Re: TLS now supported on openbsd.org?

2016-05-09 Thread Theo de Raadt
> >It's great to see OpenBSD Project supporting Let's Encrypt.
> 
> I am absolutely not supporting Let's Encrypt. The client scares the
> shit out of me, and shows me how low the bar has become.

"client effectively containing millions of lines of code, connects
to server on the internet to get a cert"

Oh, but you can trust those guys at the other end...

Yeah, I can trust that if their client code is of this quality, their
server code is... probably a lot like it?



Re: ftp/www.openbsd.org will be down for an upgrade today.

2016-05-09 Thread Bob Beck
it has been back for quite some time


On Mon, May 9, 2016 at 1:02 PM, Markus Rosjat  wrote:
> Hi there,
>
> just a short question about the site coming up again.
> Since our spamd-setup tries to get some blacklists from the site I was
> wondering if there is any info about the time schedule for the
> maintenance?
>
> Regards
>
> Markus
>
>
> On 08.05.2016 at 23:44, Stefan Wollny wrote:
>>
>> On 05/08/16 at 20:03, Bob Beck wrote:
>>>
>>> There will be an extended downtime of the main ftp and www sites for
>>> an upgrade today starting in approximately one hour's time from now.
>>>
>>> The mirror sites should be unaffected - so use a mirror if you
>>> discover the main site is unavailable today.
>>>
>> Anyone know of an up2date mirror of 'current.html'?
>> (Google just found one with the latest entries from 2005...)
>> :-(
>>
>> TIA.
>>
>> STEFAN
>>
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before you
> print it, think about your responsibility and commitment to the ENVIRONMENT



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Bob Beck
>It's great to see OpenBSD Project supporting Let's Encrypt.

I am absolutely not supporting Let's Encrypt. The client scares the
shit out of me, and shows me how low the bar
has become. Considering all I need is put something on a web site that
I can convince a DNS server is the one they'll check, well, that's
pretty darn bad - you'd all probably be a lot better off pinning
self-signed certs.


> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https?

And statements like this - and people that think this is a good idea,
are why I spoof DNS answers in bars and coffee shops, and why I don't
read misc@.  This is never a good idea, unless you want the
connections intercepted and MITM'ed.



Remove translated versions of donations.html in the robots.txt file.

2016-05-09 Thread Tae Wong
These are the lines from the robots.txt [1] file.
Disallow: /cs/donations.html
Disallow: /de/donations.html
Disallow: /es/donations.html
Disallow: /fr/donations.html
Disallow: /hu/donations.html
Disallow: /ja/donations.html
Disallow: /lt/donations.html
Disallow: /nl/donations.html
Disallow: /pt/donations.html
Disallow: /ro/donations.html

The translated pages were removed back in April 2014.

For the sake of it, viewing the deleted pages results in a 404 error.

[1] http://www.openbsd.org/robots.txt



Re: apache-httpd-openbsd?

2016-05-09 Thread Jeff Ross

On 5/9/16 4:26 PM, Daniel Jakots wrote:
> On Mon, 9 May 2016 15:03:30 -0600, Jeff Ross wrote:
>
>> Trying to install apache-httpd-openbsd in -current
>
> https://marc.info/?l=openbsd-ports-cvs=146186762111571=2

Hmm--I went through all of the ports@ messages looking for a removal 
announcement but didn't find one.


Thank you, Daniel!

Jeff



Re: apache-httpd-openbsd?

2016-05-09 Thread Jeff Ross

On 5/9/16 4:25 PM, Fred wrote:
> On 05/09/16 22:58, Jeff Ross wrote:
>> On 5/9/16 3:21 PM, arrowscr...@mail.com wrote:
>>> try pkg_add
>>> http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/apache-httpd-2.4.20p1.tgz
>>
>> That's apache 2.4, I want the 1.3.9 version that is, as my subject line
>> says, apache-httpd-openbsd.
>>
>> Jeff
>
> It was removed 11 days ago:
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/apache-httpd-openbsd/Attic/Makefile
>
> You'll need a cvs version before 28 Apr 16 if you want to build it
> yourself.
>
> Cheers
>
> Fred


Thanks, Fred!  That explains the missing package!

Jeff



Re: apache-httpd-openbsd?

2016-05-09 Thread Jeff Ross

On 5/9/16 4:30 PM, Stuart Henderson wrote:
> On 2016-05-09, Jeff Ross wrote:
>> Trying to install apache-httpd-openbsd in -current and it seems the
>> package is no longer available.
>
> Correct.
>
> Options:
>
> - (preferred) migrate your configuration to a maintained http
> server version.

I need mod_rewrite so I guess I'm headed for apache2.

> - install 5.9 release.
>
> - checkout an old version of the port (mkdir -p
> /usr/ports/mystuff/www; cd /usr/ports/mystuff/www; cvs get -D \
> 2016/04/01 -d apache-httpd-openbsd ports/www/apache-httpd-openbsd)
> and build it yourself; things will break again at some point though.
>
>> I cvs uped my src and ports and built
>> the system from source but when I try to install apache-httpd-openbsd
>> from ports I'm getting the "reading plist|Error: unknown fragment SHARED
>> at /usr/libdata/perl5/OpenBSD/Subst.pm line 109, <$fh> line 2." error.
>
> that's not unexpected; the PFRAG.shared complexity has been removed
> from ports now that vax is no longer a supported arch.

Okay--I think this must be above my pay grade because I can't see how
vax is related, nor do I think I need to know ;-)


Thank you, Stuart, as always!

Jeff



Re: apache-httpd-openbsd?

2016-05-09 Thread Stuart Henderson
On 2016-05-09, Jeff Ross  wrote:
> Trying to install apache-httpd-openbsd in -current and it seems the 
> package is no longer available.

Correct.

Options:

- (preferred) migrate your configuration to a maintained http
server version.

- install 5.9 release.

- checkout an old version of the port (mkdir -p
/usr/ports/mystuff/www; cd /usr/ports/mystuff/www; cvs get -D \
2016/04/01 -d apache-httpd-openbsd ports/www/apache-httpd-openbsd)
and build it yourself; things will break again at some point though.

> I cvs uped my src and ports and built 
> the system from source but when I try to install apache-httpd-openbsd 
> from ports I'm getting the "reading plist|Error: unknown fragment SHARED 
> at /usr/libdata/perl5/OpenBSD/Subst.pm line 109, <$fh> line 2." error.

that's not unexpected; the PFRAG.shared complexity has been removed
from ports now that vax is no longer a supported arch.



Re: apache-httpd-openbsd?

2016-05-09 Thread Fred

On 05/09/16 22:58, Jeff Ross wrote:
> On 5/9/16 3:21 PM, arrowscr...@mail.com wrote:
>> try pkg_add
>> http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/apache-httpd-2.4.20p1.tgz
>
> That's apache 2.4, I want the 1.3.9 version that is, as my subject line
> says, apache-httpd-openbsd.
>
> Jeff



It was removed 11 days ago:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/apache-httpd-openbsd/Attic/Makefile

You'll need a cvs version before 28 Apr 16 if you want to build it yourself.

Cheers

Fred



Re: apache-httpd-openbsd?

2016-05-09 Thread Daniel Jakots
On Mon, 9 May 2016 15:03:30 -0600, Jeff Ross wrote:

> Trying to install apache-httpd-openbsd in -current

https://marc.info/?l=openbsd-ports-cvs=146186762111571=2



Re: apache-httpd-openbsd?

2016-05-09 Thread Jeff Ross

On 5/9/16 3:21 PM, arrowscr...@mail.com wrote:
> try pkg_add
> http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/apache-httpd-2.4.20p1.tgz

That's apache 2.4, I want the 1.3.9 version that is, as my subject line 
says, apache-httpd-openbsd.


Jeff



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Marc Espie
On Mon, May 09, 2016 at 08:42:32PM +, Stuart Henderson wrote:
> On 2016-05-09, arrowscr...@mail.com  wrote:
> > - Do you plan to support ftp.openbsd.org? Would be great to 
> > download packages with more security
> 
> https is meant to provide privacy from eavesdroppers on the network
> path between the endpoints. security is a different matter (packages
> have been signed for several releases now which gives far greater
> benefit than https).
> 
> (also with often 500-1000 short connections for a package update,
> https is going to suck with the current implementation, there is
> no pipelining or session caching).

Admittedly, I have an http 1.1 implementation somewhere in pkg_add.
But the http servers have been lacking.  Losing the connection for no
reason and not knowing about it for a while is much worse than the current
flurry of small connections.

I don't fancy reimplementing some RTT estimate in the http client code to 
know when the connection goes dead... :-/



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Theo de Raadt
> Giancarlo Razzolini  wrote:
> > It is really nice to finally see TLS on openbsd.org. How about redirecting
> > http to https? 
> 
> I dislike the idea.

Let me be more clear, both of you.

Those decisions will be made by the people (Bob et al.) who maintain the
back end.

They don't need your opinions.  Go take your opinions and give them
to your BANKS INSTEAD.



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Theo de Raadt
> Giancarlo Razzolini  wrote:
> > It is really nice to finally see TLS on openbsd.org. How about redirecting
> > http to https? 
> 
> I dislike the idea.

And no one cares what you like or dislike.  It is not your site.



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Rubén Llorente
Giancarlo Razzolini  wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https? 

I dislike the idea.

An http->https redirect does not prevent a MITM by itself.

It also prevents the easy use of caching or proper proxies with the site.
Purely informative sites are ok without https for the most part. If
the user feels that TLS is somehow required, he can enable it by
different means. http->https redirection does not add much in terms of
security unless the user takes additional steps, but if the user is
going to take additional steps he does not really require the
redirection.

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: watchdog issues ?

2016-05-09 Thread Ryan Freeman
On Sun, May 08, 2016 at 11:46:11AM +0200, Sjöholm Per-Olov wrote:
> > On 08 May 2016, at 00:39, Sjöholm Per-Olov  wrote:
> >
> > Hi
> >
> > I have skipped all major releases of OpenBSD after 5.4 for one firewall due to
> > watchdog timeout resets on the em driver. Earlier today I fired up a 5.9
> > release and patched it up to 5.9 stable and let it take over from the old one.
> > It seems to go very well. But I do have one question.
> >
> >
> > The system seems to work as it should.
> >
> > But what does this mean?
> > Is it bad?
> >
> >
> > root@xanadu:~#grep -i watchdog /var/log/messages
> > May  8 00:12:15 xanadu /bsd: em1: watchdog: head 118 tail 182 TDH 118 TDT 118
> > May  8 00:25:33 xanadu /bsd: em1: watchdog: head 181 tail 246 TDH 181 TDT 181
> > May  8 00:26:35 xanadu /bsd: em1: watchdog: head 137 tail 202 TDH 137 TDT 137
> > root@xanadu:~#
> >

Hey,

At the very least, you'll want to fire up the 5.9 install and provide a full
dmesg output, or better yet ``sendbug -P''.

Cheers!

> >
> >
> >
> > Thanks in advance
> >
> > Regards
> > Peo
> > --
> > GPG keyID: 9429C093
> > GPG fingerprint: 5F37 4298 A07F C614 647B 458C A756 5C4E 9429 C093
> >
> 
> 
> Well??? It was not good. I once again had to go back to the old 5.4 as the
> network traffic was not stable.
> 
> 
> I have two nics (PCI pass through in KVM).
> em0 at pci0 dev 3 function 0 "Intel 82576" rev 0x01: irq 11, address 00:1b:21:cc:51:7c
> em1 at pci0 dev 4 function 0 "Intel 82576" rev 0x01: irq 10, address 00:1b:21:cc:51:7d
> 
> I use a couple of VLANs and also IPv6 on top of em0. em1 on the other hand is
> just an interface with an IP and an IP alias on it, no VLANs or so.
> 
> Any clues of how to track this down? I can fire the machine up again and do
> some test...
> 
> Thanks
> Peo



Re: kernel logs "v_type 1" and "f_type 1"

2016-05-09 Thread Axel Rau
Hi Ville,

> On 09.05.2016 at 18:04, Ville Valkonen wrote:
> 
> On 9 May 2016 at 16:03, Axel Rau wrote:
>> A firewall box (dual Atom N270, 2GB, 5 nics, running 5.8-current (GENERIC.MP)
>> #1219)
>> suddenly started logging
>>     v_type 1
>>     f_type 1
>> (up to 40 times/sec) and stopped routing.
>> 
>> The effect went away after disconnecting all but one nic.
>> 
>> Any help appreciated,

> Hi,
> 
> you forgot to attach:
> - dmesg
> - routes
> - netstat
> 
> and probably something else.

Thanks for answering.

I attach:
dmesg with above error logs (startup protocol did not fit) . . .
f_type 1
v_type 1
f_type 1
v_type 1
f_type 1
v_type 1
f_type 1
v_type 1
f_type 1
v_type 4
bad fd type
syslogd(6521): syscall 27
.
Historical dmesg, showing hardware
[fw2:/etc] root# dmesg
OpenBSD 4.7 (GENERIC.MP) #1: Sat May 29 21:00:26 CEST 2010
r...@openbsd.in.chaos1.de:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,xTPR
real mem  = 2137485312 (2038MB)
avail mem = 2062290944 (1966MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/25/09, BIOS32 rev. 0 @ 0xfa7d0, SMBIOS 
rev. 2.2 @ 0xf (45 entries)
bios0: vendor Phoenix Technologies, LTD version "6.00 PG" date 08/25/2009
bios0: PhoenixAward 945GSE
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP MCFG APIC SSDT
acpi0: wakeup devices PEG1(S3) PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) 
PEX5(S5) HUB0(S5) UAR1(S5) UAR2(S5) USB0(S3) USB1(S3) USB2(S3) USB3(S3) 
USBE(S3) AC97(S5) AZAL(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,xTPR
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG1)
acpiprt2 at acpi0: bus 1 (PEX0)
acpiprt3 at acpi0: bus 2 (PEX1)
acpiprt4 at acpi0: bus 3 (PEX2)
acpiprt5 at acpi0: bus 4 (PEX3)
acpiprt6 at acpi0: bus -1 (PEX4)
acpiprt7 at acpi0: bus -1 (PEX5)
acpiprt8 at acpi0: bus 5 (HUB0)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpitz0 at acpi0: critical temperature 70 degC
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xe400! 0xef000/0x1000!
cpu0: Enhanced SpeedStep 1597 MHz: speeds: 1600, 1333, 1067, 800 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945GME Host" rev 0x03
vga1 at pci0 dev 2 function 0 "Intel 82945GME Video" rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0 at vga1: apic 2 int 16 (irq 5)
drm0 at inteldrm0
"Intel 82945GM Video" rev 0x03 at pci0 dev 2 function 1 not configured
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02: apic 2 int 16 
(irq 5)
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: apic 2 int 
16 (irq 5), address 00:0f:c9:04:da:7a
ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02: apic 2 int 17 
(irq 11)
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: apic 2 int 
17 (irq 11), address 00:0f:c9:04:da:7b
ppb2 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x02: apic 2 int 18 
(irq 10)
pci3 at ppb2 bus 3
em2 at pci3 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: apic 2 int 
18 (irq 10), address 00:0f:c9:04:da:7c
ppb3 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x02: apic 2 int 19 
(irq 15)
pci4 at ppb3 bus 4
em3 at pci4 dev 0 function 0 "Intel PRO/1000 PF (82572EI)" rev 0x06: apic 2 int 
19 (irq 15), address 00:0f:c9:04:da:7d
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x02: apic 2 int 23 
(irq 15)
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x02: apic 2 int 19 
(irq 15)
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x02: apic 2 int 18 
(irq 10)
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x02: apic 2 int 16 
(irq 5)
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x02: apic 2 int 23 
(irq 15)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xe2
pci5 at ppb4 bus 5
em4 at pci5 dev 10 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: apic 2 int 
19 (irq 15), address 00:0f:c9:04:da:7e
em5 at pci5 dev 11 function 0 "Intel PRO/1000MT (82541GI)" 

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Rubén Llorente
Giancarlo Razzolini  wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https? 

I dislike the idea.

For one, it does not stop a MITM by itself. 

In addition, enforced encryption makes it hard to cache and/or use proper 
http proxies with the site.

Purely informative sites don't need TLS. The user can opt to use TLS if
he thinks the content he needs to read is somehow sensitive, or configure
his browser not to use the regular http version if he feels like doing
 that. A pure simple redirect does not add much to security unless the
user takes extra steps - but if the user takes extra steps he does not
need a redirect at all.  

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA
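
The difference between a bare http->https redirect and a redirect backed by STS (HTTP Strict Transport Security, RFC 6797), both raised in this thread, as an added example that is not part of any post or of the OpenBSD project: it parses the STS header and classifies a site from one plaintext and one TLS response. The response dictionaries, the example.org host and the verdict labels are constructed for illustration.

```python
"""Classify how a site moves http:// visitors to https:// (added example)."""
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns a dict, or None when a browser would ignore the header:
    max-age missing or not a number, or any directive given twice.
    """
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not name:
            continue  # tolerate empty directives such as a trailing ';'
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # the value may be a quoted-string
        if name in seen:
            return None  # each directive may appear only once
        seen[name] = arg
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None
    return {
        "max_age": int(age),
        "include_subdomains": "includesubdomains" in seen,
        # 'preload' is a de facto directive, not defined by RFC 6797.
        "preload": "preload" in seen,
    }


def get_header(resp, name):
    """Case-insensitive header lookup in a constructed response dict."""
    for key, val in resp["headers"]:
        if key.lower() == name.lower():
            return val
    return None


def assess(http_resp, https_resp):
    """Return (verdict, notes) for one plaintext and one TLS response."""
    notes = []
    target = get_header(http_resp, "Location") or ""
    redirects = (http_resp["status"] in REDIRECT_CODES
                 and urlsplit(target).scheme == "https")

    raw = get_header(https_resp, "Strict-Transport-Security")
    sts = parse_sts(raw) if raw is not None else None
    if raw is not None and sts is None:
        notes.append("STS header is malformed and will be ignored")
    if sts is not None and sts["max_age"] == 0:
        notes.append("max-age=0 tells the browser to forget the policy")
    if get_header(http_resp, "Strict-Transport-Security") is not None:
        notes.append("STS sent over plain http is ignored by browsers")

    pinned = sts is not None and sts["max_age"] > 0
    if redirects and pinned:
        verdict = "redirect+sts"   # plaintext only on first visit or after expiry
    elif redirects:
        verdict = "redirect-only"  # every http:// visit starts unauthenticated
    elif pinned:
        verdict = "sts-only"
    else:
        verdict = "no-upgrade"
    return verdict, notes


# Constructed responses (not captured from any real site).
HTTP_REDIRECT = {"status": 301, "headers": [
    ("Location", "https://www.example.org/"),
    ("Strict-Transport-Security", "max-age=600")]}
HTTPS_NO_STS = {"status": 200, "headers": [("Content-Type", "text/html")]}
HTTPS_WITH_STS = {"status": 200, "headers": [
    ("strict-transport-security", 'max-age="31536000"; includeSubDomains')]}

if __name__ == "__main__":
    print(assess(HTTP_REDIRECT, HTTPS_NO_STS))
    print(assess(HTTP_REDIRECT, HTTPS_WITH_STS))
```
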



apache-httpd-openbsd?

2016-05-09 Thread arrowscript
try pkg_add 
http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/apache-httpd-2.4.20p1.tgz



apache-httpd-openbsd?

2016-05-09 Thread Jeff Ross
Hi all,

Trying to install apache-httpd-openbsd in -current and it seems the 
package is no longer available.  I cvs uped my src and ports and built 
the system from source but when I try to install apache-httpd-openbsd 
from ports I'm getting the "reading plist|Error: unknown fragment SHARED 
at /usr/libdata/perl5/OpenBSD/Subst.pm line 109, <$fh> line 2." error.

As I saw suggested in a recent message to ports@ (1) I rebuilt pkg_add 
from /usr/src/usr.sbin/pkg_add/ but that made no difference.

dmesg below

Thanks,

Jeff Ross

(1) http://marc.info/?l=openbsd-ports=146213655323699=2

OpenBSD 5.9-current (GENERIC.MP) #1: Mon May  9 13:08:53 MDT 2016
r...@fw.openvistas.net:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz ("GenuineIntel" 686-class) 
1.84 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,LAHF,PERF,SENSOR
real mem  = 1040486400 (992MB)
avail mem = 1007853568 (961MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 07/29/05, SMBIOS rev. 2.4 @ 0xe (38 entries)
bios0: vendor Apple Inc. version "MM21.88Z.009A.B00.0706281359" date 
06/28/07
bios0: Apple Inc. Macmini2,1
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP HPET APIC MCFG ASF! SBST ECDT SSDT SSDT SSDT
acpi0: wakeup devices PXS1(S4) PXS2(S4) USB1(S3) USB2(S3) USB3(S3) 
USB4(S3) USB7(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 166MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz ("GenuineIntel" 686-class) 
1.84 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,LAHF,PERF,SENSOR
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (PCIB)
acpicpu0 at acpi0: !C2(500@1 mwait@0x10), C1(1000@1 mwait), PSS
acpicpu1 at acpi0: !C2(500@1 mwait@0x10), C1(1000@1 mwait), PSS
acpibtn0 at acpi0: PWRB
"APP0001" at acpi0 not configured
acpivideo0 at acpi0: GFX0
bios0: ROM list: 0xc/0xe600!
cpu0: Enhanced SpeedStep 1834 MHz: speeds: 1833, 1667, 1500, 1333, 1000 MHz
memory map conflict 0xe00f8000/0x1000
memory map conflict 0xfed1c000/0x4000
memory map conflict 0xfffb/0x3
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945GM Host" rev 0x03
inteldrm0 at pci0 dev 2 function 0 "Intel 82945GM Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0x4000, size 0x1000
inteldrm0: apic 1 int 16
error: [drm:pid0:drm_edid_block_valid] *ERROR* EDID checksum is invalid, 
remainder is 30

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Stuart Henderson
On 2016-05-09, arrowscr...@mail.com  wrote:
> - Do you plan to support ftp.openbsd.org? Would be great to 
> download packages with more security

https is meant to provide privacy from eavesdroppers on the network
path between the endpoints. security is a different matter (packages
have been signed for several releases now which gives far greater
benefit than https).

(also with often 500-1000 short connections for a package update,
https is going to suck with the current implementation, there is
no pipelining or session caching).



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Juan Francisco Cantero Hurtado
On Mon, May 09, 2016 at 06:23:51PM +, Giancarlo Razzolini wrote:
> > Let's Encrypt uses 4096.
> > 
> 
> I think lets encrypt uses by default 2048, not 4096.

You're right. The default is 2048.

> Also, 4096 might indeed cause trouble with some old software. I recall
> issues with mono and older java versions.
> 
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https? Also, it seems STS isn't being used. I don't know if this is a
> testing phase, but it would be nice to have those nevertheless.
> 
> Cheers,
> Giancarlo Razzolini
> 

-- 
Juan Francisco Cantero Hurtado http://juanfra.info



kernel: protection fault trap, code=0

2016-05-09 Thread Atanas Vladimirov

Hi,
I got a "kernel: protection fault trap, code=0" on OpenBSD 5.9-current
(GENERIC.MP) #2008: Sat May  7 08:16:29 MDT 2016 snapshot.
It seems that this is not a kernel panic:
ddb{2}> show panic
the kernel did not panic
If you need more info just ask.

kernel: protection fault trap, code=0
Stopped at  rtisvalid+0x59: testb   $0x2,mptramp_gdt32_desc+0x3a(%rdx)


ddb{0}> ps
   TID   PPID   PGRPUID  S   FLAGS  WAIT  COMMAND
 77614  72948  45849  0  30x1000b2  poll  ping
 72948  45849  45849  0  30x10008a  pause sh
 16140  48265  48265518  30x92  kqreadauth
 21498  48265  48265  0  30x92  kqreadconfig
 35620  42242  35620   1000  30x100083  ttyin more
 42242  93172  42242   1000  30x100083  wait  man
 18260  60693  18260   1000  30x100083  kqreadtmux
 60693  43846  60693   1000  30x10008b  pause ksh
 43846   4619   4619   1000  30x90  selectsshd
  4619  64071   4619  0  30x92  poll  sshd
 60800  17751  60800   1000  30x100083  kqreadtail
 28106  82380  51669 95  30x92  kqread
filter-spamassas

 49488  82380  51669 95  30x92  kqreadfilter-regex
 45904  82380  51669 95  30x92  kqreadfilter-pause
 41200  82380  51669 95  30x92  kqreadfilter-dnsbl
 66585  82380  51669 95  30x92  kqreadfilter-dnsbl
 52012  82380  51669 95  30x92  kqreadfilter-dnsbl
 57249  82380  51669 95  30x92  kqreadfilter-clamav
 89008  51669  51669 95  30x100090  kqreadsmtpd
 82380  51669  51669 95  30x100090  kqreadsmtpd
 56714  51669  51669 95  30x100090  kqreadsmtpd
 86769  51669  51669 95  30x100090  kqreadsmtpd
 30104  51669  51669 95  30x100090  kqreadsmtpd
 40810  51669  51669103  30x100090  kqreadsmtpd
 51669  1  51669  0  30x100080  kqreadsmtpd
  2453  28186  28186 67  30x90  netconphp-fpm-5.6
 93172   9678  93172   1000  30x10008b  pause ksh
 52489  97510  97510506  30x90  selectperl
 63318  97510  97510506  30x90  selectperl
 97510  1  97510  0  30x80  selectperl
 26203  1  26203539  30x90  poll  clamd
 59058  1  26203539  3   0x490  poll  clamd
 78110  1  26203539  3   0x490  thrsleep  clamd
 17751   9678  17751   1000  30x10008b  pause ksh
 63217  1  63217577  30x90  poll  openvpn
  3246  48265  48265  0  30x92  kqreadlog
 84044  48265  48265518  30x92  kqreadanvil
 48265  1  48265  0  30x80  kqreaddovecot
 94685   9678  94685   1000  30x100083  ttyin ksh
  9678  1   9678   1000  30x100080  kqreadtmux
 60655  1  60655  0  30x100083  ttyin getty
 43560  1  1  0  30x8a  pause ldattach
 45643  1  45643  0  30x100083  ttyin getty
 90081  1  90081  0  30x100083  ttyin getty
 44894  1  44894  0  30x100083  ttyin getty
 52716  1  52716  0  30x100083  ttyin getty
 77261  1  77261  0  30x100083  ttyin getty
 30777  1  30777  0  30x100098  poll  cron
 91021  1  91021562  30x82  netconperl
 93287  1  93287529  30x90  poll  upsd
 99640  1  99640529  30x90  selectpowercom
 99471  98271  99471550  30x90  poll  nagios
 22929  98271  22929550  30x82  poll  nagios
 50322  98271  50322550  30x82  poll  nagios
 43604  98271  43604550  30x82  poll  nagios
 53216  98271  53216550  30x82  poll  nagios
 22362  98271  22362550  30x82  poll  nagios
 89569  98271  89569550  30x82  poll  nagios
 98271  1  98271550  30x90  poll  nagios
  3330  1   3330562  30x80  nanosleep perl
 70355   3562  70355503  30x80  netio postgres
 42194  1  94080 67  30x83  nanosleep php-5.6
 60435  1  60435  0  30x80  selectsymux
 57128  1  57128535  30x90  nanosleep symon
 60385  1  22802697  30x80  poll  cvsyncd
 57549  79829  18199515  30x82  netio 
log_file_daemon

 79829  18199  18199515  30xb2  kqreadsquid
 18199  1  18199515  30x90  wait  squid
 22859  69480  69480 67  30x90  kqreadnginx
 69480  1  69480  0  30x88  pause 

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Christian Weisgerber
On 2016-05-09, arrowscr...@mail.com  wrote:

> - The RSA is 4096 bits. If I remember correctly, reyk@ said once 
> that 4096 is overkill. Any specific reason to use 4096 instead of
> 2048? 

That was then, this is now.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



IKED Host to Host VPN

2016-05-09 Thread Scott Seekamp
I have a couple questions regarding IKED use that I couldn’t find in the
docs:

Is it capable of use for host-to-host tunnels or just net-to-net?


In my case I’m trying to do a simple tunnel between hosts for spamd synching
and a few other misc things. Running OpenBSD 5.9.

PF rules:
set skip on enc0
pass in on egress proto udp from $ipsec_peer  to any port {500, 4500}

Host A
/etc/iked.conf:

remote_gw = "x.x.x.x"
ikev2 active esp from any to any \
 local y.y.y.y peer $remote_gw \
 srcid y.y.y.y

Host B
/etc/iked.conf

remote_gw = "y.y.y.y"
 ikev2 esp from any to any \
 local x.x.x.x peer $remote_gw \
 srcid x.x.x.x

I’ve tried a few variations and never get any flows in the ipsecctl -sa
output.

What am I missing?

Thanks!
Scott



generic.mp #2018 amd64 install and packages.

2016-05-09 Thread Andrew
Hi misc@,

Just a user experience for your consideration.

I picked up a new bsd.rd from snapshots in toronto. Checked the sha256
and signify to make sure it's good. Moved it to / and rebooted with:

boot> hd0a:/bsd.rd
selected Install with standard options.
clean download from the mirror followed by reboot.
--
logged in as root
--
# pkg_info
quirks-2.232
rtwn-formware-1.0
#
--
# pkg_add nano
Can't installl libiconv-1.14p3 because of libraries
|library.c.86.0 not found
| /usr/lib/libc.so.87.0 (system) bad major
Can't install gettext-0.19.7: can't resolve libiconv-1.14p3
Can't install nano-25.3: can't resolve gettext-0.19.7
--
Just looked at the toronto mirror ../snapshots/packages/amd64 and
libiconv-1.14p3 is in the directory from May 8.
--
Switched /etc/pkg.conf from "%c" to "snapshots"
-- 
Same error as above

As always I want to express my gratitude to Theo and all the past and
present devs --- have a great week ahead !!



Re: TLS now supported on openbsd.org?

2016-05-09 Thread trondd
On Mon, May 9, 2016 12:57 pm, arrowscr...@mail.com wrote:
>
> - I don't know in modern browsers, but Links 2.12 say that the
> certificate is not valid. It's just old browsers, or firefox also
> have this same problem?

Make sure you go to www.openbsd.org as it seems the cert is not valid for
openbsd.org without the www.

Tim.
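
The name mismatch Tim describes, as an added example that is not part of the original post: a simplified RFC 6125 matcher showing that a certificate issued only for www.openbsd.org does not cover openbsd.org, and that a wildcard entry would not cover it either. The SAN lists are constructed assumptions; the page does not show the real certificate's contents.

```python
"""Which host names does a certificate cover? (added example)

Simplified RFC 6125 matching of dNSName entries: ASCII names only,
no IP addresses, wildcard accepted only as the whole left-most label.
"""


def split_labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def san_matches(pattern, hostname):
    """True if one subjectAltName dNSName entry covers hostname."""
    pat, host = split_labels(pattern), split_labels(hostname)
    if "" in pat or "" in host:
        return False                      # empty label: malformed name
    if any("*" in label for label in host):
        return False                      # a wildcard is never a host name
    if len(pat) != len(host):
        return False                      # '*' stands for exactly one label
    if pat[0] == "*":
        # Require two fixed labels after the wildcard, so '*.org' is refused.
        return len(pat) >= 3 and pat[1:] == host[1:]
    if any("*" in label for label in pat):
        return False                      # partial wildcards such as 'w*' refused
    return pat == host


def coverage(san_list, hostnames):
    """Map each host name to the first SAN entry covering it, or None."""
    result = {}
    for host in hostnames:
        result[host] = next(
            (san for san in san_list if san_matches(san, host)), None)
    return result


# Constructed SAN lists; the real certificate's contents are not on this page.
SAN_WWW_ONLY = ["www.openbsd.org"]
SAN_WILDCARD = ["*.openbsd.org"]
SAN_BOTH = ["openbsd.org", "www.openbsd.org"]
NAMES = ["www.openbsd.org", "openbsd.org", "WWW.OpenBSD.org.", "ftp.openbsd.org"]

if __name__ == "__main__":
    for sans in (SAN_WWW_ONLY, SAN_WILDCARD, SAN_BOTH):
        print(sans, coverage(sans, NAMES))
```
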



Re: generic.mp #2018 amd64 install and packages.

2016-05-09 Thread Theo de Raadt
> Just a user experience for your consideration.
> 
> I picked up a new bsd.rd from snapshots in toronto. Checked the sha256
> and signify to make sure it's good. Moved it to / and rebooted with:
> 
> boot> hd0a:/bsd.rd
> selected Install with standard options.
> clean download from the mirror followed by reboot.
> --
> logged in as root
> --
> # pkg_info
> quirks-2.232
> rtwn-formware-1.0
> #
> --
> # pkg_add nano
> Can't installl libiconv-1.14p3 because of libraries
> |library.c.86.0 not found
> | /usr/lib/libc.so.87.0 (system) bad major
> Can't install gettext-0.19.7: can't resolve libiconv-1.14p3
> Can't install nano-25.3: can't resolve gettext-0.19.7
> --
> Just looked at the toronto mirror ../snapshots/packages/amd64 and
> libiconv-1.14p3 is in the directory from May 8.
> --
> Switched /etc/pkg.conf from "%c" to "snapshots"
> -- 
> Same error as above
> 
> As always I want to express my gratitude to Theo and all the past and
> present devs --- have a great week ahead !!
> 

Andrew, you are using snapshots.  Those are at the head of active
development.  When we make big changes, there is a lag until all the
parts fit together.  This is well documented all over the place.

Between 6-month releases, you can expect snapshots to experience
this approximately 2-10 times.

Because ... it isn't a problem, it is how active development works in
a system that changes binary interfaces to make advancements.



Re: ftp/www.openbsd.org will be down for an upgrade today.

2016-05-09 Thread Markus Rosjat

Hi there,

just a short question about the site coming up again.
Since our spamd-setup tries to get some blacklists from the site I was
wondering if there is any info about the time schedule for the
maintenance?


Regards

Markus

On 08.05.2016 at 23:44, Stefan Wollny wrote:

> On 05/08/16 at 20:03, Bob Beck wrote:
>
>> There will be an extended downtime of the main ftp and www sites for
>> an upgrade today starting in approximately one hour's time from now.
>>
>> The mirror sites should be unaffected - so use a mirror if you
>> discover the main site is unavailable today.
>
> Anyone know of an up2date mirror of 'current.html'?
> (Google just found one with the latest entries from 2005...)
> :-(
>
> TIA.
>
> STEFAN



--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please consider whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT




Re: TLS now supported on openbsd.org?

2016-05-09 Thread Giancarlo Razzolini

> Let's Encrypt uses 4096.

I think Let's Encrypt uses 2048 by default, not 4096. Also, 4096 might indeed
cause trouble with some old software. I recall issues with mono and older java
versions.

It is really nice to finally see TLS on openbsd.org. How about redirecting
http to https? Also, it seems STS isn't being used. I don't know if this is a
testing phase, but it would be nice to have those nevertheless.

Cheers,
Giancarlo Razzolini



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Martin Schröder
2016-05-09 18:57 GMT+02:00  :
> - I don't know about modern browsers, but Links 2.12 says that the
> certificate is not valid. Is it just old browsers, or does Firefox also
> have this same problem?

All's good. See
https://www.ssllabs.com/ssltest/analyze.html?viaform=on=www.openbsd.org



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Juan Francisco Cantero Hurtado
On Mon, May 09, 2016 at 06:57:52PM +0200, arrowscr...@mail.com wrote:
> It's great to see the OpenBSD Project supporting Let's Encrypt.  I don't
> know if you folks are still configuring it, but there are some points
> that I noticed:
> - I don't know about modern browsers, but Links 2.12 says that the
> certificate is not valid. Is it just old browsers, or does Firefox also
> have this same problem?

Works for me with Lynx on -current and 5.8.

> - The RSA is 4096 bits. If I remember correctly, reyk@ said once 
> that 4096 is overkill. Any specific reason to use 4096 instead of
> 2048? 

Let's Encrypt uses 4096.

> - Do you plan to support ftp.openbsd.org? Would be great to 
> download packages with more security

You only need to check the signify keys using https
(https://www.openbsd.org/59.html). I don't see how TLS is going to add
"more security" to the download sites.

-- 
Juan Francisco Cantero Hurtado http://juanfra.info



TLS now supported on openbsd.org?

2016-05-09 Thread arrowscript
It's great to see the OpenBSD Project supporting Let's Encrypt.  I don't
know if you folks are still configuring it, but there are some points
that I noticed:
- I don't know about modern browsers, but Links 2.12 says that the
certificate is not valid. Is it just old browsers, or does Firefox also
have this same problem?
- The RSA is 4096 bits. If I remember correctly, reyk@ said once 
that 4096 is overkill. Any specific reason to use 4096 instead of
2048? 
- Do you plan to support ftp.openbsd.org? Would be great to 
download packages with more security



Re: Claws-mail without Dbus

2016-05-09 Thread Jeremie Courreges-Anglas
m...@pmars.jp writes:

> Hi,
> Thanks a lot for all the really nice job you're doing here.
>
> I'm trying to install Claws-mail without Dbus but that seems not
> possible.

The ports tree tries to provide packages usable by most.  What if
another user wants claws-mail linked against dbus, but not against xz?

> Is there a way to do that via pkg_add or pkg_delete?
>
> I saw something on the man with the -D option and 'libdepends' value,
> stating the lib might not be fulfilled;
> would it be the way

Once you start to use this kind of option, you're on your own.

> (I doubt as Dbus is not a lib) ?

dbus is also a lib.

> I tried to ftp only the claws package and nulled $PKG_PATH,
> that didn't work.
> Pkg_add told me it needs claws' dependencies;
> i.e. dbus and its lib (and a wrapper named enchant).

Obviously dbus is needed, since by default claws-mail links against it.
Even if you untarred the package and installed claws manually, you
wouldn't be able to run it.

> Below is info about the system I'm using,
> if you need more, please tell me

Looks like you have packages that depend on dbus, but dbus doesn't
appear in the list you provide.  That kind of custom setup isn't
supported.

You'd better reconsider the reasons why you do not want dbus installed
in the first place.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: ftp/www.openbsd.org will be down for an upgrade today.

2016-05-09 Thread Stuart Henderson
On 2016-05-08, Stefan Wollny  wrote:
> On 05/08/16 at 20:03, Bob Beck wrote:
>> There will be an extended downtime of the main ftp and www sites for
>> an upgrade today starting in approximately one hour's time from now.
>> 
>> The mirror sites should be unaffected - so use a mirror if you
>> discover the main site is unavailable today.
>> 
> Anyone know of an up2date mirror of 'current.html'?
> (Google just found one with the latest entries from 2005...)
>:-(
>
> TIA.

Any anoncvs server, in the www repository.



Re: kernel logs "v_type 1" and "f_type 1"

2016-05-09 Thread Ville Valkonen
On 9 May 2016 at 16:03, Axel Rau  wrote:
> A firewall box (dual Atom N270, 2GB, 5 nics, running 5.8-current (GENERIC.MP)
> #1219)
> suddenly started logging
> v_type 1
> f_type 1
> (up to 40 times/sec) and stopped routing.
>
> The effect went away after disconnecting all but one nic.
>
> Any help appreciated,
> Axel
> ---
> PGP-Key:29E99DD6  ☀  computing @ chaos claudius

Hi,

you forgot to attach:
- dmesg
- routes
- netstat

and probably something else.

--
Regards,
Ville



Claws-mail without Dbus

2016-05-09 Thread mett

Hi,
Thanks a lot for all the really nice job you're doing here.

I'm trying to install Claws-mail without Dbus but that seems not 
possible.

Is there a way to do that via pkg_add or pkg_delete?

I saw something on the man with the -D option and 'libdepends' value,
stating the lib might not be fulfilled;
would it be the way (I doubt as Dbus is not a lib) ?

I tried to ftp only the claws package and nulled $PKG_PATH,
that didn't work.
Pkg_add told me it needs claws' dependencies;
i.e. dbus and its lib (and a wrapper named enchant).

Below is info about the system I'm using,
if you need more, please tell me

TALIA!
OpenBSD ecs.tamerr 5.9 GENERIC.MP#1616 i386


totally fresh install with only fluxbox as GUI
(except installing/deinstalling claws-mail)

mett:/home/mett/downloads:12$ pkg_info -A
  
[15/554]

aspell-0.60.6.1p2   spell checker designed to eventually replace Ispell
atk-2.18.0          accessibility toolkit used by gtk+
bzip2-1.0.6p7       block-sorting file compressor, unencumbered
cairo-1.14.6        vector graphics library
curl-7.47.0         get files from FTP, Gopher, HTTP or HTTPS servers
cyrus-sasl-2.1.26p15 RFC  SASL (Simple Authentication and Security Layer)
desktop-file-utils-0.22p0 utilities for dot.desktop entries
fluxbox-1.3.7p0     window manager based on the original Blackbox code
fribidi-0.19.7      library implementing the Unicode Bidirectional Algorithm
gdk-pixbuf-2.32.3   graphic library for gtk+2
gettext-0.19.7      GNU gettext runtime libraries and programs
giflib-5.1.2        tools and library routines for working with GIF images
glib2-2.46.2p0      general-purpose utility library
gmp-5.0.2p3         library for arbitrary precision arithmetic
gnome-icon-theme-3.12.0p3 base icon theme for GNOME
gnome-icon-theme-symbolic-3.12.0p2 base icon theme extension for special UI contexts
gnupg-1.4.19p0      GNU privacy guard - a free PGP replacement
gnutls-3.3.21       GNU Transport Layer Security library
gpgme-1.5.1p1       GnuPG Made Easy
graphite2-1.3.5     rendering for complex writing systems
gtk+2-2.24.29       multi-platform graphical toolkit
gtk-update-icon-cache-3.18.7 gtk+ icon theme caching utility
harfbuzz-1.1.3      text shaping library
hicolor-icon-theme-0.15 fallback theme of the icon theme specification
imlib2-1.4.7        image manipulation library
jasper-1.900.1p4    reference implementation of JPEG-2000
jpeg-9a             IJG's JPEG compression utilities
libarchive-3.1.2p0  multi-format archive and compression library
libassuan-2.1.1     IPC library used by GnuPG and gpgme
libcanberra-0.30p2  implementation of the Freedesktop sound theme spec.
libcanberra-gtk-0.30p3 gtk+2 helper for libcanberra
libcroco-0.6.11     generic CSS parsing library for GNOME project
libelf-0.8.13p3     read, modify, create ELF files on any arch
libetpan-1.6p0      mail purpose library
libexecinfo-0.2p5v0 clone of backtrace facility found in the GNU libc
libffi-3.2.1p0      Foreign Function Interface
libgpg-error-1.21   error codes for GnuPG related software
libiconv-1.14p3     character set conversion library
libid3tag-0.15.1bp4 library for reading ID3 tags
libidn-1.32         internationalized string handling
libltdl-2.4.2p1     GNU libtool system independent dlopen wrapper
libnettle-3.2       cryptographic library
libnotify-0.7.6p0   send desktop notifications to a notification daemon
libogg-1.3.2p0      Ogg bitstream library
librsvg-2.40.13     SAX-based render library for SVG files
libtasn1-4.7        Abstract Syntax Notation One structure parser library
libvorbis-1.3.5     audio compression codec library
libxml-2.9.3        XML parsing library
lzo2-2.09           portable speedy lossless data compression library
nghttp2-1.6.0       library for HTTP/2
p11-kit-0.22.1p1    library for loading and enumurating of PKCS#11 modules
pango-1.38.1        library for layout and rendering of text
pcre-8.38           perl-compatible regular expression library
png-1.6.20          library for manipulating PNG images
python-2.7.11       interpreted object-oriented programming language
quirks-2.197        exceptions to pkg_add rules
shared-mime-info-1.5 shared mime database for desktops
sound-theme-freedesktop-0.8p0 XDG sound theme
startup-notification-0.12p4 library for tracking application startup
tiff-4.0.6p0        tools and library routines for working with TIFF images
xz-5.2.2p0          LZMA compression and decompression tools


mett:/home/mett/downloads:11$ dmesg  
  
[79/484]

OpenBSD 5.9 (GENERIC.MP) #1616: Fri Feb 26 01:28:13 MST 2016
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
cpu0: 

kernel logs "v_type 1" and "f_type 1"

2016-05-09 Thread Axel Rau
A firewall box (dual Atom N270, 2GB, 5 nics, running 5.8-current (GENERIC.MP)
#1219)
suddenly started logging
v_type 1
f_type 1
(up to 40 times/sec) and stopped routing.

The effect went away after disconnecting all but one nic.

Any help appreciated,
Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius



Re: ftp/www.openbsd.org will be down for an upgrade today.

2016-05-09 Thread Christoph Viethen

Hello,

on 08.05.2016 23:44, Stefan Wollny wrote:


> Anyone know of an up2date mirror of 'current.html'?
> (Google just found one with the latest entries from 2005...)
> :-(


In case of doubt,

http://web.archive.org/web/20160401125246/http://www.openbsd.org/faq/current.html

isn't far too "way back", either. (Cheap pun intended.)


  Christoph

--
 open...@aixplosive.net



Re: NFS over IPSec (NAT-T)

2016-05-09 Thread Zé Loff
On Fri, Jun 12, 2015 at 10:46:48AM +0100, Zé Loff wrote:
> Hi all
> 
> I have an IKEv1 setup that allows my roaming laptop (amd64 -current) to
> connect to the office LAN (i386 patched 5.6) using outgoing NAT. Everything*
> works fine, I can ssh machines, browse internal websites, the works.
> 
> The office LAN has a machine (amd64 patched 5.4, I know, I know) with
> some NFS shares. Any machine inside the LAN -- this includes my laptop
> when "at home" -- can mount those shares and all works fine.
> 
> However, when I'm roaming NFS mounts fail with mountd stating "Refused
> mount RPC from host". As far as I can tell, this happens because for
> some reason the request issued by the laptop comes from a not reserved
> port (tcpdump confirms this) when the connection is made through the
> tunnel. All requests made "at home" come from <2048 ports and everything
> works fine there.
> 
> Any ideas as to why the requests come from high ports when on the tunnel
> and reserved ports when "at home" and, more importantly? Cluebats and
> flamethrowers welcome.
> 
> Thanks in advance
> Zé
> 
> 
> * Actually there's something weird going on with getent and DNS queries
> through the tunnel, but I'll save that for some other time
> 
> -- 
> 

Just for the archives, I'm answering my own question (almost a year
later):

Cause: pf rewriting the source port when NATing, bumping it to >2048
Solution: add "static-port" to the match rule

Cheers
Zé
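
The fix named in the message above, written out as a pf.conf fragment. This is an added example, not the poster's ruleset: the interface name, the addresses, and the assumption that the NAT happens on the gateway forwarding tunnel traffic into the LAN are all constructed.

```conf
# Added example (not the poster's ruleset). Every name and address below is
# constructed: em1 is assumed to be the gateway's LAN-facing interface,
# 10.99.0.0/24 the addresses roaming clients use inside the tunnel, and
# 192.168.10.20 the NFS server.

int_if  = "em1"
vpn_net = "10.99.0.0/24"
nfs_srv = "192.168.10.20"

# Before: plain nat-to. pf replaces the source port with one from its own
# NAT port range, so a mount request that left the client on a reserved
# port reaches mountd from a high port and is refused.
#
#   match out on $int_if inet from $vpn_net to any nat-to ($int_if)

# After: static-port keeps the client's source port, limited to TCP/UDP
# traffic towards the NFS server.
match out on $int_if inet proto { tcp, udp } from $vpn_net to $nfs_srv \
        nat-to ($int_if) static-port

# All other tunnel traffic keeps the default source-port rewriting, so two
# clients using the same source port cannot collide behind the NAT address.
match out on $int_if inet from $vpn_net to ! $nfs_srv nat-to ($int_if)

# match rules only set up translation; the ruleset's own pass rules still
# decide whether the traffic is allowed.
```

`pfctl -nf /etc/pf.conf` parses the file without loading it. After loading, `tcpdump -ni em1 host 192.168.10.20` on the gateway shows whether mount requests now leave with the client's original source port.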



Re: ftp/www.openbsd.org will be down for an upgrade today.

2016-05-09 Thread Mariano Baragiola

On 08/05/16 18:44, Stefan Wollny wrote:

> On 05/08/16 at 20:03, Bob Beck wrote:
>
>> There will be an extended downtime of the main ftp and www sites for
>> an upgrade today starting in approximately one hour's time from now.
>>
>> The mirror sites should be unaffected - so use a mirror if you
>> discover the main site is unavailable today.
>
> Anyone know of an up2date mirror of 'current.html'?
> (Google just found one with the latest entries from 2005...)
> :-(
>
> TIA.
>
> STEFAN



It's up now, but for next time: http://openbsd.md5.com.ar/faq/current.html



Re: rdomain and dhcrelay

2016-05-09 Thread Holger Glaess
> On 05/09/16 at 08:20, Holger Glaess wrote:
>> Hi,
>>
>> is there a possibility to forward DHCP requests from
>> an rdomain X to the running DHCP server in rdomain 0?
>>
>>
>> If I start dhcrelay -i em1 192.168.131.250,
>>
>> I see that it forwards the request, but it never reaches the server.
>>
>> The clients in rdomain 0 work with the DHCP server.
>>
>> Or is it necessary to modify dhcrelay with an option,
>>
>> route -n -T 2 exec dhcrelay -i em1 -V 0 192.168.131.250
>>
>> ?
>> em1 is part of rdomain 2.
>> 192.168.131.xxx is part of rdomain 0.
>>
>> holger
>>
>
> You can shove the packets to the correct rdomain with pf or pair(4)
> may be of help:
>
> "Add pair(4), a vether-based virtual Ethernet driver to interconnect
> rdomains and bridges on the local system."
>
> http://www.openbsd.org/plus59.html
>
>
> HTH,
> Marc
>
>

Hi,


I know pair because it breaks the isolation of the rdomain.

And forwarding a forward req. from dhcrelay with pf is ugly.

OK, I will try.

Thanks

holger



Re: rdomain and dhcrelay

2016-05-09 Thread Marc Peters
On 05/09/16 at 08:20, Holger Glaess wrote:
> Hi,
> 
> is there a possibility to forward DHCP requests from
> an rdomain X to the running DHCP server in rdomain 0?
> 
> 
> If I start dhcrelay -i em1 192.168.131.250,
> 
> I see that it forwards the request, but it never reaches the server.
> 
> The clients in rdomain 0 work with the DHCP server.
> 
> Or is it necessary to modify dhcrelay with an option,
> 
> route -n -T 2 exec dhcrelay -i em1 -V 0 192.168.131.250
> 
> ?
> em1 is part of rdomain 2.
> 192.168.131.xxx is part of rdomain 0.
> 
> holger
> 

You can shove the packets to the correct rdomain with pf or pair(4)
may be of help:

"Add pair(4), a vether-based virtual Ethernet driver to interconnect
rdomains and bridges on the local system."

http://www.openbsd.org/plus59.html


HTH,
Marc



rdomain and dhcrelay

2016-05-09 Thread Holger Glaess
Hi,

is there a possibility to forward DHCP requests from
an rdomain X to the running DHCP server in rdomain 0?


If I start dhcrelay -i em1 192.168.131.250,

I see that it forwards the request, but it never reaches the server.

The clients in rdomain 0 work with the DHCP server.

Or is it necessary to modify dhcrelay with an option,

route -n -T 2 exec dhcrelay -i em1 -V 0 192.168.131.250

?
em1 is part of rdomain 2.
192.168.131.xxx is part of rdomain 0.

holger