Re: Thinkpad P50 "OpenBSD 6.9 freeze using X"

2021-05-20 Thread jacky
Hi, the issue with X freezing was due to me adjusting the clock with the 
date command from the terminal in CWM; I don't know if this is a 
security measure or a bug!!!


I dual boot the laptop with Linux, and the FAQ/Time-Zones does 
explain the problem with the clock, so after following the instructions 
from the FAQ I don't have any problem with the time and I haven't 
experienced any more freezing of X. Bye


On 5/9/21 10:43 AM, jacky wrote:

Hello,

I'm running a fresh 6.9 install with cwm on a Thinkpad P50. The OS freezes 
after 5 to 10 min of use; in text mode the system is fine, only when 
using X does the system freeze.


Any suggestions would be great.

Thanks

Jacky

OpenBSD 6.9 (GENERIC.MP) #473: Mon Apr 19 10:40:28 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 33679724544 (32119MB)
avail mem = 32643620864 (31131MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x8702f000 (65 entries)
bios0: vendor LENOVO version "N1EET89W (1.62 )" date 06/18/2020
bios0: LENOVO 20EQS1J600
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP UEFI SSDT SSDT ECDT HPET APIC MCFG SSDT DBGP 
DBG2 BOOT BATB SLIC SSDT SSDT MSDM SSDT SSDT ASF! FPDT UEFI
acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) PXSX(S4) PXSX(S4) 
PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) XHCI(S3)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz, 2594.92 MHz, 06-5e-03
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN

cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz, 2593.97 MHz, 06-5e-03
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN

cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz, 2593.96 MHz, 06-5e-03
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN

cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz, 2593.96 MHz, 06-5e-03
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN

cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus -1 (EXP1)
acpiprt5 at acpi0: bus -1 (EXP3)
acpiprt6 at acpi0: bus -1 (EXP4)
acpiprt7 at acpi0: bus 2 (EXP5)
acpiprt8 at 

Relayd TLS inspection and SNI

2021-05-20 Thread BS Daemon
I am hoping that I'm just doing something wrong, but it appears
that while relayd supports some Server Name Identification (SNI)
functionality, it does not support SNI for its man-in-the-middle
/ TLS inspection configuration. Years ago I used relayd to permit access
only to certain browsers by User-Agent string and was hoping to do the
same now. But with SNI not working, and the amount of use of SNI in the
world today, this is no longer workable. I peeked at the code, but don't
have the expertise to make the feature work. I like using the base
OpenBSD utilities, and was wondering if I'm doing something wrong, if
relayd could be made to support SNI for man-in-the-middle, or if there
is an alternative tool for doing this which would work. As an example:
At the time of writing, BSDCan, a BSD conference in Canada, has a
web site with two names: www.bsdcan.org and www.bsdcan.ca. They
are both hosted at a single IP and port. Each site uses its own
server certificate. The default site as far as TLS is concerned is
www.bsdcan.ca, so unless one provides the SNI host name, one gets
the certificate for this server name. Interestingly, www.bsdcan.ca
redirects clients to www.bsdcan.org. When a client goes to
www.bsdcan.org but does not provide the SNI server name, one gets
the certificate for www.bsdcan.ca. The result is that if the client
does not have SNI abilities enabled, the browser throws a warning
message.
Without relayd in the path:
# This will get certificate for bsdcan.ca:
libressl s_client -connect www.bsdcan.ca:443
# This will also get certificate for bsdcan.ca (no SNI in request):
libressl s_client -connect www.bsdcan.org:443
# This will get certificate for bsdcan.org
libressl s_client -servername www.bsdcan.org -connect www.bsdcan.org:443
# This will also get certificate for bsdcan.org (SNI requests this site)
libressl s_client -servername www.bsdcan.org -connect www.bsdcan.ca:443
With relayd in the path, as configured below,
# This will get certificate for bsdcan.ca
# (SNI requested, but relayd is not handling SNI for TLS inspection)
libressl s_client -servername www.bsdcan.org -connect www.bsdcan.org:443
relayd.conf:
log connection
http protocol httpfilter {
	# Return HTTP/HTML error pages to the client
	return error
	match header log "User-Agent"
	match url log
	# Block disallowed sites
	match request label "URL filtered!"
	block request quick url "www.example.com/" value "*"
	# Pass allowed browsers
	match request label "User-Agent Good"
	pass request quick header "User-Agent" \
		value "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:*.0) Gecko/20100101 Firefox/*"
	pass request quick header "User-Agent" \
		value "Microsoft-CryptoAPI/10.0"
	# Block all other browsers
	match request label "Please try a different Browser"
	block request quick header "User-Agent" \
		value "*"
	tls ca key "/etc/ssl/relayd/private/ca.key" password "PASSWORD"
	tls ca cert "/etc/ssl/relayd/ca.crt"
}
relay httpproxy {
	listen on 127.0.0.1 port 8080
	protocol httpfilter
	forward to destination
}
relay tlsinspect {
	listen on 127.0.0.1 port 8443 tls
	protocol httpfilter
	forward with tls to destination
}
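The certificate-selection behaviour the post describes, as an added example that is not part of the original message and is not relayd code: a loopback TLS server in Go that hosts two self-signed certificates on one address and port, constructed here as stand-ins for the www.bsdcan.ca and www.bsdcan.org certificates, and a client that connects with and without an SNI name, mirroring the s_client commands above. The function names, the throwaway key generation and the choice of www.bsdcan.ca as the default virtual host are this example's own assumptions; the client skips verification only because the test certificates are self-signed, and merely reports which certificate the server presented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustSelfSigned makes a throwaway self-signed certificate for one DNS name
// (constructed for this example; stands in for a real server certificate).
func mustSelfSigned(name string, serial int64) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startSNIServer hosts one certificate per name on a single loopback address and
// port. The ClientHello's SNI selects the certificate; no SNI, or an unknown name,
// falls back to defaultName's certificate, as the post observed with www.bsdcan.ca.
func startSNIServer(defaultName string, otherNames ...string) (net.Listener, error) {
	certs := map[string]*tls.Certificate{}
	for i, n := range append([]string{defaultName}, otherNames...) {
		c := mustSelfSigned(n, int64(i+1))
		certs[n] = &c
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[h.ServerName]; ok {
				return c, nil
			}
			return certs[defaultName], nil // default virtual host
		},
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Complete the handshake so the client receives a certificate, then hang up.
			go func() { _ = conn.(*tls.Conn).Handshake(); conn.Close() }()
		}
	}()
	return ln, nil
}

// presentedName connects to addr sending sni as the SNI name (empty sends no SNI
// extension at all, like s_client -connect without -servername) and reports the
// DNS name in the leaf certificate the server presented.
func presentedName(addr, sni string) (string, error) {
	raw, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	conn := tls.Client(raw, &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // self-signed test certs: inspect only, no trust decision
	})
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return "", err
	}
	peers := conn.ConnectionState().PeerCertificates
	if len(peers) == 0 || len(peers[0].DNSNames) == 0 {
		return "", fmt.Errorf("no usable certificate for SNI %q", sni)
	}
	return peers[0].DNSNames[0], nil
}

func main() {
	ln, err := startSNIServer("www.bsdcan.ca", "www.bsdcan.org")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for _, sni := range []string{"", "www.bsdcan.org", "www.bsdcan.ca"} {
		name, err := presentedName(ln.Addr().String(), sni)
		fmt.Printf("SNI %q -> certificate for %q (err=%v)\n", sni, name, err)
	}
}
```

Running it shows the same pattern as the s_client output in the post: an empty SNI name yields the www.bsdcan.ca certificate, and only a ClientHello that names www.bsdcan.org receives that site's certificate. An inspecting proxy sits in the client role here, so unless it copies the client's SNI into its own upstream ClientHello it will always be handed the default certificate, which is what the post reports for the relayd configuration.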