httpd: block return with a contentless status
If httpd is configured to do "block return" with a 1xx or 204 status, it sends a response with a Content-Length header and a body, which per RFC 7230 it must not. The use case for this is a webapp which wants the webserver itself to be configured to return a 204 response for certain requests. I'm running httpd behind relayd, and relayd doesn't accept the 204 responses httpd returns. Here's a possible patch. -- Carlin Index: usr.sbin/httpd/server_http.c === RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v retrieving revision 1.122 diff -u -p -u -r1.122 server_http.c --- usr.sbin/httpd/server_http.c20 Jun 2018 16:43:05 - 1.122 +++ usr.sbin/httpd/server_http.c5 Sep 2018 16:37:35 - @@ -846,6 +846,7 @@ server_abort_http(struct client *clt, un const char *httperr = NULL, *style; char*httpmsg, *body = NULL, *extraheader = NULL; char tmbuf[32], hbuf[128], *hstsheader = NULL; + char*clenheader = NULL; char buf[IBUF_READ_SIZE]; char*escapedmsg = NULL; int bodylen; @@ -961,6 +962,16 @@ server_abort_http(struct client *clt, un } } + if ((code >= 100 && code < 200) || code == 204) + clenheader = NULL; + else { + if (asprintf(, + "Content-Length: %d\r\n", bodylen) == -1) { + clenheader = NULL; + goto done; + } + } + /* Add basic HTTP headers */ if (asprintf(, "HTTP/1.0 %03d %s\r\n" @@ -968,15 +979,17 @@ server_abort_http(struct client *clt, un "Server: %s\r\n" "Connection: close\r\n" "Content-Type: text/html\r\n" - "Content-Length: %d\r\n" + "%s" "%s" "%s" "\r\n" "%s", - code, httperr, tmbuf, HTTPD_SERVERNAME, bodylen, + code, httperr, tmbuf, HTTPD_SERVERNAME, + clenheader == NULL ? "" : clenheader, extraheader == NULL ? "" : extraheader, hstsheader == NULL ? "" : hstsheader, - desc->http_method == HTTP_METHOD_HEAD ? "" : body) == -1) + desc->http_method == HTTP_METHOD_HEAD || clenheader == NULL ? + "" : body) == -1) goto done; /* Dump the message without checking for success */ 
@@ -987,6 +1000,7 @@ server_abort_http(struct client *clt, un free(body); free(extraheader); free(hstsheader); + free(clenheader); if (msg == NULL) msg = "\"\""; if (asprintf(, "%s (%03d %s)", msg, code, httperr) == -1) {
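Review bot: in the `@@ -961` hunk the decision not to send a body is derived from `clenheader == NULL`, so only 1xx and 204 lose their body; if block return can hand this function a 304, that response would still carry a body and a Content-Length, and RFC 7230 3.3 says 304 responses have no body either (Content-Length is merely optional there). Two separate flags, one for the header and one for the body, would express the rule without coupling the two.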
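Review bot: in the `@@ -968` hunk, `desc->http_method == HTTP_METHOD_HEAD || clenheader == NULL ? "" : body` parses as intended only because `||` binds tighter than `?:`; parenthesising the condition spares the next reader the precedence check. `Content-Type: text/html` is still emitted with the now-empty 1xx/204 response, which is harmless but could be dropped in the same branch.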
newfs_ext2fs: lost+found ifdefs
lost+found is always created and always has been, do the ifdefs need to stick around? -- Carlin Index: sbin/newfs_ext2fs/mke2fs.c === RCS file: /cvs/src/sbin/newfs_ext2fs/mke2fs.c,v retrieving revision 1.16 diff -u -p -u -r1.16 mke2fs.c --- sbin/newfs_ext2fs/mke2fs.c 14 Mar 2016 20:30:34 - 1.16 +++ sbin/newfs_ext2fs/mke2fs.c 7 Mar 2017 12:20:26 - @@ -853,39 +853,26 @@ cgoverhead(uint c) * Initialize the file system */ -#define LOSTDIR/* e2fsck complains if there is no lost+found */ - #definePREDEFDIR 2 - -#ifdef LOSTDIR #definePREDEFROOTDIR (PREDEFDIR + 1) -#else -#definePREDEFROOTDIR PREDEFDIR -#endif struct ext2fs_direct root_dir[] = { { EXT2_ROOTINO, 0, 1, 0, "." }, { EXT2_ROOTINO, 0, 2, 0, ".." }, -#ifdef LOSTDIR { EXT2_LOSTFOUNDINO, 0, 10, 0, "lost+found" }, -#endif }; -#ifdef LOSTDIR struct ext2fs_direct lost_found_dir[] = { { EXT2_LOSTFOUNDINO, 0, 1, 0, "." }, { EXT2_ROOTINO, 0, 2, 0, ".." }, }; struct ext2fs_direct pad_dir = { 0, sizeof(struct ext2fs_direct), 0, 0, "" }; -#endif int fsinit(const struct timeval *tv) { struct ext2fs_dinode node; -#ifdef LOSTDIR uint i, nblks_lostfound, blk; -#endif /* * Initialize the inode for the resizefs feature @@ -898,7 +885,6 @@ fsinit(const struct timeval *tv) * Initialize the node */ -#ifdef LOSTDIR /* * Create the lost+found directory */ @@ -949,7 +935,7 @@ fsinit(const struct timeval *tv) buf); } iput(, EXT2_LOSTFOUNDINO); -#endif + /* * create the root directory */ @@ -958,9 +944,7 @@ fsinit(const struct timeval *tv) sblock.e2fs.e2fs_features_incompat & EXT2F_INCOMPAT_FTYPE) { root_dir[0].e2d_type = EXT2_FT_DIR; root_dir[1].e2d_type = EXT2_FT_DIR; -#ifdef LOSTDIR root_dir[2].e2d_type = EXT2_FT_DIR; -#endif } node.e2di_mode = EXT2_IFDIR | EXT2_UMASK; node.e2di_uid_low = geteuid();
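Review bot: with `#ifdef LOSTDIR` gone, `#define PREDEFROOTDIR (PREDEFDIR + 1)` loses the comment that explained the +1 as the lost+found entry, and the `e2fsck complains if there is no lost+found` note disappears with the define; keep a one-line comment or fold the two defines into a plain constant. The `@@ -949` hunk also replaces `#endif` with an empty `+` line, so check that the extra blank line before the root-directory comment matches the surrounding spacing.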
Re: tls_config_parse_protocols vs httpd in snapshot
On Thu, Jan 05, 2017 at 06:02:53PM -0500, Michael W. Lucas wrote:
>
> Hi,
>
> Something doesn't seem right between httpd.conf and
> tls_config_parse_protocols. Running today's snapshot, but was first
> attempted in the 15 Dec snapshot.
>
> httpd.conf(5) says to get TLS protocols from
> tls_config_parse_protocols(3). That page says:
>
> The tls_config_parse_protocols() function parses a protocol string and
> returns the corresponding value via the protocols argument. This value
> can then be passed to the tls_config_set_protocols() function. The
> protocol string is a comma or colon separated list of keywords.
>
> Comma or colon delimited. Seems fine.
>
> My httpd.conf is this:
>
> server "www3.mwlucas.org" {
> 	listen on * port 80
> 	block return 302 "https://$SERVER_NAME$REQUEST_URI;
> }
>
> server "www3.mwlucas.org" {
> 	alias tarpit.mwlucas.org
> 	listen on * tls port 443
> 	hsts
> 	# TLS certificate and key files created with acme-client(1)
> 	tls certificate "/etc/ssl/acme/fullchain.pem"
> 	tls key "/etc/ssl/acme/private/privkey.pem"
> 	tls ocsp "/etc/ssl/acme/ocsp.der"
> 	tls protocols tlsv1.0,tlsv1.1
>
> 	location "/.well-known/acme-challenge/*" {
> 		root "/acme"
> 		root strip 2
> 	}
> }
>
>
> The man page says I can use a comma instead of a colon, so I change it
> like so.
>
> tls protocols tlsv1.0,tlsv1.1

Quote the string. Unquoted strings in the httpd.conf can't contain certain
characters, such as commas and exclamation points.

--
Carlin

> This gives me
>
> # httpd -n
> /etc/httpd.conf:16: syntax error
>
> Looks like something doesn't match.
>
> The man page also says:
>
> If a value has a negative prefix (in the form
> of a leading exclamation mark) then it is removed from the list of
> available protocols, rather than being added to it.
>
> I read this as the following should work.
>
> tls protocols all:!tlsv1.0
>
> Instead, I get:
>
> httpd -n
> /etc/httpd.conf:16: invalid tls protocols
>
> ==ml
>
> --
> Michael W. Lucas - mwlu...@michaelwlucas.com, Twitter @mwlauthor
> http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Re: gmtime return value
On Mon, Sep 19, 2016 at 06:48:32AM -0600, Todd C. Miller wrote: > Committed, thanks. > > - todd > Thanks. Is there any chance of this going into -stable? This was found because it was causing test failures in Tor and tor devs are worried that there might be some edge-cases where it can cause real issues. -- Carlin
gmtime return value
If gmtime_r(3) fails it should return NULL, it currently returns a pointer to the uninitialised tm struct it was given. -- Carlin
Index: lib/libc/time/localtime.c === RCS file: /cvs/src/lib/libc/time/localtime.c,v retrieving revision 1.58 diff -u -p -u -r1.58 localtime.c --- lib/libc/time/localtime.c 14 Mar 2016 15:26:52 - 1.58 +++ lib/libc/time/localtime.c 10 Sep 2016 06:06:24 - @@ -1350,8 +1350,7 @@ gmtsub(const time_t *timep, long offset, struct tm * gmtime_r(const time_t *timep, struct tm *p_tm) { - gmtsub(timep, 0L, p_tm); - return p_tm; + return gmtsub(timep, 0L, p_tm); } DEF_WEAK(gmtime_r);
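Review bot: the hunk relies on gmtsub() returning `struct tm *`, NULL on failure and p_tm otherwise; that signature is not in the context lines, so confirm it before committing, and update gmtime(3) so the NULL return (and errno, if it is set) is documented and callers know to check it rather than use the struct.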
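The caller-side check the fix makes meaningful, as an added example that is not part of the libc diff: a log-style UTC formatter that treats NULL from gmtime_r(3) as an error instead of reading an uninitialised struct tm. The constructed INT64_MAX input assumes a 64-bit time_t.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L	/* gmtime_r(3) prototype on glibc */
#endif
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Format t as an RFC 3339 style UTC timestamp. Returns false when the
 * time cannot be represented, which is exactly the case where the
 * pre-fix libc handed back p_tm with nothing written into it.
 */
bool
format_utc(time_t t, char *buf, size_t len)
{
	struct tm tm;

	/*
	 * Zero the struct first: if a libc with the bug described above
	 * "succeeds" on failure, the worst outcome is an epoch timestamp
	 * rather than whatever was on the stack.
	 */
	memset(&tm, 0, sizeof(tm));
	errno = 0;
	if (gmtime_r(&t, &tm) == NULL) {
		/* glibc, for instance, sets errno to EOVERFLOW here. */
		fprintf(stderr, "gmtime_r(%lld): %s\n", (long long)t,
		    strerror(errno));
		return false;
	}
	return strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", &tm) != 0;
}

int
main(void)
{
	char buf[32];
	/* Constructed input: a time_t whose year does not fit in an int. */
	time_t far = (time_t)INT64_MAX;

	if (format_utc(0, buf, sizeof(buf)))
		printf("epoch -> %s\n", buf);
	if (!format_utc(far, buf, sizeof(buf)))
		printf("INT64_MAX rejected as expected\n");
	return 0;
}
```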
ps -o etime
The "etime" keyword is currently an alias for "start". posix says it should be the amount of time since the program started running, in the format [[dd-]hh:]mm:ss, I've encountered some code that doesn't work on openbsd because that's what it expects. The commit that added this in '97 says it was for XPG4 compat, but XPG4 gives the same definition of etime as posix does now. Given that the alias is old enough to vote, too late to change this? -- Carlin Index: bin/ps/extern.h === RCS file: /cvs/src/bin/ps/extern.h,v retrieving revision 1.19 diff -u -p -u -r1.19 extern.h --- bin/ps/extern.h 10 Jan 2016 14:04:16 - 1.19 +++ bin/ps/extern.h 8 Sep 2016 10:59:32 - @@ -48,6 +48,7 @@ void command(const struct kinfo_proc *, voidcputime(const struct kinfo_proc *, VARENT *); int donlist(void); voidemulname(const struct kinfo_proc *, VARENT *); +voidelapsed(const struct kinfo_proc *, VARENT *); double getpcpu(const struct kinfo_proc *); double getpmem(const struct kinfo_proc *); voidgname(const struct kinfo_proc *, VARENT *); Index: bin/ps/keyword.c === RCS file: /cvs/src/bin/ps/keyword.c,v retrieving revision 1.43 diff -u -p -u -r1.43 keyword.c --- bin/ps/keyword.c30 Dec 2015 14:59:10 - 1.43 +++ bin/ps/keyword.c8 Sep 2016 10:59:32 - @@ -101,7 +101,7 @@ VAR var[] = { {"cwd", "CWD", NULL, LJUST, curwd, CWDLEN}, {"dsiz", "DSIZ", NULL, 0, dsize, 4}, {"emul", "EMUL", NULL, LJUST, emulname, KI_EMULNAMELEN - 1}, - {"etime", "ELAPSED", "start"}, + {"etime", "ELAPSED", NULL, USER, elapsed, 12}, {"f", "F", NULL, 0, pvar, 7, 0, POFF(p_flag), INT32, "x"}, {"flags", "", "f"}, GID("gid", "GID", pvar, POFF(p_gid)), Index: bin/ps/print.c === RCS file: /cvs/src/bin/ps/print.c,v retrieving revision 1.68 diff -u -p -u -r1.68 print.c --- bin/ps/print.c 1 Sep 2016 09:44:06 - 1.68 +++ bin/ps/print.c 8 Sep 2016 10:59:32 - 
@@ -439,6 +439,50 @@ lstarted(const struct kinfo_proc *kp, VA (void)printf("%-*s", v->width, buf); } +void elapsed(const struct kinfo_proc *kp, VARENT *ve) +{ + VAR *v; + static time_t now; + time_t secs; + char buf[64]; + long days, hours, minutes, seconds; + + v = ve->var; + if (!kp->p_uvalid) { + (void)printf("%*s", v->width, "-"); + return; + } + + if (!now) + (void)time(); + secs = now - kp->p_ustart_sec; + + if (secs < 0) { + (void)printf("%*s", v->width, "-"); + return; + } + + days = secs / SECSPERDAY; + secs %= SECSPERDAY; + + hours = secs / SECSPERHOUR; + secs %= SECSPERHOUR; + + minutes = secs / 60; + seconds = secs % 60; + + if (days > 0) + (void)snprintf(buf, sizeof(buf), "%ld-%02ld:%02ld:%02ld", + days, hours, minutes, seconds); + else if (hours > 0) + (void)snprintf(buf, sizeof(buf), "%02ld:%02ld:%02ld", + hours, minutes, seconds); + else + (void)snprintf(buf, sizeof(buf), "%02ld:%02ld", + minutes, seconds); + (void)printf("%*s", v->width, buf); +} + void wchan(const struct kinfo_proc *kp, VARENT *ve) { Index: bin/ps/ps.1 === RCS file: /cvs/src/bin/ps/ps.1,v retrieving revision 1.106 diff -u -p -u -r1.106 ps.1 --- bin/ps/ps.1 25 Apr 2016 20:34:55 - 1.106 +++ bin/ps/ps.1 8 Sep 2016 10:59:32 - @@ -211,6 +211,8 @@ Current working directory. Data size, in Kilobytes. .It Cm emul Name of system call emulation environment. +.It Cm etime +Elapsed time since the process was started. .It Cm flags Alias: .Cm f . @@ -386,8 +388,6 @@ Sleep time (in seconds; 127 = infinity). .It Cm ssiz Stack size, in Kilobytes. .It Cm start -Alias: -.Cm etime . The time the command started. If the command started less than 24 hours ago, the start time is displayed using the
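Review bot: in the print.c hunk, elapsed() uses SECSPERDAY and SECSPERHOUR without a visible include; confirm print.c already pulls them in (tzfile.h on OpenBSD) rather than getting them indirectly. The static `now` sampled once per run keeps the column consistent across processes, which is the right call; the `if (!now)` guard only re-samples if time(3) ever returned 0. The width of 12 in keyword.c fits `ddd-hh:mm:ss`, so day counts beyond three digits will widen the column.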
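Review bot: the ps.1 hunk says "Elapsed time since the process was started" but not the `[[dd-]hh:]mm:ss` format the code emits; spelling the format out in the manual makes the POSIX-compat intent visible to the people whose scripts depend on it.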
Re: rebound: getpw pledge
On Sat, 28 Nov 2015, at 09:31 AM, Theo de Raadt wrote: > > rebound wants getpw, as of kern_pledge.c 1.123 > > You must be running snapshots, which tricky bit in libc which tests > for "getpw" on non-YP systems. > > This diff will work, or the getpwnam use in rebound.c should be hoisted > up higher, similar to the most recent change in ntpd/constraint.c Something like this? Index: usr.sbin/rebound/rebound.c === RCS file: /cvs/src/usr.sbin/rebound/rebound.c,v retrieving revision 1.46 diff -u -p -u -r1.46 rebound.c --- usr.sbin/rebound/rebound.c 27 Nov 2015 21:12:08 - 1.46 +++ usr.sbin/rebound/rebound.c 27 Nov 2015 22:13:28 - @@ -416,14 +416,13 @@ readconfig(FILE *conf, struct sockaddr_s } static int -launch(const char *confname, int ud, int ld, int kq) +launch(const char *confname, int ud, int ld, int kq, struct passwd *pwd) { struct sockaddr_storage remoteaddr; struct kevent ch[2], kev[4]; struct timespec ts, *timeout = NULL; struct request reqkey, *req; struct dnscache *ent; - struct passwd *pwd; FILE *conf; int i, r, af; pid_t parent, child; @@ -443,9 +442,6 @@ launch(const char *confname, int ud, int kq = kqueue(); - if (!(pwd = getpwnam("_rebound"))) - logerr("getpwnam failed"); - if (chroot(pwd->pw_dir) == -1) logerr("chroot failed (%d)", errno); if (chdir("/") == -1) @@ -611,12 +607,16 @@ main(int argc, char **argv) int one; int childdead, hupped; pid_t child; + struct passwd *pwd; struct kevent kev; struct rlimit rlim; struct timespec ts, *timeout = NULL; const char *conffile = "/etc/rebound.conf"; - if (pledge("stdio rpath getpw inet proc id", NULL) == -1) + if (!(pwd = getpwnam("_rebound"))) + logerr("getpwnam failed"); + + if (pledge("stdio rpath inet proc id", NULL) == -1) logerr("pledge failed"); while ((ch = getopt(argc, argv, "c:d")) != -1) { @@ -682,7 +682,7 @@ main(int argc, char **argv) err(1, "listen"); if (debug) { - launch(conffile, ud, ld, -1); + launch(conffile, ud, ld, -1, pwd); return 1; } 
@@ -695,7 +695,7 @@ main(int argc, char **argv) while (1) { hupped = 0; childdead = 0; - child = launch(conffile, ud, ld, kq); + child = launch(conffile, ud, ld, kq, pwd); if (child == -1) logerr("failed to launch"); -- Carlin
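Review bot: hoisting getpwnam() into main() changes behaviour for the `while (1)` relaunch loop: launch() used to re-read the `_rebound` entry on every child start, and now a changed home directory only takes effect on a daemon restart; fine, but worth a line in the commit message. `pwd` also points at getpwnam's static buffer, so any later getpw* call in the parent (none visible here) would silently clobber the chroot path; copying pw_dir with strdup() right after the lookup avoids that class of bug.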
Re: export directive in make
On Wed, 11 Nov 2015, at 12:55 PM, Ted Unangst wrote: > Carlin Bingham wrote: > > GNU make and NetBSD's bmake (which is also used by FreeBSD) > > support this. > > > > This is based on the implementation from bmake. > > Do you have a makefile that needs this? I think adding features that > exist > elsewhere, but not adding all of GNU compat (which we're clearly not > doing) > results in our make only becoming bigger, but not more useful. tor started needing this recently. It hasn't hit a stable build yet but their latest rc and alpha releases need it. -- Carlin
export directive in make
GNU make and NetBSD's bmake (which is also used by FreeBSD) support this. This is based on the implementation from bmake. Index: usr.bin/make/config.h === RCS file: /cvs/src/usr.bin/make/config.h,v retrieving revision 1.20 diff -u -p -u -r1.20 config.h --- usr.bin/make/config.h 18 Oct 2014 07:50:06 - 1.20 +++ usr.bin/make/config.h 8 Nov 2015 20:17:13 - @@ -64,6 +64,12 @@ #define SYSVVARSUB /* + * GMAKEEXPORT + * Recognize gmake like variable export directives [export =] + */ +#define GMAKEEXPORT + +/* * SUNSHCMD * Recognize SunOS and Solaris: * VAR :sh= CMD# Assign VAR to the command substitution of CMD @@ -94,6 +100,11 @@ #else #define DOFEATURE_SYSVVARSUB 0 #endif +#ifdef GMAKEEXPORT +#define DOFEATURE_GMAKEEXPORT FEATURE_GMAKEEXPORT +#else +#define DOFEATURE_GMAKEEXPORT 0 +#endif #ifdef SUNSHCMD #define DOFEATURE_SUNSHCMD FEATURE_SUNSHCMD #else @@ -101,7 +112,10 @@ #endif #ifndef DEFAULT_FEATURES -#define DEFAULT_FEATURES (FEATURE_UPPERLOWER | DOFEATURE_SYSVVARSUB | DOFEATURE_SYSVINCLUDE | DOFEATURE_SUNSHCMD | FEATURE_RECVARS | FEATURE_CONDINCLUDE) +#define DEFAULT_FEATURES (FEATURE_UPPERLOWER | DOFEATURE_SYSVVARSUB | \ +DOFEATURE_SYSVINCLUDE | DOFEATURE_SUNSHCMD | \ +FEATURE_RECVARS | FEATURE_CONDINCLUDE | \ +DOFEATURE_GMAKEEXPORT) #endif #define FEATURES(x)((DEFAULT_FEATURES & (x)) != 0) @@ -116,6 +130,7 @@ #define FEATURE_CONDINCLUDE256 #define FEATURE_ASSIGN 512 #define FEATURE_EXECMOD1024 +#define FEATURE_GMAKEEXPORT2048 /* * There are several places where expandable buffers are used (parse.c and Index: usr.bin/make/parse.c === RCS file: /cvs/src/usr.bin/make/parse.c,v retrieving revision 1.112 diff -u -p -u -r1.112 parse.c --- usr.bin/make/parse.c23 Jan 2015 22:35:57 - 1.112 +++ usr.bin/make/parse.c8 Nov 2015 20:17:13 - 
@@ -151,6 +151,7 @@ static bool lookup_bsd_include(const cha static void lookup_sysv_style_include(const char *, const char *, bool); static void lookup_sysv_include(const char *, const char *); static void lookup_conditional_include(const char *, const char *); +static void handle_gmake_export(char *, const char *); static bool parse_as_special_line(Buffer, Buffer, const char *); static unsigned int parse_operator(const char **); @@ -1226,6 +1227,28 @@ lookup_conditional_include(const char *f lookup_sysv_style_include(file, directive, false); } +static void +handle_gmake_export(char *line, const char *directive) +{ + char *variable = line; + char *value; + + while (isspace((unsigned char)*variable)) + variable++; + + for (value = variable; *value && *value != '='; value++) + continue; + + if (*value != '=') { + Parse_Error(PARSE_FATAL, + "Variable/Value missing from \"%s\"", directive); + return; + } + *value++ = '\0'; + + value = Var_Subst(value, NULL, false); + setenv(variable, value, 1); +} /*** *** BSD-specific . constructs @@ -1469,6 +1492,13 @@ parse_as_special_line(Buffer buf, Buffer ISSPACE(line[8]) && strchr(line, ':') == NULL) { lookup_conditional_include(line+8, "-include"); + return true; + } + if (FEATURES(FEATURE_GMAKEEXPORT) && + strncmp(line, "export", 6) == 0 && + ISSPACE(line[6]) && + strchr(line, ':') == NULL) { + handle_gmake_export((char *)line+6, "export"); return true; } return false; Index: usr.bin/make/make.1 === RCS file: /cvs/src/usr.bin/make/make.1,v retrieving revision 1.120 diff -u -p -u -r1.120 make.1 --- usr.bin/make/make.1 13 Mar 2015 19:58:41 - 1.120 +++ usr.bin/make/make.1 8 Nov 2015 20:17:13 - 
@@ -974,6 +974,14 @@ in .At V variable substitutions is not mandated by POSIX, though it is fairly common. +.Pp +The +.Ic export +directive can be used to export a variable to the environment, +using the syntax: +.Bd -unfilled -offset indent +.Ic export Ar NAME Ns = Ns Ar value +.Ed .Sh INCLUDE STATEMENTS, CONDITIONALS AND FOR LOOPS Makefile inclusion, conditional structures and for loops reminiscent of the C programming language are provided in -- Carlin
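Review bot: handle_gmake_export() trims leading whitespace from the name but neither trailing whitespace nor the spaces on the value side of `=`, so `export FOO = bar` sets a variable named `FOO ` to ` bar` where GNU make sets FOO to bar; trim both sides around the split. An empty name (`export =x`) reaches setenv(), which fails with EINVAL, and setenv()'s return value is not checked. If Var_Subst() returns a newly allocated string, as elsewhere in parse.c, that result is leaked after setenv() copies it.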
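Review bot: in the parse_as_special_line() hunk the `strchr(line, ':') == NULL` guard means any export whose value contains a colon, a PATH-like list for instance, is not recognised and falls through to be parsed as a target line; looking for `:` only in the text before the first `=` would fix that. `export FOO` without `=` exports an existing variable in GNU make but is a fatal parse error here; either support it or state the difference in the make.1 hunk, which currently documents only the `NAME=value` form.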
Re: httpd: hsts (rfc 6797)
On Sat, 18 Jul 2015, at 12:14 PM, Florian Obser wrote: OK? diff --git httpd.conf.5 httpd.conf.5 index b3eaad8..bfca29f 100644 --- httpd.conf.5 +++ httpd.conf.5 @@ -262,6 +262,18 @@ root directory of .Xr httpd 8 and defaults to .Pa /run/slowcgi.sock . +.It Ic hsts Oo Ar option Oc +Enable HTTP Strict Transport Security. +Valid options are: +.Bl -tag -width Ds +.It Ic max-age Ar seconds +Set the maximum time in seconds a receiving user agent should regard +this host as a HSTS host. +The default is one year. +.It Ic subdomains +Signal to the receiving user agent that this host and all sub domains +of the host's domain should be considered HSTS hosts. +.El There is a non-standard preload token that Google requires to get onto Chrome's HSTS preload list[0] which is also used by Firefox. Any chance of supporting this? Or is its omission a conscious decision? [0] https://hstspreload.appspot.com/
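Review bot: `.It Ic hsts Oo Ar option Oc` shows a single optional option while two are listed; if `max-age` and `subdomains` can be combined, the synopsis should say so. The text could also state on which listeners the header is emitted, since RFC 6797 8.1 requires user agents to ignore it on non-TLS responses, so sending it from a plain `listen on * port 80` server does nothing.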
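An added example, not httpd's code: what the `max-age` and `subdomains` options render to, a parser for the value a client receives, and the preload check the reply asks about. The submission criteria in hsts_preload_ready() are assumed from hstspreload.org's published requirements, not from anything on this page.

```c
#define _POSIX_C_SOURCE 200809L	/* strdup, strtok_r, strcasecmp */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Build, parse and check a Strict-Transport-Security value: directive
 * names follow RFC 6797, "preload" is the non-standard token the reply
 * above asks about. Example code, not httpd's implementation. */

#define HSTS_ONE_YEAR	31536000L	/* httpd.conf's documented default */

struct hsts {
	long	max_age;	/* -1 if the header carried no max-age */
	bool	subdomains;	/* includeSubDomains */
	bool	preload;	/* preload (non-standard) */
};

/* What the max-age and subdomains options in the diff above render to. */
int
hsts_build(const struct hsts *h, char *buf, size_t len)
{
	return snprintf(buf, len, "max-age=%ld%s%s", h->max_age,
	    h->subdomains ? "; includeSubDomains" : "",
	    h->preload ? "; preload" : "");
}

/* Parse a received value: names are case-insensitive, unknown directives
 * are ignored (RFC 6797 6.1), and a missing, duplicate or malformed
 * max-age makes the whole header invalid. */
bool
hsts_parse(const char *value, struct hsts *h)
{
	char *copy, *tok, *save, *eq, *end;
	int seen_max_age = 0;

	memset(h, 0, sizeof(*h));
	h->max_age = -1;
	if ((copy = strdup(value)) == NULL)
		return false;
	for (tok = strtok_r(copy, ";", &save); tok != NULL;
	    tok = strtok_r(NULL, ";", &save)) {
		/* trim the optional whitespace around each directive */
		while (isspace((unsigned char)*tok))
			tok++;
		end = tok + strlen(tok);
		while (end > tok && isspace((unsigned char)end[-1]))
			*--end = '\0';
		if ((eq = strchr(tok, '=')) != NULL)
			*eq++ = '\0';
		if (strcasecmp(tok, "max-age") == 0) {
			if (eq == NULL || seen_max_age++)
				goto bad;
			h->max_age = strtol(eq, &end, 10);
			if (end == eq || *end != '\0' || h->max_age < 0)
				goto bad;
		} else if (strcasecmp(tok, "includeSubDomains") == 0)
			h->subdomains = true;
		else if (strcasecmp(tok, "preload") == 0)
			h->preload = true;
	}
	free(copy);
	return seen_max_age == 1;
bad:
	free(copy);
	return false;
}

/* Chrome preload-list submission criteria as published at hstspreload.org
 * (assumed here, not enforced by httpd): at least one year of max-age,
 * includeSubDomains and the preload token. */
bool
hsts_preload_ready(const struct hsts *h)
{
	return h->max_age >= HSTS_ONE_YEAR && h->subdomains && h->preload;
}
```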
Re: keyboard and mouse problems
On Thu, 12 Mar 2015, at 04:11 AM, Theo de Raadt wrote:
> Two related problems regarding mice and keyboards came to my attention
> during s2k15 in Brisbane and I worked with jcs@ on solutions.
>
> The first problem is some newer machines (such as the thinkpad x1) have
> keyboard repeat or stuttering during install -- this issue only happens
> on the RAMDISK kernel. Eventually we figured out that this is due to the
> large touchpad! Even a light brush against it would mess up the pckbc
> driver subtly, causing 10 second pauses. This happens because the
> RAMDISK media lacks the pms driver.

Had a similar problem with the ramdisk kernel on my Thinkpad T440p; any slight bump of the nipple mouse in the centre of the keyboard would cause the keyboard to start repeating characters. With this patch applied the problem goes away. Thanks a lot :-)

dmesg, in case it's useful to see the hardware I tested it on:

OpenBSD 5.7-current (GENERIC.MP) #6: Fri Mar 13 04:30:46 NZDT 2015
    car...@vorpal.my.domain:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Re: Authenticated TLS contraints in ntpd(8)
On Wed, 11 Feb 2015, at 12:32 AM, Reyk Floeter wrote:
> Let me share the answer to a question that I got in a private mail:
>
> On Tue, Feb 10, 2015 at 10:55:53AM +0100, Reyk Floeter wrote:
> > ---snip---
> > servers pool.ntp.org
> > constraints from https://www.google.com/search?q=openntpd;
> > constraints from www.twitter.com
> > constraint from www.apple.com
> > ---snap---
> >
> > Is the last constraint in singular pointing to www.apple.com valid or
> > is it a typo?
>
> Yes, it is valid. As mentioned in the man page, it works like the
> existing server vs. servers for NTP peers. When a hostname or URL is
> specified, ntpd(8) will resolve the host. The singular version will use
> only one of the returned IP addresses and the plural version will use it
> as a pool and use all of the returned IP addresses.
>
> Following the example, a dig A on www.google.com or www.apple.com will
> typically show you a number of addresses, while the Akamai-hosted
> www.apple.com only returns one address near you.
>
> You're free to use any host, and some people might prefer to use their
> own trusted servers, I just picked some examples with good availability
> and seemingly good time.
>
> Reyk

Using `constraints` I see it trying to query both the IPv4 addresses and the IPv6 addresses that the hostname resolves to, even though the machine has no IPv6 access. Is this expected?

--
Carlin
Re: httpd: redirect to https, or www, or non-www
On Wed, 24 Dec 2014, at 11:03 PM, Stuart Henderson wrote:
> On 2014/12/24 06:44, Carlin Bingham wrote:
> > nginx and apache support url rewriting, letting you redirect from
> > arbitrary urls with pattern matching. In my experience the primary uses
> > for this are to redirect from http to https or to remove/add www in the
> > hostname, so I thought it might be useful to have options making these
> > specific uses possible and simple to do.
> [...]
>
> For https redirects, a better option would be to add support for adding
> the Strict-Transport-Security header to responses (HSTS, RFC 6797), it's
> safer than issuing a redirect.

For HSTS to work you first need to redirect to https and issue the header over https. My plan was to propose a way to set the HSTS header if this proposal was well received, since there isn't much point having a built-in way to set the header if you're still having to use FCGI anyway to do the redirects.

--
Carlin
rand()/random() warning
There is no warning when compiling code that calls random() but two warnings when compiling code that calls rand():

warning: random() may return determinstic values, is that what you want?
warning: rand() may return determinstic values, is that what you want?

Is the first parameter to __warn_references in random.c supposed to be 'random' not 'rand'?

Index: lib/libc/stdlib/random.c === RCS file: /cvs/src/lib/libc/stdlib/random.c,v retrieving revision 1.26 diff -u -p -u -r1.26 random.c --- lib/libc/stdlib/random.c9 Dec 2014 08:00:53 - 1.26 +++ lib/libc/stdlib/random.c16 Dec 2014 20:22:12 - @@ -417,6 +417,6 @@ random(void) } #if defined(APIWARN) -__warn_references(rand, +__warn_references(random, warning: random() may return determinstic values, is that what you want?); #endif
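Review bot: the hunk keeps the misspelling `determinstic` in the message on the line it touches; correct it to `deterministic` while here. Also confirm rand.c carries its own `__warn_references(rand, ...)`: the doubled rand() warning reported above suggests it does, and this change should leave rand() with exactly one warning and random() with one.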