Re: [gentoo-user] Questions about CPU settings in kernel and USE
> On Sat, Apr 19, 2014 at 12:12:46AM +0400, Andrew Savchenko wrote
>> I'd like to recommend you this kernel gcc patch which enables -march=native support for kernel compilation: https://github.com/graysky2/kernel_gcc_patch
>> Just select native and you will get both best performance and one less headache.
>
> I've been using -march=native for years. Is there any circumstance, other than a really old gcc, where it doesn't work?

Thank you Andrew, I didn't know about this patch.

Walter, the kernel uses its own CFLAGS defined in the makefiles. This patch adds some more options including native.

Regards,
Dragostin Yanev
Re: [gentoo-user] Questions about CPU settings in kernel and USE
On 18.04.2014 22:12, Andrew Savchenko wrote:
> On Mon, 14 Apr 2014 22:11:05 -0400 Walter Dnes wrote:
>> I'm (re)installing Gentoo on an older AMD notebook. The output from less /proc/cpuinfo includes...
>>
>> processor : 1
>> vendor_id : AuthenticAMD
>> cpu family : 16
>> model : 6
>> model name : AMD Athlon(tm) II P320 Dual-Core Processor
>> stepping : 3
>> microcode : 0x1b6
>> cpu MHz : 2100.000
>> cache size : 512 KB
>> physical id : 0
>> siblings : 2
>> core id : 1
>> cpu cores : 2
>> apicid : 1
>> initial apicid : 1
>> fpu : yes
>> fpu_exception : yes
>> cpuid level : 5
>> wp : yes
>> flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc rep_good nopl nonstop_tsc extd_apicid pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a 3dnowprefetch osvw ibs skinit wdt nodeid_msr hw_pstate npt lbrv svm_lock nrip_save
>> bogomips : 4189.59
>> TLB size : 1024 4K pages
>>
>> Now for the questions
>>
>> * In make menuconfig, I'm not sure which of 2 CPU options to select in
>>   Processor type and features --- Processor family (*) --- ( ) Athlon/Duron/K7 ( ) Opteron/Athlon64/Hammer/K8
>
> I'd like to recommend you this kernel gcc patch which enables -march=native support for kernel compilation: https://github.com/graysky2/kernel_gcc_patch
> Just select native and you will get both best performance and one less headache.

or it creates code that is much slower or breaks in subtle and hard to catch ways. The kernel devs are very astute when it comes to gcc options - I wouldn't screw around with them. If an app is crashy, disturbing but not a big problem. If the kernel decides to write the wrong stuff all over a partition boundary you are screwed.

> Best regards,
> Andrew Savchenko
Re: [gentoo-user] Strange behaviour with LILO on new install on old laptop
On Sat, Apr 19, 2014 at 01:09:25AM -0400, cov...@ccs.covici.com wrote
> I don't let the ebuild muck with lilo.conf, I edit it myself, so the root is no problem -- it's an initrd anyway.

I don't understand. The ebuild doesn't look at lilo.conf, rather, it tries to guess the root partition, and fails miserably from the chroot.

--
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
Re: [gentoo-user] Strange behaviour with LILO on new install on old laptop
Walter Dnes waltd...@waltdnes.org wrote:
> On Sat, Apr 19, 2014 at 01:09:25AM -0400, cov...@ccs.covici.com wrote
>> I don't let the ebuild muck with lilo.conf, I edit it myself, so the root is no problem -- it's an initrd anyway.
>
> I don't understand. The ebuild doesn't look at lilo.conf, rather, it tries to guess the root partition, and fails miserably from the chroot.
>
> --
> Walter Dnes waltd...@waltdnes.org
> I don't run desktop environments; I run useful applications

I don't let the ebuild build my lilo.conf at all, I build it myself, it never runs dolilo.

--
Your life is like a penny. You're going to lose it. The question is: How do you spend it?
John Covici cov...@ccs.covici.com
[gentoo-user] Output of mount and cat /etc/mtab inside install chroot?
I've got another thread going called... "Strange behaviour with LILO on new install on old laptop". Before I file a bug report, I want to check first whether it's my fault. Can people here do me a favour? If you have a Gentoo install CD or USB key handy, and are willing to reboot, can you please do the following...

1) boot from the install ISO
2) chroot to a running environment
3) list the output from the 2 commands

   mount
   cat /etc/mtab

I'm getting absolutely no output at all from those 2 commands in the install chroot. That screws up the lilo ebuild install process. I want to check whether blank /etc/mtab is my fault or not.

--
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Thursday 17 Apr 2014 19:43:25 Matti Nykyri wrote:
> On Thu, Apr 17, 2014 at 04:49:45PM +0100, Mick wrote:
>> Can you please share how you create ECDHE_ECDSA with openssl ecparam, or ping a URL if that is more convenient?
>
> Select curve for ECDSA:
>
> openssl ecparam -out ec_param.pem -name secp521r1

[snip ...]

I don't know much about the secp521r1 curve or about its security.

[snip ...]

It seems that many sites that use ECDHE with various CA signature algorithms (ECC as well as conventional symmetric) use the secp521r1 curve - aka P-256. I just checked and gmail/google accounts use it too. Markus showed secp384r1 (P-384) in his example.

The thing is guys that both of these are shown as 'unsafe' in the http://safecurves.cr.yp.to tables and are of course specified by NIST and NSA.

Thank you both for your replies. I need to read a bit more into all this before I settle on a curve.

--
Regards,
Mick
Re: [gentoo-user] Questions about CPU settings in kernel and USE
> On 18.04.2014 22:12, Andrew Savchenko wrote:
>> On Mon, 14 Apr 2014 22:11:05 -0400 Walter Dnes wrote:
>>> I'm (re)installing Gentoo on an older AMD notebook. The output from less /proc/cpuinfo includes...
>>>
>>> processor : 1
>>> vendor_id : AuthenticAMD
>>> cpu family : 16
>>> model : 6
>>> model name : AMD Athlon(tm) II P320 Dual-Core Processor
>>> stepping : 3
>>> microcode : 0x1b6
>>> cpu MHz : 2100.000
>>> cache size : 512 KB
>>> physical id : 0
>>> siblings : 2
>>> core id : 1
>>> cpu cores : 2
>>> apicid : 1
>>> initial apicid : 1
>>> fpu : yes
>>> fpu_exception : yes
>>> cpuid level : 5
>>> wp : yes
>>> flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc rep_good nopl nonstop_tsc extd_apicid pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a 3dnowprefetch osvw ibs skinit wdt nodeid_msr hw_pstate npt lbrv svm_lock nrip_save
>>> bogomips : 4189.59
>>> TLB size : 1024 4K pages
>>>
>>> Now for the questions
>>>
>>> * In make menuconfig, I'm not sure which of 2 CPU options to select in
>>>   Processor type and features --- Processor family (*) --- ( ) Athlon/Duron/K7 ( ) Opteron/Athlon64/Hammer/K8
>>
>> I'd like to recommend you this kernel gcc patch which enables -march=native support for kernel compilation: https://github.com/graysky2/kernel_gcc_patch
>> Just select native and you will get both best performance and one less headache.
>
> or it creates code that is much slower or breaks in subtle and hard to catch ways. The kernel devs are very astute when it comes to gcc options - I wouldn't screw around with them. If an app is crashy, disturbing but not a big problem. If the kernel decides to write the wrong stuff all over a partition boundary you are screwed.
>
>> Best regards,
>> Andrew Savchenko

Hi Volker Armin Hemmann,

Have you encountered -march=native related bugs? I haven't had any problems on mainstream amd/intel cpus.

With regards to the kernel I would expect more problems from an aggressive -O flag than that of -march since -march just indicates the instruction set the compiler can use. That being said if the goal is stability I wouldn't be applying unofficial patches.

Regards,
Dragostin Yanev
[gentoo-user] Re: Allow delay for booting from USB device?
Thanks to Joost Roeleveld and Brian Hesdorfer for helpful answers. Even before getting the new email, I googled on linux boot root delay and found the answer where previous Google search failed to yield results. That was an old Linux, Slackware 13.0 with kernel 2.6.29.6 where I remember trying to get started with Gentoo but the kernel I built, compile time 130 minutes, failed to boot. It still took many attempts before I was successful with the boot. No Internet access because the kernel is too old and the Ethernet too new. Tom
Re: [gentoo-user] Output of mount and cat /etc/mtab inside install chroot?
On Sat, Apr 19, 2014 at 7:43 AM, Walter Dnes waltd...@waltdnes.org wrote:
> I've got another thread going called... "Strange behaviour with LILO on new install on old laptop". Before I file a bug report, I want to check first whether it's my fault. Can people here do me a favour? If you have a Gentoo install CD or USB key handy, and are willing to reboot, can you please do the following...
>
> 1) boot from the install ISO
> 2) chroot to a running environment
> 3) list the output from the 2 commands
>
>    mount
>    cat /etc/mtab
>
> I'm getting absolutely no output at all from those 2 commands in the install chroot. That screws up the lilo ebuild install process. I want to check whether blank /etc/mtab is my fault or not.

Are you mounting a proc filesystem within the to-be-chrooted filesystem before chrooting?
Re: [gentoo-user] Output of mount and cat /etc/mtab inside install chroot?
On Saturday 19 Apr 2014 07:43:18 Walter Dnes wrote:
> I've got another thread going called... "Strange behaviour with LILO on new install on old laptop". Before I file a bug report, I want to check first whether it's my fault. Can people here do me a favour? If you have a Gentoo install CD or USB key handy, and are willing to reboot, can you please do the following...
>
> 1) boot from the install ISO
> 2) chroot to a running environment
> 3) list the output from the 2 commands
>
>    mount
>    cat /etc/mtab
>
> I'm getting absolutely no output at all from those 2 commands in the install chroot. That screws up the lilo ebuild install process. I want to check whether blank /etc/mtab is my fault or not.

The installation handbook used to include a command to write /etc/mtab in the chroot by grepping the host mtab, but it's been removed and I haven't been able to find it. Meanwhile, I think it's standard behaviour for mtab not to be populated during the installation process. So I'd also be interested to hear from anyone who knows what mtab should contain.

--
Regards
Peter
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On 19.04.2014 13:51, Mick wrote:
> On Thursday 17 Apr 2014 19:43:25 Matti Nykyri wrote:
>> On Thu, Apr 17, 2014 at 04:49:45PM +0100, Mick wrote:
>>> Can you please share how you create ECDHE_ECDSA with openssl ecparam, or ping a URL if that is more convenient?
>>
>> Select curve for ECDSA:
>>
>> openssl ecparam -out ec_param.pem -name secp521r1
>
> [snip ...]
>
> I don't know much about the secp521r1 curve or about its security.
>
> [snip ...]
>
> It seems that many sites that use ECDHE with various CA signature algorithms (ECC as well as conventional symmetric) use the secp521r1 curve - aka P-256. I just checked and gmail/google accounts use it too. Markus showed secp384r1 (P-384) in his example.
>
> The thing is guys that both of these are shown as 'unsafe' in the http://safecurves.cr.yp.to tables and are of course specified by NIST and NSA.
>
> Thank you both for your replies. I need to read a bit more into all this before I settle on a curve.

1.) secp521r1 is *not* P-256

2.) I used secp384r1 aka P-384 as it's defined by RFC 6460 while secp521r1 is not, and all TLS1.2 implementations implement secp256r1 and secp384r1 as defined in RFC 6460, while secp521r1 is implemented only by some. So better to be RFC compliant and reach all possible users/customers than to violate the RFC and lose possible users/customers. https://tools.ietf.org/html/rfc6460

3.) Even the people behind http://safecurves.cr.yp.to have no proof that secp[256|384|521]r1 are insecure, they just don't trust the NIST. So that list is mostly useless and possibly untrue.

4.) ECC in certificates is not widely used and therefore also not extensively audited, so it might be less secure than SHA256+RSA, or may suffer from implementation failures like heartbeat did.

5.) ECDSA has the same problems I mentioned in 4, so it may be a bad idea to use it in production. Stick to ECDHE and as a fallback to DHE.

I use the following ciphers for my services:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

--
Kind Regards, Mit freundlichen Grüssen,
Markus Kohlmeyer
PGP: 0xEBDF5E55 / 2A22 1F71 AA70 1AD1 231B 0178 759F 407C EBDF 5E55
Re: [gentoo-user] Output of mount and cat /etc/mtab inside install chroot?
On Sat, Apr 19, 2014 at 8:54 PM, Peter Humphrey pe...@prh.myzen.co.uk wrote:
> On Saturday 19 Apr 2014 07:43:18 Walter Dnes wrote:
>> I've got another thread going called... "Strange behaviour with LILO on new install on old laptop". Before I file a bug report, I want to check first whether it's my fault. Can people here do me a favour? If you have a Gentoo install CD or USB key handy, and are willing to reboot, can you please do the following...
>>
>> 1) boot from the install ISO
>> 2) chroot to a running environment
>> 3) list the output from the 2 commands
>>
>>    mount
>>    cat /etc/mtab
>>
>> I'm getting absolutely no output at all from those 2 commands in the install chroot. That screws up the lilo ebuild install process. I want to check whether blank /etc/mtab is my fault or not.
>
> The installation handbook used to include a command to write /etc/mtab in the chroot by grepping the host mtab, but it's been removed and I haven't been able to find it. Meanwhile, I think it's standard behaviour for mtab not to be populated during the installation process. So I'd also be interested to hear from anyone who knows what mtab should contain.

/etc/mtab is practically outdated. It's supposed to contain the list of currently mounted filesystems and the corresponding options, to be updated by the mount command when doing changes. You'll notice, of course, that this doesn't at all sound anything like most of the files in /etc - that's because the list of filesystems in a modern Linux changes a lot more frequently than the original Unixes. Instead of a config file, /etc/mtab essentially holds system state, which is something that is more appropriate for /var or /proc or /sys.

And that's what /etc/mtab today should contain. Linux automatically updates /proc/self/mounts to hold what /etc/mtab used to hold, and a modern /etc/mtab should essentially just be a symlink to that. But of course, legacy.

So the mount command will fail to function properly if you are, for example, in a read-only filesystem, or in a chroot, or otherwise in some situation where /etc/mtab was not updated by the mount command to match the contents of /proc/self/mounts.

--
This email is:    [ ] actionable   [x] fyi        [ ] social
Response needed:  [ ] yes          [x] up to you  [ ] no
Time-sensitive:   [ ] immediate    [ ] soon       [x] none
Re: [gentoo-user] Output of mount and cat /etc/mtab inside install chroot?
On Sat, Apr 19, 2014 at 8:54 AM, Peter Humphrey pe...@prh.myzen.co.uk wrote:
> On Saturday 19 Apr 2014 07:43:18 Walter Dnes wrote:
>> I've got another thread going called... "Strange behaviour with LILO on new install on old laptop". Before I file a bug report, I want to check first whether it's my fault. Can people here do me a favour? If you have a Gentoo install CD or USB key handy, and are willing to reboot, can you please do the following...
>>
>> 1) boot from the install ISO
>> 2) chroot to a running environment
>> 3) list the output from the 2 commands
>>
>>    mount
>>    cat /etc/mtab
>>
>> I'm getting absolutely no output at all from those 2 commands in the install chroot. That screws up the lilo ebuild install process. I want to check whether blank /etc/mtab is my fault or not.
>
> The installation handbook used to include a command to write /etc/mtab in the chroot by grepping the host mtab, but it's been removed and I haven't been able to find it. Meanwhile, I think it's standard behaviour for mtab not to be populated during the installation process. So I'd also be interested to hear from anyone who knows what mtab should contain.

I symlink /proc/self/mounts to /etc/mtab. But the handbook has:

grep -v rootfs /proc/mounts > /etc/mtab
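The two replies above give the whole diagnosis: inside the install chroot, `mount` reads /etc/mtab, which is empty unless /proc is mounted into the chroot and /etc/mtab points at /proc/self/mounts. The script below is an added example, not something posted in the thread, that checks both conditions for a chroot tree given as an argument (so it can be run against the real /mnt/gentoo or against a scratch directory). The function name and the messages are constructed for this illustration; the two remedies it prints are the handbook's `mount -t proc` step and the symlink suggested above.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why `mount` prints nothing in
# an install chroot. ROOT is the directory you are about to chroot into.
# check_chroot_mounts is a hypothetical helper written for this illustration.

# check_chroot_mounts ROOT: report the state of ROOT/proc and ROOT/etc/mtab.
# Returns 0 when mtab would be usable inside the chroot, 1 otherwise.
check_chroot_mounts() {
    root=${1%/}
    status=0

    # Without /proc mounted into the chroot, /proc/self/mounts does not exist
    # there, so a symlinked mtab would dangle.
    if [ -e "$root/proc/self/mounts" ]; then
        echo "ok:   $root/proc is mounted"
    else
        echo "FAIL: $root/proc is not mounted (mount -t proc proc $root/proc)"
        status=1
    fi

    mtab="$root/etc/mtab"
    if [ -L "$mtab" ]; then
        target=$(readlink "$mtab")
        case "$target" in
            /proc/self/mounts|/proc/mounts|../proc/self/mounts|../proc/mounts)
                echo "ok:   $mtab -> $target" ;;
            *)
                echo "FAIL: $mtab points at unexpected target $target"
                status=1 ;;
        esac
    elif [ -s "$mtab" ]; then
        # Legacy regular file: works until the mount table changes.
        echo "warn: $mtab is a regular file; it goes stale when mounts change"
    else
        echo "FAIL: $mtab is empty or missing (ln -sf /proc/self/mounts $mtab)"
        status=1
    fi
    return "$status"
}

# Stand-alone use: check_chroot_mounts /mnt/gentoo
```

Run it from the host before `chroot /mnt/gentoo`; a clean result means the lilo ebuild's root-device guess will at least see a populated mount table, which is the failure Walter describes.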
[gentoo-user] xdriinfo: libGL is too old
Hi,

in search of the reason for the overlay problem reported previously I came across this:

solfire:/home/user> sudo xdriinfo
libGL is too old.
[1]    23732 exit 1     sudo xdriinfo
solfire:/home/user>

and

solfire:/home/user> l /usr/lib64/libGL.so
lrwxrwxrwx 1 root root 33 2014-04-19 11:23 /usr/lib64/libGL.so -> opengl/nvidia/lib/libGL.so.337.12

Why is libGL too old if installed today (xdriinfo was recompiled after installation of the nvidia-drivers...)?

Best regards,
mcc
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Mick wrote:
> Encryption still works, at least for some attackers. The fact that burglars can pick locks doesn't mean that you should leave your door unlocked.
>
> FWIW I just checked my bank's website encryption ... they *still* use RC4!!! O_O I guess they are keen to make sure all these customers with WinXP and MSIE 7.0 can still login? For crying out loud!
>
> It seems that RSA's days may be numbered and elliptic curve cryptography would be the way forward, not because of resource constrained mobile devices, but also because of recent advances in crypto-analytics which may make RSA obsolete:
> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/

How does one find out what their bank uses? I'd like to check on what mine uses. I have Seamonkey and Firefox installed here IF it matters.

Dale

:-)  :-)

--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Re: [gentoo-user] Re: Change EFI to BIOS Boot
On Sun, Apr 13, 2014 at 11:08 AM, Jonathan Callen jcal...@gentoo.org wrote:
> On 04/12/2014 08:19 AM, Tom H wrote:
>> You can have a gpt partition table with BIOS but if you want to boot from that disk, you need a bios_boot partition (which the OP has) for grub to embed a binary.
>
> Technically, I don't think you need a bios_boot partition if you leave enough space between the partition table and the first partition (I don't recall having a problem when my first partition started 2048 sectors (1MiB) into the disk).

You're correct if you're talking about an msdos-labelled disk with bios firmware, because with the first partition starting on 2048 as it does now rather than on 63 as it used to, the post-mbr gap will always be big enough for grub to embed core.img.

But on a gpt-labelled disk with bios firmware, there's a something mbr into which grub embeds boot.img but there's no post-mbr gap. So a bios_boot partition's needed in order to embed core.img (IIRC parted calls it grub_bios or bios_grub).
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 19, 2014, at 16:17, Joe User mailingli...@rootservice.org wrote:
> On 19.04.2014 13:51, Mick wrote:
>> On Thursday 17 Apr 2014 19:43:25 Matti Nykyri wrote:
>>> On Thu, Apr 17, 2014 at 04:49:45PM +0100, Mick wrote:
>>>> Can you please share how you create ECDHE_ECDSA with openssl ecparam, or ping a URL if that is more convenient?
>>>
>>> Select curve for ECDSA:
>>>
>>> openssl ecparam -out ec_param.pem -name secp521r1
>>
>> [snip ...]
>>
>> I don't know much about the secp521r1 curve or about its security.
>>
>> [snip ...]
>>
>> It seems that many sites that use ECDHE with various CA signature algorithms (ECC as well as conventional symmetric) use the secp521r1 curve - aka P-256. I just checked and gmail/google accounts use it too. Markus showed secp384r1 (P-384) in his example.
>>
>> The thing is guys that both of these are shown as 'unsafe' in the http://safecurves.cr.yp.to tables and are of course specified by NIST and NSA.
>>
>> Thank you both for your replies. I need to read a bit more into all this before I settle on a curve.
>
> 1.) secp521r1 is *not* P-256
>
> 2.) I used secp384r1 aka P-384 as it's defined by RFC 6460 while secp521r1 is not, and all TLS1.2 implementations implement secp256r1 and secp384r1 as defined in RFC 6460, while secp521r1 is implemented only by some. So better to be RFC compliant and reach all possible users/customers than to violate the RFC and lose possible users/customers. https://tools.ietf.org/html/rfc6460
>
> 3.) Even the people behind http://safecurves.cr.yp.to have no proof that secp[256|384|521]r1 are insecure, they just don't trust the NIST. So that list is mostly useless and possibly untrue.

Which of the safecurves are supported by openssl?

> 4.) ECC in certificates is not widely used and therefore also not extensively audited, so it might be less secure than SHA256+RSA, or may suffer from implementation failures like heartbeat did.
>
> 5.) ECDSA has the same problems I mentioned in 4, so it may be a bad idea to use it in production. Stick to ECDHE and as a fallback to DHE.
>
> I use the following ciphers for my services:
>
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

What program do you use to provide IMAP-SSL/TLS? I have not gotten ECDHE to work with courieropenssl. Anyways I fail to see any logic with courier-setup... Postfix and apache on the other hand are easy to setup to use the correct ciphers.

-Matti
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 19, 2014, at 18:29, Dale rdalek1...@gmail.com wrote:
> Mick wrote:
>> Encryption still works, at least for some attackers. The fact that burglars can pick locks doesn't mean that you should leave your door unlocked.
>>
>> FWIW I just checked my bank's website encryption ... they *still* use RC4!!! O_O I guess they are keen to make sure all these customers with WinXP and MSIE 7.0 can still login? For crying out loud!
>>
>> It seems that RSA's days may be numbered and elliptic curve cryptography would be the way forward, not because of resource constrained mobile devices, but also because of recent advances in crypto-analytics which may make RSA obsolete:
>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>
> How does one find out what their bank uses? I'd like to check on what mine uses. I have Seamonkey and Firefox installed here IF it matters.

Well you can use ssllabs.com. I use it for debugging. Here is what Bank of America uses:

https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on

-Matti
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Saturday 19 Apr 2014 16:29:34 Dale wrote:
> How does one find out what their bank uses? I'd like to check on what mine uses. I have Seamonkey and Firefox installed here IF it matters.

Some banks have reverted to RC4 to protect against TLS v1.0 attacks from the BEAST. I don't think that FF shows the algos used for key exchange and encryption in enough detail. You can see them if you use Chromium and click on the green padlock.

I use openssl s_client, e.g.:

openssl s_client -connect www.wellsfargo.com:443

and look for this info:

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA

--
Regards,
Mick
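Mick reads the `openssl s_client` summary by eye; the script below is an added example, not from the thread, that grades the same lines automatically so the check can be scripted across many hosts (for example a list of your own sites after a Heartbleed re-key). It looks at exactly the fields he names: the negotiated protocol and cipher from the SSL-Session block, the server key size, and the secure-renegotiation line. The function name is constructed, and the two sample transcripts are constructed from the output shown above rather than captured from a real server; feed it a live transcript with `openssl s_client -connect host:443 </dev/null 2>/dev/null | grade_s_client`.

```shell
#!/bin/sh
# Added example (not from the thread): grade the handshake summary that
# `openssl s_client -connect host:443` prints. grade_s_client is a
# hypothetical helper; SAMPLE_BANK and SAMPLE_GOOD are constructed transcripts.

# grade_s_client: reads an s_client transcript on stdin, prints one finding
# per line, returns 0 only when nothing weak was found.
grade_s_client() {
    transcript=$(cat)
    weak=0

    # Fields from the SSL-Session block ("    Protocol  : TLSv1", "    Cipher    : RC4-SHA")
    proto=$(printf '%s\n' "$transcript" \
        | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$transcript" \
        | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    bits=$(printf '%s\n' "$transcript" \
        | sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' | head -n 1)

    case "$proto" in
        SSLv2|SSLv3|TLSv1|TLSv1.1) echo "WEAK protocol: $proto"; weak=1 ;;
        "") echo "WEAK protocol: none negotiated"; weak=1 ;;
    esac
    case "$cipher" in
        *RC4*|*DES*|*NULL*|*EXP*|*MD5*) echo "WEAK cipher: $cipher"; weak=1 ;;
        "") echo "WEAK cipher: none negotiated"; weak=1 ;;
    esac
    # Forward secrecy: only (EC)DHE key exchange keeps old sessions safe after a key leak.
    case "$cipher" in
        ECDHE-*|DHE-*) ;;
        *) [ -n "$cipher" ] && echo "NOTE: $cipher has no forward secrecy" ;;
    esac
    if printf '%s\n' "$transcript" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo "WEAK: secure renegotiation (RFC 5746) not supported"; weak=1
    fi
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WEAK: server key only $bits bits"; weak=1
    fi
    [ "$weak" -eq 0 ] && echo "OK: $proto $cipher"
    return "$weak"
}

# Constructed transcript modelled on the RC4 bank session quoted above.
SAMPLE_BANK='New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA'

# Constructed transcript for a server offering the first suite in Markus's list.
SAMPLE_GOOD='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Stand-alone use:
#   printf '%s\n' "$SAMPLE_BANK" | grade_s_client
#   printf '%s\n' "$SAMPLE_GOOD" | grade_s_client
```

The grader deliberately treats "TLSv1 + RC4" as two separate findings: the BEAST workaround Mick mentions trades a CBC weakness in TLS 1.0 for a stream cipher with known biases, so the right fix is TLS 1.2 with an AEAD suite, not a choice between the two.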
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On 19.04.2014 17:38, Matti Nykyri wrote:
> On Apr 19, 2014, at 16:17, Joe User mailingli...@rootservice.org wrote:
>> On 19.04.2014 13:51, Mick wrote:
>>> On Thursday 17 Apr 2014 19:43:25 Matti Nykyri wrote:
>>>> On Thu, Apr 17, 2014 at 04:49:45PM +0100, Mick wrote:
>>>>> Can you please share how you create ECDHE_ECDSA with openssl ecparam, or ping a URL if that is more convenient?
>>>>
>>>> Select curve for ECDSA:
>>>>
>>>> openssl ecparam -out ec_param.pem -name secp521r1
>>>
>>> [snip ...]
>>>
>>> I don't know much about the secp521r1 curve or about its security.
>>>
>>> [snip ...]
>>>
>>> It seems that many sites that use ECDHE with various CA signature algorithms (ECC as well as conventional symmetric) use the secp521r1 curve - aka P-256. I just checked and gmail/google accounts use it too. Markus showed secp384r1 (P-384) in his example.
>>>
>>> The thing is guys that both of these are shown as 'unsafe' in the http://safecurves.cr.yp.to tables and are of course specified by NIST and NSA.
>>>
>>> Thank you both for your replies. I need to read a bit more into all this before I settle on a curve.
>>
>> 1.) secp521r1 is *not* P-256
>>
>> 2.) I used secp384r1 aka P-384 as it's defined by RFC 6460 while secp521r1 is not, and all TLS1.2 implementations implement secp256r1 and secp384r1 as defined in RFC 6460, while secp521r1 is implemented only by some. So better to be RFC compliant and reach all possible users/customers than to violate the RFC and lose possible users/customers. https://tools.ietf.org/html/rfc6460
>>
>> 3.) Even the people behind http://safecurves.cr.yp.to have no proof that secp[256|384|521]r1 are insecure, they just don't trust the NIST. So that list is mostly useless and possibly untrue.
>
> Which of the safecurves are supported by openssl?

openssl ecparam -list_curves

But openssl is not used by the major browsers and other clients, so it is not a reference here.

>> 4.) ECC in certificates is not widely used and therefore also not extensively audited, so it might be less secure than SHA256+RSA, or may suffer from implementation failures like heartbeat did.
>>
>> 5.) ECDSA has the same problems I mentioned in 4, so it may be a bad idea to use it in production. Stick to ECDHE and as a fallback to DHE.
>>
>> I use the following ciphers for my services:
>>
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
>
> What program do you use to provide IMAP-SSL/TLS? I have not gotten ECDHE to work with courieropenssl. Anyways I fail to see any logic with courier-setup... Postfix and apache on the other hand are easy to setup to use the correct ciphers.

I use Dovecot as IMAPd. If you're interested in how I set up my servers then have a look at my corresponding howtos (in order):

http://www.rootservice.org/howtos/freebsd/remote_install.html
http://www.rootservice.org/howtos/freebsd/certificate_authority.html
http://www.rootservice.org/howtos/freebsd/hosting_system.html

My Gentoo-HowTos are out of date, so don't look at them ;) But the configs should work also on Gentoo with little tweaks.

--
Kind Regards, Mit freundlichen Grüssen,
Markus Kohlmeyer
PGP: 0xEBDF5E55 / 2A22 1F71 AA70 1AD1 231B 0178 759F 407C EBDF 5E55
[gentoo-user] Re: WEFT Why Every F Time ?
On 2014-04-16, James wirel...@tampabay.rr.com wrote:
> Is there another easy to use front end read/post to gentoo-user? (Please do not say NNTP)

Mind if I ask why not?

--
Grant
Re: [gentoo-user] Re: Change EFI to BIOS Boot
2014-04-19 12:34 GMT-03:00 Tom H tomh0...@gmail.com:
> On Sun, Apr 13, 2014 at 11:08 AM, Jonathan Callen jcal...@gentoo.org wrote:
>> On 04/12/2014 08:19 AM, Tom H wrote:
>>> You can have a gpt partition table with BIOS but if you want to boot from that disk, you need a bios_boot partition (which the OP has) for grub to embed a binary.
>>
>> Technically, I don't think you need a bios_boot partition if you leave enough space between the partition table and the first partition (I don't recall having a problem when my first partition started 2048 sectors (1MiB) into the disk).
>
> You're correct if you're talking about an msdos-labelled disk with bios firmware, because with the first partition starting on 2048 as it does now rather than on 63 as it used to, the post-mbr gap will always be big enough for grub to embed core.img.
>
> But on a gpt-labelled disk with bios firmware, there's a something mbr into which grub embeds boot.img but there's no post-mbr gap. So a bios_boot partition's needed in order to embed core.img (IIRC parted calls it grub_bios or bios_grub).

As I could not fix it, I solved it by making a backup, formatting with an ms_dos table, and restoring the backup. :P
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Saturday 19 Apr 2014 14:17:56 Joe User wrote:
> On 19.04.2014 13:51, Mick wrote:
>> It seems that many sites that use ECDHE with various CA signature algorithms (ECC as well as conventional symmetric) use the secp521r1 curve - aka P-256. I just checked and gmail/google accounts use it too. Markus showed secp384r1 (P-384) in his example.
>>
>> The thing is guys that both of these are shown as 'unsafe' in the http://safecurves.cr.yp.to tables and are of course specified by NIST and NSA.
>>
>> Thank you both for your replies. I need to read a bit more into all this before I settle on a curve.
>
> 1.) secp521r1 is *not* P-256

I beg your pardon! I went all cross-eyed scanning different RFC pages and tables.

> 2.) I used secp384r1 aka P-384 as it's defined by RFC 6460 while secp521r1 is not, and all TLS1.2 implementations implement secp256r1 and secp384r1 as defined in RFC 6460, while secp521r1 is implemented only by some. So better to be RFC compliant and reach all possible users/customers than to violate the RFC and lose possible users/customers. https://tools.ietf.org/html/rfc6460

Yes, you are right. Also, some of these 'safe curves' are not currently available through openssl and some are just toy examples. One would have to be technically competent enough to develop their own implementation of e.g. Curve25519 - in my case this would be decidedly dangerous to attempt! ha, ha!

> 3.) Even the people behind http://safecurves.cr.yp.to have no proof that secp[256|384|521]r1 are insecure, they just don't trust the NIST. So that list is mostly useless and possibly untrue.

Well, from what I understand their argument is that the alleged criteria of efficiency assumed by the standards are not necessarily supportive of a better security model and often do not provide computational efficiency either. In addition, the derivation of the supposedly random integers k are allegedly either not random, or in any case arbitrarily chosen.

> 4.) ECC in certificates is not widely used and therefore also not extensively audited, so it might be less secure than SHA256+RSA, or may suffer from implementation failures like heartbeat did.
>
> 5.) ECDSA has the same problems I mentioned in 4, so it may be a bad idea to use it in production. Stick to ECDHE and as a fallback to DHE.
>
> I use the following ciphers for my services:
>
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

Thanks! I need to use certificates with strongswan, so I think I will be limited to:

prime256v1
secp384r1
secp521r1

http://wiki.strongswan.org/projects/strongswan/wiki/EcDsaSecret

--
Regards,
Mick
Re: [gentoo-user] libreoffice uses openssl?
On Saturday 19 Apr 2014 02:29:35 walt wrote:
> Not long ago I started building my own libreoffice from their git repo because I wanted to bisect a recent libreoffice bug in localc. In the process of finding the bug I discovered that libreoffice ships its own copy of openssl along with many other common opensource libraries.
>
> The libreoffice team committed the heartbleed fix to their git repo a few days ago, which got me thinking about why libreoffice needs ssl. I'm thinking maybe for odbc, maybe webdav? I dunno because all I really use is localc and I don't know anything about the other stuff.
>
> Are the users of libreoffice-stable at risk from heartbleed? I don't know enough to judge, but I worry about it.

I thought that they used NSS for digital signing of documents, but in any case it seems that LO is also impacted by the Heartbleed bug of openssl:

http://secunia.com/community/advisories/57881

-- 
Regards,
Mick
Re: [gentoo-user] libreoffice uses openssl?
On Saturday 19 Apr 2014 18:18:39 Mick wrote:
> On Saturday 19 Apr 2014 02:29:35 walt wrote:
>> Not long ago I started building my own libreoffice from their git repo because I wanted to bisect a recent libreoffice bug in localc. In the process of finding the bug I discovered that libreoffice ships its own copy of openssl along with many other common opensource libraries.
>>
>> The libreoffice team committed the heartbleed fix to their git repo a few days ago, which got me thinking about why libreoffice needs ssl. I'm thinking maybe for odbc, maybe webdav? I dunno because all I really use is localc and I don't know anything about the other stuff.
>>
>> Are the users of libreoffice-stable at risk from heartbleed? I don't know enough to judge, but I worry about it.
>
> I thought that they used NSS for digital signing of documents, but in any case it seems that LO is also impacted by the Heartbleed bug of openssl:
>
> http://secunia.com/community/advisories/57881

and here:

http://www.libreoffice.org/about-us/security/advisories/cve-2014-0160/

-- 
Regards,
Mick
Re: [gentoo-user] libreoffice uses openssl?
On Saturday, 19 April 2014, 19:19:41, Mick wrote:
> On Saturday 19 Apr 2014 18:18:39 Mick wrote:
>> On Saturday 19 Apr 2014 02:29:35 walt wrote:
>>> Not long ago I started building my own libreoffice from their git repo because I wanted to bisect a recent libreoffice bug in localc. In the process of finding the bug I discovered that libreoffice ships its own copy of openssl along with many other common opensource libraries.
>>>
>>> The libreoffice team committed the heartbleed fix to their git repo a few days ago, which got me thinking about why libreoffice needs ssl. I'm thinking maybe for odbc, maybe webdav? I dunno because all I really use is localc and I don't know anything about the other stuff.
>>>
>>> Are the users of libreoffice-stable at risk from heartbleed? I don't know enough to judge, but I worry about it.
>>
>> I thought that they used NSS for digital signing of documents, but in any case it seems that LO is also impacted by the Heartbleed bug of openssl:
>>
>> http://secunia.com/community/advisories/57881
>
> and here:
>
> http://www.libreoffice.org/about-us/security/advisories/cve-2014-0160/

Users are recommended to upgrade to 4.2.3 to avoid this flaw when using the packages provided from www.libreoffice.org which include a bundled copy of openssl.

However, we build from sources and use the system libraries.

    huettel@porto ~ $ lsof|grep soffice|grep libssl
    soffice.b 31006 huettel  mem    REG    8,1   423840 795269 /usr/lib64/libssl.so.1.0.0

-- 
Andreas K. Huettel
Gentoo Linux developer (council, kde)
dilfri...@gentoo.org
http://www.akhuettel.de/
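The lsof check Andreas shows above generalises into a small inventory script, which is useful in the days after an openssl update: it tells you which processes map a libssl at all, which of them carry their own bundled copy that the system update does not touch (the libreoffice.org binaries are that case), and which still hold the old, since-replaced library in memory and therefore need a restart. This is an added example, not code from the thread or from Gentoo; the lsof text is constructed to match lsof's default column layout (the first data line mirrors Andreas's output), and the process names, PIDs and the /opt/vendorapp path are made up.

```shell
#!/bin/sh
# Added example: inventory libssl mappings from saved `lsof` output.
# Columns in lsof's default format: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
# When a mapped file has been replaced on disk, lsof appends " (deleted)" to NAME.

# Constructed sample (not a real capture): one system-libssl user (as in the
# post above), one process holding a libssl that was replaced on disk after it
# started, one application with its own bundled libssl, and one unrelated line.
LSOF_SAMPLE='COMMAND     PID    USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
soffice.b 31006 huettel  mem    REG    8,1   423840 795269 /usr/lib64/libssl.so.1.0.0
soffice.b 31006 huettel  mem    REG    8,1  1985896 795270 /usr/lib64/libcrypto.so.1.0.0
nginx      2201    root  mem    REG    8,1   423840 795269 /usr/lib64/libssl.so.1.0.0
sshd        900    root  mem    REG    8,1   423840 795100 /usr/lib64/libssl.so.1.0.0 (deleted)
vendorapp  4410   alice  mem    REG    8,1   412000 912345 /opt/vendorapp/lib/libssl.so.1.0.0
bash       5001   alice  cwd    DIR    8,1     4096 131073 /home/alice'

# libssl_users TEXT: print "COMMAND PID PATH" for every memory-mapped libssl.
# The NAME column is rebuilt from field 9 onwards because it may contain spaces.
libssl_users() {
  printf '%s\n' "$1" | awk '
    $4 == "mem" && $0 ~ /\/libssl\.so/ {
      path = $9
      for (i = 10; i <= NF; i++) path = path " " $i
      print $1, $2, path
    }'
}

# bundled_libssl_users TEXT: mappings whose library is not the distro copy under
# /lib, /lib64, /usr/lib or /usr/lib64; updating the system openssl does nothing
# for these, the application itself has to be rebuilt or upgraded.
bundled_libssl_users() {
  libssl_users "$1" | awk '$3 !~ /^\/(usr\/)?lib(64)?\// { print }'
}

# stale_libssl_users TEXT: processes still mapping a libssl that was replaced
# on disk after they started (lsof marks it "(deleted)"); these need a restart.
# Exit status is grep's: 0 when at least one such process exists.
stale_libssl_users() {
  libssl_users "$1" | grep '(deleted)$'
}

# Live use on the running system (needs lsof, and root to see other users' processes):
#   libssl_users "$(lsof -n 2>/dev/null)"
echo "== bundled libssl (not covered by the system openssl update)"
bundled_libssl_users "$LSOF_SAMPLE"
echo "== stale libssl still mapped (restart needed)"
stale_libssl_users "$LSOF_SAMPLE"
```

The same three functions work on `lsof -n` output piped from a live box, and the "(deleted)" check is the one that catches long-running daemons that were never restarted after the library on disk was replaced.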
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Mick wrote:
> On Saturday 19 Apr 2014 16:29:34 Dale wrote:
>> How does one find out what their bank uses? I'd like to check on what mine uses. I have Seamonkey and Firefox installed here IF it matters.
>
> Some banks have reverted to RC4 to protect against TLS v1.0 attacks from the BEAST. I don't think that FF shows the algos used for key exchange and encryption in enough detail. You can see them if you use Chromium and click on the green padlock.
>
> I use openssl s_client, e.g.:
>
> openssl s_client -connect www.wellsfargo.com:443
>
> and look for this info:
>
> New, TLSv1/SSLv3, Cipher is RC4-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : RC4-SHA

I have this little padlock looking thing too. I dug around and found this info:

CN = VeriSign Class 3 Extended Validation SSL SGC CA
OU = Terms of use at https://www.verisign.com/rpa (c)06
OU = VeriSign Trust Network
O = VeriSign, Inc.
C = US
PKCS #1 RSA Encryption

There is another place with info but it doesn't allow me to highlight it so that I can copy and paste. Hmm.

Anyway, is that reasonable for a bank to use? In case you haven't noticed, I'm not a wealth of info on encryption, just rich in questions. I just know that it is supposed to make things unreadable without a password, pass key or whatever.

This is currently my bank. http://cadencebank.com/ Since they changed to a card that a lot of stores don't take, that could be changing real soon.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
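Mick's eyeballing of the `openssl s_client` summary above, together with Joe User's point in the other thread that only the ECDHE/DHE suites give forward secrecy, can be turned into a repeatable check. The script below is an added example, not from the thread: it reads the session summary `openssl s_client` prints (saved text, so it runs offline) and reports an RC4 or other legacy cipher, a non-ephemeral key exchange, a protocol below TLSv1.2, missing secure renegotiation, and a short server key. The two samples are constructed to look like s_client output; `tls_check_host` is a wrapper for a live check and needs network access.

```shell
#!/bin/sh
# Added example: grade the session summary that
#   openssl s_client -connect HOST:443 -servername HOST </dev/null
# prints, instead of reading it by eye.  Input is the saved text.

# Constructed: a server that still negotiates RC4 over TLSv1 (shape of the
# summary quoted above, not a real capture).
SAMPLE_RC4='New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA'

# Constructed: a server offering one of the ECDHE suites from Joe User's list.
SAMPLE_PFS='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# tls_field TEXT NAME: value of the "NAME : value" line in the SSL-Session block.
tls_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# tls_findings TEXT: one finding per line on stdout; exit 0 only when there are none.
tls_findings() {
  out=$1
  proto=$(tls_field "$out" Protocol)
  cipher=$(tls_field "$out" Cipher)
  bits=$(printf '%s\n' "$out" | sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p')
  n=0
  case "$cipher" in
    *RC4*|*DES*|*NULL*|*EXP*)
      echo "legacy cipher negotiated: $cipher"; n=$((n + 1)) ;;
  esac
  case "$cipher" in
    ECDHE-*|DHE-*) ;;                        # ephemeral key exchange: forward secrecy
    *) echo "no forward secrecy: $cipher"; n=$((n + 1)) ;;
  esac
  case "$proto" in
    TLSv1.2) ;;
    *) echo "protocol below TLSv1.2: $proto"; n=$((n + 1)) ;;
  esac
  if printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS NOT supported'; then
    echo "secure renegotiation (RFC 5746) not supported"; n=$((n + 1))
  fi
  if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
    echo "server key shorter than 2048 bits: $bits"; n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

# Live check of one host (needs network; not exercised by the samples).
tls_check_host() {
  tls_findings "$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)"
}

echo "== constructed RC4 sample"
tls_findings "$SAMPLE_RC4" || echo "-> not acceptable"
echo "== constructed ECDHE sample"
tls_findings "$SAMPLE_PFS" && echo "-> no findings"
```

The checks deliberately stay at the level of what s_client prints; the curve chosen for ECDHE is not in this summary, so the RFC 6460 point from the other thread has to be verified separately (newer openssl versions print a "Server Temp Key" line for that).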
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Matti Nykyri wrote:
> On Apr 19, 2014, at 18:29, Dale rdalek1...@gmail.com wrote:
>> Mick wrote:
>>> Encryption still works, at least for some attackers. The fact that burglars can pick locks doesn't mean that you should leave your door unlocked.
>>>
>>> FWIW I just checked my bank's website encryption ... they *still* use RC4!!! O_O I guess they are keen to make sure all these customers with WinXP and MSIE 7.0 can still login? For crying out loud!
>>>
>>> It seems that RSA's days may be numbered and elliptic curve cryptography would be the way forward, not only because of resource constrained mobile devices, but also because of recent advances in crypto-analytics which may make RSA obsolete:
>>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>
>> How does one find out what their bank uses? I'd like to check on what mine uses. I have Seamonkey and Firefox installed here IF it matters.
>
> Well you can use ssllabs.com. I use it for debugging. Here is what Bank of America uses:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on
>
> -Matti

I get this.

https://www.ssllabs.com/ssltest/analyze.html?d=cadencebank.com&hideResults=on

I don't know a lot about this encryption stuff but mine don't look too good. :/ You got your test graded and mine seems to be bad enough to not even deserve a grading.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On 19.04.2014 21:33, Dale wrote:
> Matti Nykyri wrote:
>> On Apr 19, 2014, at 18:29, Dale rdalek1...@gmail.com wrote:
>>> Mick wrote:
>>>> Encryption still works, at least for some attackers. The fact that burglars can pick locks doesn't mean that you should leave your door unlocked.
>>>>
>>>> FWIW I just checked my bank's website encryption ... they *still* use RC4!!! O_O I guess they are keen to make sure all these customers with WinXP and MSIE 7.0 can still login? For crying out loud!
>>>>
>>>> It seems that RSA's days may be numbered and elliptic curve cryptography would be the way forward, not only because of resource constrained mobile devices, but also because of recent advances in crypto-analytics which may make RSA obsolete:
>>>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>>
>>> How does one find out what their bank uses? I'd like to check on what mine uses. I have Seamonkey and Firefox installed here IF it matters.
>>
>> Well you can use ssllabs.com. I use it for debugging. Here is what Bank of America uses:
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on
>>
>> -Matti
>
> I get this.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=cadencebank.com&hideResults=on
>
> I don't know a lot about this encryption stuff but mine don't look too good. :/ You got your test graded and mine seems to be bad enough to not even deserve a grading.
>
> Dale
>
> :-)  :-)

You have to use the https-URLs like this one:

https://www.ssllabs.com/ssltest/analyze.html?d=secure1.cadencebanking.com&hideResults=on

Very secure, your bank's customer login ;) Time to move to a safer bank...

-- 
Kind Regards, Mit freundlichen Grüssen,
Markus Kohlmeyer

Markus Kohlmeyer
PGP: 0xEBDF5E55 / 2A22 1F71 AA70 1AD1 231B 0178 759F 407C EBDF 5E55
Re: [gentoo-user] Output of mount and cat /etc/mtab inside install chroot?
On Sat, Apr 19, 2014 at 10:24:17AM -0400, Tom H wrote:
> I symlink /proc/self/mounts to /etc/mtab. But the handbook has grep -v rootfs /proc/mounts > /etc/mtab.

I re-checked the AMD64 install docs in Firefox {CTRL}F mtab in...

http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?full=1

The ***Default: Setting up GRUB using grub-install*** section has...

Code Listing 4.5: Creating /etc/mtab
# grep -v rootfs /proc/mounts > /etc/mtab

The lilo install does not have these instructions, neither does grub-2, just legacy grub. I've installed Gentoo with lilo a lot of times over the past several years (since November 2004), and I have never had to tweak /etc/mtab. This implies one of...

* either the behaviour of /etc/mtab has changed.
* or grepping mount output is a recent new and improved feature of the lilo ebuild.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
[gentoo-user] Re: Allow delay for booting from USB device?
On 04/18/2014 01:49 PM, Brian Hesdorfer wrote:
> On 4/18/2014 1:38 PM, Joost Roeleveld wrote:
>> On Friday 18 April 2014 10:01:35 Brian Hesdorfer wrote:
>>> On 4/18/2014 9:05 AM, Joost Roeleveld wrote:
>>>> On Friday 18 April 2014 12:02:01 Thomas Mueller wrote:
>>>>> Is there a way to make Gentoo or other Linux allow extra time when root is on a USB device? Any way to say just a second or more like 15 seconds before aborting with the message that root partition does not exist?
>>>>>
>>>>> In this case it's an IDE hard drive in a USB enclosure.
>>>>>
>>>>> FreeBSD seems to handle this situation better. I would get a mountroot prompt, to which I would respond ufs:/dev/ada0p3 and be good. I could avoid this situation with /boot/loader.conf
>>>>>
>>>>> legal.realtek.license_ack=1
>>>>> rsu-rtl8712fw_load=YES
>>>>> kern.cam.scsi_delay=13000   # Delay (in ms) before probing SCSI
>>>>> kern.cam.boot_delay=16000   # Delay (in ms) of root mount for CAM bus
>>>>> hint.re.0.disabled=1
>>>>>
>>>>> but don't know if Linux has anything like this. Only lines 3 and 4 are relevant to this issue; other lines are for different issues.
>>>>>
>>>>> Tom
>>>>
>>>> Try adding rootdelay=15 to the kernel commandline. This should make the kernel wait 15 seconds before trying to access the root-device.
>>>> See: http://www.linuxtopia.org/online_books/linux_kernel/kernel_configuration/re58.html
>>>>
>>>> I used this myself in the past when booting from USB-devices.
>>>>
>>>> Kind regards,
>>>> Joost
>>>
>>> Tiny Core linux, which is primarily booted over usb, does something similar. If I'm understanding this right, they have a loop in their initrd that just waits a maximum of X seconds until it shows up. I'm not sure how easy this would be to move into something else.
>>>
>>> Lines 114-128: http://git.tinycorelinux.net/index.cgi?url=Core-scripts.git/tree/etc/init.d/tc-config
>>
>> rootdelay is a standard linux kernel option. No need to use a special script.
>>
>> --
>> Joost
>
> Agreed! Hadn't heard of that option until you mentioned it. Learn a new thing everyday :)

There is also a rootwait option, which simply waits until the root device is available, no matter how long that takes. (So you don't end up waiting longer than required just in case).

-- 
Jonathan Callen
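The three approaches in this thread differ in how long you end up waiting: rootdelay=N sleeps the full N seconds unconditionally before the kernel tries root, rootwait polls until the device appears with no upper bound, and the initrd loop Brian describes polls but gives up after a maximum. The function below is an added example of that third shape (written for this post, not copied from tc-config or any distribution initrd): it returns as soon as the device node exists and fails after MAX seconds, with MAX=0 giving rootwait-style unbounded waiting. The demo uses a plain file standing in for the device node, so it runs without real hardware.

```shell
#!/bin/sh
# Added example: poll for a root device with an upper bound, the middle
# ground between rootdelay=N (unconditional sleep) and rootwait (unbounded).

# wait_for_device DEV MAX
#   returns 0 as soon as DEV exists (possibly after waiting),
#   returns 1 if DEV has not appeared after MAX seconds;
#   MAX=0 (or omitted) waits indefinitely, like rootwait.
wait_for_device() {
  dev=$1
  max=${2:-0}
  waited=0
  while [ ! -e "$dev" ]; do
    if [ "$max" -gt 0 ] && [ "$waited" -ge "$max" ]; then
      echo "timed out after ${waited}s waiting for $dev" >&2
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# Demo: a regular file under a temporary directory stands in for /dev/sdb1
# (constructed; no real device is involved).  It is created 2 s after the
# wait starts, and the wait returns immediately when it appears.
demo_dir=$(mktemp -d)
( sleep 2; : > "$demo_dir/sdb1" ) &
if wait_for_device "$demo_dir/sdb1" 10; then
  echo "root device appeared, continuing boot"
else
  echo "giving up on root device"
fi
wait
rm -rf "$demo_dir"
```

In a real initrd the check would be followed by the mount attempt, and the timeout branch by dropping to a rescue shell rather than echoing; the kernel-side equivalents remain rootdelay= and rootwait on the command line when no initrd is in use.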
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Joe User wrote:
> On 19.04.2014 21:33, Dale wrote:
>> Matti Nykyri wrote:
>>> On Apr 19, 2014, at 18:29, Dale rdalek1...@gmail.com wrote:
>>>> Mick wrote:
>>>>> Encryption still works, at least for some attackers. The fact that burglars can pick locks doesn't mean that you should leave your door unlocked.
>>>>>
>>>>> FWIW I just checked my bank's website encryption ... they *still* use RC4!!! O_O I guess they are keen to make sure all these customers with WinXP and MSIE 7.0 can still login? For crying out loud!
>>>>>
>>>>> It seems that RSA's days may be numbered and elliptic curve cryptography would be the way forward, not only because of resource constrained mobile devices, but also because of recent advances in crypto-analytics which may make RSA obsolete:
>>>>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>>>
>>>> How does one find out what their bank uses? I'd like to check on what mine uses. I have Seamonkey and Firefox installed here IF it matters.
>>>
>>> Well you can use ssllabs.com. I use it for debugging. Here is what Bank of America uses:
>>> https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on
>>>
>>> -Matti
>>
>> I get this.
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=cadencebank.com&hideResults=on
>>
>> I don't know a lot about this encryption stuff but mine don't look too good. :/ You got your test graded and mine seems to be bad enough to not even deserve a grading.
>>
>> Dale
>>
>> :-)  :-)
>
> You have to use the https-URLs like this one:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=secure1.cadencebanking.com&hideResults=on
>
> Very secure, your bank's customer login ;) Time to move to a safer bank...

Well, I have had doubts about their security for a while now since I think they run windoze anyway. This sort of confirms it. They changed from Visa for their debit card to Discover about a year ago. I'm getting pretty fed up with going places and them NOT taking my card and me being stuck in awkward situations.

Then finding out that their security is just barely half what it should be, yep, time to find a new bank. I've been putting this off for a while now. As some know, my brother had cancer and I've been busy dealing with that. We lost him about a month ago so I'm trying to play catch up. He beat the cancer but we think he took too much meds by mistake and it was too late by the time he realized it. Changing banks is on my todo list and may have just taken a higher priority. It just went from not worth much to not worth spit. ;-)

At least now I know how to check any potential new banks that I am interested in too. Thanks for sharing that howto info.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Saturday 19 Apr 2014 18:43:50 Matti Nykyri wrote:
> Well you can use ssllabs.com. I use it for debugging. Here is what Bank of America uses:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on

Well, that's an eye-opener and no mistake. I see my bank is rated B overall. Could be worse I suppose. Maybe I should forward the results to them.

-- 
Regards
Peter