<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 2015-02-28 20:25, Glenn Plas wrote :<br>
</div>
<blockquote cite="mid:54F2162F.9010901@byte-consult.be" type="cite">
<pre wrap="">Hey Andre,
localhost or 127.0.0.1 is ipv4 , why is your netstat only showing ipv6
ports ?
Glenn</pre>
</blockquote>
Excellent question !<br>
I know IPV6 since almost 20 years but I've never seen a V6
connection before this <span class="moz-smiley-s3"><span> ;-) </span></span><br>
And just a few weeks ago, I saw this in an e-mail:<br>
Received: from ?IPv6:::1? ([2a02:2788:4c4:111:4d35:ec63:fb5:b1a4])<br>
meaning that an acquaintance sent an e-mail to a Google server on
ipv6.<br>
<br>
Well, there is a mapping of ipv4 addresses to ipv6.<br>
For example, 127.0.0.1 is 0:0:0:0:0:ffff:7f00:1.<br>
And I conclude that when netstat finds an address in that range it
displays it as v4.<br>
It's more readable indeed, like old bank accounts.<br>
<br>
That mapping has important consequences.<br>
It means that a host (Internet user) needs not to have an ipv6
address to use ipv6.<br>
The only requirement is that routers use the ipv4 routing table to
route mapped addresses.<br>
I use just an ipv4 address and a bbox2.<br>
If the bbox2 were routing that way, and doing NAT v6, the other
routers probably do too,<br>
and I could also send most of the packets with ipv7 and do tests.<br>
Alas, with <strike>Belgamus</strike> Proxicom you need a bbox3 and
you get both ipv4+ipv6 addresses.<br>
<br>
Cheers
<br>
<br>
<table>
<tbody>
<tr>
<td>André.</td>
</tr>
</tbody>
</table>
<br>
<blockquote cite="mid:54F2162F.9010901@byte-consult.be" type="cite">
<pre wrap="">On 28-02-15 19:41, André Pirard wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 2015-02-28 17:58, Jo wrote :
</pre>
<blockquote type="cite">
<pre wrap="">It makes a connection to the website of openstreetmap and sends your
password over it. If you do that over http, all the routers in the
middle can simply see your password. Is that a big deal? Not in
itself, until somebody starts to 'impersonate' you. Making uploads
that weren't yours in your name.
Jo
</pre>
</blockquote>
<pre wrap="">I suppose you reply to me (1).
The "HTTPS support in the Remote Control preferences" controls Remote
Control which, usually, happens only inside the local computer, which is
obvious if you use local ports <a class="moz-txt-link-freetext" href="https://localhost:8112">https://localhost:8112</a> (or
<a class="moz-txt-link-freetext" href="http://localhost:8111">http://localhost:8111</a>) as in Glen's or Ruben's messages.
I showed 8111 in a previous message and I show it again in more detail,
just after a control:
$ netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp6 0 0 127.0.0.1:8111 :::*
LISTEN
tcp6 0 0 127.0.0.1:8111 127.0.0.1:56769
TIME_WAIT
You see JOSM LISTENing for control connections and the TCP connection
between JOSM 8111 and Firefox 56769 ports that has just been closed.
Convinced now?
Remote control could be to another computer as in wget
<a class="moz-txt-link-freetext" href="http://anotherhost:8111/">http://anotherhost:8111/</a>... but it's not what we are talking about here
and I don't think Firefox can be configured for that anyway.
The "connection to the website of openstreetmap" you speak of is
controlled by Edit>Preferences>Connection...>OSM Server URL:
If you use <a class="moz-txt-link-freetext" href="https://">https://</a>... there, you get SSL encryption between JOSM and
OSM.org,
if you use <a class="moz-txt-link-freetext" href="http://">http://</a>... you don't.
Cheers
André.
(1) and not to Glen or Ruben like in other messages. If we replied
inline on this mailing list we would know to whom and about what we're
writing.
