Re: Fund raising

2015-03-27 Thread Theo de Raadt
I'm actually wearing an openbsd shirt now with an openssh poster
behind me on the wall.

What's the URL to the legacy store? I want to see what remains in
their inventory.

Note:

Recent difficulties have resulted in zero (Z E R O) of the proceeds
from Austin's shop going towards OpenBSD.  And it may have been
happening for a while before that.

(history repeats itself)



Re: httpd tls - what am i missing?

2015-03-27 Thread Theodore Wynnychenko
 On Thu, 26 Mar 2015 08:30:23 +0100
 mxb wrote:

 
  Thank you for the suggestion.  I was not aware of pound.

 I'd rather go for relayd, which is out of the box. No need to install 'yet
 another port and make sure it is up2date'.

 httpd is based on relayd code which would reduce the scope of the test
 (a cluestick).

 When I try https://10.0.128.67/index.html - I get a nice message from
 firefox asking me to accept a problem certificate (this was expected,
 the certificate is the correct one), and when I do accept the
 certificate, I get the index page.

 So, I am not sure what is wrong, but it appears httpd is not responding
 to https requests, even with the listen on tls line in the
 configuration file.

 Is there anything for me to look at/consider in trying to correct this?

 I don't understand what you are saying by 'correct one' but to me this
 suggests you have issues even with pound and perhaps I would try
 another browser or firefox on another client and try another
 certificate perhaps from another CA or install a newer snapshot or
 re-install a release before wondering if there is an issue with httpd
 or libressl whilst monitoring the list to see if anyone else has an
 issue?

 Thankfully re-install on OpenBSD is super quick but you do have to
 follow www.openbsd.org/current.html for snapshots and I think
 www.openbsd.org/plus.html for release upgrades (4.5 - 4.6 etc.)



Hello:

I started httpd as:  httpd -d -v -v -v -v -v -v -v
And I see:

startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_tls_load_keypair: using certificate /etc/ssl/server.crt
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
server_launch: running server default
server_launch: running server default
server_launch: running server default

but, if I try to connect using https, there is no output on the terminal 
indicating that httpd is doing anything at all.
Ctrl-c to kill the server gives:

^C
logger exiting, pid 28447
server exiting, pid 23445
server exiting, pid 20653
server exiting, pid 12690
parent terminating, pid 29581


So, it seems that httpd does, in fact, see the cert and key, but does nothing 
with them.
(the cert is PEM encoded)

So, I also tried:

openssl s_server -accept 443 -www -cert /etc/ssl/server.crt -key /etc/ssl/private/server.key

and then connected to the machine with a browser.

This connection works without an issue.

The output to the browser from openssl s_server is:


s_server -accept 443 -www -cert /etc/ssl/server.crt -key /etc/ssl/private/server.key
Secure Renegotiation IS supported
Ciphers supported in s_server binary
TLSv1/SSLv3:ECDHE-ECDSA-CHACHA20-POLY1305
TLSv1/SSLv3:ECDHE-RSA-CHACHA20-POLY1305
TLSv1/SSLv3:DHE-RSA-CHACHA20-POLY1305
TLSv1/SSLv3:ECDHE-RSA-AES256-GCM-SHA384
TLSv1/SSLv3:ECDHE-ECDSA-AES256-GCM-SHA384
TLSv1/SSLv3:ECDHE-RSA-AES256-SHA384
TLSv1/SSLv3:ECDHE-ECDSA-AES256-SHA384
TLSv1/SSLv3:ECDHE-RSA-AES256-SHA
TLSv1/SSLv3:ECDHE-ECDSA-AES256-SHA
TLSv1/SSLv3:DHE-DSS-AES256-GCM-SHA384
TLSv1/SSLv3:DHE-RSA-AES256-GCM-SHA384
TLSv1/SSLv3:DHE-RSA-AES256-SHA256
TLSv1/SSLv3:DHE-DSS-AES256-SHA256
TLSv1/SSLv3:DHE-RSA-AES256-SHA
TLSv1/SSLv3:DHE-DSS-AES256-SHA
TLSv1/SSLv3:GOST2012256-GOST89-GOST89
TLSv1/SSLv3:DHE-RSA-CAMELLIA256-SHA256
TLSv1/SSLv3:DHE-DSS-CAMELLIA256-SHA256
TLSv1/SSLv3:DHE-RSA-CAMELLIA256-SHA
TLSv1/SSLv3:DHE-DSS-CAMELLIA256-SHA
TLSv1/SSLv3:GOST2001-GOST89-GOST89
TLSv1/SSLv3:ECDH-RSA-AES256-GCM-SHA384
TLSv1/SSLv3:ECDH-ECDSA-AES256-GCM-SHA384
TLSv1/SSLv3:ECDH-RSA-AES256-SHA384
TLSv1/SSLv3:ECDH-ECDSA-AES256-SHA384
TLSv1/SSLv3:ECDH-RSA-AES256-SHA
TLSv1/SSLv3:ECDH-ECDSA-AES256-SHA
TLSv1/SSLv3:AES256-GCM-SHA384
TLSv1/SSLv3:AES256-SHA256
TLSv1/SSLv3:AES256-SHA
TLSv1/SSLv3:CAMELLIA256-SHA256
TLSv1/SSLv3:CAMELLIA256-SHA
TLSv1/SSLv3:ECDHE-RSA-AES128-GCM-SHA256
TLSv1/SSLv3:ECDHE-ECDSA-AES128-GCM-SHA256
TLSv1/SSLv3:ECDHE-RSA-AES128-SHA256
TLSv1/SSLv3:ECDHE-ECDSA-AES128-SHA256
TLSv1/SSLv3:ECDHE-RSA-AES128-SHA
TLSv1/SSLv3:ECDHE-ECDSA-AES128-SHA
TLSv1/SSLv3:DHE-DSS-AES128-GCM-SHA256
TLSv1/SSLv3:DHE-RSA-AES128-GCM-SHA256
TLSv1/SSLv3:DHE-RSA-AES128-SHA256
TLSv1/SSLv3:DHE-DSS-AES128-SHA256
TLSv1/SSLv3:DHE-RSA-AES128-SHA
TLSv1/SSLv3:DHE-DSS-AES128-SHA
TLSv1/SSLv3:DHE-RSA-CAMELLIA128-SHA256
TLSv1/SSLv3:DHE-DSS-CAMELLIA128-SHA256
TLSv1/SSLv3:DHE-RSA-CAMELLIA128-SHA
TLSv1/SSLv3:DHE-DSS-CAMELLIA128-SHA
TLSv1/SSLv3:ECDH-RSA-AES128-GCM-SHA256
TLSv1/SSLv3:ECDH-ECDSA-AES128-GCM-SHA256
TLSv1/SSLv3:ECDH-RSA-AES128-SHA256
TLSv1/SSLv3:ECDH-ECDSA-AES128-SHA256
TLSv1/SSLv3:ECDH-RSA-AES128-SHA
TLSv1/SSLv3:ECDH-ECDSA-AES128-SHA
TLSv1/SSLv3:AES128-GCM-SHA256
TLSv1/SSLv3:AES128-SHA256
TLSv1/SSLv3:AES128-SHA
TLSv1/SSLv3:CAMELLIA128-SHA256
TLSv1/SSLv3:CAMELLIA128-SHA
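
The failure pattern in the message above (the keypair loads, the server processes launch, a TLS client gets a TCP connection but httpd never answers the ClientHello, while openssl s_server with the same certificate and key works) is easy to misread from a browser, which only shows a spinner, or from s_client, which only prints CONNECTED(0003). The Python probe below is an added example and is not code from this thread, from httpd or from OpenBSD: it performs the handshake a client would and reduces the outcome to a category, so a listener that accepts TCP but never sends a ServerHello ("silent", the symptom in the thread) is told apart from a closed port ("refused"), a peer that answers with something other than TLS ("tls-error", which LibreSSL and OpenSSL report as WRONG_VERSION_NUMBER when the peer speaks plain HTTP) and a working server ("tls-ok"). The two fake listeners are constructed stand-ins for exercising the probe offline; they do not reproduce httpd itself, and the host, port and HTTP response bytes are assumptions. Certificate trust is deliberately not verified, because the question here is whether the daemon speaks TLS at all, not whether its certificate is trusted.

```python
"""Classify what a listener does with a TLS ClientHello.

Added example, not code from the mailing-list thread or from OpenBSD.
A scripted "openssl s_client -connect host:port" whose result is a
category rather than a screenful of output.
"""
import socket
import ssl
import threading


def probe_tls(host, port, timeout=2.0):
    """Return (category, detail) for the listener at host:port.

    refused    nothing listening (connect is reset)
    silent     TCP connected, but no ServerHello arrived within `timeout`
               (s_client shows CONNECTED(0003) and then nothing)
    tls-error  the peer answered, but not with a usable TLS handshake;
               detail is the library reason, e.g. WRONG_VERSION_NUMBER
               when the peer talks plain HTTP
    closed     the peer closed or reset the connection before handshaking
    tls-ok     handshake completed; detail is the negotiated version
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnosing the listener, not trusting it
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as e:
        return ("refused", str(e))
    try:
        # wrap_socket() sends the ClientHello and waits for the ServerHello;
        # the socket timeout set above bounds that wait.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("tls-ok", tls.version())
    except socket.timeout:
        return ("silent", "no ServerHello within %.1fs" % timeout)
    except ssl.SSLEOFError as e:
        return ("closed", str(e))
    except ssl.SSLError as e:
        return ("tls-error", e.reason or str(e))
    except OSError as e:
        return ("closed", str(e))


def start_fake_listener(behaviour, hold=10.0):
    """Constructed stand-in for a misbehaving daemon on 127.0.0.1; returns the port.

    "silent"     accept, read whatever arrives, never answer
    "plaintext"  accept, answer with HTTP instead of TLS
    Serves one connection and then goes away; `hold` bounds how long it
    waits for the client to give up.  Assumed test fixture, not httpd.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(hold)
            try:
                conn.recv(4096)               # take the ClientHello off the wire
                if behaviour == "plaintext":  # (so close() sends FIN, not RST)
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                else:
                    while conn.recv(4096):    # say nothing until the client closes
                        pass
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    category, detail = probe_tls(target_host, target_port)
    print("%s:%d -> %s (%s)" % (target_host, target_port, category, detail))
```

Run it against the real daemon as `python3 probe.py 127.0.0.1 443`. A "silent" result while tcpdump shows the ClientHello arriving at the port points at the server process rather than at the certificate, which is why s_server succeeding with the same files does not contradict httpd failing with them.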

Re: Set PKG_PATH using Time Zone?

2015-03-27 Thread Stuart Henderson
On 2015-03-26, L.R. D.S. arrowscr...@mail.com wrote:
 It is really boring to write the package repository every time we install.
 Why not set the repository using the Time Zone as a reference?

If you do a network install, the installer already writes an
/etc/pkg.conf pointing at the download mirror (and the mirror selection
offers nearby mirrors first, and proposes a timezone).

 For example, if you set Japan as your zone, then run
 export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/`uname -r`/packages/`uname -m`/

That should be arch -s (it matters for powerpc, arm, loongson etc),
and doesn't take snapshots into account.



Re: SNMP and PID file

2015-03-27 Thread Stuart Henderson
On 2015-03-26, Alex Naumov alexander_nau...@opensuse.org wrote:
 # /etc/rc.d/snmpd restart
 httpd2 (pid 29518) already running

Weird. What are the contents of /etc/rc.d/snmpd?



Re: C++14 and C11 support sucks in OpenBSDs default compiler - any chance of Clang in base?

2015-03-27 Thread Tim van der Molen
Dmitrij D. Czarkoff (2015-03-27 09:29 +0100):
 Some Developer said:
  So what are the reasons why OpenBSD has so far shunned Clang and LLDB? Is it
  missing some extra security features that the OpenBSD team have added to
  their version of GCC?
 
 First and foremost it is missing platform support.

Also, as miod@ once explained, before a switch to clang could be made,
intimate knowledge of its internals is needed. Over the years, the
OpenBSD developers have become very familiar with gcc. They are now
working on becoming just as familiar with clang.

Search the archives; this has been discussed before.



Intel I211 NIC not working on Shuttle DS57U with latest snapshot

2015-03-27 Thread Comète
Hi,

I've just installed the latest snapshot on this new fanless little
machine with 2 NICs (one I218-LM and another with I211 chipset) and the I211
is not detected, dmesg returning: EEPROM Checksum is not valid. I've looked
at man em and saw I211 was supported.

Any idea ?

Thank you.

Morgan
OpenBSD 5.7-current (GENERIC.MP) #896: Thu Mar 26 14:56:12 MDT 2015
t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2009530368 (1916MB)
avail mem = 1944829952 (1854MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec2f0 (81 entries)
bios0: vendor American Megatrends Inc. version 1.05 date 01/16/2015
bios0: Shuttle Inc. DS57U
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT UEFI SSDT ASF! SLIC SSDT 
SSDT SSDT DMAR
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4) 
PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) 
PXSX(S4) RP05(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) 3205U @ 1.50GHz, 1496.76 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,XSAVE,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,ERMS,INVPCID,RDSEED
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) 3205U @ 1.50GHz, 1496.54 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,XSAVE,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,ERMS,INVPCID,RDSEED
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
acpimadt0: bogus nmi for apid 0
acpimadt0: bogus nmi for apid 2
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus 1 (RP01)
acpiprt5 at acpi0: bus -1 (RP02)
acpiprt6 at acpi0: bus 2 (RP03)
acpiprt7 at acpi0: bus 3 (RP04)
acpiprt8 at acpi0: bus -1 (RP05)
acpiprt9 at acpi0: bus -1 (RP06)
acpiprt10 at acpi0: bus -1 (RP07)
acpiprt11 at acpi0: bus -1 (RP08)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C2, C1, PSS
acpicpu1 at acpi0: C2, C1, PSS
acpipwrres0 at acpi0: PG00, resource for PEG0
acpipwrres1 at acpi0: PG01, resource for PEG1
acpipwrres2 at acpi0: PG02, resource for PEG2
acpipwrres3 at acpi0: FN00, resource for FAN0
acpipwrres4 at acpi0: FN01, resource for FAN1
acpipwrres5 at acpi0: FN02, resource for FAN2
acpipwrres6 at acpi0: FN03, resource for FAN3
acpipwrres7 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 105 degC
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: SLPB
acpibtn2 at acpi0: PWRB
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 1496 MHz: speeds: 1501, 1500, 1400, 1300, 1200, 1100, 
1000, 900, 800, 700, 600, 500 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel Core 5G Host rev 0x08
vga1 at pci0 dev 2 function 0 vendor Intel, unknown product 0x1606 rev 0x08
intagp at vga1 not configured
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 3 function 0 Intel Core 5G HD Audio rev 0x08: msi
azalia0: No codecs found
xhci0 at pci0 dev 20 function 0 Intel 9 Series xHCI rev 0x03: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 Intel xHCI root hub rev 3.00/1.00 addr 1
Intel 9 Series MEI rev 0x03 at pci0 dev 22 function 0 not configured
em0 at pci0 dev 25 function 0 Intel I218-LM rev 0x03: msi, address 
80:ee:73:ab:41:11
azalia1 at pci0 dev 27 function 0 Intel 9 Series HD Audio rev 0x03: msi
azalia1: codecs: Realtek ALC662
audio0 at azalia1
ppb0 at pci0 dev 28 function 0 Intel 9 Series PCIE rev 0xe3: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 2 Intel 9 Series PCIE rev 0xe3: msi
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 Intel I211 rev 0x03: msi
em1: The EEPROM Checksum Is Not Valid
em1: Unable to initialize the hardware
ppb2 at pci0 dev 28 function 3 Intel 9 Series PCIE rev 0xe3: msi
pci3 at ppb2 bus 3
vendor Realtek, 

Re: Intel I211 NIC not working on Shuttle DS57U with latest snapshot

2015-03-27 Thread Jonathan Gray
On Fri, Mar 27, 2015 at 10:19:36AM +, Comète wrote:
 Hi,
 
 I've just installed the latest snapshot on this new fanless little
 machine with 2 NICs (one I218-LM and another with I211 chipset) and the I211
 is not detected, dmesg returning: EEPROM Checksum is not valid. I've looked
 at man em and saw I211 was supported.
 
 Any idea ?
 
 Thank you.

Can you try the patch from
http://marc.info/?l=openbsd-tech&m=142588283023584&q=raw
It's possible the machine has this data stored in otp.



Re: SNMP and PID file

2015-03-27 Thread Alex Naumov
On Fri, Mar 27, 2015 at 9:51 AM, Stuart Henderson s...@spacehopper.org wrote:
 On 2015-03-26, Alex Naumov alexander_nau...@opensuse.org wrote:
 # /etc/rc.d/snmpd restart
 httpd2 (pid 29518) already running

 Weird. What are the contents of /etc/rc.d/snmpd?


#!/bin/sh
#
# $OpenBSD: snmpd,v 1.1 2011/07/06 18:55:36 robert Exp $

daemon=/usr/sbin/snmpd

. /etc/rc.d/rc.subr

pexp=snmpd: parent.*

rc_cmd $1



Re: SNMP and PID file

2015-03-27 Thread Stuart Henderson
On 2015/03/27 12:00, Alex Naumov wrote:
 On Fri, Mar 27, 2015 at 9:51 AM, Stuart Henderson s...@spacehopper.org 
 wrote:
  On 2015-03-26, Alex Naumov alexander_nau...@opensuse.org wrote:
  # /etc/rc.d/snmpd restart
  httpd2 (pid 29518) already running
 
  Weird. What are the contents of /etc/rc.d/snmpd?
 
 
 #!/bin/sh
 #
 # $OpenBSD: snmpd,v 1.1 2011/07/06 18:55:36 robert Exp $
 
 daemon=/usr/sbin/snmpd
 
 . /etc/rc.d/rc.subr
 
 pexp=snmpd: parent.*
 
 rc_cmd $1

That's correct...hmm, do you have anything non-standard relating to
httpd2 in /etc/rc.conf.local or /etc/rc.conf?



Re: httpd tls - what am i missing?

2015-03-27 Thread Kevin Chadwick
On Fri, 27 Mar 2015 00:56:31 -0500
Theodore Wynnychenko wrote:

 If there is anything else to try, please let me know.

 Running current:
 OpenBSD 5.7-current (RAMDISK_CD) #818: Wed Mar 18 18:59:52 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD

A snapshot has just been released that could rule out a broken
install/unlucky sync at the wrong time. I could be wrong but believe the
relevant snapshot was put on the mirrors on the 19th and not the 18th?
Also this line is from a RAMDISK_CD and not the full kernel, is that
just because it is from the CD you used to install from?



Re: C++14 and C11 support sucks in OpenBSDs default compiler - any chance of Clang in base?

2015-03-27 Thread Mike Burns
On 2015-03-27 08.03.25 +, Some Developer wrote:
 So what are the reasons why OpenBSD has so far shunned Clang and LLDB?

http://marc.info/?l=openbsd-misc&m=137530560232232



C++14 and C11 support sucks in OpenBSDs default compiler - any chance of Clang in base?

2015-03-27 Thread Some Developer
I'm not entirely aware of the changes that the OpenBSD developers have 
made to the version of GCC that ships with OpenBSD but is there any work 
being done on including Clang in OpenBSD base?


It has a BSD compatible license unlike GCC. It has its own debugger with 
the same license unlike GDB.


So what are the reasons why OpenBSD has so far shunned Clang and LLDB? 
Is it missing some extra security features that the OpenBSD team have 
added to their version of GCC?


Any info is appreciated.



Re: Leap seconds

2015-03-27 Thread Peter Hessler
You don't need to do anything.

OpenBSD doesn't specifically handle leap-seconds, but openntpd will see
the change in time from its upstream peers, and will adjust the clock
for you.


On 2015 Mar 26 (Thu) at 22:15:17 +0200 (+0200), jinhitmanBarracuda wrote:
:As you know, the leap second issue will occur on 29th June. I saw
:articles on some Linux distro's web page. It looks like there is a bug on
:the Linux kernel and it was affected in 2012.
:
:I would like to ask, is there anything which i should do on my OpenBSD 5.6 ?
:
:Sorry for my English
:

-- 
Equal bytes for women.



Re: C++14 and C11 support sucks in OpenBSDs default compiler - any chance of Clang in base?

2015-03-27 Thread Dmitrij D. Czarkoff
Some Developer said:
 So what are the reasons why OpenBSD has so far shunned Clang and LLDB? Is it
 missing some extra security features that the OpenBSD team have added to
 their version of GCC?

First and foremost it is missing platform support.

-- 
Dmitrij D. Czarkoff



Intel 5th gen NUC graphics support

2015-03-27 Thread Bernd Schoeller

Hi -

I just acquired an Intel NUC (NUC5i5RYK) to use as my main OpenBSD 
desktop system.


After getting kernel panics when booting 5.6, using a SNAPSHOT seems to 
work well (panic was: lapic_set_lvt: bad pin value 228). The next hurdle 
I have to overcome is getting accelerated X to work. There is also no 
support for a framebuffer console (which is probably related).


I think the critical part of the X11 output (full dump below) is:

[30.163] (II) AIGLX: Screen 0 is not DRI2 capable
[30.163] (EE) AIGLX: reverting to software rendering

Is the new graphics chipset already supported in OpenBSD, and I just 
have the configuration wrong? Or will I have to wait for support? 
Anything I can do to help development?


Thanks,
Bernd

PS: Two other observations: the kernel takes rather long to load (15 
seconds) and I get this line of strange symbols in the dmesg below.


DMESG:

OpenBSD 5.7-current (GENERIC.MP) #895: Wed Mar 18 18:55:03 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8453918720 (8062MB)
avail mem = 8193765376 (7814MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec7b0 (86 entries)
bios0: vendor Intel Corporation version 
RYBDWi35.86A.0137.2015.0107.1700 date 01/07/2015
bios0: 
\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^? 
\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?

acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT UEFI SSDT ASF! 
SSDT SSDT SSDT DMAR
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) 
PEG2(S4) PS2K(S3) PS2M(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) 
RP03(S4) PXSX(S4) RP04(S4) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.60 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP

cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.22 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP

cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.22 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP

cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.22 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP

cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
acpimadt0: bogus nmi for apid 0
acpimadt0: bogus nmi for apid 2
acpimadt0: bogus nmi for apid 1
acpimadt0: bogus nmi for apid 3
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus 1 (RP01)
acpiprt5 at acpi0: bus -1 (RP02)
acpiprt6 at acpi0: bus -1 (RP03)
acpiprt7 at acpi0: bus 2 (RP04)
acpiprt8 at acpi0: bus -1 (RP05)
acpiprt9 at acpi0: bus -1 (RP06)
acpiprt10 at acpi0: bus -1 (RP07)
acpiprt11 at acpi0: bus -1 (RP08)

Re: Getting errors during security(8) maintenance

2015-03-27 Thread sven falempin
On Fri, Mar 27, 2015 at 8:41 AM, Ingo Schwarze schwa...@usta.de wrote:

 Hi Denis,

 Denis Lapshin wrote on Thu, Mar 26, 2015 at 11:33:16AM +0300:

   Some time ago I started getting errors after the nightly Security run:
 
  Use of uninitialized value $home in concatenation (.)
  or string at /usr/libexec/security line 356.

 Fixed in -current, thanks for reporting.

 Regarding the corrupted file /etc/passwd on your machine,
 use vipw(8) in the way i explained before.

 Note that 5.4 is old and no longer supported.

 Yours,
   Ingo


good morning


my $homes = find_homes;
check_rhosts_owner @$_ foreach @$homes;

I am not sure about Perl internals but aren't you playing too much from @
to \@ lol


why not check_homes(sub {
  check_rhosts_content @_;
  check whatever you want on passwd;
});

Just leaving that here:

#!/usr/bin/perl

use strict;
use warnings;
use v5.10;
use Data::Dumper;

# Read the passwd(5) file named on the command line and return a reference
# to the [name, uid, home] triples for which the supplied check succeeds.
sub whatever {
  my ($check) = @_;
  open my $fh, '<', $ARGV[0] or die 'oops: ' . $!;
  my @passwd = map { chomp; [ (split /:/)[0, 2, 5] ] } <$fh>;
  close $fh;

  my @homes = grep { $check->($_) } @passwd;

  return \@homes;
}

my $check_home = sub {
  my ($entry) = @_;
  say Dumper($entry);
  # A corrupted passwd line may have no home field at all; do not
  # concatenate an undefined value, report it instead.
  my $home = $entry->[2];
  unless ( defined $home && -d $home ) {
    warn( ($home // '(missing home field)') . ' does not exist, so what?' );
    return;
  }
  return 1;
};

say Dumper(whatever($check_home));


-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: Getting errors during security(8) maintenance

2015-03-27 Thread Ingo Schwarze
Hi Denis,

Denis Lapshin wrote on Thu, Mar 26, 2015 at 11:33:16AM +0300:

 Some time ago I started getting errors after the nightly Security run:

 Use of uninitialized value $home in concatenation (.)
 or string at /usr/libexec/security line 356.

Fixed in -current, thanks for reporting.

Regarding the corrupted file /etc/passwd on your machine,
use vipw(8) in the way i explained before.

Note that 5.4 is old and no longer supported.

Yours,
  Ingo



Re: Fund raising

2015-03-27 Thread Jason Hunt
 Recent difficulties have resulted in zero (Z E R O) of the proceeds
 from Austin's shop going towards OpenBSD. And it may have been
 happening for a while before that.
This might explain why they ignored my repeated requests for a receipt back
when I bought the 5.5 discs. They eventually sent one, shortly after the new
store was announced.



Re: Fund raising

2015-03-27 Thread sven falempin
On Fri, Mar 27, 2015 at 2:25 AM, Theo de Raadt dera...@cvs.openbsd.org
wrote:

 I'm actually wearing an openbsd shirt now with an openssh poster
 behind me on the wall.
 
 What's the URL to the legacy store? I want to see what remains in
 their inventory.

 Note:

 Recent difficulties have resulted in zero (Z E R O) of the proceeds
 from Austin's shop going towards OpenBSD.  And it may have been
 happening for a while before that.

 (history repeats itself)


But the new shop is alright ?

-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: Getting errors during security(8) maintenance

2015-03-27 Thread Ingo Schwarze
Hi Sven,

sven falempin wrote on Fri, Mar 27, 2015 at 09:02:09AM -0400:

 I am not sure about Perl internals but aren't you playing
 too much from @ to \@ lol

Your patch doesn't apply, and from the code snippets you are
throwing at me, i neither understand what you consider defective
nor what you want to improve.

Note: One of the worst weaknesses of Perl is that there is
more than one way to do it.

Yours,
  Ingo



icmp6 get dropped on gif tunnel

2015-03-27 Thread Bastien Durel
Hello.
I have an openbsd router with 2 upstreams (one pppoe (pppoe0 on sis1),
one ipoe (sis0)).

I have a sixxs(6-in-4) tunnel (gif0).
If the gif tunnel is on one of my providers (pppoe0), it works well. 

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
description: Sixxs
priority: 0
groups: gif egress
tunnel: inet 109.190.17.241 -> 212.100.184.146
inet6 fe80::200:24ff:fecf:42ac%gif0 ->  prefixlen 64 scopeid 0xc
inet6 2001:6f8:202:19c::2 -> 2001:6f8:202:19c::1 prefixlen 128

the 2001:6f8:3c8::/48 subnet which is routed via this tunnel

This provider gives me native IPv6, so the tunnel is pretty useless, and
I want to put it on the other provider, which doesn't.

But when I move it to the other provider, the tunnel basically works (I
can ping an inside box (2001:6f8:3c8:42:xxx) from the outside), but the
router does not answer to ping, on the tunnel endpoint IPv6
(2001:6f8:202:19c::2) nor on any other interface (in 2001:6f8:3c8::/48).

Then sixxs counts it as down, and will disable it if nothing is done. I
can ping from router to remote tunnel endpoint (2001:6f8:202:19c::1),
but remote tunnel endpoint does not get any answer when it pings my
router endpoint, nor can I ping it from outside.

If I tcpdump gif0, I can see ICMPv6 in and out.

Do you have any clue?

Thanks,

-- 
Bastien Durel



Re: Fund raising

2015-03-27 Thread Theo de Raadt
On Fri, Mar 27, 2015 at 2:25 AM, Theo de Raadt dera...@cvs.openbsd.org
wrote:

 I'm actually wearing an openbsd shirt now with an openssh poster
 behind me on the wall.
 
 What's the URL to the legacy store? I want to see what remains in
 their inventory.

 Note:

 Recent difficulties have resulted in zero (Z E R O) of the proceeds
 from Austin's shop going towards OpenBSD.  And it may have been
 happening for a while before that.

 (history repeats itself)


But the new shop is alright ?

Yes, the new shop is fine.  Transparency, accountability, honourable
behaviour, etc.  Excellent relationship.  Few bumps at adapting their
ordering system to the people ordering from all over the world, but
we'll get there step by step I hope.



Re: Change routes with multipath?

2015-03-27 Thread rizz2pro .
Hey, thanks for replying.

It doesn't seem to work with any number at all actually.

If I didn't have multipathing enabled, these work:

$ route change default -priority 1
$ route change default -priority 15
$ route change default -priority 6

But having multipath setup, it seems like it doesn't know which route to
change or how to handle it:

$ route change -mpath default 64.4.4.4 -priority 1
$ route change -mpath default 64.4.4.4 -priority 6
$ route change -mpath default 64.4.4.4 -priority 15

# route: writing to routing socket: No such process
# change net default: gateway 64.4.4.4: not in table

I guess normally you don't need to specify the gateway in the command
without multipath because there is only one gateway. But I need to be
specific.

If I try

$ sudo route change -mpath default -priority 7

Then it lets the system choose which route to change and I get very mixed
results (sometimes one interface gets the priority..and sometimes the other
one!)

I might be wrong, but if you might know of a way to do it, I would
appreciate any hints. Hope it's not a bug?

Thanks for the help,

RZ


On Thu, Mar 26, 2015 at 6:24 PM, Martin Pieuchot m...@openbsd.org wrote:

 On 26/03/15(Thu) 14:07, rizz2pro . wrote:
  Hello everyone,
 
  I hope I posted this in the right area, I don't usually join mailing
 lists
  so I am still a bit of a noob.
 
  Anyways, hoping someone could help me out. I am coming up empty on my
  searches figuring this out.
 
  If I have 2 default gateways configured with priorities, how would I
 modify
  the priorities using route change? I would prefer not to have to delete
  the route and re-add them.
 
  $ sudo route add -mpath default 64.4.4.4 -priority 1
  $ sudo route add -mpath default 129.2.2.2 -priority 15
  $ sudo netstat -rn | grep default
  ~
  # default   64.4.4.4   UGS3 3308 - 1 em0
  # default129.2.2.2   UGS00 -15
 em1
 
  If I try to change priorities:
 
  $ sudo route change -mpath default 129.2.2.2 -priority 1
  ~
  # route: writing to routing socket: No such process
  # change net default: gateway 129.2.2.2: not in table
 
  Any hints as to how I can change priority on a default multipath route? I
  would appreciate it greatly.

 Does it work with -priority 2?  The number 1 is special and reserved
 for routes representing local (your own) addresses.  I just realized
 that this is not (and should) be documented.



Re: Fund raising

2015-03-27 Thread Dave Anderson
On Fri, 27 Mar 2015, Theo de Raadt wrote:

On Fri, Mar 27, 2015 at 2:25 AM, Theo de Raadt dera...@cvs.openbsd.org
wrote:

 I'm actually wearing an openbsd shirt now with an openssh poster
 behind me on the wall.
 
 What's the URL to the legacy store? I want to see what remains in
 their inventory.

 Note:

 Recent difficulties have resulted in zero (Z E R O) of the proceeds
 from Austin's shop going towards OpenBSD.  And it may have been
 happening for a while before that.

 (history repeats itself)


But the new shop is alright ?

Yes, the new shop is fine.  Transparency, accountability, honourable
behaviour, etc.  Excellent relationship.  Few bumps at adapting their
ordering system to the people ordering from all over the world, but
we'll get there step by step I hope.

I hit a couple of those bumps on my first order from them, and they were
_very_ good about analyzing and fixing them.

Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: httpd tls - what am i missing?

2015-03-27 Thread Theodore Wynnychenko
 And, finally:
 
 4. they DO NOT work when loaded by httpd
 
 I will be the first to admit that I don't really know much about
 public key cryptography and how openssl implements things.  But, being
 simple, it seems to me that there are really only two possibilities.
 
 Either apache, pound, and openssl s_server are all flawed and are
 incorrectly using an invalid certificate/key pair for encryption; or
 there is a problem in httpd and how it deals with certificates and
 https.
 
 I will try things again tomorrow (later today) and see if I can get
 any info with tcpdump.
 
 If there is anything else to try, please let me know.

Please try 's_client' as I had suggested in an earlier email - it's not
the certificates themselves you should be testing (i.e. with 's_server'
and a web browser) but certificates/keys *with* httpd and a client which
will give you meaningful output ('s_client').

Like I had also mentioned earlier - I had generated a new certificate
and a key and tested it on one of my machines and it all works just
fine.

 Last, but not least - if you hadn't done so already, please make sure you
are running the latest snapshot.

Regards,

Raf

--

First, I installed the most recent snapshot:

OpenBSD 5.7-current (GENERIC.MP) #896: Thu Mar 26 14:56:12 MDT 2015
t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

(sorry about the other dmesg snip - I pulled the snip off the top, and I was
not aware that on this system the message buffer survives a reboot)

First, I started httpd as httpd -d -v -v -v -v -v -v -v:
The terminal spits back:
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_tls_load_keypair: using certificate /etc/ssl/server.crt
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
server_launch: running server default
server_launch: running server default
server_launch: running server default

Then, on a second terminal, I tried connecting with:  openssl s_client 
-connect 127.0.0.1:443

on the second (s_client) terminal, I get:
CONNECTED(0003)

And that's it.

On the first (httpd) terminal, there is no output of any kind.
So, I waited about 10 seconds, nothing happened, and I shut down httpd.  The 
terminal says:
^C
logger exiting, pid 14644
server exiting, pid 21849
server exiting, pid 18400
server exiting, pid 10463
parent terminating, pid 9974

Then, I opened an s_server instance:  openssl s_server -accept 443 -www -cert 
/etc/ssl/server.crt -key /etc/ssl/private/server.key
It gives me:
Using auto DH parameters
Using default temp ECDH parameters
ACCEPT

And on the second terminal I try s_client again:  openssl s_client -connect 
127.0.0.1:443
And it connects.  Here is the output (I XXX'ed some of the certificate info):

openssl s_client -connect 127.0.0.1:443
CONNECTED(0003)
depth=0 C = US, ST = XXX, O = XXX, OU = XXX, L = XXX, CN = XXX, emailAddress = 
XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = XXX, O = XXX, OU = XXX, L = XXX, CN = XXX, emailAddress = 
XXX
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = XXX, O = XXX, OU = XXX, L = XXX, CN = XXX, emailAddress = 
XXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=XXX/O=XXX/OU=XXX/L=XXX/CN=XXX/emailAddress=XXX
   i:/C=US/ST=XXX/L=XXX/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
---
Server certificate
-BEGIN CERTIFICATE-
MIIH6zCCBdOgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBljELMAkGA1UEBhMCVVMx
ETAPBgNVBAgMCElsbGlub2lzMREwDwYDVQQHDAhXaW5uZXRrYTEUMBIGA1UECgwL

... more certificate block ...

6RUcfqhZ211+IvAnJVYAsz+1hzLGL57Ppct6HHf41xl36WakU+J3jlpVpIaA8jHh
5ThHy8QM1jeo90XENClcYD2W1OHD75Hchn5pEbA8BfpKJpvTwsosIFdZazWvHHO8
CU8P6Syj53sEw0MeooEt
-END CERTIFICATE-
subject=/C=US/ST=XXX/O=XXX/OU=XXX/L=XXX/CN=XXX/emailAddress=XXX
issuer=/C=US/ST=XXX/L=XX/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
---
No client certificate CA names sent
---
SSL handshake has read 2933 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-CHACHA20-POLY1305
Session-ID: FC424D25B814891FD0F881B1E20C6367547803E189FF2EB1D337201491CB078A
Session-ID-ctx:
Master-Key: 
ADB4316898847559BAF6EE1188F1FCFAB0D741D36A73226D023458247CE26523F74EABE327755A7A12CFB9242AAA9413
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
 - 8c 5f 29 1e 1e a2 9f e3-f8 3e 62 1f 9f 10 ad 5c   ._)..b\
0010 - be 8c 47 51 98 4c 93 66-bb a9 51 70 93 37 b3 4e   ..GQ.L.f..Qp.7.N
0020 - 16 fc 38 fa f6 ea 37 73-9c d4 82 e9 1a 30 f9 44   ..8...7s.0.D
0030 - eb 5e 4b 4f b2 c5 9e 00-f1 65 5e d5 
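Raf's advice above, to test the listener with s_client rather than with s_server and a browser, can be scripted. The following is an added example, not code from the thread or from OpenBSD's httpd: it runs a small classifier over s_client output that separates the symptom the post shows (CONNECTED, then nothing, meaning the listener accepted the TCP connection but never completed a TLS handshake) from a completed handshake with a chain that did not verify (the verify error:num=20/21 lines from the s_server run) and from a clean handshake. The host, port and the sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): classify openssl s_client output.
#
# Outcomes, and what each means for the httpd debugging in the thread:
#   no-connect           TCP connect refused/timed out: nothing is listening
#   no-handshake         CONNECTED but no TLS handshake: the listener took the
#                        TCP connection and never sent a ServerHello (the
#                        symptom the post shows against httpd)
#   handshake-untrusted  handshake completed, but the chain did not verify
#                        (s_client's "verify error:num=..." lines, e.g. 20/21
#                        for a self-signed cert without its issuer)
#   handshake-ok         handshake completed and the chain verified

classify_sclient() {
    # reads s_client's combined stdout/stderr on stdin, prints one outcome
    out=$(cat)
    case "$out" in
        *"CONNECTED("*) ;;
        *) echo no-connect; return 1 ;;
    esac
    case "$out" in
        *"SSL handshake has read "*) ;;
        *) echo no-handshake; return 2 ;;
    esac
    case "$out" in
        *"verify error:"*) echo handshake-untrusted; return 3 ;;
    esac
    echo handshake-ok
    return 0
}

# Run s_client against a listener and classify the result. Host and port
# are assumptions. </dev/null closes s_client's stdin so it exits after the
# handshake instead of sitting at the interactive prompt seen in the post;
# a listener that accepts and then stays silent will still keep s_client
# waiting, so wrap the call in a timeout where one is available.
# -servername sends SNI, which httpd uses to pick the server block.
probe_tls() {
    host=${1:-127.0.0.1}
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 \
        | classify_sclient
}

# Constructed sample outputs, abridged to the shapes seen in the post, so the
# classifier can be exercised without a live listener.
sample_no_handshake() {
    printf 'CONNECTED(0003)\n'
}
sample_untrusted() {
    printf 'CONNECTED(0003)\n'
    printf 'depth=0 C = US, ST = XXX, CN = XXX\n'
    printf 'verify error:num=21:unable to verify the first certificate\n'
    printf 'verify return:1\n'
    printf 'SSL handshake has read 2933 bytes and written 438 bytes\n'
    printf 'New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305\n'
}
sample_ok() {
    printf 'CONNECTED(0003)\n'
    printf 'depth=0 C = US, ST = XXX, CN = XXX\n'
    printf 'verify return:1\n'
    printf 'SSL handshake has read 2933 bytes and written 438 bytes\n'
}
```

Used as `probe_tls 127.0.0.1 443` against the httpd from the post, this prints no-handshake; against the s_server run it prints handshake-untrusted, which is the expected result for a certificate whose issuer is not in the client's trust store and says nothing about httpd itself.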

Re: Change routes with multipath?

2015-03-27 Thread Renato Westphal
2015-03-27 13:40 GMT-03:00 rizz2pro . rizzz2...@gmail.com:
 Hey, thanks for replying.

 It doesn't seem to work with any number at all actually.

 If I didn't have multipathing enabled, these work:

 $ route change default -priority 1
 $ route change default -priority 15
 $ route change default -priority 6

 But having multipath setup, it seems like it doesn't know which route to
 change or how to handle it:

 $ route change -mpath default 64.4.4.4 -priority 1
 $ route change -mpath default 64.4.4.4 -priority 6
 $ route change -mpath default 64.4.4.4 -priority 15

 # route: writing to routing socket: No such process
 # change net default: gateway 64.4.4.4: not in table

 I guess normally you don't need to specify the gateway in the command
 without multipath because there is only one gateway. But I need to be
 specific.

 If I try

 $ sudo route change -mpath default -priority 7

 Then it lets the system choose which route to change and I get very mixed
 results (sometimes one interface gets the priority... and sometimes the other
 one!)

 I might be wrong, but if you might know of a way to do it, I would
 appreciate any hints. Hope it's not a bug?

 Thanks for the help,

 RZ


 On Thu, Mar 26, 2015 at 6:24 PM, Martin Pieuchot m...@openbsd.org wrote:

 On 26/03/15(Thu) 14:07, rizz2pro . wrote:
  Hello everyone,
 
  I hope I posted this in the right area, I don't usually join mailing
 lists
  so I am still a bit of a noob.
 
  Anyways, hoping someone could help me out. I am coming up empty on my
  searches figuring this out.
 
  If I have 2 default gateways configured with priorities, how would I
 modify
  the priorities using route change? I would prefer not to have to delete
  the route and re-add them.
 
  $ sudo route add -mpath default 64.4.4.4 -priority 1
  $ sudo route add -mpath default 129.2.2.2 -priority 15
  $ sudo netstat -rn | grep default
  ~
  # default   64.4.4.4   UGS3 3308 - 1 em0
  # default129.2.2.2   UGS00 -15
 em1
 
  If I try to change priorities:
 
  $ sudo route change -mpath default 129.2.2.2 -priority 1
  ~
  # route: writing to routing socket: No such process
  # change net default: gateway 129.2.2.2: not in table
 
  Any hints as to how I can change priority on a default multipath route? I
  would appreciate it greatly.

 Does it work with -priority 2?  The number 1 is special and reserved
 for routes representing local (your own) addresses.  I just realized
 that this is not (but should be) documented.

You got it right, you can't change a multipath route. It's a
limitation of the kernel API and there's nothing you can do about it.

I came across this problem too when I was working on ldpd(8):
https://github.com/rwestphal/openbsd-ldpd/blob/renato-2015/kroute.c#L1344

If removing a route and re-adding it with a new nexthop poses a
problem to you please let us know so we can think about a solution.

PS: please don't top post on @misc.

-- 
Renato Westphal
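Renato's answer leaves delete-and-re-add as the only way to move a multipath route to a new priority. The following is an added example, not code from the thread or from ldpd(8): a shell function that performs the two steps and restores the original entry if the add fails, so the gateway never silently disappears from the table; it also refuses priority 1, which Martin noted is reserved for local-address routes. The ROUTE variable is a hook of this example so the command sequence can be checked without touching the routing socket.

```shell
#!/bin/sh
# Added example (not from the thread): since route(8) cannot change a
# multipath route in place, reprioritize one by deleting it and re-adding
# it, and put the old entry back if the add fails.
#
# ROUTE is a dry-run hook: set ROUTE=echo to print the commands instead of
# writing to the routing socket.
ROUTE=${ROUTE:-route}

# usage: reprioritize_mpath <dest> <gateway> <old-priority> <new-priority>
reprioritize_mpath() {
    dest=$1
    gw=$2
    oldprio=$3
    newprio=$4
    case "$newprio" in
        ''|*[!0-9]*)
            echo "reprioritize_mpath: priority must be numeric" >&2
            return 2 ;;
    esac
    # Priority 1 is reserved for the kernel's local-address routes (as Martin
    # Pieuchot notes in the thread), so refuse it up front rather than let the
    # add fail after the delete has already happened.
    if [ "$newprio" -lt 2 ]; then
        echo "reprioritize_mpath: priority 1 is reserved, use 2 or higher" >&2
        return 2
    fi
    "$ROUTE" delete -mpath "$dest" "$gw" || return 1
    if ! "$ROUTE" add -mpath "$dest" "$gw" -priority "$newprio"; then
        echo "reprioritize_mpath: add failed, restoring priority $oldprio" >&2
        "$ROUTE" add -mpath "$dest" "$gw" -priority "$oldprio"
        return 1
    fi
}

# e.g. as root, with the routes from the thread:
#   reprioritize_mpath default 129.2.2.2 15 2
#   netstat -rn -f inet | grep default
```

There is still a window between the delete and the add during which traffic falls back to the remaining default route; if that matters, run the two steps for the less preferred gateway first, so the preferred path is never the one that is momentarily absent.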



Re: L2TP using Npppd and IPsec

2015-03-27 Thread Brian S. Vangsgaard

Hi,


for the talk he gave at BSDCan IIRC. I don't need to use RADIUS just a
local authentication database. It is in the base and it seems very easy
to configure.


It is.


Is anybody running a similar setup in production? Any caveats? Any other
advice before I take the plunge.


Yes I am, with Windows, Mac, Linux and OpenBSD clients connecting.

Very easy to configure (linux being the exception :p).

You only need to change npppd.conf, npppd-users and ipsec.conf and you 
are in business.


I wrote an up-to-date guide on how to do it, let me know if you want a 
copy.


Caveats... yes.
I'm currently seeing issues with some clients (might be a client 
software issue) sending multiple connect requests.
The ip-address reserved for the client is being assigned to the first 
request, but it seems like the last request wins, but alas! no 
ip-address available (since it was assigned to the first request).


But then again, I have some Windows clients connected for more than 2 
weeks non-stop, before they disconnect (prob. a Windows update wanting 
to reboot ;) ).



--
bsv



Re: Fund raising

2015-03-27 Thread Todd Zimmermann
On Fri, Mar 27, 2015 at 2:18 PM, Dave Anderson d...@daveanderson.com wrote:
 On Fri, 27 Mar 2015, Theo de Raadt wrote:

On Fri, Mar 27, 2015 at 2:25 AM, Theo de Raadt dera...@cvs.openbsd.org
wrote:

 I'm actually wearing an openbsd shirt now with an openssh poster
 behind me on the wall.
 
 What's the URL to the legacy store? I want to see what remains in
 their inventory.

 Note:

 Recent difficulties have resulted in zero (Z E R O) of the proceeds
 from Austin's shop going towards OpenBSD.  And it may have been
 happening for a while before that.

 (history repeats itself)


But the new shop is alright?

Yes, the new shop is fine.  Transparency, accountability, honourable
behaviour, etc.  Excellent relationship.  Few bumps at adapting their
ordering system to the people ordering from all over the world, but
we'll get there step by step I hope.

 I hit a couple of those bumps on my first order from them, and they were
 _very_ good about analyzing and fixing them.

 Dave

 --
 Dave Anderson
 d...@daveanderson.com


I placed a pre-order for the 5.7 CD set and poster this afternoon with
the new store without problem. Spotted the Blues Brothers theme and
couldn't resist ;) For my Visa debit card I had to enter the type as 'Visa'
as it wouldn't go through with the type as 'Visa Debit'. No big deal, I run
into that occasionally on other sites.



Re: icmp6 get dropped on gif tunnel

2015-03-27 Thread Geoff Steckel

On 03/27/2015 01:31 PM, Bastien Durel wrote:

Hello.
I have an openbsd router with 2 upstreams (one pppoe (pppoe0 on sis1),
one ipoe (sis0)).

I have a sixxs(6-in-4) tunnel (gif0).
If the gif tunnel is on one of my providers (pppoe0), it works well.

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
 description: Sixxs
 priority: 0
 groups: gif egress
 tunnel: inet 109.190.17.241 - 212.100.184.146
 inet6 fe80::200:24ff:fecf:42ac%gif0 -  prefixlen 64 scopeid 0xc
 inet6 2001:6f8:202:19c::2 - 2001:6f8:202:19c::1 prefixlen 128

the 2001:6f8:3c8::/48 subnet which is routed via this tunnel

This provider gives me native Ipv6, so the tunnel is pretty useless, and
I want to put it on the other provider, which doesn't.

But when I move it to the other provider, the tunnel basically works (I
can ping an inside box (2001:6f8:3c8:42:xxx) from the outside), but the
router does not answer to ping, on the tunnel endpoint Ipv6
(2001:6f8:202:19c::2) nor on any other interface (in 2001:6f8:3c8::/48).

Then sixxs counts it as down, and will disable it if nothing is done. I
can ping from the router to the remote tunnel endpoint (2001:6f8:202:19c::1),
but the remote tunnel endpoint does not get any answer when it pings my
router endpoint, nor can I ping it from outside.

If I tcpdump gif0, I can see icmpv6 in and out.

Do you have any clue?

Thanks,


I've seen a similar problem with traceroute: ping from inside to outside
IPv6 host works. Traceroute packets leaving gif0 are visible leaving via
ipv4 interface. Traceroute ICMP6 packets returned are visible entering 
gif0 but

aren't visible in pf (at least what I've tried)
pass in log on gif0 any
doesn't give me anything. I may misunderstand log vs rule matching.
Is there a rule which will guarantee that a packet will be logged
no matter what happens to it later in pf processing?
The IPv6 packets cross routing domains to get to/from gif0.

I could set up a test net (4 machines) to debug this if I had
better knowledge (a) about logging as above
(b) where to look in the code to put information gathering code.
I suspect some sort of mismatch in the state matching code but
that's because I can't think of anywhere else.

If anyone has a little time to suggest places to look I'd appreciate it.
If sending to tech@ would be helpful, I'll do that.

thanks
Geoff Steckel



Re: L2TP using Npppd and IPsec

2015-03-27 Thread Predrag Punosevac
Dain Bentley wrote:

 I'd love a copy!  Thanks
 

+1

 On Friday, March 27, 2015, Brian S. Vangsgaard b...@avalanic.dk wrote:
 
  Hi,
 
   for the talk he gave at BSDCan IIRC. I don't need to use RADIUS just
 a
  local authentication database. It is in the base and it seems very
 easy
  to configure.
 
 
  It is.
 
   Is anybody running a similar setup in production? Any caveats? Any
  other
   advice before I take the plunge.
 
 
  Yes I am, with Windows, Mac, Linux and OpenBSD clients connecting.
 
  Very easy to configure (linux being the exception :p).
 
  You only need to change npppd.conf, npppd-users and ipsec.conf and you
 are
  in business.
 
  I wrote an up-to-date guide on how to do it, let me know if you want a
  copy.
 
  Caveats... yes.
  I'm currently seeing issues with some clients (might be a client
 software
  issue) sending multiple connect requests.

I also got a very useful answer off the list. I am just going to quote a
snippet 

[quote]
You'll have problems with NAT-T and clients coming from the same
NAT-address. This problem is worked out currently.
[/quote]

I will post my configuration once when I am done but this topic seems to
beg for an updated undeadly article.

Thanks to everyone who responded to this thread!

PredraG

  The ip-address reserved for the client is being assigned to the first
  request, but it seems like the last request wins, but alas! no
 ip-address
  available (since it was assigned to the first request).
 
  But then again, I have some Windows clients connected for more than 2
  weeks non-stop, before they disconnect (prob. a Windows update wanting
 to
  reboot ;) ).
 
 
  --
  bsv



can't ping CARP interfaces

2015-03-27 Thread David Newman
Greetings. In preparation for upgrading two CARP+pfsync boxes to
5.6/i386, I put together a lab network to test new firewall rules.

Topology is pretty simple:

outside box (vic0) - (vic1) two carp boxes (vic0) - inside box

with a third interface on each firewall for pfsync traffic. I'm focused
here on the outside box pinging the carp box's outside CARP interface.

In the lab network everyone can ping everyone else, except for the CARP
interfaces -- these are not pingable. Hosts on either side of the
firewall can ping the underlying interfaces that the CARP interfaces are
bound to.

Also, 'netstat -f inet -nr' shows that CARP interfaces are bound to lo0.
On the production boxes these systems model, carp interfaces are bound
to the underlying physical interfaces.

tcpdump on the physical interface of the master firewall says the
outside box ARPs for the CARP interface, and the firewall sends an ARP
response with the CARP interface's IP and MAC addresses.

Thanks in advance for troubleshooting clues -- this is almost certainly
a misconfiguration but I'm not sure where.

dn

Outside box's hostname.vic0:
inet 12.220.174.101 255.255.255.224 12.220.174.127

FW1 hostname.vic1:
inet 12.220.174.99 255.255.255.224 12.220.174.127

FW1 hostname.carp221:
inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 1
pass * carpdev vic1 carppeer 12.220.174.100

FW1 ifconfig vic1:
vic1:
flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6>
mtu 1500
lladdr 00:50:56:b2:33:0e
priority: 0
groups: egress
media: Ethernet autoselect
status: active
inet 12.220.174.99 netmask 0xffe0 broadcast 12.220.174.127

FW1 ifconfig carp221:
inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 1 pass
w00h00 carpdev vic1 carppeer 12.220.174.100
# ifconfig carp221
carp221: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu
1500
lladdr 00:00:5e:00:01:dd
priority: 0
carp: MASTER carpdev vic1 vhid 221 advbase 1 advskew 1 carppeer
12.220.174.100
groups: carp
status: master
inet 12.220.174.98 netmask 0xffe0 broadcast 12.220.174.127

FW1 netstat -f inet -nr:
# netstat -f inet -nr
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio
Iface
default12.220.174.97  UGS0   38 - 8 vic1
12.220.174.96/27   link#2 UC 20 - 4 vic1
12.220.174.98  00:00:5e:00:01:dd  HLl00 - 1
lo0  # -- NOTE lo0 BINDING
12.220.174.99  00:50:56:b2:33:0e  UHLl   00 - 1 lo0
12.220.174.100 00:50:56:b2:32:94  UHLc   0  274 - 4 vic1
12.220.174.101 00:50:56:b2:5e:b5  UHLc   05 - 4 vic1
127/8  127.0.0.1  UGRS   00 32768 8 lo0
127.0.0.1  127.0.0.1  UH 14 32768 4 lo0


FW2 hostname.vic1:
inet 12.220.174.100 255.255.255.224 12.220.174.127

FW2 hostname.carp221:
inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 128
pass * carpdev vic1 carppeer 12.220.174.99

FW2 ifconfig carp221:
carp221: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu
1500
lladdr 00:00:5e:00:01:dd
priority: 0
carp: BACKUP carpdev vic1 vhid 221 advbase 1 advskew 128
carppeer 12.220.174.99
groups: carp
status: backup
inet 12.220.174.98 netmask 0xffe0 broadcast 12.220.174.127

pf.conf on both boxes:

# interfaces
pfsync0_if = vic2
carp_dev = { vic0, vic1 }

set skip on lo

##
# Packet filtering
##

block return# block stateless traffic
#pass   # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# icmp handling -- FIX THIS to specify ICMP types
pass log inet proto icmp all

# carp and pfsync
pass on { $pfsync0_if } proto pfsync
pass on $carp_dev proto carp

FW1 dmesg:

OpenBSD 5.6 (GENERIC.MP) #299: Fri Aug  8 00:10:33 MDT 2014
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5649 @ 2.53GHz (GenuineIntel 686-class)
2.54 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,NXE,LONG,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,LAHF,PERF,ITSC
real mem  = 536309760 (511MB)
avail mem = 515063808 (491MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/14/14, BIOS32 rev. 0 @ 0xfd780,
SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
bios0: vendor Phoenix Technologies LTD version 6.00 date 04/14/2014
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3)
S3F0(S3) S4F0(S3) 

Re: L2TP using Npppd and IPsec

2015-03-27 Thread Dain Bentley
I'd love a copy!  Thanks

On Friday, March 27, 2015, Brian S. Vangsgaard b...@avalanic.dk wrote:

 Hi,

  for the talk he gave at BSDCan IIRC. I don't need to use RADIUS just a
 local authentication database. It is in the base and it seems very easy
 to configure.


 It is.

  Is anybody running a similar setup in production? Any caveats? Any other
 advice before I take the plunge.


 Yes I am, with Windows, Mac, Linux and OpenBSD clients connecting.

 Very easy to configure (linux being the exception :p).

 You only need to change npppd.conf, npppd-users and ipsec.conf and you are
 in business.

 I wrote an up-to-date guide on how to do it, let me know if you want a
 copy.

 Caveats... yes.
 I'm currently seeing issues with some clients (might be a client software
 issue) sending multiple connect requests.
 The ip-address reserved for the client is being assigned to the first
 request, but it seems like the last request wins, but alas! no ip-address
 available (since it was assigned to the first request).

 But then again, I have some Windows clients connected for more than 2
 weeks non-stop, before they disconnect (prob. a Windows update wanting to
 reboot ;) ).


 --
 bsv



startx fail on Lenovo G50-70 amd64

2015-03-27 Thread box963
-- Forwarded message -

 Hi, I'm new to OBSD. I just wiped a certain *nix distro off my laptop and
did a fresh install of OBSD56 on a Lenovo G50-70 with the default X
packages.

 Unfortunately, both xdm & startx each separately fail into a blank
screen and no keyboard response.

 It's interesting that about 10 seconds after closing the lid either: a)
suspend restores text console and keyboard; or b) suspend locks up the
laptop.

 Please see the i915 drm errors in the dmesg. I realize the wireless card
is not yet supported but the intel man page indicates that i915[*] is
supported hardware. Am I wrong about the driver support ??

 I could use some suggestions on how to fix this -- thanks !!

 Drew


 ##
 OpenBSD 5.6 (GENERIC.MP) #333: Fri Aug  8 00:20:21 MDT 2014
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
 RTC BIOS diagnostic error 80clock_battery
 real mem = 8464887808 (8072MB)
 avail mem = 8230768640 (7849MB)
 mpath0 at root
 scsibus0 at mpath0: 256 targets
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe6e60 (38 entries)
 bios0: vendor LENOVO version 9ACN28WW date 09/23/2014
 bios0: LENOVO 20351
 acpi0 at bios0: rev 2
 acpi0: sleep states S0 S3 S4 S5
 acpi0: tables DSDT FACP SLIC UEFI FPDT MSDM ASF! HPET APIC MCFG WDAT SSDT
BOOT LPIT ASPT DBGP SSDT SSDT SSDT
 acpi0: wakeup devices P0P1(S4) UAR1(S3) EHC1(S3) XHC_(S3) HDEF(S4)
TPD4(S4) TPD7(S0) TPD8(S0) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4)
RP03(S4) PXSX(S4) RP04(S4) [...]
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpihpet0 at acpi0: 14318179 Hz
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 1895.94 MHz
 cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,A
ES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AV
X2,SMEP,BMI2,ERMS,INVPCID
 cpu0: 256KB 64b/line 8-way L2 cache
 cpu0: smt 0, core 0, package 0
 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
 cpu0: apic clock running at 99MHz
 cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 1895.61 MHz
 cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,A
ES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AV
X2,SMEP,BMI2,ERMS,INVPCID
 cpu1: 256KB 64b/line 8-way L2 cache
 cpu1: smt 1, core 0, package 0
 cpu2 at mainbus0: apid 2 (application processor)
 cpu2: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 1895.61 MHz
 cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,A
ES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AV
X2,SMEP,BMI2,ERMS,INVPCID
 cpu2: 256KB 64b/line 8-way L2 cache
 cpu2: smt 0, core 1, package 0
 cpu3 at mainbus0: apid 3 (application processor)
 cpu3: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 1895.61 MHz
 cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,A
ES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AV
X2,SMEP,BMI2,ERMS,INVPCID
 cpu3: 256KB 64b/line 8-way L2 cache
 cpu3: smt 1, core 1, package 0
 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
 acpimcfg0 at acpi0 addr 0xe000, bus 0-255
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus -1 (P0P1)
 acpiprt2 at acpi0: bus 1 (RP03)
 acpiprt3 at acpi0: bus 2 (RP04)
 acpiprt4 at acpi0: bus -1 (RP05)
 acpiprt5 at acpi0: bus -1 (PEG0)
 acpiprt6 at acpi0: bus -1 (PEG1)
 acpiprt7 at acpi0: bus -1 (PEG2)
 acpiec0 at acpi0
 acpicpu0 at acpi0: C3, C1, PSS
 acpicpu1 at acpi0: C3, C1, PSS
 acpicpu2 at acpi0: C3, C1, PSS
 acpicpu3 at acpi0: C3, C1, PSS
 acpibat0 at acpi0: BAT0 serial BAT20101001 oem Lenovo IdeaPad
 acpiac0 at acpi0: AC unit online
 acpibtn0 at acpi0: LID0
 acpibtn1 at acpi0: PWRB
 acpivideo0 at acpi0: GFX0
 acpivout0 at acpivideo0: DD1F
 cpu0: Enhanced SpeedStep 1895 MHz: speeds: 2601, 2600, 2500, 2300, 2200,
2000, 1900, 1800, 1600, 1500, 1400, 1200, 1100, 1000, 800, 754 MHz
 pci0 at mainbus0 bus 0
 pchb0 at pci0 dev 0 function 0 Intel Core 4G Host rev 0x0b
 vga1 at pci0 dev 2 function 0 Intel HD Graphics rev 0x0b
 intagp at vga1 not configured
 inteldrm0 at vga1
 drm0 at inteldrm0
 drm: Memory usable by graphics