daily CVS update output

2023-11-14 Thread NetBSD source update


Updating src tree:
P src/sys/dev/pci/ixgbe/ix_txrx.c
P src/sys/dev/pci/ixgbe/ixv.c
P src/usr.sbin/altq/altqd/altqd.8

Updating xsrc tree:


Killing core files:



Updating release-8 src tree (netbsd-8):

Updating release-8 xsrc tree (netbsd-8):



Updating release-9 src tree (netbsd-9):

Updating release-9 xsrc tree (netbsd-9):



Updating release-10 src tree (netbsd-10):

Updating release-10 xsrc tree (netbsd-10):




Updating file list:
-rw-rw-r--  1 srcmastr  netbsd  41957944 Nov 15 03:14 ls-lRA.gz


Re: openssl3+postfix issue (ca md too weak)

2023-11-14 Thread Ken Hornstein
>   hello Ken.  Yes, I missed that part of what you were trying to
>say.  You're right, I didn't try that.  I'm not sure that's possible
>when configuring SSL with sendmail.

It looks like as long as you have the "O ClientCertFile" and
"O ClientKeyFile" options commented out it won't use one in client mode.
That's how we've configured sendmail and we haven't seen any issues.

--Ken


Re: openssl3+postfix issue (ca md too weak)

2023-11-14 Thread Brian Buhrow
hello Ken.  Yes, I missed that part of what you were trying to say.  You're
right, I didn't try that.  I'm not sure that's possible when configuring SSL
with sendmail.  I elected to arrange for sendmail to have access to valid
public certificates so it could present a certificate both as a server, when
receiving mail, and as a client, when sending mail.  Thanks for the
clarification.
-thanks
-Brian



Re: openssl3+postfix issue (ca md too weak)

2023-11-14 Thread Ken Hornstein
>   hello Ken.  It may be that the RFC says the client need not
>present a valid certificate, but I have found that smtp clients I
>manage that want to send mail to Microsoft managed domains cannot set
>up an SSL encrypted smtp session unless the client presents a valid
>certificate as part of the key negotiation process.

But wait, that's not exactly what I meant.  I could see that Microsoft
would reject a random self-signed certificate presented by a client, but
I was saying that I don't believe they require ANY certificate at all.
As in, "don't configure your SMTP server to send a client certificate";
You didn't say that you tried that.

--Ken


Re: openssl3+postfix issue (ca md too weak)

2023-11-14 Thread Brian Buhrow
hello Ken.  It may be that the RFC says the client need not present a valid
certificate, but I have found that smtp clients I manage that want to send
mail to Microsoft managed domains cannot set up an SSL encrypted smtp session
unless the client presents a valid certificate as part of the key negotiation
process.  This may be something they're doing in violation of the RFC, but I
found when I configured sendmail to present a valid certificate, one that
could be verified versus a self-signed certificate, mail which wasn't flowing
began flowing again.  Note I'm not talking about an smtp-auth situation where
an individual user is authenticating to a smtp service, but rather
server-to-server communications where two smtp MTA agents want to exchange
mail with each other.

-thanks
-Brian

On Nov 14,  9:30am, Ken Hornstein wrote:
} Subject: Re: openssl3+postfix issue (ca md too weak)
} >   Hello Taylor.  Just as a point of reference, smtp clients that
} >connect to domains hosted by Microsoft, i.e. outlook.com and any other
} >domains that use their infrastructure for e-mail, will have to present
} >a valid SSL certificate in order to submit mail to their smtp servers.
} 
} I do not believe this statement is correct.  My reading of RFC 8461
} is that all it says is that the _server_ has to have a valid certificate
} and says nothing about client certificates.  In my limited experience
} configuring your SMTP _client_ to present a certificate is very very
} rare.
} 
} --Ken
>-- End of excerpt from Ken Hornstein


Re: ffmpeg6 and SSP?

2023-11-14 Thread Tobias Nygren
On Tue, 14 Nov 2023 11:30:27 + Patrick Welche wrote:

> Userland was built with MKUPDATE=yes - maybe I didn't rebuild whichever
> library should contain the extern definition of __ssp_protected_read ?

Same problem with a clean userland build. I'll also note it doesn't
work to override _FORTIFY_SOURCE with CFLAGS in pkgsrc, because SSP is
enforced through wrappers. Minimal reproducer:

#define _FORTIFY_SOURCE 2
#include <unistd.h>
ssize_t (*myread)(int d, void *buf, size_t nbytes);
int main(void) {
    char c;
    myread = &read;    /* take the address of the fortified read() wrapper */
    return myread(STDIN_FILENO, &c, sizeof(c));
}
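The mechanism behind the reproducer above, as an added example that is not Tobias's code and not NetBSD's ssp.h: a small model of how a FORTIFY/SSP header wraps read(2), with both inline shapes side by side. The static inline shape emits a private copy of the wrapper when a program takes its address, so the link always succeeds; the extern inline + __gnu_inline__ shape never emits a copy, so direct calls work but an address-taken wrapper becomes an external reference that some library must provide. The demo_* names, the pipe standing in for stdin and the flag used instead of abort() are all assumptions of this example; it assumes gcc or clang, since gnu_inline is a GNU extension.

```c
/*
 * Added example, not code from the thread or from NetBSD's ssp.h: a model of
 * how a FORTIFY/SSP header wraps read(2), and why the __gnu_inline__ form
 * needs a copy of the wrapper in a library once a program takes its address.
 * Every demo_* name is hypothetical.
 */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Set instead of calling abort(), so the outcome can be inspected. */
int demo_overflow_trapped;

/*
 * Runtime half of the check.  bos is what the compiler knew about the
 * destination; (size_t)-1 means "unknown", and then nothing is checked.
 */
int demo_bounds_ok(size_t bos, size_t nbytes)
{
    return bos == (size_t)-1 || nbytes <= bos;
}

/*
 * Shape 1 (what ssp.h 1.14 used): static inline.  If a program takes the
 * address of the wrapper, the compiler emits a private copy in that object
 * file, so the reference is always satisfied.
 */
static inline __attribute__((__always_inline__))
ssize_t demo_read_static(int d, void *buf, size_t nbytes)
{
    if (!demo_bounds_ok(__builtin_object_size(buf, 1), nbytes)) {
        demo_overflow_trapped = 1;
        return -1;
    }
    return read(d, buf, nbytes);
}

/*
 * Shape 2 (what ssp.h 1.15 switched to): extern inline + __gnu_inline__.
 * The body is used only for inlining; no standalone copy is ever emitted.
 * Direct calls are fine.  Taking the address turns into an external
 * reference that a library must provide; if none does, the link fails with
 * "undefined reference to `demo_read_gnu'", the shape of the thread's error.
 */
extern inline __attribute__((__gnu_inline__, __always_inline__))
ssize_t demo_read_gnu(int d, void *buf, size_t nbytes)
{
    if (!demo_bounds_ok(__builtin_object_size(buf, 1), nbytes)) {
        demo_overflow_trapped = 1;
        return -1;
    }
    return read(d, buf, nbytes);
}

/* Constructed input: a pipe preloaded with data stands in for stdin. */
static int demo_pipe_with(const char *data, size_t len)
{
    int fds[2];

    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], data, len) != (ssize_t)len) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);
    return fds[0];
}

/* Direct call through the gnu_inline wrapper: links without any library copy. */
int demo_direct_call(void)
{
    char buf[8];
    int fd = demo_pipe_with("ABCDEFGH", 8);
    ssize_t n;

    if (fd < 0)
        return -1;
    n = demo_read_gnu(fd, buf, sizeof(buf));
    close(fd);
    return n == 8 && memcmp(buf, "ABCDEFGH", 8) == 0;
}

/*
 * The thread's reproducer: the wrapper's address stored in a pointer.  This
 * links because demo_read_static has a local copy; pointing the variable at
 * demo_read_gnu instead would not link.
 */
int demo_address_taken(void)
{
    ssize_t (*myread)(int, void *, size_t) = &demo_read_static;
    char buf[8];
    int fd = demo_pipe_with("ABCDEFGH", 8);
    ssize_t n;

    if (fd < 0)
        return -1;
    n = myread(fd, buf, sizeof(buf));
    close(fd);
    return n == 8 && memcmp(buf, "ABCDEFGH", 8) == 0;
}

/*
 * An 8-byte read into a 4-byte member.  Returns 1 if the wrapper trapped it,
 * 0 if the read went through unchecked.  Catching it depends on the compiler
 * resolving __builtin_object_size, which in practice needs optimisation
 * enabled; the pad keeps the write inside the enclosing object otherwise.
 */
int demo_oversized_read(void)
{
    struct { char small[4]; char pad[12]; } s;
    int fd = demo_pipe_with("ABCDEFGH", 8);
    ssize_t n;

    demo_overflow_trapped = 0;
    if (fd < 0)
        return -1;
    n = demo_read_gnu(fd, s.small, 8);
    close(fd);
    if (demo_overflow_trapped)
        return 1;
    return n == 8 ? 0 : -1;
}

int main(void)
{
    printf("direct call:    %d\n", demo_direct_call());
    printf("address taken:  %d\n", demo_address_taken());
    printf("oversized read: %d (1 = trapped)\n", demo_oversized_read());
    return 0;
}
```

To see the thread's failure with this model, change the pointer in demo_address_taken to &demo_read_gnu: the program still compiles, and the linker reports demo_read_gnu undefined, exactly because nothing in the translation unit, and no library, carries an out-of-line copy. That is also why overriding _FORTIFY_SOURCE in a package's CFLAGS does not help when the build wrappers add it back: the choice of inline shape is made in the header, and the symbol has to live somewhere.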


Re: openssl3+postfix issue (ca md too weak)

2023-11-14 Thread Manuel Bouyer
On Mon, Nov 13, 2023 at 08:34:04PM +0100, Manuel Bouyer wrote:
> Hello
> I'm facing an issue with postfix+openssl3 which may be critical (depending
> on how it can be fixed).
> 
> Now my postfix setup fails to send mails with
> Nov 13 20:20:53 comore postfix/smtp[6449]: warning: TLS library problem: error:0A00018E:SSL routines::ca md too weak:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c:984:
> 
> From what I understood, this is the remote certificate which is not accepted:
> openssl 3 deprecated some signature algorithm, which are no longer accepted
> with @SECLEVEL=1 (which is the default).

I didn't understand. The message is not about the server certificate but the
client certificate (which, indeed, is quite old and uses a private CA).
Even though no client certificate is requested for this server, it seems
that postfix loads it and errors out if it's too weak. This is quite
confusing ...

The good news is, as it's a private CA I can rebuild it :)

-- 
Manuel Bouyer 
 NetBSD: 26 years of experience will always make the difference
--


Re: openssl3+postfix issue (ca md too weak)

2023-11-14 Thread Ken Hornstein
>   Hello Taylor.  Just as a point of reference, smtp clients that
>connect to domains hosted by Microsoft, i.e. outlook.com and any other
>domains that use their infrastructure for e-mail, will have to present
>a valid SSL certificate in order to submit mail to their smtp servers.

I do not believe this statement is correct.  My reading of RFC 8461
is that all it says is that the _server_ has to have a valid certificate
and says nothing about client certificates.  In my limited experience
configuring your SMTP _client_ to present a certificate is very very
rare.

--Ken


Your patch works (Re: sys/dev/usb/if_axen.c

2023-11-14 Thread Makoto Fujiwara
|  Please could you try the patch I posted here:
| 
| 
| 
| There seems to be a difference in behaviour between the AX88179 and
| AX88179A, the driver in the tree is reported to work for the AX88179.
| 
| I think we need a change to the driver to detect the chip revision and
| choose between two different receive functions.

 Hi, Your patch works for me, really great, 
 
 axen0: flags=0x8843 mtu 1500
 capabilities=0x3ff80
 capabilities=0x3ff80
 capabilities=0x3ff80
 enabled=0
 ec_capabilities=0x1
 ec_enabled=0
 address: f8:e4:3b:5d:44:c8
 media: Ethernet autoselect (1000baseT full-duplex)
 status: active
 ...

and thank you
-- 
Makoto Fujiwara
m...@netbsd.org
mak...@if.t.u-tokyo.ac.jp
Key fingerprint = 0BFA FAEB EAD1 90BA 7498  8F85 6809 9E0B B7EF A12E

pkgsrc freshness:
http://www.ki.nu/~makoto/pkgsrc/check-update/00_Summary.html



Re: ffmpeg6 and SSP?

2023-11-14 Thread Patrick Welche
On Tue, Nov 14, 2023 at 10:32:01AM +, Patrick Welche wrote:
> On Mon, Nov 13, 2023 at 11:22:55AM +, Patrick Welche wrote:
> > I'm pretty sure ffmpeg6 compiled recently, but on today's NetBSD-current
> > with HAVE_GCC=12 and pkgsrc-current I'm seeing
> > 
> > => Bootstrap dependency digest>=20211023: found digest-20220214
> > ===> Checking for vulnerabilities in ffmpeg6-6.0nb6
> > ===> Building for ffmpeg6-6.0nb6
> > LD  ffmpeg6_g
> > LD  ffprobe6_g
> > ld: /usr/lib/crt0.o and /usr/lib/crt0.o: warning: multiple common of `environ'
> > ld: /usr/lib/crt0.o and /usr/lib/crt0.o: warning: multiple common of `environ'
> > ld: libavdevice/libavdevice.so: undefined reference to `__ssp_protected_read'
> > ld: libavdevice/libavdevice.so: undefined reference to `__ssp_protected_read'
> > gmake: *** [Makefile:131: ffprobe6_g] Error 1
> > gmake: *** Waiting for unfinished jobs
> > gmake: *** [Makefile:131: ffmpeg6_g] Error 1
> > *** Error code 2
> > 
> > 
> > Suggestions? Try no FORTIFY?
> 
> I tried "no FORTIFY" on ffmpeg6 as
> 
>   CONFIGURE_ENV+="CPPFLAGS=\"-D_FORTIFY_SOURCE=0\""
> 
> which didn't help.
> 
> I tried a NetBSD-current box with gcc 10.5.0 (i.e., without HAVE_GCC=12)
> which didn't help.
> 
> I also see the problem with the simpler lang/gawk package:
> 
> ld: awkgram.o: in function `get_src_buf':
> awkgram.c:(.text+0x2d8c): undefined reference to `__ssp_protected_read'
> ld: io.o: in function `iop_alloc':
> io.c:(.text+0xf03): undefined reference to `__ssp_protected_read'
> ld: io.o: in function `get_a_record':
> io.c:(.text+0x22d6): undefined reference to `__ssp_protected_read'
> ld: io.o: in function `after_beginfile':
> io.c:(.text+0x27c7): undefined reference to `__ssp_protected_read'
> ld: io.o: in function `redirect_string':
> io.c:(.text+0x55e7): undefined reference to `__ssp_protected_read'
> ld: io.o:io.c:(.text+0x5606): more undefined references to `__ssp_protected_read' follow
> 
> If I simply edit /usr/include/ssp/ssp.h to remove the __gnu_inline__ from
> the definition of __ssp_inline and make it static again, then gawk builds,
> 
> i.e., reverting
> 
> -/* $NetBSD: ssp.h,v 1.14 2023/03/29 13:37:10 christos Exp $*/
> +/* $NetBSD: ssp.h,v 1.15 2023/11/10 23:03:37 christos Exp $*/
> 
> allows gawk to build.

Userland was built with MKUPDATE=yes - maybe I didn't rebuild whichever
library should contain the extern definition of __ssp_protected_read ?

git grep ssp_protected_read

on https://github.com/NetBSD/src.git returned nothing - where should
the __ssp_protected_read symbol live?


Cheers,

Patrick


Re: ffmpeg6 and SSP?

2023-11-14 Thread Patrick Welche
On Mon, Nov 13, 2023 at 11:22:55AM +, Patrick Welche wrote:
> I'm pretty sure ffmpeg6 compiled recently, but on today's NetBSD-current
> with HAVE_GCC=12 and pkgsrc-current I'm seeing
> 
> => Bootstrap dependency digest>=20211023: found digest-20220214
> ===> Checking for vulnerabilities in ffmpeg6-6.0nb6
> ===> Building for ffmpeg6-6.0nb6
> LD  ffmpeg6_g
> LD  ffprobe6_g
> ld: /usr/lib/crt0.o and /usr/lib/crt0.o: warning: multiple common of `environ'
> ld: /usr/lib/crt0.o and /usr/lib/crt0.o: warning: multiple common of `environ'
> ld: libavdevice/libavdevice.so: undefined reference to `__ssp_protected_read'
> ld: libavdevice/libavdevice.so: undefined reference to `__ssp_protected_read'
> gmake: *** [Makefile:131: ffprobe6_g] Error 1
> gmake: *** Waiting for unfinished jobs
> gmake: *** [Makefile:131: ffmpeg6_g] Error 1
> *** Error code 2
> 
> 
> Suggestions? Try no FORTIFY?

I tried "no FORTIFY" on ffmpeg6 as

  CONFIGURE_ENV+="CPPFLAGS=\"-D_FORTIFY_SOURCE=0\""

which didn't help.

I tried a NetBSD-current box with gcc 10.5.0 (i.e., without HAVE_GCC=12)
which didn't help.

I also see the problem with the simpler lang/gawk package:

ld: awkgram.o: in function `get_src_buf':
awkgram.c:(.text+0x2d8c): undefined reference to `__ssp_protected_read'
ld: io.o: in function `iop_alloc':
io.c:(.text+0xf03): undefined reference to `__ssp_protected_read'
ld: io.o: in function `get_a_record':
io.c:(.text+0x22d6): undefined reference to `__ssp_protected_read'
ld: io.o: in function `after_beginfile':
io.c:(.text+0x27c7): undefined reference to `__ssp_protected_read'
ld: io.o: in function `redirect_string':
io.c:(.text+0x55e7): undefined reference to `__ssp_protected_read'
ld: io.o:io.c:(.text+0x5606): more undefined references to `__ssp_protected_read' follow

If I simply edit /usr/include/ssp/ssp.h to remove the __gnu_inline__ from
the definition of __ssp_inline and make it static again, then gawk builds,

i.e., reverting

-/* $NetBSD: ssp.h,v 1.14 2023/03/29 13:37:10 christos Exp $*/
+/* $NetBSD: ssp.h,v 1.15 2023/11/10 23:03:37 christos Exp $*/

allows gawk to build.


Cheers,

Patrick


Re: ffmpeg6 and SSP?

2023-11-14 Thread pin
On Tuesday, November 14th, 2023 at 8:48 AM, Vitaly Shevtsov wrote:


> Hello!
> 
> What if you put -D_FORTIFY_SOURCE=0 into Makefile, will it help?

Won't know until I try :)
Will have to wait a bit, though ... currently building firefox.

If someone else can try before tomorrow, it would be great.
Else, I can test it.


Re: openssl3+postfix issue (ca md too weak)

2023-11-14 Thread Manuel Bouyer
On Mon, Nov 13, 2023 at 07:16:14PM -0800, Brian Buhrow wrote:
>   Hello Taylor.  Just as a point of reference, smtp clients that connect
> to domains hosted by Microsoft, i.e. outlook.com and any other domains that
> use their infrastructure for e-mail, will have to present a valid SSL
> certificate in order to submit mail to their smtp servers.  But that is a
> different issue than Manuel is describing, as I understand it.  I think he
> is saying that the server is presenting an SSL certificate that his client
> doesn't like when he tries to send mail to an external smtp server.  In
> that case, I agree with you, his client shouldn't be overly concerned about
> whether the server presented SSL certificate can be verified all the way
> down the verification chain.  I guess it's fine if it does the verification
> and puts a note in the headers, but it shouldn't stop mail from going out.

Actually, the client is using SMTP AUTH, so making sure he's sending the
auth credentials to the right SMTP server is critical.

-- 
Manuel Bouyer 
 NetBSD: 26 years of experience will always make the difference
--


Re: openssl3+postfix issue (ca md too weak)

2023-11-14 Thread Manuel Bouyer
On Tue, Nov 14, 2023 at 02:39:53AM +, Taylor R Campbell wrote:
> [trimming tech-crypto from cc because this is a policy and
> configuration issue, not a cryptography issue]
> 
> > Date: Mon, 13 Nov 2023 20:34:04 +0100
> > From: Manuel Bouyer 
> > 
> > I'm facing an issue with postfix+openssl3 which may be critical (depending
> > on how it can be fixed).
> > 
> > Now my postfix setup fails to send mails with
> > Nov 13 20:20:53 comore postfix/smtp[6449]: warning: TLS library problem: 
> > error:0A00018E:SSL routines::ca md too 
> > weak:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c:984:
> 
> 1. This says `warning'; does the mail actually fail to go through, or
>are you just alarmed by the warning?

it fails:
Nov 13 20:21:48 comore postfix/smtp[4182]: warning: TLS library problem: error:0A00018E:SSL routines::ca md too weak:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c:984:
Nov 13 20:21:48 comore postfix/smtp[4182]: D2EF31805C: to=, relay=mail.soc.lip6.fr[132.227.86.2]:465, delay=1441, delays=1441/0.05/0.02/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)


> 
> 2. Can you describe your mail topology?

This is a simple mail client (my laptop); outgoing emails go through
two mail servers (depending on the From and a relay map). Both mail
servers require SMTP AUTH (which is why I enforce
smtp_tls_security_level = verify), configured as:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/home/bouyer/.postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

> 
> 3. Can you describe the postfix configuration on every node involved
>in the topology?

the mail servers this client talks to are both running sendmail,
on netbsd-9

> 4. Can you share master.cf on every node involved if it's not the
>default?

on the client master.cf is the default, with this additional line:
relay-smtps unix  -       -       n       -       -       smtp
  # Client-side SMTPS requires "encrypt" or stronger.
  -o smtp_tls_security_level=verify
  -o smtp_tls_wrappermode=yes
  -o smtp_starttls_timeout=60
  -o smtp_helo_timeout=60
> 
> 5. If you connect to the server with `openssl s_client', what happens?

It works:
openssl s_client -connect mail.soc.lip6.fr:465 -verify_return_error
[...]
Start Time: 1699948718
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
220 asim.lip6.fr ESMTP Sendmail 8.15.2/8.15.2; Tue, 14 Nov 2023 08:58:37 +0100 
(MET)

Also, tnftp talking to a web server with the exact same certificate and
certificate chain has no problem either.

This is one of the things I have a hard time understanding: why can't I
reproduce this error with other TLS clients?

> 
> > So, as far as I understand, we end up with a postfix installation which
> > can't talk to servers with valid certificates.
> 
> Unless anything has changed in the past couple years, I don't think
> there is any widespread deployment of SMTP TLS server authentication
> that means anything for general MTAs -- at best, TLS in SMTP serves as
> opportunistic encryption to defend against passive eavesdroppers.

There is actually, for SMTP AUTH
And I don't think using an MTA for SMTP AUTH is that unusual

-- 
Manuel Bouyer 
 NetBSD: 26 years of experience will always make the difference
--
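Ken Hornstein's suggestion applied to the Postfix side of this thread, as an added example that is not the configuration of any poster: the relay transport keeps smtp_tls_security_level=verify (so the SASL credentials only ever go to an authenticated server) but carries no client certificate, which is what Manuel found OpenSSL 3 was objecting to. Postfix loads a client certificate only when smtp_tls_cert_file and smtp_tls_key_file are set, and the Postfix documentation advises leaving them unset unless a server actually demands a client certificate; an empty -o override in master.cf clears a main.cf value for that transport only. The CA file path and the sasl_passwd path are assumptions. Before relying on any certificate in an OpenSSL 3 deployment, `openssl x509 -noout -text -in file.pem | grep 'Signature Algorithm'` on every certificate in the chain shows whether it is signed with MD5 or SHA-1, which security level 1 no longer accepts.

```ini
# main.cf (added example; paths are assumptions)
# Authenticate the relay before handing it SASL credentials.
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/openssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Leave the client certificate unset (the default) unless a server
# actually requires one; a certificate configured here is loaded and
# checked by the TLS library whether or not the server asks for it.
# smtp_tls_cert_file =
# smtp_tls_key_file =

# master.cf: the relay-smtps transport from the thread, with the client
# certificate explicitly cleared for this transport only.
relay-smtps unix  -       -       n       -       -       smtp
  -o smtp_tls_security_level=verify
  -o smtp_tls_wrappermode=yes
  -o smtp_tls_cert_file=
  -o smtp_tls_key_file=
  -o smtp_starttls_timeout=60
  -o smtp_helo_timeout=60
```

After changing master.cf, `postfix reload` and then a test delivery through the transport with `smtp_tls_loglevel = 1` shows in the log whether the handshake completed and which certificate verification result Postfix recorded; the "ca md too weak" line should no longer appear once no client chain is sent. If a particular server does require a client certificate, that transport gets its own `-o smtp_tls_cert_file=` and `-o smtp_tls_key_file=` pointing at a certificate whose whole chain is signed with SHA-256 or stronger, rather than lowering the security level globally.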