</pre>
<blockquote type="cite">
<pre wrap="">2015-02-28 17:51 GMT+01:00 André Pirard <<a class="moz-txt-link-abbreviated" href="mailto:A.Pirard.Papou@gmail.com">A.Pirard.Papou@gmail.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:A.Pirard.Papou@gmail.com"><mailto:A.Pirard.Papou@gmail.com></a>>:
On 2015-02-28 16:57, Ruben Maes wrote :
</pre>
<blockquote type="cite">
<pre wrap=""> Maybe you can circumvent the issue by doing this:
Open JOSM and make sure you have Remote Control enabled. In Firefox,
go to this address: <a class="moz-txt-link-freetext" href="https://127.0.0.1:8112/">https://127.0.0.1:8112/</a>
You should get a warning screen saying "This Connection is Untrusted".
Click "I Understand the Risks" and press the "Add Exception..."
button.
A window pops up. (You can press "View" and inspect the certificate if
you like. Close the details window if you have done so.) Make sure
"Permanently store this exception" is checked and click "Confirm
Security Exception".
Now you should see a Bad Request error page because you haven't asked
JOSM to do anything ;)
This worked for me. The website still emits an alert that editing
failed, but JOSM loads the data.
Ruben
</pre>
</blockquote>
<pre wrap=""> That's only if HTTPS support is enabled in the Remote Control
preferences.
If it's not, my config, 8112 port -> unable to connect.
And I conclude that the alert I receive too may be because of
trying to use
closed port 8112 before using port 8111.
And my question is: why enable HTTPS if it causes problems?
It encrypts information that's stays in your computer, doesn't it?
Fearing that NSA would learn the locations you load via remote
control?
Cheers
André.
</pre>
<blockquote type="cite">
<pre wrap=""> 2015-02-27 9:20 GMT+01:00 Glenn Plas <a class="moz-txt-link-rfc2396E" href="mailto:glenn@byte-consult.be"><glenn@byte-consult.be></a> <a class="moz-txt-link-rfc2396E" href="mailto:glenn@byte-consult.be"><mailto:glenn@byte-consult.be></a>:
</pre>
<blockquote type="cite">
<pre wrap=""> StartSSL is a free certificate provider, and most probably firefox
doesn't have the intermediate certificate chain on board which means it
cannot verify.
That is probably the reason, although I do not see startSSL as the
certificate writer, I see rapidSSL instead. startSSL is not really a
great one to use actually for a site like this.
Apple products have the same problem with the latest GoDaddy certificates.
<a class="moz-txt-link-freetext" href="https://www.sslshopper.com/cheapest-ssl-certificates.html">https://www.sslshopper.com/cheapest-ssl-certificates.html</a>
You might want to try this in firefox:<a class="moz-txt-link-freetext" href="https://127.0.0.1:8112/">https://127.0.0.1:8112/</a>
<a class="moz-txt-link-freetext" href="https://www.sslshopper.com/ssl-checker.html#hostname=https://www.openstreetmap.org">https://www.sslshopper.com/ssl-checker.html#hostname=https://www.openstreetmap.org</a>
And see if it gives you a chain error or not. It will work in chrome,
but it depends on the browser.
If you don't get the all-green in firefox, you just need to assemble a
chain file with the missing intermediate certificates so the browser can
validate.
Note, this heavily depends on firefox (/browser) version, I see in my FF
that it loads the intermediates fine:
Common name: RapidSSL CA
Organization: GeoTrust, Inc.
Location: US
Valid from February 19, 2010 to February 18, 2020
Serial Number: 145105 (0x236d1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: GeoTrust Global CA
Common name: GeoTrust Global CA
Organization: GeoTrust Inc.
Location: US
Valid from May 20, 2002 to August 20, 2018
Serial Number: 1227750 (0x12bbe6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: Equifax
Glenn
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">
_______________________________________________
Talk-be mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Talk-be@openstreetmap.org">Talk-be@openstreetmap.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openstreetmap.org/listinfo/talk-be">https://lists.openstreetmap.org/listinfo/talk-be</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
</body>
</html>