.OXerK27810.


# openssl req -config /tmp/tmp.OXerK27810 -new -x509 -days 3650 -nodes -out /etc/ssl/certs/ssl-cert-snakeoil.pem -keyout /etc/ssl/private/ssl-cert-snakeoil.key
Generating a 1024 bit RSA private key
................................................++++++
.......++++++
writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
-----
# apt-get install ssl-cert
Reading package lists... Done
Building dependency tree
Reading state information... Done
ssl-cert is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Setting up ssl-cert (1.0.15) ...
#

I don’t understand why the package ssl-cert exists in the first place when users can just use the “openssl” command to generate an ssl certificate. Making the situation worse, ssl-cert was added as a dependency of many packages. Duh! In addition, chroot seems to be buggy under Linux.

Wednesday, February 20th, 2008

FreeBSD : Compaq Presario V3417AU (Broadcom WIFI)

In my previous post, FreeBSD : Compaq Presario V3417AU, I could not get the Broadcom wifi running with FreeBSD 7. Luckily, just before the Chinese New Year, I managed to get it working again. It’s timely for the CNY break. Sweet!!!!! :D

Project Evil

# fetch ftp://ftp.hp.com/pub/softpaq/sp34001-34500/sp34152.exe
# cabextract -F 'bcmwl5*' sp34152.exe
# ndisgen bcmwl5.inf bcmwl5.sys
# cp bcmwl5_sys.ko /boot/modules/
# kldxref /boot/modules
# kldload bcmwl5_sys

Using ndis0 with wpa_supplicant

Set up /etc/wpa_supplicant.conf with your WIFI network information (the example below is a WEP-protected WLAN with DHCP enabled). You may start wpa_supplicant automatically by setting ifconfig_ndis0="WPA mywifi DHCP" in /etc/rc.conf. To initialise it, run /etc/rc.d/netif start ndis0

Additional configurations

i) /boot/loader.conf

if_ndis_load="YES"
bcmwl5_sys_load="YES"
wlan_scan_sta_load="YES"
wlan_scan_ap_load="YES"
wlan_wep_load="YES"
wlan_ccmp_load="YES"
wlan_tkip_load="YES"
wlan_xauth_load="YES"
wlan_acl_load="YES"

ii) /etc/rc.conf

ifconfig_ndis0="WPA mywifi DHCP"

iii) /etc/wpa_supplicant.conf

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=1
network={
ssid="mywifi"
scan_ssid=1
key_mgmt=NONE
wep_tx_keyidx=1
wep_key1=your_104bit_wep_key
}

Thursday, February 14th, 2008