openvpn with ed25519 ca cert

2024-04-21 Thread Peter Wens

Hi,

Does LibreSSL 3.9.0 on 7.5 lack support for ed25519 certs
using TLS 1.3?

Creating PKI with easy-rsa only works with ec secp521r1.

With ed25519 certs OpenVPN says:

xxx us=881571 OpenVPN 2.6.9 x86_64-unknown-openbsd7.5 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]

xxx us=881757 library versions: LibreSSL 3.9.0, LZO 2.10
xxx us=890289 OpenSSL: error:14FFF18E:SSL routines:(UNKNOWN)SSL_internal:ca md too weak::/usr/src/lib/libssl/ssl_rsa.c:394:


It works fine on FreeBSD (14) and linux (OpenSSL 3.x)

Best regards,

Peter
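
Added example (not part of the thread, and not from the OpenVPN or LibreSSL projects): a POSIX shell script that builds two throwaway self-signed CA certificates with the OpenSSL command-line tool, one signed with an ed25519 key and one with a secp521r1 ECDSA key as in the easy-rsa workaround above, and reports the signature algorithm each certificate carries. Checking this field on an existing CA is how you tell, before deploying it to an OpenBSD box, which of the two cases above it falls into. The helper names, file names and CN are assumptions; it needs an `openssl` binary from OpenSSL 1.1.1 or later (such as the Linux and FreeBSD hosts mentioned in the post) and does nothing if none is installed.

```shell
#!/bin/sh
# Added example (not from the thread): build two throwaway CAs and show
# which signature algorithm each certificate is signed with.
# Assumes an OpenSSL 1.1.1+ command-line tool; LibreSSL's openssl(1) may
# not accept every option used here.
set -eu

# Print the signature algorithm recorded in a PEM certificate,
# e.g. "ED25519" or "ecdsa-with-SHA256" (first occurrence in -text output).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' \
        | head -n 1
}

# Create one self-signed CA certificate for a given key algorithm.
# $1 = output directory, $2 = label, remaining args = openssl genpkey options
make_ca() {
    dir=$1; label=$2; shift 2
    openssl genpkey "$@" -out "$dir/ca_$label.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ca_$label.key" \
        -subj "/CN=test-ca-$label" -days 1 \
        -out "$dir/ca_$label.pem" 2>/dev/null
}

# Build both CAs (ed25519 and secp521r1 ECDSA) in a temporary directory
# and print that directory's path so callers can inspect the files.
make_test_cas() {
    dir=$(mktemp -d)
    make_ca "$dir" ed25519 -algorithm ED25519
    make_ca "$dir" secp521r1 -algorithm EC -pkeyopt ec_paramgen_curve:secp521r1
    printf '%s\n' "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    cadir=$(make_test_cas)
    for f in "$cadir"/ca_*.pem; do
        printf '%s: %s\n' "$(basename "$f")" "$(cert_sig_alg "$f")"
    done
else
    echo "openssl not found; nothing to check" >&2
fi
```

Run it as-is to see the two labels side by side, or call `cert_sig_alg /path/to/ca.crt` against the CA easy-rsa produced; the temporary directory is left in place so the generated files can be examined with `openssl x509 -text`.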



Re: ignore dns dhcpleased

2024-01-03 Thread Peter Wens
I was using unwind, but I changed over to use unbound instead and so I 
noticed the changes made in resolv.conf by resolvd.


On 1/3/24 13:37, Stuart Henderson wrote:

On 2024-01-03, Peter Wens  wrote:

Hi Otto,

I checked it, and yes it's slaacd

...
rdns_proposal_state_transition[vio0] PROPOSAL_NOT_CONFIGURED -> PROPOSAL_CONFIGURED, timo: 3588
gen_rdns_proposal: iface 1: fe80::f...
...

Don't know how to disable this (e.g. vultr), so for now I disable resolvd.


If you want to force a specific server, that's often the right answer anyway.

An alternative is to use unwind with its config file.






Re: ignore dns dhcpleased

2024-01-03 Thread Peter Wens

Hi Otto,

I checked it, and yes it's slaacd

...
rdns_proposal_state_transition[vio0] PROPOSAL_NOT_CONFIGURED -> PROPOSAL_CONFIGURED, timo: 3588
gen_rdns_proposal: iface 1: fe80::f...
...

Don't know how to disable this (e.g. vultr), so for now I disable resolvd.

On 1/3/24 13:20, Otto Moerbeek wrote:

On Wed, Jan 03, 2024 at 12:15:04PM +0100, Peter Wens wrote:


Hi,

I noticed that ignoring nameservers from leases only works
on IPv4 addresses.

in /etc/dhcpleased.conf

interface vio0 {
ignore dns
}

resolvd still adds an IPv6 nameserver

nameserver 2001:19f0:300:1704::6 # resolvd: vio0

Is this intentional?


Best regards,

Peter



This very likely happens via slaacd, as v6 route proposals can
contain DNS resolver info. AFAIK, there is no way to tell slaacd to
not send DNS entries to resolvd, so you should try to tell the device
sending the v6 route advertisements to stop including DNS info.

-Otto





ignore dns dhcpleased

2024-01-03 Thread Peter Wens

Hi,

I noticed that ignoring nameservers from leases only works
on IPv4 addresses.

in /etc/dhcpleased.conf

interface vio0 {
ignore dns
}

resolvd still adds an IPv6 nameserver

nameserver 2001:19f0:300:1704::6 # resolvd: vio0

Is this intentional?


Best regards,

Peter
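
Added example (not part of the thread, and not OpenBSD's own code): a POSIX shell script that reads a resolv.conf and lists the nameservers resolvd(8) has written into it, keyed by the interface in the `# resolvd: <ifname>` marker seen above, and counts the IPv6 ones per interface. After setting `ignore dns` for an interface, running this against /etc/resolv.conf shows whether an IPv6 entry is still arriving by another route (slaacd, in the reply above). The sample resolv.conf is constructed for this example, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list the nameservers resolvd(8)
# has written into a resolv.conf, using the "# resolvd: <ifname>" marker
# it appends, and flag which address family each one belongs to.
set -eu

# Emit "IFACE FAMILY ADDRESS" for each resolvd-managed nameserver line.
# $1 = path to a resolv.conf
resolvd_nameservers() {
    sed -n 's/^nameserver[[:space:]]*\([^[:space:]]*\)[[:space:]]*# resolvd: \([^[:space:]]*\).*/\2 \1/p' "$1" \
    | while read -r iface addr; do
        # An address containing a colon is IPv6; everything else is IPv4.
        case $addr in
            *:*) fam=inet6 ;;
            *)   fam=inet ;;
        esac
        printf '%s %s %s\n' "$iface" "$fam" "$addr"
    done
}

# Count the IPv6 nameservers resolvd added for one interface.
# $1 = path to a resolv.conf, $2 = interface name
resolvd_ipv6_count() {
    resolvd_nameservers "$1" | awk -v i="$2" '$1 == i && $2 == "inet6"' | wc -l | tr -d ' '
}

# Constructed sample: one static server, one v4 and one v6 entry from vio0.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 198.51.100.1 # resolvd: vio0
nameserver 2001:19f0:300:1704::6 # resolvd: vio0
lookup file bind
EOF

resolvd_nameservers "$sample"
printf 'IPv6 nameservers from vio0: %s\n' "$(resolvd_ipv6_count "$sample" vio0)"
```

Point `resolvd_nameservers` at /etc/resolv.conf on the host instead of the sample to audit what resolvd has merged in; the static line without a marker is deliberately not reported, since resolvd did not add it.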



Re: AUTOCONF4 flag

2021-05-01 Thread Peter Wens

Thanks for clearing this up.

Peter

On 5/1/21 5:08 PM, Theo de Raadt wrote:

Peter Wens  wrote:


Hi,

In OpenBSD 6.9 the AUTOCONF4 flag is not set
with 'dhcp' set in hostname.if (from fresh install)


You have described this incorrectly.  In 6.8, choosing "dhcp" would run
dhclient(8) on that interface, and dhclient would set the AUTOCONF4 flag.
That was incorrect.  AUTOCONF4 is supposed to work like AUTOCONF6.

These are per-interface flags which indicate a request: "Someone please
go get us a dynamic address".  dhclient incorrectly believed the flag
meant "I have gotten a dynamic address".


If 'autoconf' instead of 'dhcp' is used with dhcpleased
the flag is set.

Is this intentional in 6.9?


Yes, it is intentional.

In 6.9:

1) 'autoconf' is to instruct dhcpleased(8), to do dhcp lease-learning, then
dhcpleased(8) will communicate learned DNS configuration via
route-socket to resolvd(8), which will make changes to /etc/resolv.conf

2) 'dhcp' runs a per-interface dhclient(8) which will manage /etc/resolv.conf

The two dhcp modes of operation are incompatible.

By 7.0 we hope to switch to the model described in (1), because this
allows resolvd(8) to blend DNS configuration from multiple sources into
/etc/resolv.conf, rather than having one per-interface daemon smashing
the file.







AUTOCONF4 flag

2021-05-01 Thread Peter Wens

Hi,

In OpenBSD 6.9 the AUTOCONF4 flag is not set
with 'dhcp' set in hostname.if (from fresh install)

If 'autoconf' instead of 'dhcp' is used with dhcpleased
the flag is set.

Is this intentional in 6.9?

Best regards,

Peter



Re: New support

2017-04-03 Thread Peter Wens

0
C Netherlands
P
T Huizen
Z 1273 LD
O Wenka Computer Systems
I
A Delta 81
M i...@wenka.nl
U http://www.wenka.nl/en/
B +31 85 111 8800
X
N IT security, networking and open source software consultancy. 
OpenBSD-based networking and VoIP support.




New support

2017-04-03 Thread Peter Wens

0
C Netherlands
P
T Huizen
Z 1273 LD
O Wenka Computer Systems
I
A Delta 81
M i...@wenka.nl
U http://www.wenka.com/en/
B +31 85 111 8800
X
N IT security, networking and open source software consultancy. OpenBSD-based 
networking and VoIP support.



Re: encrypted disk image

2016-05-21 Thread Peter Wens

Many thanks for clearing that up.

Regards,

Peter

On 05/21/2016 12:38 AM, Ted Unangst wrote:

Peter Wens wrote:

On an encrypted (sd1) OpenBSD 5.9 install (amd64, (qemu, virtio)):

I created a diskimage (dd if=/dev/urandom of=disk.img bs=1m count=100)
vnconfig vnd0 disk.img
fdisk -iy vnd0
disklabel -E vnd0 (a a RAID)

bioctl -c C -l /dev/vnd0a softraid0
  (creates sd2)
newfs /dev/rsd2c
mount /dev/rsd2c /mnt
installboot -v -r /mnt sd2 /usr/mdec/biosboot /usr/mdec/boot

then copy some files and at some point the system locks up.

The same procedure on an unencrypted install, no troubles at all.

Any suggestions on what's happening?

Stacking softraid doesn't work. This has irked me for some time, but it's the
way things are for now.




Re: encrypted disk image

2016-05-20 Thread Peter Wens

No typo, just for testing 100M is enough.


On 05/20/2016 09:16 PM, Maurice McCarthy wrote:

On Fri, May 20, 2016 at 05:33:44PM +0200 or thereabouts, Peter Wens wrote:

Hi,

On an encrypted (sd1) OpenBSD 5.9 install (amd64, (qemu, virtio)):

I created a diskimage (dd if=/dev/urandom of=disk.img bs=1m count=100)

Is that a typo or is your image really only 100M ??

Regards




encrypted disk image

2016-05-20 Thread Peter Wens
Hi,

On an encrypted (sd1) OpenBSD 5.9 install (amd64, (qemu, virtio)):

I created a diskimage (dd if=/dev/urandom of=disk.img bs=1m count=100)
vnconfig vnd0 disk.img
fdisk -iy vnd0
disklabel -E vnd0 (a a RAID)

bioctl -c C -l /dev/vnd0a softraid0
  (creates sd2)
newfs /dev/rsd2c
mount /dev/rsd2c /mnt
installboot -v -r /mnt sd2 /usr/mdec/biosboot /usr/mdec/boot

then copy some files and at some point the system locks up.

The same procedure on an unencrypted install, no troubles at all.

Any suggestions on what's happening?

Regards,

--
Peter