Re: Fund raising
I'm actually wearing an openbsd shirt now with an openssh poster behind me on the wall. What's the URL to the legacy store? I want to see what remains in their inventory. Note: Recent difficulties have resulted in zero (Z E R O) of the proceeds from Austin's shop going towards OpenBSD. And it may have been happening for a while before that. (history repeats itself)
Re: httpd tls - what am i missing?
On Thu, 26 Mar 2015 08:30:23 +0100 mxb wrote:

Thank you for the suggestion. I was not aware of pound. I'd rather go for relayd. Which is out of the box. No need to install "yet another port and make sure it is up2date". httpd is based on relayd code which would reduce the scope of the test (a cluestick).

When I try https://10.0.128.67/index.html I get a nice message from firefox asking me to accept a problem certificate (this was expected, the certificate is the correct one), and when I do accept the certificate, I get the index page. So, I am not sure what is wrong, but it appears httpd is not responding to https requests, even with the listen on tls line in the configuration file. Is there anything for me to look at/consider in trying to correct this?

I don't understand what you are saying by 'correct one' but to me this suggests you have issues even with pound and perhaps I would try another browser or firefox on another client and try another certificate perhaps from another CA or install a newer snapshot or re-install a release before wondering if there is an issue with httpd or libressl whilst monitoring the list to see if anyone else has an issue? Thankfully re-install on OpenBSD is super quick but you do have to follow www.openbsd.org/current.html for snapshots and I think www.openbsd.org/plus.html for release upgrades (4.5 - 4.6 etc.)

Hello:

I started httpd as:

httpd -d -v -v -v -v -v -v -v

And I see:

startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_tls_load_keypair: using certificate /etc/ssl/server.crt
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
server_launch: running server default
server_launch: running server default
server_launch: running server default

but, if I try to connect using https, there is no output on the terminal indicating that httpd is doing anything at all.
Ctrl-c to kill the server gives:

^C
logger exiting, pid 28447
server exiting, pid 23445
server exiting, pid 20653
server exiting, pid 12690
parent terminating, pid 29581

So, it seems that httpd does, in fact, see the cert and key, but does nothing with them. (the cert is PEM encoded)

So, I also tried:

openssl s_server -accept 443 -www -cert /etc/ssl/server.crt -key /etc/ssl/private/server.key

and then connected to the machine with a browser. This connection works without an issue. The output to the browser from openssl s_server is:

s_server -accept 443 -www -cert /etc/ssl/server.crt -key /etc/ssl/private/server.key
Secure Renegotiation IS supported
Ciphers supported in s_server binary
TLSv1/SSLv3:ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1/SSLv3:ECDHE-RSA-CHACHA20-POLY1305  TLSv1/SSLv3:DHE-RSA-CHACHA20-POLY1305
TLSv1/SSLv3:ECDHE-RSA-AES256-GCM-SHA384  TLSv1/SSLv3:ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1/SSLv3:ECDHE-RSA-AES256-SHA384
TLSv1/SSLv3:ECDHE-ECDSA-AES256-SHA384  TLSv1/SSLv3:ECDHE-RSA-AES256-SHA  TLSv1/SSLv3:ECDHE-ECDSA-AES256-SHA
TLSv1/SSLv3:DHE-DSS-AES256-GCM-SHA384  TLSv1/SSLv3:DHE-RSA-AES256-GCM-SHA384  TLSv1/SSLv3:DHE-RSA-AES256-SHA256
TLSv1/SSLv3:DHE-DSS-AES256-SHA256  TLSv1/SSLv3:DHE-RSA-AES256-SHA  TLSv1/SSLv3:DHE-DSS-AES256-SHA
TLSv1/SSLv3:GOST2012256-GOST89-GOST89  TLSv1/SSLv3:DHE-RSA-CAMELLIA256-SHA256  TLSv1/SSLv3:DHE-DSS-CAMELLIA256-SHA256
TLSv1/SSLv3:DHE-RSA-CAMELLIA256-SHA  TLSv1/SSLv3:DHE-DSS-CAMELLIA256-SHA  TLSv1/SSLv3:GOST2001-GOST89-GOST89
TLSv1/SSLv3:ECDH-RSA-AES256-GCM-SHA384  TLSv1/SSLv3:ECDH-ECDSA-AES256-GCM-SHA384  TLSv1/SSLv3:ECDH-RSA-AES256-SHA384
TLSv1/SSLv3:ECDH-ECDSA-AES256-SHA384  TLSv1/SSLv3:ECDH-RSA-AES256-SHA  TLSv1/SSLv3:ECDH-ECDSA-AES256-SHA
TLSv1/SSLv3:AES256-GCM-SHA384  TLSv1/SSLv3:AES256-SHA256  TLSv1/SSLv3:AES256-SHA
TLSv1/SSLv3:CAMELLIA256-SHA256  TLSv1/SSLv3:CAMELLIA256-SHA  TLSv1/SSLv3:ECDHE-RSA-AES128-GCM-SHA256
TLSv1/SSLv3:ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1/SSLv3:ECDHE-RSA-AES128-SHA256  TLSv1/SSLv3:ECDHE-ECDSA-AES128-SHA256
TLSv1/SSLv3:ECDHE-RSA-AES128-SHA  TLSv1/SSLv3:ECDHE-ECDSA-AES128-SHA  TLSv1/SSLv3:DHE-DSS-AES128-GCM-SHA256
TLSv1/SSLv3:DHE-RSA-AES128-GCM-SHA256  TLSv1/SSLv3:DHE-RSA-AES128-SHA256  TLSv1/SSLv3:DHE-DSS-AES128-SHA256
TLSv1/SSLv3:DHE-RSA-AES128-SHA  TLSv1/SSLv3:DHE-DSS-AES128-SHA  TLSv1/SSLv3:DHE-RSA-CAMELLIA128-SHA256
TLSv1/SSLv3:DHE-DSS-CAMELLIA128-SHA256  TLSv1/SSLv3:DHE-RSA-CAMELLIA128-SHA  TLSv1/SSLv3:DHE-DSS-CAMELLIA128-SHA
TLSv1/SSLv3:ECDH-RSA-AES128-GCM-SHA256  TLSv1/SSLv3:ECDH-ECDSA-AES128-GCM-SHA256  TLSv1/SSLv3:ECDH-RSA-AES128-SHA256
TLSv1/SSLv3:ECDH-ECDSA-AES128-SHA256  TLSv1/SSLv3:ECDH-RSA-AES128-SHA  TLSv1/SSLv3:ECDH-ECDSA-AES128-SHA
TLSv1/SSLv3:AES128-GCM-SHA256  TLSv1/SSLv3:AES128-SHA256  TLSv1/SSLv3:AES128-SHA
TLSv1/SSLv3:CAMELLIA128-SHA256  TLSv1/SSLv3:CAMELLIA128-SHA
Re: Set PKG_PATH using Time Zone?
On 2015-03-26, L.R. D.S. arrowscr...@mail.com wrote:

It is really boring to write the package repository every time we install. Why not set the repository using the Time Zone as a reference?

If you do a network install, the installer already writes an /etc/pkg.conf pointing at the download mirror (and the mirror selection offers nearby mirrors first, and proposes a timezone).

For example, if you set Japan as your zone, then run

export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/`uname -r`/packages/`uname -m`/

That should be `arch -s` (it matters for powerpc, arm, loongson etc), and doesn't take snapshots into account.
Re: SNMP and PID file
On 2015-03-26, Alex Naumov alexander_nau...@opensuse.org wrote:

# /etc/rc.d/snmpd restart
httpd2 (pid 29518) already running

Weird. What are the contents of /etc/rc.d/snmpd?
Re: C++14 and C11 support sucks in OpenBSDs default compiler - any chance of Clang in base?
Dmitrij D. Czarkoff (2015-03-27 09:29 +0100): Some Developer said: So what are the reasons why OpenBSD has so far shunned Clang and LLDB? Is it missing some extra security features that the OpenBSD team have added to their version of GCC? First and foremost it is missing platform support. Also, as miod@ once explained, before a switch to clang could be made, intimate knowledge of its internals is needed. Over the years, the OpenBSD developers have become very familiar with gcc. They are now working on becoming just as familiar with clang. Search the archives; this has been discussed before.
Intel I211 NIC not working on Shuttle DS57U with latest snapshot
Hi, i've just installed the latest snapshot on this new fanless little machine with 2 NICs (one I218-LM and another with I211 chipset) and the I211 is not detected, dmesg returning: "EEPROM Checksum is not valid". I've looked at man em and saw I211 was supported. Any idea? Thank you.

Morgan

OpenBSD 5.7-current (GENERIC.MP) #896: Thu Mar 26 14:56:12 MDT 2015
    t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2009530368 (1916MB)
avail mem = 1944829952 (1854MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec2f0 (81 entries)
bios0: vendor American Megatrends Inc. version "1.05" date 01/16/2015
bios0: Shuttle Inc. DS57U
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT UEFI SSDT ASF! SLIC SSDT SSDT SSDT DMAR
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) 3205U @ 1.50GHz, 1496.76 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,XSAVE,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,ERMS,INVPCID,RDSEED
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) 3205U @ 1.50GHz, 1496.54 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,XSAVE,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,ERMS,INVPCID,RDSEED
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
acpimadt0: bogus nmi for apid 0
acpimadt0: bogus nmi for apid 2
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus 1 (RP01)
acpiprt5 at acpi0: bus -1 (RP02)
acpiprt6 at acpi0: bus 2 (RP03)
acpiprt7 at acpi0: bus 3 (RP04)
acpiprt8 at acpi0: bus -1 (RP05)
acpiprt9 at acpi0: bus -1 (RP06)
acpiprt10 at acpi0: bus -1 (RP07)
acpiprt11 at acpi0: bus -1 (RP08)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C2, C1, PSS
acpicpu1 at acpi0: C2, C1, PSS
acpipwrres0 at acpi0: PG00, resource for PEG0
acpipwrres1 at acpi0: PG01, resource for PEG1
acpipwrres2 at acpi0: PG02, resource for PEG2
acpipwrres3 at acpi0: FN00, resource for FAN0
acpipwrres4 at acpi0: FN01, resource for FAN1
acpipwrres5 at acpi0: FN02, resource for FAN2
acpipwrres6 at acpi0: FN03, resource for FAN3
acpipwrres7 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 105 degC
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: SLPB
acpibtn2 at acpi0: PWRB
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 1496 MHz: speeds: 1501, 1500, 1400, 1300, 1200, 1100, 1000, 900, 800, 700, 600, 500 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 5G Host" rev 0x08
vga1 at pci0 dev 2 function 0 vendor "Intel", unknown product 0x1606 rev 0x08
intagp at vga1 not configured
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 3 function 0 "Intel Core 5G HD Audio" rev 0x08: msi
azalia0: No codecs found
xhci0 at pci0 dev 20 function 0 "Intel 9 Series xHCI" rev 0x03: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel 9 Series MEI" rev 0x03 at pci0 dev 22 function 0 not configured
em0 at pci0 dev 25 function 0 "Intel I218-LM" rev 0x03: msi, address 80:ee:73:ab:41:11
azalia1 at pci0 dev 27 function 0 "Intel 9 Series HD Audio" rev 0x03: msi
azalia1: codecs: Realtek ALC662
audio0 at azalia1
ppb0 at pci0 dev 28 function 0 "Intel 9 Series PCIE" rev 0xe3: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 2 "Intel 9 Series PCIE" rev 0xe3: msi
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel I211" rev 0x03: msi
em1: The EEPROM Checksum Is Not Valid
em1: Unable to initialize the hardware
ppb2 at pci0 dev 28 function 3 "Intel 9 Series PCIE" rev 0xe3: msi
pci3 at ppb2 bus 3
vendor "Realtek",
Re: Intel I211 NIC not working on Shuttle DS57U with latest snapshot
On Fri, Mar 27, 2015 at 10:19:36AM +, Comète wrote:

Hi, i've just installed the latest snapshot on this new fanless little machine with 2 NICs (one I218-LM and another with I211 chipset) and the I211 is not detected, dmesg returning: "EEPROM Checksum is not valid". I've looked at man em and saw I211 was supported. Any idea? Thank you.

Can you try the patch from http://marc.info/?l=openbsd-tech&m=142588283023584&q=raw

It's possible the machine has this data stored in otp.
Re: SNMP and PID file
On Fri, Mar 27, 2015 at 9:51 AM, Stuart Henderson s...@spacehopper.org wrote:

On 2015-03-26, Alex Naumov alexander_nau...@opensuse.org wrote:

# /etc/rc.d/snmpd restart
httpd2 (pid 29518) already running

Weird. What are the contents of /etc/rc.d/snmpd?

#!/bin/sh
#
# $OpenBSD: snmpd,v 1.1 2011/07/06 18:55:36 robert Exp $

daemon="/usr/sbin/snmpd"

. /etc/rc.d/rc.subr

pexp="snmpd: parent.*"

rc_cmd $1
Re: SNMP and PID file
On 2015/03/27 12:00, Alex Naumov wrote:

On Fri, Mar 27, 2015 at 9:51 AM, Stuart Henderson s...@spacehopper.org wrote:

On 2015-03-26, Alex Naumov alexander_nau...@opensuse.org wrote:

# /etc/rc.d/snmpd restart
httpd2 (pid 29518) already running

Weird. What are the contents of /etc/rc.d/snmpd?

#!/bin/sh
#
# $OpenBSD: snmpd,v 1.1 2011/07/06 18:55:36 robert Exp $

daemon="/usr/sbin/snmpd"

. /etc/rc.d/rc.subr

pexp="snmpd: parent.*"

rc_cmd $1

That's correct...hmm, do you have anything non-standard relating to httpd2 in /etc/rc.conf.local or /etc/rc.conf?
Re: httpd tls - what am i missing?
On Fri, 27 Mar 2015 00:56:31 -0500 Theodore Wynnychenko wrote:

If there is anything else to try, please let me know.

Running current:

OpenBSD 5.7-current (RAMDISK_CD) #818: Wed Mar 18 18:59:52 MDT 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD

A snapshot has just been released that could rule out a broken install/unlucky sync at the wrong time. I could be wrong but believe the relevant snapshot was put on the mirrors on the 19th and not the 18th? Also this line is from a RAMDISK_CD and not the full kernel, is that just because it is from the CD you used to install from??
Re: C++14 and C11 support sucks in OpenBSDs default compiler - any chance of Clang in base?
On 2015-03-27 08.03.25 +, Some Developer wrote:

So what are the reasons why OpenBSD has so far shunned Clang and LLDB?

http://marc.info/?l=openbsd-misc&m=137530560232232
C++14 and C11 support sucks in OpenBSDs default compiler - any chance of Clang in base?
I'm not entirely aware of the changes that the OpenBSD developers have made to the version of GCC that ships with OpenBSD but is there any work being done on including Clang in OpenBSD base? It has a BSD compatible license unlike GCC. It has its own debugger with the same license unlike GDB. So what are the reasons why OpenBSD has so far shunned Clang and LLDB? Is it missing some extra security features that the OpenBSD team have added to their version of GCC? Any info is appreciated.
Re: Leap seconds
You don't need to do anything. OpenBSD doesn't specifically handle leap-seconds, but openntpd will see the change in time from its upstream peers, and will adjust the clock for you.

On 2015 Mar 26 (Thu) at 22:15:17 +0200 (+0200), jinhitmanBarracuda wrote:
:As you know, the leap second issue will occur on 29th June. I saw
:articles on some Linux distro's web page. It looks like there is a bug in
:the Linux kernel and it was affected in 2012.
:
:I would like to ask, is there anything which I should do on my OpenBSD 5.6?
:
:Sorry for my English
:

--
Equal bytes for women.
Re: C++14 and C11 support sucks in OpenBSDs default compiler - any chance of Clang in base?
Some Developer said: So what are the reasons why OpenBSD has so far shunned Clang and LLDB? Is it missing some extra security features that the OpenBSD team have added to their version of GCC? First and foremost it is missing platform support. -- Dmitrij D. Czarkoff
Intel 5th gen NUC graphics support
Hi - I just acquired an Intel NUC (NUC5i5RYK) to use as my main OpenBSD desktop system. After getting kernel panics when booting 5.6, using a SNAPSHOT seems to work well (panic was: lapic_set_lvt: bad pin value 228).

The next hurdle I have to overcome is getting accelerated X to work. There is also no support for a framebuffer console (which is probably related). I think the critical part of the X11 output (full dump below) is:

[30.163] (II) AIGLX: Screen 0 is not DRI2 capable
[30.163] (EE) AIGLX: reverting to software rendering

Is the new graphics chipset already supported in OpenBSD, and I just have the configuration wrong? Or will I have to wait for support? Anything I can do to help development?

Thanks, Bernd

PS: Two other observations: the kernel takes rather long to load (15 seconds) and I get this line of strange symbols in the dmesg below.

DMESG:

OpenBSD 5.7-current (GENERIC.MP) #895: Wed Mar 18 18:55:03 MDT 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8453918720 (8062MB)
avail mem = 8193765376 (7814MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec7b0 (86 entries)
bios0: vendor Intel Corporation version "RYBDWi35.86A.0137.2015.0107.1700" date 01/07/2015
bios0: \M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^? \M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT UEFI SSDT ASF! SSDT SSDT SSDT DMAR
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4) PS2K(S3) PS2M(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.60 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.22 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.22 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.22 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
acpimadt0: bogus nmi for apid 0
acpimadt0: bogus nmi for apid 2
acpimadt0: bogus nmi for apid 1
acpimadt0: bogus nmi for apid 3
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus 1 (RP01)
acpiprt5 at acpi0: bus -1 (RP02)
acpiprt6 at acpi0: bus -1 (RP03)
acpiprt7 at acpi0: bus 2 (RP04)
acpiprt8 at acpi0: bus -1 (RP05)
acpiprt9 at acpi0: bus -1 (RP06)
acpiprt10 at acpi0: bus -1 (RP07)
acpiprt11 at acpi0: bus -1 (RP08)
Re: Getting errors during security(8) maintenance
On Fri, Mar 27, 2015 at 8:41 AM, Ingo Schwarze schwa...@usta.de wrote:

Hi Denis,

Denis Lapshin wrote on Thu, Mar 26, 2015 at 11:33:16AM +0300:

Some time ago I started getting errors after the nightly Security run:

Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 356.

Fixed in -current, thanks for reporting.

Regarding the corrupted file /etc/passwd on your machine, use vipw(8) in the way i explained before.

Note that 5.4 is old and no longer supported.

Yours,
  Ingo

good morning

my $homes = find_homes;
check_rhosts_owner @$_ foreach @$homes;

I am not sure about perl internals but aren't you playing too much from @ to \@ lol

why not

check_homes(sub {
    check_rhosts_content @_;
    check whatever you want on passwd;
});

Just leaving that here:

#!/usr/bin/perl
use strict;
use v5.10;
use Data::Dumper;

# Read a passwd-format file (path in $ARGV[0]) and keep, for each line,
# the name, uid and home directory; then filter the entries through the
# callback passed as the first argument.
sub whatever {
    open my $fh, '<', $ARGV[0] or die 'oops' . $!;
    my @passwd = map [ @{[ split /:/ ]}[0, 2, 5] ], <$fh>;
    # $_[0] is the callback (grep's block does not get its own @_);
    # $_ is the current [name, uid, home] triple.
    my @homes = grep { $_[0]($_); } @passwd;
    return \@homes;
}

# Example callback: keep only entries whose home directory exists.
my $check_home = sub {
    say Dumper($_);
    unless ( -d $_->[2] ) {
        warn $_->[2] . ' is not existing, so what ? ';
        return;
    }
    return 1;
};

say Dumper( whatever($check_home) );

--
 () ascii ribbon campaign - against html e-mail
 /\
Re: Getting errors during security(8) maintenance
Hi Denis, Denis Lapshin wrote on Thu, Mar 26, 2015 at 11:33:16AM +0300: Some time ago start getting errors after nightly Secutiry running: Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 356. Fixed in -current, thanks for reporting. Regarding the corrupted file /etc/passwd on your machine, use vipw(8) in the way i explained before. Note that 5.4 is old and no longer supported. Yours, Ingo
Re: Fund raising
Recent difficulties have resulted in zero (Z E R O) of the proceeds from Austin's shop going towards OpenBSD. And it may have been happening for a while before that. This might explain why they ignored my repeated requests for a receipt back when I bought the 5.5 discs. They eventually sent one, shortly after the new store was announced.
Re: Fund raising
On Fri, Mar 27, 2015 at 2:25 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:

I'm actually wearing an openbsd shirt now with an openssh poster behind me on the wall. What's the URL to the legacy store? I want to see what remains in their inventory.

Note: Recent difficulties have resulted in zero (Z E R O) of the proceeds from Austin's shop going towards OpenBSD. And it may have been happening for a while before that. (history repeats itself)

But the new shop is alright?

--
 () ascii ribbon campaign - against html e-mail
 /\
Re: Getting errors during security(8) maintenance
Hi Sven, sven falempin wrote on Fri, Mar 27, 2015 at 09:02:09AM -0400: I am not sure about perl internal but aren 't you playing too much from @ to \@ lol Your patch doesn't apply, and from the code snippets you are throwing at me, i neither understand what you consider defective nor what you want to improve. Note: One of the worst weaknesses of Perl is that there is more than one way to do it. Yours, Ingo
icmp6 get dropped on gif tunnel
Hello.

I have an openbsd router with 2 upstreams (one pppoe (pppoe0 on sis1), one ipoe (sis0)). I have a sixxs (6-in-4) tunnel (gif0). If the gif tunnel is on one of my providers (pppoe0), it works well.

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        description: Sixxs
        priority: 0
        groups: gif egress
        tunnel: inet 109.190.17.241 -> 212.100.184.146
        inet6 fe80::200:24ff:fecf:42ac%gif0 -> prefixlen 64 scopeid 0xc
        inet6 2001:6f8:202:19c::2 -> 2001:6f8:202:19c::1 prefixlen 128

the 2001:6f8:3c8::/48 subnet which is routed via this tunnel

This provider gives me native IPv6, so the tunnel is pretty useless, and I want to put it on the other provider, which doesn't.

But when I move it on the other provider, the tunnel basically works (I can ping an inside box (2001:6f8:3c8:42:xxx) from the outside), but the router does not answer to ping, on the tunnel endpoint IPv6 (2001:6f8:202:19c::2) nor on any other interface (in 2001:6f8:3c8::/48). Then sixxs counts it as down, and will disable it if nothing is done.

I can ping from router to remote tunnel endpoint (2001:6f8:202:19c::1), but remote tunnel endpoint does not get any answer when it pings my router endpoint. Nor can I ping it from outside. If I tcpdump gif0, I can see icmpv6 in and out.

Do you have any clue?

Thanks,
-- 
Bastien Durel
Re: Fund raising
On Fri, Mar 27, 2015 at 2:25 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:

I'm actually wearing an openbsd shirt now with an openssh poster behind me on the wall. What's the URL to the legacy store? I want to see what remains in their inventory.

Note: Recent difficulties have resulted in zero (Z E R O) of the proceeds from Austin's shop going towards OpenBSD. And it may have been happening for a while before that. (history repeats itself)

But the new shop is alright?

Yes, the new shop is fine. Transparency, accountability, honourable behaviour, etc. Excellent relationship. Few bumps at adapting their ordering system to the people ordering from all over the world, but we'll get there step by step I hope.
Re: Change routes with multipath?
Hey, thanks for replying.

It doesn't seem to work with any number at all actually. If I didn't have multipathing enabled, these work:

$ route change default -priority 1
$ route change default -priority 15
$ route change default -priority 6

But having multipath setup, it seems like it doesn't know which route to change or how to handle it:

$ route change -mpath default 64.4.4.4 -priority 1
$ route change -mpath default 64.4.4.4 -priority 6
$ route change -mpath default 64.4.4.4 -priority 15
# route: writing to routing socket: No such process
# change net default: gateway 64.4.4.4: not in table

I guess normally you don't need to specify the gateway in the command without multipath because there is only one gateway. But I need to be specific. If I try

$ sudo route change -mpath default -priority 7

Then it lets the system choose which route to change and I get very mixed results (sometimes one interface gets the priority..and sometimes the other one!)

I might be wrong, but if you might know of a way to do it, I would appreciate any hints. Hope it's not a bug?

Thanks for the help,
RZ

On Thu, Mar 26, 2015 at 6:24 PM, Martin Pieuchot m...@openbsd.org wrote:

On 26/03/15(Thu) 14:07, rizz2pro . wrote:

Hello everyone, I hope I posted this in the right area, I don't usually join mailing lists so I am still a bit of a noob. Anyways, hoping someone could help me out. I am coming up empty on my searches figuring this out.

If I have 2 default gateways configured with priorities, how would I modify the priorities using route change? I would prefer not to have to delete the route and re-add them.

$ sudo route add -mpath default 64.4.4.4 -priority 1
$ sudo route add -mpath default 129.2.2.2 -priority 15
$ sudo netstat -rn | grep default
default            64.4.4.4           UGS        3     3308     -     1 em0
default            129.2.2.2          UGS        0        0     -    15 em1

If I try to change priorities:

$ sudo route change -mpath default 129.2.2.2 -priority 1
# route: writing to routing socket: No such process
# change net default: gateway 129.2.2.2: not in table

Any hints as to how I can change priority on a default multipath route? I would appreciate it greatly.

Does it work with -priority 2? The number 1 is special and reserved for routes representing local (your own) addresses. I just realized that this is not (and should be) documented.
Re: Fund raising
On Fri, 27 Mar 2015, Theo de Raadt wrote:

On Fri, Mar 27, 2015 at 2:25 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:

I'm actually wearing an openbsd shirt now with an openssh poster behind me on the wall. What's the URL to the legacy store? I want to see what remains in their inventory.

Note: Recent difficulties have resulted in zero (Z E R O) of the proceeds from Austin's shop going towards OpenBSD. And it may have been happening for a while before that. (history repeats itself)

But the new shop is alright?

Yes, the new shop is fine. Transparency, accountability, honourable behaviour, etc. Excellent relationship. Few bumps at adapting their ordering system to the people ordering from all over the world, but we'll get there step by step I hope.

I hit a couple of those bumps on my first order from them, and they were _very_ good about analyzing and fixing them.

Dave

-- 
Dave Anderson d...@daveanderson.com
Re: httpd tls - what am i missing?
And, finally:

4. they DO NOT work when loaded by httpd

I will be the first to admit that I don't really know much about public key cryptography and how openssl implements things. But, being simple, it seems to me that there are really only two possibilities. Either apache, pound, and openssl s_server are all flawed and are incorrectly using an invalid certificate/key pair for encryption; or there is a problem in httpd and how it deals with certificates and https.

I will try things again tomorrow (later today) and see if I can get any info with tcpdump.

If there is anything else to try, please let me know.

Please try 's_client' as I had suggested in an earlier email - it's not the certificates themselves you should be testing (i.e. with 's_server' and a web browser) but certificates/keys *with* httpd and a client which will give you meaningful output ('s_client'). Like I had also mentioned earlier - I had generated a new certificate and a key and tested it on one of my machines and it all works just fine. Last, but not least - if you hadn't done so already, please make sure you are running the latest snapshot.

Regards,
Raf

--

First, I installed the most recent snapshot:

OpenBSD 5.7-current (GENERIC.MP) #896: Thu Mar 26 14:56:12 MDT 2015
    t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

(sorry about the other dmesg snip - I pulled the snip off the top, and I was not aware that on this system the message buffer survives a reboot)

First, I started httpd as httpd -d -v -v -v -v -v -v -v:

The terminal spits back:

startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_tls_load_keypair: using certificate /etc/ssl/server.crt
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
server_launch: running server default
server_launch: running server default
server_launch: running server default

then, on a second terminal, I tried connecting with:

openssl s_client -connect 127.0.0.1:443

on the second (s_client) terminal, I get:

CONNECTED(0003)

And that's it. On the first (httpd) terminal, there is no output of any kind. So, I waited about 10 seconds, nothing happened, and I shut down httpd. The terminal says:

^C
logger exiting, pid 14644
server exiting, pid 21849
server exiting, pid 18400
server exiting, pid 10463
parent terminating, pid 9974

Then, I opened a s_server instance:

openssl s_server -accept 443 -www -cert /etc/ssl/server.crt -key /etc/ssl/private/server.key

It gives me:

Using auto DH parameters
Using default temp ECDH parameters
ACCEPT

And on the second terminal I try s_client again:

openssl s_client -connect 127.0.0.1:443

And it connects. Here is the output (I XXX'ed some of the certificate info):

openssl s_client -connect 127.0.0.1:443
CONNECTED(0003)
depth=0 C = US, ST = XXX, O = XXX, OU = XXX, L = XXX, CN = XXX, emailAddress = XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = XXX, O = XXX, OU = XXX, L = XXX, CN = XXX, emailAddress = XXX
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = XXX, O = XXX, OU = XXX, L = XXX, CN = XXX, emailAddress = XXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=XXX/O=XXX/OU=XXX/L=XXX/CN=XXX/emailAddress=XXX
   i:/C=US/ST=XXX/L=XXX/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIH6zCCBdOgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBljELMAkGA1UEBhMCVVMx
ETAPBgNVBAgMCElsbGlub2lzMREwDwYDVQQHDAhXaW5uZXRrYTEUMBIGA1UECgwL
... more certificate block ...
6RUcfqhZ211+IvAnJVYAsz+1hzLGL57Ppct6HHf41xl36WakU+J3jlpVpIaA8jHh
5ThHy8QM1jeo90XENClcYD2W1OHD75Hchn5pEbA8BfpKJpvTwsosIFdZazWvHHO8
CU8P6Syj53sEw0MeooEt
-----END CERTIFICATE-----
subject=/C=US/ST=XXX/O=XXX/OU=XXX/L=XXX/CN=XXX/emailAddress=XXX
issuer=/C=US/ST=XXX/L=XX/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
---
No client certificate CA names sent
---
SSL handshake has read 2933 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: FC424D25B814891FD0F881B1E20C6367547803E189FF2EB1D337201491CB078A
    Session-ID-ctx:
    Master-Key: ADB4316898847559BAF6EE1188F1FCFAB0D741D36A73226D023458247CE26523F74EABE327755A7A12CFB9242AAA9413
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8c 5f 29 1e 1e a2 9f e3-f8 3e 62 1f 9f 10 ad 5c
    0010 - be 8c 47 51 98 4c 93 66-bb a9 51 70 93 37 b3 4e
    0020 - 16 fc 38 fa f6 ea 37 73-9c d4 82 e9 1a 30 f9 44
    0030 - eb 5e 4b 4f b2 c5 9e 00-f1 65 5e d5
Re: Change routes with multipath?
2015-03-27 13:40 GMT-03:00 rizz2pro . rizzz2...@gmail.com:

Hey, thanks for replying. It doesn't seem to work with any number at all actually. If I didn't have multipathing enabled, these work:

$ route change default -priority 1
$ route change default -priority 15
$ route change default -priority 6

But having multipath set up, it seems like it doesn't know which route to change or how to handle it:

$ route change -mpath default 64.4.4.4 -priority 1
$ route change -mpath default 64.4.4.4 -priority 6
$ route change -mpath default 64.4.4.4 -priority 15
route: writing to routing socket: No such process
change net default: gateway 64.4.4.4: not in table

I guess normally you don't need to specify the gateway in the command without multipath because there is only one gateway. But I need to be specific. If I try

$ sudo route change -mpath default -priority 7

then it lets the system choose which route to change and I get very mixed results (sometimes one interface gets the priority... and sometimes the other one!). I might be wrong, but if you know of a way to do it, I would appreciate any hints. Hope it's not a bug? Thanks for the help, RZ

On Thu, Mar 26, 2015 at 6:24 PM, Martin Pieuchot m...@openbsd.org wrote:

On 26/03/15(Thu) 14:07, rizz2pro . wrote:

Hello everyone, I hope I posted this in the right area, I don't usually join mailing lists so I am still a bit of a noob. Anyways, hoping someone could help me out. I am coming up empty on my searches figuring this out. If I have 2 default gateways configured with priorities, how would I modify the priorities using route change? I would prefer not to have to delete the routes and re-add them.
$ sudo route add -mpath default 64.4.4.4 -priority 1
$ sudo route add -mpath default 129.2.2.2 -priority 15
$ sudo netstat -rn | grep default
default            64.4.4.4           UGS        3     3308     -     1 em0
default            129.2.2.2          UGS        0        0     -    15 em1

If I try to change priorities:

$ sudo route change -mpath default 129.2.2.2 -priority 1
route: writing to routing socket: No such process
change net default: gateway 129.2.2.2: not in table

Any hints as to how I can change priority on a default multipath route? I would appreciate it greatly.

Does it work with -priority 2? The number 1 is special and reserved for routes representing local (your own) addresses. I just realized that this is not (and should be) documented.

You got it right, you can't change a multipath route. It's a limitation of the kernel API and there's nothing you can do about it. I came across this problem too when I was working on ldpd(8): https://github.com/rwestphal/openbsd-ldpd/blob/renato-2015/kroute.c#L1344

If removing a route and re-adding it with a new nexthop poses a problem to you please let us know so we can think about a solution.

PS: please don't top post on @misc.

-- Renato Westphal
Re: L2TP using Npppd and IPsec
Hi, for the talk he gave at BSDCan IIRC. I don't need to use RADIUS, just a local authentication database. It is in the base and it seems very easy to configure.

It is.

Is anybody running a similar setup in production? Any caveats? Any other advice before I take a plunge.

Yes I am, with Windows, Mac, Linux and OpenBSD clients connecting. Very easy to configure (linux being the exception :p). You only need to change npppd.conf, npppd-users and ipsec.conf and you are in business. I wrote an up-to-date guide on how to do it, let me know if you want a copy.

Caveats... yes. I'm currently seeing issues with some clients (might be a client software issue) sending multiple connect requests. The ip-address reserved for the client is being assigned to the first request, but it seems like the last request wins, but alas! no ip-address available (since it was assigned to the first request). But then again, I have some Windows clients connected for more than 2 weeks non-stop, before they disconnect (prob. a Windows update wanting to reboot ;) ).

-- bsv
Re: Fund raising
On Fri, Mar 27, 2015 at 2:18 PM, Dave Anderson d...@daveanderson.com wrote:

On Fri, 27 Mar 2015, Theo de Raadt wrote:

On Fri, Mar 27, 2015 at 2:25 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:

I'm actually wearing an openbsd shirt now with an openssh poster behind me on the wall. What's the URL to the legacy store? I want to see what remains in their inventory.

Note: Recent difficulties have resulted in zero (Z E R O) of the proceeds from Austin's shop going towards OpenBSD. And it may have been happening for a while before that. (history repeats itself)

But the new shop is alright?

Yes, the new shop is fine. Transparency, accountability, honourable behaviour, etc. Excellent relationship. A few bumps at adapting their ordering system to the people ordering from all over the world, but we'll get there step by step I hope.

I hit a couple of those bumps on my first order from them, and they were _very_ good about analyzing and fixing them.

Dave -- Dave Anderson d...@daveanderson.com

I placed a pre-order for the 5.7 CD set and poster this afternoon with the new store without problem. Spotted the Blues Brothers theme and couldn't resist ;) For my Visa debit card I had to enter the type as 'Visa' as it wouldn't go through with the type as 'Visa Debit'. No big deal, I run into that occasionally on other sites.
Re: icmp6 get dropped on gif tunnel
On 03/27/2015 01:31 PM, Bastien Durel wrote:

Hello. I have an openbsd router with 2 upstreams (one pppoe (pppoe0 on sis1), one ipoe (sis0)). I have a sixxs (6-in-4) tunnel (gif0). If the gif tunnel is on one of my providers (pppoe0), it works well.

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        description: Sixxs
        priority: 0
        groups: gif egress
        tunnel: inet 109.190.17.241 - 212.100.184.146
        inet6 fe80::200:24ff:fecf:42ac%gif0 - prefixlen 64 scopeid 0xc
        inet6 2001:6f8:202:19c::2 - 2001:6f8:202:19c::1 prefixlen 128

The 2001:6f8:3c8::/48 subnet is routed via this tunnel. This provider gives me native IPv6, so the tunnel is pretty useless, and I want to put it on the other provider, which doesn't. But when I move it to the other provider, the tunnel basically works (I can ping an inside box (2001:6f8:3c8:42:xxx) from the outside), but the router does not answer pings, neither on the tunnel endpoint IPv6 (2001:6f8:202:19c::2) nor on any other interface (in 2001:6f8:3c8::/48). Then sixxs counts it as down, and will disable it if nothing is done. I can ping from the router to the remote tunnel endpoint (2001:6f8:202:19c::1), but the remote tunnel endpoint does not get any answer when it pings my router endpoint, nor can I ping it from outside. If I tcpdump gif0, I can see icmpv6 in and out. Do you have any clue? Thanks,

I've seen a similar problem with traceroute: ping from an inside to an outside IPv6 host works. Traceroute packets leaving gif0 are visible leaving via the ipv4 interface. Traceroute ICMP6 packets returned are visible entering gif0 but aren't visible in pf (at least in what I've tried); pass in log on gif0 any doesn't give me anything. I may misunderstand log vs rule matching. Is there a rule which will guarantee that a packet will be logged no matter what happens to it later in pf processing? The IPv6 packets cross routing domains to get to/from gif0.

I could set up a test net (4 machines) to debug this if I had better knowledge (a) about logging as above, (b) where to look in the code to put information-gathering code. I suspect some sort of mismatch in the state matching code, but that's because I can't think of anywhere else. If anyone has a little time to suggest places to look I'd appreciate it. If sending to tech@ would be helpful I'll do that.

thanks, Geoff Steckel
Re: L2TP using Npppd and IPsec
Dain Bentley wrote:

I'd love a copy! Thanks

+1

On Friday, March 27, 2015, Brian S. Vangsgaard b...@avalanic.dk wrote:

Hi, for the talk he gave at BSDCan IIRC. I don't need to use RADIUS, just a local authentication database. It is in the base and it seems very easy to configure.

It is.

Is anybody running a similar setup in production? Any caveats? Any other advice before I take a plunge.

Yes I am, with Windows, Mac, Linux and OpenBSD clients connecting. Very easy to configure (linux being the exception :p). You only need to change npppd.conf, npppd-users and ipsec.conf and you are in business. I wrote an up-to-date guide on how to do it, let me know if you want a copy.

Caveats... yes. I'm currently seeing issues with some clients (might be a client software issue) sending multiple connect requests.

I also got a very useful answer off the list. I am just going to quote a snippet:

[quote] You'll have problems with NAT-T and clients coming from the same NAT-address. This problem is worked out currently. [/quote]

I will post my configuration once I am done, but this topic seems to beg for an updated undeadly article. Thanks to everyone who responded to this thread! PredraG

The ip-address reserved for the client is being assigned to the first request, but it seems like the last request wins, but alas! no ip-address available (since it was assigned to the first request). But then again, I have some Windows clients connected for more than 2 weeks non-stop, before they disconnect (prob. a Windows update wanting to reboot ;) ).

-- bsv
Re: httpd tls - what am i missing?
And, finally:

4. they DO NOT work when loaded by httpd

I will be the first to admit that I don't really know much about public key cryptography and how openssl implements things. But, being simple, it seems to me that there are really only two possibilities. Either apache, pound, and openssl s_server are all flawed and are incorrectly using an invalid certificate/key pair for encryption; or there is a problem in httpd and how it deals with certificates and https. I will try things again tomorrow (later today) and see if I can get any info with tcpdump. If there is anything else to try, please let me know.

Please try 's_client' as I had suggested in an earlier email - it's not the certificates themselves you should be testing (i.e. with 's_server' and a web browser) but certificates/keys *with* httpd and a client which will give you meaningful output ('s_client'). Like I had also mentioned earlier - I had generated a new certificate and a key and tested it on one of my machines and it all works just fine. Last, but not least - if you hadn't done so already, please make sure you are running the latest snapshot.

Regards, Raf

--

First, I installed the most recent snapshot:

OpenBSD 5.7-current (GENERIC.MP) #896: Thu Mar 26 14:56:12 MDT 2015
    t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

(sorry about the other dmesg snip - I pulled the snip off the top, and I was not aware that on this system the message buffer survives a reboot)

First, I started httpd as httpd -d -v -v -v -v -v -v -v. The terminal spits back:

startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_tls_load_keypair: using certificate /etc/ssl/server.crt
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
server_launch: running server default
server_launch: running server default
server_launch: running server default

then, on a second terminal, I tried connecting with:

openssl s_client -connect 127.0.0.1:443

on the second (s_client) terminal, I get:

CONNECTED(0003)

And that's it. On the first (httpd) terminal, there is no output of any kind. So, I waited about 10 seconds, nothing happened, and I shut down httpd. The terminal says:

^C
logger exiting, pid 14644
server exiting, pid 21849
server exiting, pid 18400
server exiting, pid 10463
parent terminating, pid 9974

Then, I opened an s_server instance:

openssl s_server -accept 443 -www -cert /etc/ssl/server.crt -key /etc/ssl/private/server.key

It gives me:

Using auto DH parameters
Using default temp ECDH parameters
ACCEPT

And on the second terminal I try s_client again:

openssl s_client -connect 127.0.0.1:443

And it connects.
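A stage-by-stage probe of the failure mode described above (TCP accepted, then silence from the server), written here as an added example rather than anything posted in this thread. It uses only the Python standard library; the host, port and the SilentListener test double are my own assumptions, the latter standing in for a listener that accepts connections but never completes the TLS handshake.

```python
"""Stage-by-stage TLS listener probe: an added example, not code from the thread.

The thread's symptom is s_client printing CONNECTED and then nothing: the TCP
accept succeeds but the server never completes the TLS handshake.  This probe
names the layer that failed (TCP, TLS handshake, HTTP over TLS) so that case
is not confused with a closed port or a rejected certificate.
"""
import socket
import ssl
import threading


def probe_tls_listener(host, port, timeout=5.0, verify=False):
    """Return (stage, detail): how far a TLS + HTTP exchange with host:port got.
    verify=False matches the thread's self-signed certificate; an unverifiable
    chain is a different finding from a server that stays silent."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as e:
        return "tcp_refused", str(e)
    except OSError as e:  # connect timeout, unreachable, resolution failure
        return "tcp_failed", str(e)

    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        # The handshake runs inside wrap_socket; the socket timeout bounds it.
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except socket.timeout:
        sock.close()
        return "tls_handshake_timeout", "TCP accepted, no TLS handshake from server"
    except (ssl.SSLError, OSError) as e:
        sock.close()
        return "tls_handshake_failed", str(e)

    detail = "%s %s" % (tls.version(), tls.cipher()[0])
    try:
        tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        reply = tls.recv(512)
    except (ssl.SSLError, OSError):  # includes socket.timeout
        tls.close()
        return "http_no_response", detail
    tls.close()
    if not reply.startswith(b"HTTP/"):
        return "http_no_response", detail + "; got %r" % reply[:32]
    return "ok", detail + "; " + reply.split(b"\r\n", 1)[0].decode("ascii", "replace")


class SilentListener:
    """Constructed test double (hypothetical, not httpd): accepts TCP connections
    on a loopback port but never sends a byte, reproducing CONNECTED-then-nothing."""

    def __init__(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(5)
        self._srv.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        self._held = []  # accepted connections kept open and unanswered
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self._thread.start()

    def _loop(self):
        while not self._stop.is_set():
            try:
                self._held.append(self._srv.accept()[0])
            except socket.timeout:
                continue

    def stop(self):
        """Release the port so a later probe sees a refused connection."""
        self._stop.set()
        self._thread.join()
        self._srv.close()
```

Against a real listener, `probe_tls_listener("127.0.0.1", 443, timeout=5.0)` returns "ok" with the negotiated version and cipher, or the first stage that failed.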
can't ping CARP interfaces
Greetings. In preparation for upgrading two CARP+pfsync boxes to 5.6/i386, I put together a lab network to test new firewall rules. Topology is pretty simple: outside box (vic0) - (vic1) two carp boxes (vic0) - inside box with a third interface on each firewall for pfsync traffic. I'm focused here on the outside box pinging the carp box's outside CARP interface. In the lab network everyone can ping everyone else, except for the CARP interfaces -- these are not pingable. Hosts on either side of the firewall can ping the underlying interfaces that the CARP interfaces are bound to. Also, 'netstat -f inet -nr' shows that CARP interfaces are bound to lo0. On the production boxes these systems model, carp interfaces are bound to the underlying physical interfaces. tcpdump on the physical interface of the master firewall says the outside box ARPs for the CARP interface, and the firewall sends an ARP response with the CARP interface's IP and MAC addresses. Thanks in advance for troubleshooting clues -- this is almost certainly a misconfiguration but I'm not sure where. 
dn

Outside box's hostname.vic0:
inet 12.220.174.101 255.255.255.224 12.220.174.127

FW1 hostname.vic1:
inet 12.220.174.99 255.255.255.224 12.220.174.127

FW1 hostname.carp221:
inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 1 pass * carpdev vic1 carppeer 12.220.174.100

FW1 ifconfig vic1:
vic1: flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:50:56:b2:33:0e
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 12.220.174.99 netmask 0xffe0 broadcast 12.220.174.127

FW1 ifconfig carp221:
net 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 1 pass w00h00 carpdev vic1 carppeer 12.220.174.100
# ifconfig carp221
carp221: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:00:5e:00:01:dd
        priority: 0
        carp: MASTER carpdev vic1 vhid 221 advbase 1 advskew 1 carppeer 12.220.174.100
        groups: carp
        status: master
        inet 12.220.174.98 netmask 0xffe0 broadcast 12.220.174.127

FW1 netstat -f inet -nr:
# netstat -f inet -nr
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            12.220.174.97      UGS        0       38     -     8 vic1
12.220.174.96/27   link#2             UC         2        0     -     4 vic1
12.220.174.98      00:00:5e:00:01:dd  HLl        0        0     -     1 lo0    # -- NOTE lo0 BINDING
12.220.174.99      00:50:56:b2:33:0e  UHLl       0        0     -     1 lo0
12.220.174.100     00:50:56:b2:32:94  UHLc       0      274     -     4 vic1
12.220.174.101     00:50:56:b2:5e:b5  UHLc       0        5     -     4 vic1
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UH         1        4 32768     4 lo0

FW2 hostname.vic1:
inet 12.220.174.100 255.255.255.224 12.220.174.127

FW2 hostname.carp221:
inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 128 pass * carpdev vic1 carppeer 12.220.174.99

FW2 ifconfig carp221:
carp221: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:00:5e:00:01:dd
        priority: 0
        carp: BACKUP carpdev vic1 vhid 221 advbase 1 advskew 128 carppeer 12.220.174.99
        groups: carp
        status: backup
        inet 12.220.174.98 netmask 0xffe0 broadcast 12.220.174.127

pf.conf on both boxes:

# interfaces
pfsync0_if = vic2
carp_dev = { vic0, vic1 }

set skip on lo

##
# Packet filtering
##
block return    # block stateless traffic
#pass           # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# icmp handling -- FIX THIS to specify ICMP types
pass log inet proto icmp all

# carp and pfsync
pass on { $pfsync0_if } proto pfsync
pass on $carp_dev proto carp

FW1 dmesg:
OpenBSD 5.6 (GENERIC.MP) #299: Fri Aug 8 00:10:33 MDT 2014
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5649 @ 2.53GHz (GenuineIntel 686-class) 2.54 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,NXE,LONG,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,LAHF,PERF,ITSC
real mem = 536309760 (511MB)
avail mem = 515063808 (491MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/14/14, BIOS32 rev. 0 @ 0xfd780, SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
bios0: vendor Phoenix Technologies LTD version 6.00 date 04/14/2014
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3) S4F0(S3)
Re: L2TP using Npppd and IPsec
I'd love a copy! Thanks

On Friday, March 27, 2015, Brian S. Vangsgaard b...@avalanic.dk wrote:

Hi, for the talk he gave at BSDCan IIRC. I don't need to use RADIUS, just a local authentication database. It is in the base and it seems very easy to configure.

It is.

Is anybody running a similar setup in production? Any caveats? Any other advice before I take a plunge.

Yes I am, with Windows, Mac, Linux and OpenBSD clients connecting. Very easy to configure (linux being the exception :p). You only need to change npppd.conf, npppd-users and ipsec.conf and you are in business. I wrote an up-to-date guide on how to do it, let me know if you want a copy.

Caveats... yes. I'm currently seeing issues with some clients (might be a client software issue) sending multiple connect requests. The ip-address reserved for the client is being assigned to the first request, but it seems like the last request wins, but alas! no ip-address available (since it was assigned to the first request). But then again, I have some Windows clients connected for more than 2 weeks non-stop, before they disconnect (prob. a Windows update wanting to reboot ;) ).

-- bsv
startx fail on Lenovo G50-70 amd64
-- Forwarded message -

Hi, I'm new to OBSD. I just wiped a certain *nix distro off my laptop and did a fresh install of OBSD56 on a Lenovo G50-70 with the default X packages. Unfortunately, both xdm and startx each separately fail into a blank screen with no keyboard response. It's interesting that about 10 seconds after closing the lid either: a) suspend restores the text console and keyboard; or b) suspend locks up the laptop. Please see the i915 drm errors in the dmesg. I realize the wireless card is not yet supported but the intel man page indicates that i915[*] is supported hardware. Am I wrong about the driver support?? I could use some suggestions on how to fix this -- thanks!!

Drew

##
OpenBSD 5.6 (GENERIC.MP) #333: Fri Aug 8 00:20:21 MDT 2014
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error 80<clock_battery>
real mem = 8464887808 (8072MB)
avail mem = 8230768640 (7849MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe6e60 (38 entries)
bios0: vendor LENOVO version 9ACN28WW date 09/23/2014
bios0: LENOVO 20351
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC UEFI FPDT MSDM ASF! HPET APIC MCFG WDAT SSDT BOOT LPIT ASPT DBGP SSDT SSDT SSDT
acpi0: wakeup devices P0P1(S4) UAR1(S3) EHC1(S3) XHC_(S3) HDEF(S4) TPD4(S4) TPD7(S0) TPD8(S0) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 1895.94 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 1895.61 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 1895.61 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 1895.61 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P1)
acpiprt2 at acpi0: bus 1 (RP03)
acpiprt3 at acpi0: bus 2 (RP04)
acpiprt4 at acpi0: bus -1 (RP05)
acpiprt5 at acpi0: bus -1 (PEG0)
acpiprt6 at acpi0: bus -1 (PEG1)
acpiprt7 at acpi0: bus -1 (PEG2)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C1, PSS
acpicpu1 at acpi0: C3, C1, PSS
acpicpu2 at acpi0: C3, C1, PSS
acpicpu3 at acpi0: C3, C1, PSS
acpibat0 at acpi0: BAT0 serial BAT20101001 oem Lenovo IdeaPad
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: PWRB
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 1895 MHz: speeds: 2601, 2600, 2500, 2300, 2200, 2000, 1900, 1800, 1600, 1500, 1400, 1200, 1100, 1000, 800, 754 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel Core 4G Host rev 0x0b
vga1 at pci0 dev 2 function 0 Intel HD Graphics rev 0x0b
intagp at vga1 not configured
inteldrm0 at vga1
drm0 at inteldrm0
drm: Memory usable by graphics