Re: httpd and Server Side Includes

2015-10-04 Thread Chris Cappuccio
worik [r...@worik.org] wrote:
> > 
> > I wouldn't hold my breath. I'm fairly certain that we won't implement
> > it.
> 
> Why is that?
> 

Because Server Side Includes are basically a custom Apache scripting
language. Most people use a different scripting language, even with Apache,
not SSI. httpd can already talk to other language launchers through fcgi,
such as php with php-fpm. 

I think SSI is a textbook example of features that won't ever be included
in httpd. It's the broken, rusty area underneath the faucet of your kitchen
sink.

> What are the sorts of jobs that httpd is the right tool for?  Is it only
> serving static HTML?
> 

Actually many people use it for dynamic content. Reyk Floeter, the author,
even wrote up a guide for running owncloud under httpd. Search google for it.

> I have seen some reference to "slow CGI" but my needs and research have
> not gone there.  Does httpd support CGI?
> 

httpd supports the "Fast CGI" interface to talk to external launchers.
Programs that use Fast CGI or fcgi are typically designed to serve demanding
environments which may require hundreds of pre-launched scripts, ready to
start running as soon as a connection comes in. Or, a hundred.

One such program that supports the httpd fcgi interface is "slowcgi". This
is a simple fcgi interface that launches a regular CGI upon each request,
without the capability to pre-launch anything. It's fine for CGI programs
which worked under Apache.



Re: iked ikev2 x509 authentication problem - no valid local certificate found

2015-10-04 Thread Rob
Sorry about the delay in replying.

I’ve finally managed to get things to work.  The patch, or rather upgrading to 
the latest iked in head helped.  Removing the 
‘ServerCertificateIssuerCommonName’ option from the Apple profile was the key 
bit that was causing problems.  According to the official docs [1], adding 
ServerCertificateIssuerCommonName should cause the VPN client to send a 
certificate request to the server based on the CA, but was actually stopping 
the ‘cert’ part of the server side validation from completing.

As a side point it seems that iOS 9.0.2 works as expected, but El Capitan 
10.11.1 (beta2) has a segmentation fault after connecting that causes the 
connection, after successful validation, to drop.  

So, for the record, using certs on iOS 9.0.2 works correctly without having to 
do any password validation. However, the latest El Capitan 10.11.1 beta fails 
due to an Apple side issue.

Thanks for all of your help.

Rob


[1] https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html



> On 1 Oct 2015, at 20:37, m...@alumni.chalmers.se wrote:
> 
> http://marc.info/?l=openbsd-tech&m=144362542514318&w=2
> 
> 
>> On 1 okt. 2015, at 21:25, Rob  wrote:
>> 
>> Hi,
>> 
>> I’m a little stuck getting two different clients connected to my OpenBSD
>> 5.7 (i386) VPN ikev2 server.  I suspect the clients are at fault as I can
>> get past the error when connecting one OpenBSDs iked to another iked.
>> 
>> FWIW the clients are both Apple, one IOS 9.1 device and one OSX 10.11.1
>> laptop, so I’m a little stuck with the VPN client I can use.
>> 
>> I have the following configuration:
>> 
>> ikev2 "road_warrior" passive esp \
>>   from 192.168.20.0/24 to 192.168.40.0/24 \
>>   local 192.168.20.4 peer any \
>>   ikesa enc aes-128 prf hmac-sha2-256 \
>>   auth hmac-sha2-256 group modp2048 \
>>   childsa enc aes-128 auth hmac-sha2-256 \
>>   srcid "local.example.net" \
>>   dstid "peer.example.net" \
>>   config address 192.168.40.10/29 \
>>   config netmask 255.255.255.0 \
>>   config name-server 192.168.20.53 \
>>   config protected-subnet 192.168.40.0/24
>> 
>> (IPs and names have been changed to protect the innocent)
>> 
>> I have keys installed as follows:
>> 
>> /etc/iked/ca/example.net.crt
>> /etc/iked/certs/local.example.net.crt
>> /etc/iked/private/local.key
>> /etc/iked/pubkeys/fqdn/peer.example.net
>> /etc/iked/local.pub
>> 
>> 
>> I believe the client isn’t sending the certificate request, but I
>> could be completely wrong, the error appears to be:
>> 
>> ikev2_sa_negotiate: score 4
>> sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> config_free_proposals: free 0x77286c80
>> ca_getreq: no valid local certificate found
>> 
>> The client is sending peer.example.net.crt to the server, which gets
>> validated correctly:
>> 
>> ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok
>> ikev2_dispatch_cert: peer certificate is valid
>> sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
>> 
>> I’ve been at this for a number of days and am completely stuck, so if
>> anyone has any ideas/advice/clue-sticks I’d be very grateful.  If you
>> need any further log information please let me know.
>> 
>> 
>> thanks
>> 
>> Rob
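
The `sa_stateflags` lines quoted in the message above can be decoded mechanically to show which requirement is still unmet. This is an added example, not part of the original thread or of iked; the bit values are inferred from the log lines in the message (0x18, 0x1e, 0x1f), and the function names and the sample text assembled from those lines are assumptions made here.

```python
import re

# Bit values inferred from the quoted log lines (an assumption of this example):
# 0x18 = authvalid,sa; 0x1e = certvalid,auth,authvalid,sa; 0x1f adds cert.
FLAG_BITS = {"cert": 0x01, "certvalid": 0x02, "auth": 0x04,
             "authvalid": 0x08, "sa": 0x10}

STATEFLAGS_RE = re.compile(
    r"sa_stateflags:\s+0x([0-9a-f]+)\s+->\s+0x([0-9a-f]+)\s+([\w,]*)\s*"
    r"\(required\s+0x([0-9a-f]+)\s+([\w,]+)\)"
)

def decode(mask):
    """Return flag names set in mask, in the order iked prints them."""
    return [name for name, bit in FLAG_BITS.items() if mask & bit]

def missing_requirements(log_text):
    """Find sa_stateflags entries and report which required flags are unset.

    Mail quote prefixes ('>', '>>') are stripped first, so entries that were
    wrapped across two quoted lines are still matched.
    """
    clean = re.sub(r"(?m)^[>\s]+", "", log_text)
    results = []
    for m in STATEFLAGS_RE.finditer(clean):
        have, required = int(m.group(2), 16), int(m.group(4), 16)
        logged_have = m.group(3).split(",") if m.group(3) else []
        results.append({
            "have": have,
            "required": required,
            "missing": decode(required & ~have),
            # Sanity check: the names iked logged agree with the inferred bits.
            "consistent": decode(have) == logged_have
                          and decode(required) == m.group(5).split(","),
        })
    return results

# Sample assembled from the log lines in the message, wrapping kept as posted.
SAMPLE = """\
>> sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f
> cert,certvalid,auth,authvalid,sa)
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> ca_getreq: no valid local certificate found
>> sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f
> cert,certvalid,auth,authvalid,sa)
"""

if __name__ == "__main__":
    for entry in missing_requirements(SAMPLE):
        print(f"have 0x{entry['have']:02x}, required 0x{entry['required']:02x}, "
              f"missing: {','.join(entry['missing']) or 'none'}")
```

After the peer certificate validates, the only flag still missing is `cert`, which appears in the same log as `ca_getreq: no valid local certificate found`.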



Re: IKED and encapsulated peers

2015-10-04 Thread Jason Tubnor
On 3 October 2015 at 14:40, Jason Tubnor  wrote:

> Hi,
>
>
> Here is the ipsecctl flows:
>
>
>
Sorry, I copied in the flows from the wrong server (testing all different
ways trying to get things to work).  Here is the ipsecctl to match the
iked.conf listed:

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0x1d3ef308 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x22b8b189 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xb8b060e1 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0xbda3e596 auth hmac-sha2-256 enc aes-256

Cheers,

Jason



Strange network issue during startup

2015-10-04 Thread Alessandro DE LAURENZIS
Dear misc@ readers,

my network configuration is pretty simple:

[snip]
┌──[just22@poseidon]-[0]-[✓]-[~]
└─› ifconfig
lo0: flags=8049 mtu 32768
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff00
em0: flags=8b43 mtu 1500
lladdr 00:21:86:94:34:8e
priority: 0
trunk: trunkdev trunk0
media: Ethernet autoselect (none)
status: no carrier
iwn0: flags=8943 mtu 1500
lladdr 00:21:86:94:34:8e
priority: 4
trunk: trunkdev trunk0
groups: wlan
media: IEEE802.11 autoselect (OFDM54 mode 11g)
status: active
ieee80211: nwid  chan 11 bssid * -36dBm wpakey  wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
enc0: flags=0<>
priority: 0
groups: enc
status: active
trunk0: flags=8843 mtu 1500
lladdr 00:21:86:94:34:8e
priority: 0
trunk: trunkproto failover
trunkport iwn0 active
trunkport em0 master
groups: trunk egress
media: Ethernet autoselect
status: active
inet 192.168.1.13 netmask 0xff00 broadcast 192.168.1.255
pflog0: flags=141 mtu 33144
priority: 0
groups: pflog
[snip]

[snip]
┌──[just22@poseidon]-[0]-[✓]-[~]
└─› cat /etc/hostname.iwn0 
nwid ** wpakey **
up
[snip]

[snip]
┌──[just22@poseidon]-[0]-[✓]-[~]
└─› cat /etc/hostname.trunk0 
trunkproto failover
trunkport  em0
trunkport  iwn0
dhcp
[snip]

For dmesg, see [0]

Starting from "some" snapshots ago (I don't remember which one was the
last fully functional, but for sure the problem began last week of Sep)
dhclient(8) is unable to find any valid lease offers during startup
when iwn0 i/f is active (no problem when I connect my Ethernet card
instead).

Mind that after a few minutes the problem disappears:

[snip]
┌──[just22@poseidon]-[0]-[✓]-[~]
└─› sudo sh /etc/netstart
ifconfig: SIOCSTRUNKPORT: Device busy
ifconfig: SIOCSTRUNKPORT: Device busy
DHCPREQUEST on trunk0 to 255.255.255.255
DHCPACK from 192.168.1.10 (00:14:22:e1:0b:05)
bound to 192.168.1.13 -- renewal in 21600 seconds.
[snip]

so it seems that the wifi adapter needs a bunch of time to become
functional...

Does it make any sense? Please point me in the right direction for
starting the debug: I'm really out of ideas, even because I didn't find
anything suspect in log files.

Thanks in advance for your time

All the best

[0]
OpenBSD 5.8-current (GENERIC.MP) #1417: Sat Oct  3 23:33:39 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3177906176 (3030MB)
avail mem = 3077533696 (2934MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (73 entries)
bios0: vendor LENOVO version "7LETD0WW (2.30 )" date 02/27/2012
bios0: LENOVO 7735WX2
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET BOOT ASF! SSDT SSDT SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) LURT(S3) DURT(S3) IGBE(S4) EXP0(S4) EXP1(S4) EXP2(S4) EXP3(S4) EXP4(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU T8100 @ 2.10GHz, 798.20 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 3MB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2.1.3, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU T8100 @ 2.10GHz, 798.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 3MB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 2, remapped to apid 1
acpimcfg0 at acpi0 addr 0xf000, bus 0-63

Re: /bsd: em0: watchdog timeout -- resetting

2015-10-04 Thread Stuart Henderson
On 2015-10-02, Gregor Best  wrote:
> Looks similar for my machine, em0 works for a short time and then
> timeouts. `ifconfig em0 up` seems to hang though.

I'm hoping it isn't this, but please try backing out the last commits to
if_em.c and if_em.h ("cd /sys/dev/pci; cvs up -D 2015/09/29 if_em*") to
see if it makes a difference.



Re: /bsd: em0: watchdog timeout -- resetting

2015-10-04 Thread Josh Grosse
On Fri, Oct 02, 2015 at 09:09:37PM -0700, Scott Vanderbilt wrote:
> On 10/2/2015 8:32 AM, Gregor Best wrote:
> >Looks similar for my machine, em0 works for a short time and then
> >timeouts. `ifconfig em0 up` seems to hang though.

I had the same issue after updating from a September 22 snapshot.  

This appears to possibly be related to the September 30 em(4) updates
for MP support.  I reverted src/sys/dev/pci/{if_em.c,if_em.h} to 1.305
and 1.57, respectively, and I can no longer reproduce the problem.



Re: Openbsd 5.7 and usb hubs daisy chained inquiry

2015-10-04 Thread Stefan Sperling
On Sun, Oct 04, 2015 at 08:41:23PM +0200, ludovic coues wrote:
> 2015-10-04 4:49 GMT+02:00 Danny Nguyen :
> > Hi,
> >
> > I'm running Openbsd 5.7 on several servers and would like to create an
> > array of usb sticks by daisy chaining sabrent usb hubs together (model:
> > HB-U14P). Is this compatible ( I'd be happy to mail in samples if someone
> > was interested in adding this functionality to Openbsd for additional
> > privacy). Also, how would a newcomer to OpenBSD ( installed 5.7 via cd and
> > still working on dmesg and subnet and gateway configurations) go about
> > learning how to configure such a setup? Any recommendations on which man
> > pages or resources to read and experiment with?
> >
> > Cheers,
> >
> > Danny
> >
> >
> > --
> > danny nguyen
> > linkedIn 
> >
> 
> It should work fine.
> Simply plug your USB hub in and the device should show up.

Many hubs can draw power only from their USB host. Do not chain those.
Make sure every chained hub is self-powered. Else you might see very
strange behaviour from some devices plugged into hubs behind hubs.
Our USB stack seems to have issues managing power across cascaded buses.

I have a long USB cable (a single-port hub) and plug a 4-port hub in there,
which in turn is used to connect USB input devices. If the 4-port hub's
own power supply is not plugged then the keyboard will sometimes repeat
key presses forever and the mouse will randomly stop working.
And game pads will ruin perfect runs of super mario by dropping out
at the most inconvenient of moments.
Save yourself from frustration and use actively powered hubs.



Re: Openbsd 5.7 and usb hubs daisy chained inquiry

2015-10-04 Thread ludovic coues
2015-10-04 4:49 GMT+02:00 Danny Nguyen :
> Hi,
>
> I'm running Openbsd 5.7 on several servers and would like to create an
> array of usb sticks by daisy chaining sabrent usb hubs together (model:
> HB-U14P). Is this compatible ( I'd be happy to mail in samples if someone
> was interested in adding this functionality to Openbsd for additional
> privacy). Also, how would a newcomer to OpenBSD ( installed 5.7 via cd and
> still working on dmesg and subnet and gateway configurations) go about
> learning how to configure such a setup? Any recommendations on which man
> pages or resources to read and experiment with?
>
> Cheers,
>
> Danny
>
>
> --
> danny nguyen
> linkedIn 
>

It should work fine.
Simply plug your USB hub in and the device should show up.

-- 

Cordialement, Coues Ludovic
+336 148 743 42



Re: broken bsd.rd build on amd64?

2015-10-04 Thread Theo de Raadt
> cc -static -L.  -nopie -o instbin instbin.o dd.lo mount_cd9660.lo md5.lo
> df.lo mount.lo mount_ext2fs.lo arch.lo sync.lo restore.lo stty.lo ln.lo
> disklabel.lo pax.lo ping.lo cat.lo ifconfig.lo ls.lo ping6.lo sysctl.lo
> date.lo kbd.lo fdisk.lo mount_msdos.lo grep.lo umount.lo mount_udf.lo
> fsck.lo more.lo signify.lo mknod.lo pwd_mkdb.lo installboot.lo route.lo
> ftp.lo dhclient.lo reboot.lo mount_ffs.lo ed.lo cp.lo gzip.lo chmod.lo
> chroot.lo fsck_ffs.lo init.lo newfs.lo rm.lo mt.lo mkdir.lo sed.lo ksh.lo
> bioctl.lo encrypt.lo sleep.lo mv.lo dmesg.lo hostname.lo -L/usr/lib
> -L/usr/src/distrib/special/libstubs -lstubs -lutil -locurses -lm -lc
> ksh.lo: In function `getspec':
> var.c:(.text+0x1da39): warning: warning: rand() may return deterministic
> values, is that what you want?
> /usr/src/distrib/special/libstubs/libstubs.a(res_send_async.o): In function
> `udp_recv':
> /usr/src/distrib/special/libstubs/../../../lib/libc/asr/res_send_async.c:459:
> undefined reference to `_libc_recv'
> collect2: ld returned 1 exit status
> *** Error 1 in . (instbin.mk:22 'instbin')
> *** Error 1 in /usr/src/distrib/amd64/ramdisk_cd
> (../common/Makefile.inc:129 'instbin')

I believe you compiled an intermediate tree.



OpenBGPd SNMP

2015-10-04 Thread Mike Hammett
Are there any packages out there that expose OpenBGPd or other OpenBSD 
parameters via SNMP? Would like to check generic health of the system, number 
of routes, number of peers, number of routes per peer, etc. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 



broken bsd.rd build on amd64?

2015-10-04 Thread Amit Kulkarni
cc -static -L.  -nopie -o instbin instbin.o dd.lo mount_cd9660.lo md5.lo
df.lo mount.lo mount_ext2fs.lo arch.lo sync.lo restore.lo stty.lo ln.lo
disklabel.lo pax.lo ping.lo cat.lo ifconfig.lo ls.lo ping6.lo sysctl.lo
date.lo kbd.lo fdisk.lo mount_msdos.lo grep.lo umount.lo mount_udf.lo
fsck.lo more.lo signify.lo mknod.lo pwd_mkdb.lo installboot.lo route.lo
ftp.lo dhclient.lo reboot.lo mount_ffs.lo ed.lo cp.lo gzip.lo chmod.lo
chroot.lo fsck_ffs.lo init.lo newfs.lo rm.lo mt.lo mkdir.lo sed.lo ksh.lo
bioctl.lo encrypt.lo sleep.lo mv.lo dmesg.lo hostname.lo -L/usr/lib
-L/usr/src/distrib/special/libstubs -lstubs -lutil -locurses -lm -lc
ksh.lo: In function `getspec':
var.c:(.text+0x1da39): warning: warning: rand() may return deterministic
values, is that what you want?
/usr/src/distrib/special/libstubs/libstubs.a(res_send_async.o): In function
`udp_recv':
/usr/src/distrib/special/libstubs/../../../lib/libc/asr/res_send_async.c:459:
undefined reference to `_libc_recv'
collect2: ld returned 1 exit status
*** Error 1 in . (instbin.mk:22 'instbin')
*** Error 1 in /usr/src/distrib/amd64/ramdisk_cd
(../common/Makefile.inc:129 'instbin')


Thanks



Re: broken bsd.rd build on amd64?

2015-10-04 Thread Amit Kulkarni
On Sun, Oct 4, 2015 at 2:26 PM, Theo de Raadt wrote:

> > cc -static -L.  -nopie -o instbin instbin.o dd.lo mount_cd9660.lo md5.lo
> > df.lo mount.lo mount_ext2fs.lo arch.lo sync.lo restore.lo stty.lo ln.lo
> > disklabel.lo pax.lo ping.lo cat.lo ifconfig.lo ls.lo ping6.lo sysctl.lo
> > date.lo kbd.lo fdisk.lo mount_msdos.lo grep.lo umount.lo mount_udf.lo
> > fsck.lo more.lo signify.lo mknod.lo pwd_mkdb.lo installboot.lo route.lo
> > ftp.lo dhclient.lo reboot.lo mount_ffs.lo ed.lo cp.lo gzip.lo chmod.lo
> > chroot.lo fsck_ffs.lo init.lo newfs.lo rm.lo mt.lo mkdir.lo sed.lo ksh.lo
> > bioctl.lo encrypt.lo sleep.lo mv.lo dmesg.lo hostname.lo -L/usr/lib
> > -L/usr/src/distrib/special/libstubs -lstubs -lutil -locurses -lm -lc
> > ksh.lo: In function `getspec':
> > var.c:(.text+0x1da39): warning: warning: rand() may return deterministic
> > values, is that what you want?
> > /usr/src/distrib/special/libstubs/libstubs.a(res_send_async.o): In function
> > `udp_recv':
> > /usr/src/distrib/special/libstubs/../../../lib/libc/asr/res_send_async.c:459:
> > undefined reference to `_libc_recv'
> > collect2: ld returned 1 exit status
> > *** Error 1 in . (instbin.mk:22 'instbin')
> > *** Error 1 in /usr/src/distrib/amd64/ramdisk_cd
> > (../common/Makefile.inc:129 'instbin')
>
> I believe you compiled an intermediate tree.
>

Thanks, I will try again in a few hours. Sorry for the noise.



Re: OpenBGPd SNMP

2015-10-04 Thread Raf Czlonka
On Sun, Oct 04, 2015 at 09:59:24PM BST, Mike Hammett wrote:

> Are there any packages out there that expose OpenBGPd or other OpenBSD
> parameters via SNMP? Would like to check generic health of the system,
> number of routes, number of peers, number of routes per peer, etc.

ls /usr/share/snmp/mibs

Raf



Re: httpd and Server Side Includes

2015-10-04 Thread worik
I have been digging a bit to find the correct software to use for a
little website that makes some light use of SSI and I came upon this.  I
have some questions about it

On 07/03/15 08:42, Florian Obser wrote:
> On Fri, Mar 06, 2015 at 07:13:13PM +, Peter Fraser wrote:
>> The web sites that are involved make heavy use of Server Side Includes
>> which the new httpd does not yet have any support. 
> 
> I wouldn't hold my breath. I'm fairly certain that we won't implement
> it.

Why is that?

[snip]

> 
> Seems reasonable. httpd(8) does not try to be the all singing all
> dancing http daemon. Use the right tool for the job. For some jobs
> that might be nginx, for others that might be httpd(8).

What are the sorts of jobs that httpd is the right tool for?  Is it only
serving static HTML?

I have seen some reference to "slow CGI" but my needs and research have
not gone there.  Does httpd support CGI?

cheers
Worik

-- 
Why is the legal status of chardonnay different to that of cannabis?
   worik.stan...@gmail.com 021-1680650, (03) 4821804
  Aotearoa (New Zealand)
 I voted for love

-- 
Why is the legal status of chardonnay different to that of cannabis?
  r...@worik.org 021-1680650, (03) 4821804
  Aotearoa (New Zealand)
 I voted for love



disklabel fs types, where can I find the whole list of supported types?

2015-10-04 Thread Mikael
Hi,

Where can I see a complete list of disklabel fs types?

It must be documented somewhere, but I can't find it either in the
"disklabel" tool itself or in its man pages.

In disklabel's "a" command, typing "?" is interpreted as invalid input, and
typing "help" is interpreted as choosing the fs type "unknown".

Thanks,
Mikael