Re: Call for testing - uvideo(4)
Would that include the webcam built into last year's models of MacBook Pro? When you buy from Apple, you do not get what you paid for. Instead you get exactly what you got suckered into buying.
Re: 4.3: netstat question
Hi,
On Sat, 14.06.2008 at 01:39:29 +0200, Claudio Jeker [EMAIL PROTECTED] wrote:
> Nope. That is not the problem. The main issue is that a full view will need a lot of memory for the sysctl. This memory needs to be available as real memory because it is wired into the kernel. If you run bgpd with full views on a box with less than 512MB of RAM you'll most probably run out of memory. Theo and I had a look at this and bailing out in this situation is the right thing to do.
thanks for the explanation!
> The right fix is to just spend 50 bucks on 1-2GB of additional RAM.
I'll look into finding appropriate RAM and/or putting that card into a different box.
> c) work around (ugly but works)
>     netstat -rnfinet -M /dev/mem
Nice!
> d) the route sysctl needs to be rewritten to be fully restartable and so small chunks of the table can be fetched one after the other. This is a massive change and it will not happen for the upcoming release.
I'm not sure that I understand the need to copy the table, or parts thereof, correctly. Sure, the table changes all the time. So, the routes viewed when running 'netstat -r' are only a snapshot and may have changed by the time the user views them, anyway. Would it be possible to walk along the live table, without copying the table, or would the continuous stream of route inserts and deletes lead to a corrupted view and/or access to the wrong parts of the system's memory (which must be prevented), or would this be such a performance hit that this is unfeasible?
Kind regards,
--Toni++
OT: App to get detailed http measurements
Hi, This is off topic, but does anyone know of a (preferably command-line) utility with which I could test an HTTP server? What interests me is repeated connections and stats on how long it took for dns resolve, tcp connect, send request and finally download of data. Really appreciate any tips. Thanks.
-- best regards q#
Re: captivating window manager
On Fri, Jun 13, 2008 at 07:48:18PM +, Nicolas Legrand wrote:
> Pieter Verberne [EMAIL PROTECTED] writes:
>> On Fri, Jun 13, 2008 at 10:08:47AM +, Nicolas Legrand wrote:
>>> Igor Zinovik [EMAIL PROTECTED] writes:
>>> I'm moving from dwm to cwm. I think I've never felt so comfortable with a WM, I'm very happy it's in base and I join you to thank the devs. Thanks !
>> Really..? So a tiling window manager was not your thing?
> kind of, though you can use dwm without tiling. I like the idea I don't have to care about sizing or placing the windows. Anyway at the end they were never where I wanted them nor did they have the size I wanted. And I realize having no bits of my screen unused was nice on the paper but didn't meet my needs. So I finally wanted to change.
I'm working almost only full screen. So DWM is not -that- useful for me actually. I had a look on CWM first cause it was in base, and finally I found it more attractive. Taste matters.
( CWM's binary is almost twice the size of DWM:)
    32.0K /usr/bin/dwm
    52.0K /usr/X11R6/bin/cwm
But I really don't know about libraries and memory usage etc. )
What I need is a GNU-Screen-like graphical-window-manager. Smaller than DWM and have a permissive license.
Re: cwm keybindings misbehavior
Daniel B. [EMAIL PROTECTED] writes:
> Hi, I can't get the response desired to some of the default keybindings in cwm. Some of them: M-/, C-/, M-?. With the first and the third, I just hear a beep (or a Wuff!! in screen). The second deletes my window if not in screen, or just Wuff!! in screen. Any hints? Thank you.
I had the same problem on a very old iMac. It was the only computer that had the same problem you have. I could remap the keybindings in .cwmrc, but none of the ASCII characters could be used in a keybinding. Anyway I found a workaround five minutes ago. The big difference between this one and the others is I have a xorg.conf on it with those rules for keyboard:
    Section "InputDevice"
        Identifier "Keyboard0"
        Driver "keyboard"
        Option "Protocol" "standard"
        Option "XkbRules" "xorg"
        Option "XkbModel" "macintosh"
        Option "XkbLayout" "fr"
    EndSection
I launch X, launch an xterm, I don't have the keybindings with fr layout. I usually use the dvorak layout (don't ask), I type 'setxkbmap dvorak' and I don't have the keybindings. I try to comment all lines apart from 'Identifier' and 'Driver' and add 'Option XkbLayout dvorak' and I don't have the keybindings. Finally I just wrote the .xinitrc I wrote on my other machines:
    setxkbmap dvorak
    cwm
And it works. Going back to fr with 'setxkbmap fr' doesn't work, going back to dvorak layout after and keybindings still work. Writing fr in place of dvorak in .xinitrc makes keybindings work for fr, but if I change keybindings to dvorak after cwm is launched it doesn't work anymore. Change your layout in .xinitrc before launching cwm, don't change your layout after: that's my workaround. Understanding truly why? is yet beyond my skills (though I'd be interested in answers). I hope this description will tip people with skills and knowledge on real solutions :-).
Re: Call for testing - uvideo(4)
On 2008-06-14, Lars Noodin [EMAIL PROTECTED] wrote:
> I see on undeadly a call for testing uvideo(4) in CURRENT which seems to require UVC (USB Video Class) compatible webcams. Would that include the webcam built into last year's models of MacBook Pro? What options, if any, are there for IEEE 1394? I have one such web cam lying around.
There has been a post on this list one or two days ago where somebody asked about the support of iSight cameras. Unfortunately it seems like these cameras do not comply with the usb video standard. I don't know if this applies to your cam, too, but chances are that yes...
Jona
-- Pond-erosa Puff wouldn't take no guff Water oughta be clean and free So he fought the fight and he set things right With his OpenBSD
Re: captivating window manager
--- Pieter Verberne [EMAIL PROTECTED] wrote:
> I'm working almost only full screen. So DWM is not -that- useful for me actually. I had a look on CWM first cause it was in base, and finally I found it more attractive. Taste matters.
> ( CWM's binary is almost twice the size of DWM:)
>     32.0K /usr/bin/dwm
>     52.0K /usr/X11R6/bin/cwm
> But I really don't know about libraries and memory usage etc. )
> What I need is a GNU-Screen-like graphical-window-manager. Smaller than DWM and have a permissive license.
Do you know 'ratpoison' [0]? It's not under a permissive license nor smaller than dwm, but it's GNU-Screen-like. If you plan to develop a window manager which is GNU-Screen-like, smaller than dwm and under a permissive license, then drop me a line as I'd be really interested.
[0] http://www.nongnu.org/ratpoison/
4.3/amd64 install failure
When trying to install OpenBSD 4.3/amd64 on a PC (cpu: AMD 64 X2, board: Asus M2N SLI Deluxe), the system hangs at the (I)nstall (U)pgrade etc. prompt. I can't provide the complete dmesg because it scrolls by too fast for me to write down, but the last couple of lines are:
    isa0 at mainbus0
    com0 at isa0 port 0x3f8/8 irq4: ns16550a, 16 byte fifo
    pckbc0 at isa0 port 0x60/5
    kbc: cmd word write error
    rd0: fixed, 4480 blocks
    root on rd0a swap on rd0b dump on rd0b
    erase ^?, werase ^W, kill ^U, intr ^C, status ^T
    (I)nstall, (U)pgrade or (S)hell?
The marked line made me think of a keyboard error, but I've tried several keyboards (PS/2, USB, wired, wireless) and it doesn't make any difference. Also, the keyboards all work fine during BIOS setup, at the boot prompt and in the kernel config editor thingy. Any thoughts?
Alphons
-- If riding in an airplane is flying, then riding in a boat is swimming. If you want to experience the element, get out of the vehicle.
usb gamepads
Do they work on OpenBSD? I don't see any mention of them in the FAQ or man pages. It looks like some of the ports (generator, zsnes, xmame) link against usbhid, but others (snes9x) don't. Any hardware recommendations? -- Stephen Takacs [EMAIL PROTECTED] http://perlguru.net/ 4149 FD56 D078 C988 9027 1EB4 04CC F80F 72CB 09DA
Re: OT: App to get detailed http measurements
I've had good results with SIEGE http://www.joedog.org/
/Pete
On 14 Jun 2008, at 12:55, Mikolaj Kucharski wrote:
> Hi, This is off topic, but does anyone know of a (preferably command-line) utility with which I could test an HTTP server? What interests me is repeated connections and stats on how long it took for dns resolve, tcp connect, send request and finally download of data. Really appreciate any tips. Thanks.
> -- best regards q#
Re: cwm keybindings misbehavior
I can't get the response desired to some of the default keybindings in cwm. one interesting one i have found is that M-down will not work on firefox if there are tabs/multiple pages open. +-+ Glenn Becker - [EMAIL PROTECTED] SDF Public Access UNIX System - http://sdf.lonestar.org +-+
Re: usb gamepads
On Sat, 14 Jun 2008, Stephen Takacs wrote: Do they work on OpenBSD? I don't see any mention of them in the FAQ or man pages. It looks like some of the ports (generator, zsnes, xmame) link against usbhid, but others (snes9x) don't. Any hardware recommendations? I have some cheap usb gamepad that won't work: uhidev0 at uhub0 port 2 configuration 1 interface 0 GreenAsia Inc. USB Joystick rev 1.00/1.07 addr 2 It wasn't expensive, just couple of bucks, so I don't mind :-) (http://www.dealextreme.com/details.dx/sku.3683) My friend has gamepad with dualshock which works: http://www.dealextreme.com/details.dx/sku.618 -- Antti Harri
Re: captivating window manager
>> What I need is a GNU-Screen-like graphical-window-manager. Smaller than DWM and have a permissive license.
> Do you know 'ratpoison' [0]? It's not under a permissive license nor smaller than dwm, but it's GNU-Screen-like. If you plan to develop a window manager which is GNU-Screen-like, smaller than dwm and under a permissive license, then drop me a line as I'd be really interested.
PWM is the tiniest WM I've never seen, you can use the tabs which is a bit as screen. Licences though are rather restrictive (GPLv2, Clarified Artistic License). http://modeemi.fi/~tuomov/ion/pwm.html
Re: pfctl -s labels vs netstat -I interface -b
Hi, On Tue, 05.06.2007 at 17:30:47 +0200, Stefan Castille [EMAIL PROTECTED] wrote: dmesg will follow as soon as i can reboot one of these machines look at /var/run/dmesg.boot. That might be what you're looking for. Kind regards, --Toni++
Re: pf.conf comment lines
2008/6/14 Philip Guenther [EMAIL PROTECTED]: Sadly, this varies among languages and file-formats. You just have to know how the one you're working in behaves. So, when in doubt, comment every line that needs to be comment out, should work in almost all cases? -- This e-mail may be confidential. You may not copy, forward, distribute, or, use any part of it. Note, this text has no effective legal binding on your part. There is no obligation to abide any or all parts of this, just as any texts appended to e-mail on rest of the Internet. For more information about disclaimers, please see: http://www.goldmark.org/jeff/stupid-disclaimers/
Re: captivating window manager
On Sat, Jun 14, 2008 at 05:59:26AM -0700, F. Caulier wrote:
> --- Pieter Verberne [EMAIL PROTECTED] wrote:
>> I'm working almost only full screen. So DWM is not -that- useful for me actually. I had a look on CWM first cause it was in base, and finally I found it more attractive. Taste matters.
>> ( CWM's binary is almost twice the size of DWM:)
>>     32.0K /usr/bin/dwm
>>     52.0K /usr/X11R6/bin/cwm
>> But I really don't know about libraries and memory usage etc. )
>> What I need is a GNU-Screen-like graphical-window-manager. Smaller than DWM and have a permissive license.
> Do you know 'ratpoison' [0]? It's not under a permissive license nor smaller than dwm, but it's GNU-Screen-like.
I've seen the name ratpoison many times before, but when I see it is GPL I don't look further for that WM.
> If you plan to develop a window manager which is GNU-Screen-like, smaller than dwm and under a permissive license, then drop me a line as I'd be really interested.
Right.. I think I'll plan to learn coding some day..
Re: cwm keybindings misbehavior
On Sat, Jun 14, 2008 at 02:09:38PM +, Glenn Becker wrote: one interesting one i have found is that M-down will not work on firefox if there are tabs/multiple pages open. I always configure my window managers to use the Windows key (i.e. Mod4) rather than Control or Alt (i.e. Meta). This prevents conflicts with the applications that are being managed by the window manager--since ordinary applications, like Firefox, don't use the Windows key. Note, I was told by one of the Fluxbox developers that I need to add the following line xmodmap -e 'add Mod4 = Super_L' to my .xinitrc file if I want the Windows key to be well-behaved, but I don't understand the reason why.
libc.so Problem with snapshot from 14 June
Good day everyone,
I tried today to upgrade to the snapshot of the 14 June. All went fine as usual. Before I used a snapshot from hmm about a month ago (don't remember correctly). After a final reboot xdm did no longer start with an error message of a missing libc.so.45.0. After some investigation there was in fact really no .45.0 - only .43.0 and .46.0. A quick (and dirty) 'ln' solved the issue though... Don't know if I made a mistake or if there's something wrong with the snapshot. Maybe someone can clarify on this topic.
Thank you very much
Earin
Re: cwm keybindings misbehavior
one interesting one i have found is that M-down will not work on firefox if there are tabs/multiple pages open. I always configure my window managers to use the Windows key (i.e. Mod4) rather than Control or Alt (i.e. Meta). This prevents conflicts with the applications that are being managed by the window manager--since ordinary applications, like Firefox, don't use the Windows key. i subsequently discovered this was my own mistake - M-down _does_ work okay with tabbed Firefox. apologies. +-+ Glenn Becker - [EMAIL PROTECTED] SDF Public Access UNIX System - http://sdf.lonestar.org +-+
Re: cwm keybindings misbehavior
On Sat, Jun 14, 2008 at 03:37:57PM +, Matthew Szudzik wrote:
> Note, I was told by one of the Fluxbox developers that I need to add the following line
>     xmodmap -e 'add Mod4 = Super_L'
> to my .xinitrc file if I want the Windows key to be well-behaved, but I don't understand the reason why.
I've done a little Googling, and apparently this is a workaround for a bug in the X.org keycodes. See http://modeemi.fi/~tuomov/ion/faq/entries/Modifier_releases.html
Re: libc.so Problem with snapshot from 14 June
On Sat, Jun 14, 2008 at 06:21:35PM +0200, Earin Gregor wrote:
> Good day everyone, I tried today to upgrade to the snapshot of the 14 June. All went fine as usual. Before I used a snapshot from hmm about a month ago (don't remember correctly). After a final reboot xdm did no longer start with an error message of a missing libc.so.45.0. After some investigation there was in fact really no .45.0 - only .43.0 and .46.0
You are mistaken. There's been a .45.0 for a few weeks. The last bump was yesterday, it takes some time for new X snaps to be made.
> A quick (and dirty) 'ln' solved the issue though...
this might work in this case, but is discouraged strongly in general.
-Otto
Re: libc.so Problem with snapshot from 14 June
On Sat, Jun 14, 2008 at 06:21:35PM +0200, Earin Gregor wrote:
> Good day everyone, I tried today to upgrade to the snapshot of the 14 June. All went fine as usual. Before I used a snapshot from hmm about a month ago (don't remember correctly). After a final reboot xdm did no longer start with an error message of a missing libc.so.45.0. After some investigation there was in fact really no .45.0 - only .43.0 and .46.0
The snapshot X sets were built independently from the other sets and often may lag behind, e.g. on sparc64 they are still from May 29th. c.43.0 is the version from -release. Your X sets were built when c.45.0 was the actual version. Your (non-X) sets already use c.46.0.
> A quick (and dirty) 'ln' solved the issue though... Don't know if I made a mistake or if there's something wrong with the snapshot. Maybe someone can clarify on this topic.
You may build X from source to resolve your problem or hope for a new X snapshot appearing in the next days. You may install snapshots a bit more often.
> Thank you very much Earin
Regards, Markus
Re: libc.so Problem with snapshot from 14 June
Thank you Markus and Otto for your quick answers. That clarifies a lot!
Re: OpenSSL On Openbsd help
On Sat, 14 Jun 2008, Khalid Schofield wrote:
> Hi, I need to get a proper signed ssl certificate for my ecommerce website hosted on my openbsd box. Getting confused as most websites describe how to do this in many different ways and most refer to self signed certificates. Wanted to ask the experts before I go and throw $100 at the task.
First, I'd recommend that you spend a little time reading up on X.509 certificates and how they relate to public key cryptography. There are nasty consequences if you get things wrong that extend well past wasting $100 on a certificate you can't use.
> So do I have to use pass phrases when generating the certificate? If I use a pass phrase why? How does it affect the certificate and its use?
Certificates don't have passphrases, private keys do. A key passphrase gives some measure of protection should the file containing your key fall into someone else's hands, e.g. by compromising your server. If your private key is disclosed, an attacker could impersonate your server.
> Also if I use a pass phrase do I have to tell apache about it? Does it go in a config or do I have to enter it when reloading apache?
Putting it in a configuration file would defeat the purpose, no? Yes, if you use a passphrase then you need to tell Apache about it every time it is reloaded. For this reason, many web servers do not set passphrases on their keys.
> Also what command do you use to do this? Please tell all :)
    openssl req
OpenSSL is complex and patchily documented, it assumes that its users are quite familiar with x.509 certificates and public key cryptography. There are some frontends that make things more simple, and some good guides on the net. Try typing "openssl certificate" into your favourite search engine for a few.
> One last thing who would you recommend to sign my csr?
Go for the cheapest certification authority that is supported by Firefox and Internet Explorer. Do not be fooled by any claims of premium certification as the overwhelming majority of users do not check the CA details.
> Thanks sorry for the stupid questions but I've never done this before and risked my actual money (only the company's).
Like I said, risking $100 on a dud cert is the least of your worries.
-d
Re: 4.3: netstat question
* Toni Mueller [EMAIL PROTECTED] [2008-06-14 11:29]:
> Would it be possible to walk along the live table, without copying the table, or would the continuous stream of route inserts and deletes lead to a corrupted view and/or access to the wrong parts of the system's memory (which must be prevented), or would this be such a performance hit that this is unfeasible?
userland can walk a kernel table since when exactly? (leave dirty /dev/mem style hacks aside)
-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: OpenSSL On Openbsd help
Khalid Schofield wrote:
> So do I have to use pass phrases when generating the certificate? If I use a pass phrase why? How does it affect the certificate and its use? Also if I use a pass phrase do I have to tell apache about it? Does it go in a config or do I have to enter it when reloading apache?
You do not need a pass phrase, in fact usually a pass phrase will prevent apache from starting until you respond to the prompt to enter the pass phrase. If your server is going to be somewhere where there might be a power outage, or rebooted by someone who does not have the pass phrase it's generally a big headache. That being said, if there is a risk that someone could read your private key off your webserver, either by physically stealing the server or an untrusted admin, a pass phrase isn't a bad idea. But in this case you have to consider what else would be compromised, and if it's easier just to revoke that cert and get another one. My recommendation would be to not use a pass phrase for SSL services, but use a passphrase for a certificate that you use to sign other certificates: i.e. VPN user authentication, authenticating SSL users by issuing them each their own certificate, or similar.
The process of setting up a signed cert is as follows:
1. Generate your private key and secure file permissions (you want to do this in a secure fashion, i.e. on the box directly as a root or a private user). Guard this file: if it is compromised the security SSL provides is compromised:
    openssl genrsa -out secure.example.com.key 4096
    chmod 400 secure.example.com.key
2. Generate your certificate signing request (CSR). You will be prompted to answer a bunch of questions: country, state, location, organization, organization unit, common name and email address. Answer these accurately or else the certificate authority will not sign your key. There is one of special note: Common Name (CN) needs to be the exact domain name of your SSL site, i.e. secure.example.com in this example:
    openssl req -new -nodes -key secure.example.com.key -out secure.example.com.csr
3. Send the CSR (you can open the file and copy and paste the contents into an email, or the certificate authority's website) to the certificate authority along with whatever other documentation they require (their job is to verify you are who you are requesting a certificate for before signing the key, they usually require some proof of domain ownership and everything else you entered in step 2).
4. You will then receive your signed certificate. You can either keep the certificate in a separate file from your private key, or cat them together to make a .pem file:
    cat secure.example.com.key secure.example.com.cert > secure.example.com.pem; chmod 400 secure.example.com.pem
Configure apache to use your new cert and key:
    SSLCertificateFile /etc/ssl/secure.example.com.cert
    SSLCertificateKeyFile /etc/ssl/secure.example.com.key
- or -
    SSLCertificateFile /etc/ssl/secure.example.com.pem
Since apache is chrooted, have to restart it to read the new key and certificate.
Dustin Lundquist
Re: openbgp: operation not permitted
2008/6/13 Claudio Jeker [EMAIL PROTECTED]:
> On Fri, Jun 13, 2008 at 12:47:26PM -0700, Lu Vo wrote:
>> Greetings, I set up 2 routers running openbgpd. The first one is working well. The 2nd one is not. I am seeing these errors in the syslog
>> Jun 13 14:18:13 router2 bgpd[9453]: neighbor xxx.191.188.137: write error: Operation not permitted
>> Jun 13 14:22:23 router2 bgpd[9453]: neighbor xxx.191.188.137: connect: Operation not permitted
> Smells like a pf block rule hitting you.
First thing I checked. Also disabled it just to make sure. It is not pf
Thanks
Re: pf.conf comment lines
On Sat, Jun 14, 2008 at 8:58 AM, Sunnz [EMAIL PROTECTED] wrote:
> 2008/6/14 Philip Guenther [EMAIL PROTECTED]:
>> Sadly, this varies among languages and file-formats. You just have to know how the one you're working in behaves.
> So, when in doubt, comment every line that needs to be comment out, should work in almost all cases?
The ambiguous case is a comment line that ends with a backslash, so commenting out all the lines in a group of continued lines works in all cases, yes. (Beware how you phrase things: "comment every line that needs to be comment[ed] out" is a tautology, as the meaning of "needs to be commented out" depends on the file format, which isn't what you wanted to ask...)
Philip Guenther
Re: OpenSSL On Openbsd help
On Sat, 14 Jun 2008, Chris Kuethe wrote:
> On 6/14/08, Khalid Schofield [EMAIL PROTECTED] wrote:
>> One last thing who would you recommend to sign my csr?
> I got my cert through godaddy. ~$20. took about 4hrs, start to finish...
I started looking at godaddy and almost bought a 4 year certificate but the website seemed full of rubbish. Cluttered with adverts and you don't seem to just be able to order your certificate. You mess around creating an account, then entering your address and credit card which they store finally allowing you to buy the certificate after 10 minutes of faffing around. They're cheap though so I'll probably buy through them.
> i'm not sure i *recommend* godaddy - nothing about the transaction made me say i'd never use anyone else or i'd never use them again, but they did an adequate job at providing a cert that works with firefox and IE.
Have you had problems with godaddy yet? Anything to say other than so so?
> CK
> -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: OpenSSL On Openbsd help
This is REALLY useful. Thanks. Gets right to the matter! Although this will fix my issue the other people's replies are an interesting insight and I shall follow advice and read about how x509 works.
On Sat, 14 Jun 2008, Dustin Lundquist wrote:
> Khalid Schofield wrote:
>> So do I have to use pass phrases when generating the certificate? If I use a pass phrase why? How does it affect the certificate and its use? Also if I use a pass phrase do I have to tell apache about it? Does it go in a config or do I have to enter it when reloading apache?
> You do not need a pass phrase, in fact usually a pass phrase will prevent apache from starting until you respond to the prompt to enter the pass phrase. If your server is going to be somewhere where there might be a power outage, or rebooted by someone who does not have the pass phrase it's generally a big headache. That being said, if there is a risk that someone could read your private key off your webserver, either by physically stealing the server or an untrusted admin, a pass phrase isn't a bad idea. But in this case you have to consider what else would be compromised, and if it's easier just to revoke that cert and get another one. My recommendation would be to not use a pass phrase for SSL services, but use a passphrase for a certificate that you use to sign other certificates: i.e. VPN user authentication, authenticating SSL users by issuing them each their own certificate, or similar.
> The process of setting up a signed cert is as follows:
> 1. Generate your private key and secure file permissions (you want to do this in a secure fashion, i.e. on the box directly as a root or a private user). Guard this file: if it is compromised the security SSL provides is compromised:
>     openssl genrsa -out secure.example.com.key 4096
>     chmod 400 secure.example.com.key
> 2. Generate your certificate signing request (CSR). You will be prompted to answer a bunch of questions: country, state, location, organization, organization unit, common name and email address. Answer these accurately or else the certificate authority will not sign your key. There is one of special note: Common Name (CN) needs to be the exact domain name of your SSL site, i.e. secure.example.com in this example:
>     openssl req -new -nodes -key secure.example.com.key -out secure.example.com.csr
> 3. Send the CSR (you can open the file and copy and paste the contents into an email, or the certificate authority's website) to the certificate authority along with whatever other documentation they require (their job is to verify you are who you are requesting a certificate for before signing the key, they usually require some proof of domain ownership and everything else you entered in step 2).
> 4. You will then receive your signed certificate. You can either keep the certificate in a separate file from your private key, or cat them together to make a .pem file:
>     cat secure.example.com.key secure.example.com.cert > secure.example.com.pem; chmod 400 secure.example.com.pem
> Configure apache to use your new cert and key:
>     SSLCertificateFile /etc/ssl/secure.example.com.cert
>     SSLCertificateKeyFile /etc/ssl/secure.example.com.key
> - or -
>     SSLCertificateFile /etc/ssl/secure.example.com.pem
> Since apache is chrooted, have to restart it to read the new key and certificate.
> Dustin Lundquist
Re: OpenSSL On Openbsd help
Hi! Even if I'm not the OP, this is a good guide... Cool.
On Sat, Jun 14, 2008 at 10:42:37AM -0700, Dustin Lundquist wrote:
> [...] The process of setting up a signed cert is as follows:
> 1. Generate your private key and secure file permissions (you want to do this in a secure fashion, i.e. on the box directly as a root or a private user). Guard this file: if it is compromised the security SSL provides is compromised:
>     openssl genrsa -out secure.example.com.key 4096
>     chmod 400 secure.example.com.key
Before all that: umask 077, so there'll be no window of time when the key will be group/world readable.
> [...]
> 3. Send the CSR (you can open the file and copy and paste the contents into an email, or the certificate authority's website) to the certificate authority along with whatever other documentation they require (their job is to verify you are who you are requesting a certificate for before signing the key, they usually require some proof of domain ownership and everything else you entered in step 2).
> 4. You will then receive your signed certificate. You can either keep the certificate in a separate file from your private key, or cat them together to make a .pem file:
>     cat secure.example.com.key secure.example.com.cert > secure.example.com.pem; chmod 400 secure.example.com.pem
> Configure apache to use your new cert and key:
>     SSLCertificateFile /etc/ssl/secure.example.com.cert
>     SSLCertificateKeyFile /etc/ssl/secure.example.com.key
> - or -
>     SSLCertificateFile /etc/ssl/secure.example.com.pem
Again, before the cat, use umask 077, for the same reason.
> Since apache is chrooted, have to restart it to read the new key and certificate.
> Dustin Lundquist
Again, thanks for the cool explanations and step-by-step kind of guide. Will probably be helpful for more than the original poster.
Kind regards, Hannah.
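Added example (not part of the thread, and not any poster's own script): steps 1, 2 and 4 of Dustin Lundquist's guide with Hannah's umask 077 advice applied first, plus two checks before Apache is pointed at the files: that the CSR verifies and carries the intended CN, and that the certificate holds the same public key as the private key. The subject fields, the function names, the 2048-bit demo key and the self-signed stand-in certificate are assumptions made so it runs offline.

```shell
#!/bin/sh
# Added example. Hostname and subject fields are placeholders; the stand-in
# certificate exists only so the checks can run without a CA.

# new_key_and_csr DIR HOST [BITS]: steps 1 and 2, with umask set first.
new_key_and_csr() (
    umask 077                  # key is never group/world readable, even briefly
    cd "$1" || exit 1
    openssl genrsa -out "$2.key" "${3:-4096}" 2>/dev/null || exit 1
    chmod 400 "$2.key"
    # -subj answers the prompts non-interactively; CN must be the site name.
    openssl req -new -key "$2.key" -out "$2.csr" \
        -subj "/C=US/ST=Example/L=Example/O=Example Org/CN=$2"
)

# csr_cn CSR: print the CN, but only if the request's self-signature verifies.
# The exit status of -verify differs between OpenSSL versions, so match text.
csr_cn() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# key_matches_cert KEY CERT: true when both carry the same public key.
key_matches_cert() {
    kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_crt" ]
}

# bundle_pem DIR HOST: the optional key+cert bundle of step 4, under umask 077.
bundle_pem() (
    umask 077
    cd "$1" || exit 1
    cat "$2.key" "$2.cert" > "$2.pem" && chmod 400 "$2.pem"
)

# file_mode FILE: permission bits in octal (GNU stat first, then BSD stat).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# standin_cert DIR HOST: self-sign the CSR for one day so the checks have a
# certificate to look at. A real deployment uses the file the CA returns.
standin_cert() (
    cd "$1" || exit 1
    openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 1 \
        -out "$2.cert" 2>/dev/null
)

# Demo in a scratch directory; 2048 bits only to keep the run short.
demo() {
    d=$(mktemp -d) || return 1
    h=secure.example.com
    new_key_and_csr "$d" "$h" 2048 && standin_cert "$d" "$h" && bundle_pem "$d" "$h"
    echo "key mode: $(file_mode "$d/$h.key")  pem mode: $(file_mode "$d/$h.pem")"
    echo "CSR CN:   $(csr_cn "$d/$h.csr")"
    key_matches_cert "$d/$h.key" "$d/$h.cert" && echo "key matches certificate"
    rm -rf "$d"
}
demo
```

With a CA-issued certificate, skip standin_cert and run key_matches_cert against the file the CA returned before restarting Apache.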
Re: OpenSSL On Openbsd help
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Khalid Schofield
Sent: Saturday, June 14, 2008 12:34
To: misc@openbsd.org
Subject: OpenSSL On Openbsd help
Hi, I need to get a proper signed ssl certificate for my ecommerce website hosted on my openbsd box. Getting confused as most websites describe how to do this in many different ways and most refer to self signed certificates. Wanted to ask the experts before I go and throw $100 at the task. So do I have to use pass phrases when generating the certificate? If I use a pass phrase why? How does it affect the certificate and its use? Also if I use a pass phrase do I have to tell apache about it? Does it go in a config or do I have to enter it when reloading apache? Also what command do you use to do this? Please tell all :) One last thing who would you recommend to sign my csr? Thanks sorry for the stupid questions but I've never done this before and risked my actual money (only the company's). For info. I'm integrating google checkout into my website to do payments. Not done this before but paypal is charging me an arm and a leg.
Khalid
==
If, as you've indicated, you're going to use the cert for e-commerce, then self-signed is NOT the way to go. FREE, no cost, non-testing, one-year SSLs are available from http://cert.startcom.org. startcom's root CA is recognized by the major browsers and should satisfy your needs. There is a registration process -- startcom must be convinced that you control the domains and then sites that you're applying to get certs for. This can take a bit of time and there are a few pre-requisites. Also, if it matters to you, startcom is not North American.
/S
Re: in-kernel pppoe problems
Hello,
sorry, version 4.1 and 4.2. Thanks for your reply, I'll check that.
Regards
Hagen Volpers
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pierre Riteau
Sent: Saturday, 14 June 2008 00:28
To: misc(at)openbsd.org
Cc: misc@openbsd.org
Subject: Re: in-kernel pppoe problems
On Fri, Jun 13, 2008 at 11:24:32PM +0200, misc(at)openbsd.org wrote:
> Hello, it looks like the in-kernel pppoe causes systems to hang up sometimes. I tested with two systems (completely different hardware) and two different dsl-modems (I'm from Germany - standard tcom modems). Did someone else notice such problems? Here is my hostname.pppoe0:
>     #cat /etc/hostname.pppoe0
>     inet 0.0.0.0 255.255.255.255 NONE \
>         pppoedev bge1 authproto pap \
>         authname 'USERNAME' authkey 'PASSWORD' up
>     dest 0.0.0.1
>     !/sbin/route add default 0.0.0.1
>     # cat /etc/hostname.bge1
>     up
> Here is the output from the kernel panic: cached lines from terminal server:
>     ddb{0} start of buffer
>     13/6/2008 11:49:39pppoe0: LCP keepalive timeout
>     13/6/2008 11:49:39kernel: page fault trap, code=0
>     13/6/2008 11:49:41Stopped at softclock+0x2d: movl %edx,0x4(%eax)
>     13/6/2008 11:49:41ddb{0}
>     13/6/2008 18:29:27ddb{0} end of buffer
You don't provide information about which version of OpenBSD you are running. Anyway, this seems identical to PR 5794 which was fixed in -current on May 17.
Re: usb gamepads
On Sat, Jun 14, 2008 at 09:33:01AM -0400, Stephen Takacs wrote: Hi! Do they work on OpenBSD? I don't see any mention of them in the FAQ or man pages. Not exactly the same, but a few days ago I tested a USB wheel (http://www.speed-link.com/?p=2cat=314pid=1804paus=1) and it worked. uhidev0 at uhub3 port 1 configuration 1 interface 0 AMPAQ ?USB Steering Wheel\^O\^O\^O\^E\^O\^O\^G\^F\^O USB Steering Wheel rev 1.00/1.00 addr 2 uhidev0: iclass 3/0 uhid0 at uhidev0: input=7, output=7, feature=0 It was possible to record events using usbhidctl -lv and at least bzflag-2.0.8p3 from ports worked. -- rix http://www.ripe.net/perl/[EMAIL PROTECTED]
Re: snmpd
I get:

SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::mib-2
SNMPv2-MIB::sysORID.2 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.3 = OID: SNMPv2-MIB::snmp
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-SMI::mib-2.17
SNMPv2-MIB::sysORID.5 = OID: IF-MIB::ifMIB
SNMPv2-MIB::sysORID.6 = OID: SNMPv2-SMI::enterprises.30155.2

Or more importantly, are HOST-RESOURCES-MIB and UCD-DISKIO-MIB supported? Also, PF-MIB. ~BAS

I guess this means HOST-RESOURCES-MIB::hrStorageTable and UCD-DISKIO-MIB::diskIOTable are not loaded? How can I load them? Tnx in advance, Tim

- Original Message From: Brian A. Seklecki [EMAIL PROTECTED] To: Tim Kuijsten [EMAIL PROTECTED] Cc: misc@openbsd.org Sent: Friday, May 9, 2008 1:35:46 AM Subject: Re: snmpd

On Thu, 2008-05-08 at 15:22 -0700, Tim Kuijsten wrote: It looks like there is no info about disk usage, memory usage, load and other sensor stuff. I have no clue where to find the mibs (locate mib or locate .txt | grep snmp have no results) or how to load them.. That's all in HOST-RESOURCES-MIB and UCD-DISKIO-MIB Try:

$ snmptable -v2c -c [comm] [host] HOST-RESOURCES-MIB::hrStorageTable
$ snmptable -v2c -c [comm] [host] UCD-DISKIO-MIB::diskIOTable

The sensor stuff should be committed into the Ports version of Net-SNMP by now. I can get it committed to Pkgsrc if not. It's just not been at the top of my priority list. -- Brian A. Seklecki Collaborative Fusion, Inc.

-- Brian A. Seklecki [EMAIL PROTECTED] Collaborative Fusion, Inc.
Re: 4.3: netstat question
On Sat, Jun 14, 2008 at 1:11 PM, Henning Brauer [EMAIL PROTECTED] wrote: * Toni Mueller [EMAIL PROTECTED] [2008-06-14 11:29]: Would it be possible to walk along the live table, without copying the table, or would the continuous stream of route inserts and deletes lead to a corrupted view and/or access to the wrong parts of the system's memory (which must be prevented), or would this be such a performance hit that this is unfeasible? userland can walk a kernel table since when exactly? (leave dirty /dev/mem style hacks aside) If the kernel table is kept in an ordered state, userland could provide a starting value or key. The kernel can then return the requested chunk (up to the size requested) starting at the next table item that comes after the key. Also depends if you're willing to let netstat display routes that may appear inconsistent. Just thinking off the top of my head for ways to avoid allocating the whole table at once. Apologies if it's too gross an API change or has other, worse repercussions. --david
Re: OpenSSL On Openbsd help
Khalid, A certificate bought from a trusted Certificate Authority simply means a client can verify the certificate's validity through a third party. This does not mean the web page data is securely encrypted, does not mean the data on the site is valid and does not mean that the data can not be compromised on the client or server machines. A basic SSL certificate says that the person or persons who bought the certificate are the same person or persons that own the domain. This is the simplest check done by the Certificate Authority when a certificate request (purchase) is made. The more expensive certs require that the company ordering the certificate verify their legal credentials. This may mean they have to FAX proof of their physical location, their business status (INC, CO, etc.) and contact information to the Certificate Authority and comply with an investigation. This extended verification (EV) process is expensive and can take weeks to complete. I agree that an expensive SSL cert is only worth the money if the name of the certificate authority means anything to the clients contacting your site. 99.9% of the people do not know or care what a CA is. Hope this helps. Guide to SSL Certificates https://calomel.org/ssl_certs.html -- Calomel @ https://calomel.org Open Source Research and Reference On Sun, Jun 15, 2008 at 03:02:48AM +1000, Damien Miller wrote: On Sat, 14 Jun 2008, Khalid Schofield wrote: Hi, I need to get a proper signed ssl certificate for my ecommerce website hosted on my openbsd box. Getting confused as most websites describe how to do this in many different ways and most refer to self signed certificates. Wanted to ask the experts before I go and throw $100 at the task. First, I'd recommend that you spend a little time reading up on X.509 certificates and how they relate to public key cryptography. There are nasty consequences if you get things wrong that extend well past wasting $100 on a certificate you can't use.
So do I have to use pass phrases when generating the certificate? If I use a pass phrase why? How does it affect the certificate and its use? Certificates don't have passphrases, private keys do. A key passphrase gives some measure of protection should the file containing your key fall into someone else's hands, e.g. by compromising your server. If your private key is disclosed, an attacker could impersonate your server. Also if I use a pass phrase do I have to tell apache about it? Does it go in a config or do I have to enter it when reloading apache? Putting it in a configuration file would defeat the purpose, no? Yes, if you use a passphrase then you need to tell Apache about it every time it is reloaded. For this reason, many web servers do not set passphrases on their keys. Also what command do you use to do this? Please tell all :) openssl req OpenSSL is complex and patchily documented, it assumes that its users are quite familiar with x.509 certificates and public key cryptography. There are some frontends that make things more simple, and some good guides on the net. Try typing openssl certificate into your favourite search engine for a few. One last thing who would you recommend to sign my csr? Go for the cheapest certification authority that is supported by Firefox and Internet Explorer. Do not be fooled by any claims of premium certification as the overwhelming majority of users do not check the CA details. Thanks sorry for the stupid questions but I've never done this before and risked my actual money (only the companies). Like I said, risking $100 on a dud cert is the least of your worries. -d
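The point made in the reply above (the passphrase protects the private key file, not the certificate or the request, and "openssl req" builds the CSR), as an added example that is not part of the original thread. The host name shop.example.com, the passphrase and the file names are constructed sample values.

```shell
#!/bin/sh
# Added example; shop.example.com, the passphrase and the file names are
# constructed sample values. Everything lives in a throwaway directory.
# "pass:" on the command line is visible in the process list: demo use only.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
PASS='constructed-sample-passphrase'

# One RSA key pair, stored unencrypted: a server can load it unattended,
# so file permissions (umask 077) are its only protection.
make_key() {            # make_key <out>
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null )
}

# The same key pair written out again under AES-256 passphrase encryption.
protect_key() {         # protect_key <in> <out> <passphrase>
    ( umask 077 && openssl pkey -in "$1" -aes256 -passout "pass:$3" -out "$2" )
}

# An encrypted PEM key says so in its header (PKCS#8 or traditional form).
key_is_encrypted() {    # key_is_encrypted <key>
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# Can the key be loaded with this passphrase? A web server faces the same
# question on every start or reload.
can_load_key() {        # can_load_key <key> <passphrase>
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Build the CSR with "openssl req"; the passphrase only unlocks the key
# long enough to sign the request.
make_csr() {            # make_csr <key> <passphrase> <out>
    openssl req -new -key "$1" -passin "pass:$2" \
        -subj "/CN=shop.example.com" -out "$3" 2>/dev/null
}

# The CSR holds only the public half and is readable with no passphrase.
csr_pubkey()   { openssl req -in "$1" -noout -pubkey 2>/dev/null; }
csr_verifies() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }
key_pubkey()   { openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null; }

make_key "$WORK/plain.key"
protect_key "$WORK/plain.key" "$WORK/enc.key" "$PASS"
make_csr "$WORK/enc.key" "$PASS" "$WORK/shop.csr"

key_is_encrypted "$WORK/enc.key" && echo "enc.key: passphrase-protected"
can_load_key "$WORK/enc.key" "wrong-guess" || echo "enc.key: useless without the passphrase"
csr_verifies "$WORK/shop.csr" && echo "shop.csr: verifies with no passphrase"
[ "$(csr_pubkey "$WORK/shop.csr")" = "$(key_pubkey "$WORK/plain.key" unused)" ] &&
    echo "shop.csr: same public key as the unencrypted copy"
```

For a real request, leave out -passin and -passout so that openssl prompts for the passphrase instead of taking it from the command line.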
Re: OpenSSL On Openbsd help
On 2008-06-14, General Delivery [EMAIL PROTECTED] wrote: If, as you've indicated, you're going to use the cert for e-commerce, then self-signed is NOT the way to go. FREE, no cost, non-testing, one-year SSLs are available from http://cert.startcom.org. StartCom's root CA is recognized by the major browsers and should satisfy your needs. major browsers in the case of Startcom's free certificate means Firefox and Safari. Internet Explorer does not have their root key.
Re: 4.3: netstat question
* David Higgs [EMAIL PROTECTED] [2008-06-15 01:59]: On Sat, Jun 14, 2008 at 1:11 PM, Henning Brauer [EMAIL PROTECTED] wrote: * Toni Mueller [EMAIL PROTECTED] [2008-06-14 11:29]: Would it be possible to walk along the live table, without copying the table, or would the continuous stream of route inserts and deletes lead to a corrupted view and/or access to the wrong parts of the system's memory (which must be prevented), or would this be such a performance hit that this is unfeasible? userland can walk a kernel table since when exactly? (leave dirty /dev/mem style hacks aside) If the kernel table is kept in an ordered state, userland could provide a starting value or key. The kernel can then return the requested chunk (up to the size requested) starting at the next table item that comes after the key. wow. you completely miss the point. userland cannot poke in kernel memory. (footnote: ok, it can, but assuming it can't is better) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Get rid of windows limit in 'window'?
I just discovered 'window' in base, a very useful tool! I used to install 'screen' to get a terminal multiplexer, but I found 'window', which gives me multiplexing without 'screen's' bloat and restrictive license. Just two questions: Is there an example.windowrc available somewhere or would someone be so kind as to send me his own customized one? I already searched the web on this but couldn't find much. Is there a way to go beyond the limit of 9 windows besides executing 'window' in 'window'? Suggestions welcome
Re: 4.3: netstat question
On Sat, Jun 14, 2008 at 9:16 PM, Henning Brauer [EMAIL PROTECTED] wrote: * David Higgs [EMAIL PROTECTED] [2008-06-15 01:59]: On Sat, Jun 14, 2008 at 1:11 PM, Henning Brauer [EMAIL PROTECTED] wrote: * Toni Mueller [EMAIL PROTECTED] [2008-06-14 11:29]: Would it be possible to walk along the live table, without copying the table, or would the continuous stream of route inserts and deletes lead to a corrupted view and/or access to the wrong parts of the system's memory (which must be prevented), or would this be such a performance hit that this is unfeasible? userland can walk a kernel table since when exactly? (leave dirty /dev/mem style hacks aside) If the kernel table is kept in an ordered state, userland could provide a starting value or key. The kernel can then return the requested chunk (up to the size requested) starting at the next table item that comes after the key. wow. you completely miss the point. userland cannot poke in kernel memory. (footnote: ok, it can, but assuming it can't is better) I knew that, but I explained myself poorly. I was thinking something along the lines of making a different route sysctl (other than NET_RT_DUMP) that can copy out smaller portions of the routing table at a time. Userland programs could then iterate their way through the routing table. Depending on the structures being copied out, this might be completely unworkable. On top of that, you'd at best just push back the limits on available real memory. Best to wait for a restartable route sysctl. Apologies for the noise and my out-loud musings. --david
Re: 4.3: netstat question
On Sat, Jun 14, 2008 at 10:55:52PM -0400, David Higgs wrote: On Sat, Jun 14, 2008 at 9:16 PM, Henning Brauer [EMAIL PROTECTED] wrote: * David Higgs [EMAIL PROTECTED] [2008-06-15 01:59]: On Sat, Jun 14, 2008 at 1:11 PM, Henning Brauer [EMAIL PROTECTED] wrote: * Toni Mueller [EMAIL PROTECTED] [2008-06-14 11:29]: Would it be possible to walk along the live table, without copying the table, or would the continuous stream of route inserts and deletes lead to a corrupted view and/or access to the wrong parts of the system's memory (which must be prevented), or would this be such a performance hit that this is unfeasible? userland can walk a kernel table since when exactly? (leave dirty /dev/mem style hacks aside) If the kernel table is kept in an ordered state, userland could provide a starting value or key. The kernel can then return the requested chunk (up to the size requested) starting at the next table item that comes after the key. wow. you completely miss the point. userland cannot poke in kernel memory. (footnote: ok, it can, but assuming it can't is better) I knew that, but I explained myself poorly. I was thinking something along the lines of making a different route sysctl (other than NET_RT_DUMP) that can copy out smaller portions of the routing table at a time. Userland programs could then iterate their way through the routing table. Depending on the structures being copied out, this might be completely unworkable. On top of that, you'd at best just push back the limits on available real memory. Best to wait for a restartable route sysctl. Apologies for the noise and my out-loud musings. Yes that's more or less what needs to be done. I'm willing to look at diffs and help working out the evil guts of this. -- :wq Claudio
Macbook Pro Core Duo and 4.3
Hey all, I have previously been able to run OpenBSD 4.2-current on my Macbook Pro. It's been a while since I did so, but I wanted to go ahead and reinstall my machine with 4.3. The biggest change that I expected to affect me was the automatic enabling of ACPI for the kernel. I thought this would be a good thing. As it turns out, something must have changed since I last used OpenBSD to make things troublesome. Usually, what I used to do was build my own custom boot only image and change the bsd.rd kernel to have acpi enabled. However, this didn't seem necessary for 4.3, and I went ahead and tried to boot. However, it hangs near the end of the kernel messages with an rd0 line. I thought that I heard about someone having trouble with 4.3 hanging on a Macbook so I tried searching for a solution, but I couldn't find anything specific. The only things that seem to relate to the stable release after May 1st are unrelated items. One other thing I noted was that someone tried to boot his Macbook using the bsd.mp kernel, which obviously won't work until the OS is installed. However, I notice that the dmesg seems a bit different for the MP kernel with some acpi information put at the top that I don't see in the rd kernel. I am able to get the mp kernel to boot up to the point where it asks for a root device, but obviously I can't go past that. Anyways, I remembered in a chat that there was possibly a conflict between apm and acpi, so I went ahead, disabled apm, and this didn't work either. Can any of you provide some assistance with this matter? Has anyone had success with the 4.3 release and Core Duo Macbook Pros? I am of course using i386 as the architecture. Am I just missing something obvious? - Aaron Hsu
Re: Macbook Pro Core Duo and 4.3
Try a new snapshot in a few days, things in ACPI land have changed a lot since 4.3. On Sat, Jun 14, 2008 at 09:27:52PM -0700, Aaron Hsu wrote: Hey all, I have previously been able to run OpenBSD 4.2-current on my Macbook Pro. It's been a while since I did so, but I wanted to go ahead and reinstall my machine with 4.3. The biggest change that I expected to affect me was the automatic enabling of ACPI for the kernel. I thought this would be a good thing. As it turns out, something must have changed since I last used OpenBSD to make things troublesome. Usually, what I used to do was build my own custom boot only image and change the bsd.rd kernel to have acpi enabled. However, this didn't seem necessary for 4.3, and I went ahead and tried to boot. However, it hangs near the end of the kernel messages with an rd0 line. I thought that I heard about someone having trouble with 4.3 hanging on a Macbook so I tried searching for a solution, but I couldn't find anything specific. The only things that seem to relate to the stable release after May 1st are unrelated items. One other thing I noted was that someone tried to boot his Macbook using the bsd.mp kernel, which obviously won't work until the OS is installed. However, I notice that the dmesg seems a bit different for the MP kernel with some acpi information put at the top that I don't see in the rd kernel. I am able to get the mp kernel to boot up to the point where it asks for a root device, but obviously I can't go past that. Anyways, I remembered in a chat that there was possibly a conflict between apm and acpi, so I went ahead, disabled apm, and this didn't work either. Can any of you provide some assistance with this matter? Has anyone had success with the 4.3 release and Core Duo Macbook Pros? I am of course using i386 as the architecture. Am I just missing something obvious? - Aaron Hsu
[Error code 1] Compiling -STABLE fails
I'm currently trying to follow the -STABLE branch, so I followed all the instructions found in http://openbsd.org/stable.html until building the kernel with 'make clean && make depend && make'. This is what I get:

#: make clean && make depend && make
rm -f eddep *bsd bsd.gdb tags *.[io] [a-z]*.s [Ee]rrs linterrs makelinks assym.h
rm -f param.c
cp /usr/src/sys/arch/i386/compile/GENERIC/../../../../conf/param.c
cp: ./param.c: Permission denied
*** Error code 1

Stop in /usr/src/sys/arch/i386/compile/GENERIC (line 812 of Makefile).
#:

I use OpenBSD-4.3, GENERIC Kernel and also tried fetching the tree from different anoncvs servers ([EMAIL PROTECTED]:/cvs, [EMAIL PROTECTED]:/cvs, [EMAIL PROTECTED]:/cvs) Suggestions welcome