Re: Relayd TLS client mode CA verification

2016-03-25 Thread trondd
On Fri, March 25, 2016 10:59 am, trondd wrote:
> On Fri, March 25, 2016 7:15 am, Lampshade wrote:
>>
>> #tls ca file "/etc/ssl/cert.pem"
>>
>> ca_engine_init: using RSA privsep engine
>> relay_launch: running relay connect_to_mail_wp
>> relay_launch: running relay connect_to_mail_wp
>> relay_launch: running relay connect_to_mail_wp
>> relay connect_to_mail_wp, tls session 1 connected (1 active)
>> relay connect_to_mail_wp, session 1 (1 active), 0, 127.0.0.1 ->
>> 212.77.101.140:993, done
>>
>> ***
>>
>> tls ca file "/etc/ssl/cert.pem"
>>
>> relay_load_certfiles: using ca /etc/ssl/cert.pem
>>
>> ca_engine_init: using RSA privsep engine
>>
>
> I can confirm that 'ca file' doesn't seem to be working correctly.  I have
> a TLS server and client relay for web traffic.  Without 'ca file' defined,
> I can connect and get relayed through to the backend service.  With 'ca
> file' defined, I can't even complete a connection to relayd.  The initial
> TCP connection happens then it hangs there.  Confirmed via s_client and
> tcpdump.
>
> I'll need to replicate this at home to be able to get more info.
>
> Tim.
>

Started digging into the code.  Definitely a bug somewhere.  When "ca
file" is defined, the relay is never added to the rlay TAILQ and so never
gets started up.  Not sure why, yet.  I'm working backwards through the code.
I'll send a report to bugs if you don't.  Someone who knows the code can
probably find this much more quickly than I can (if I can at all).

Tim.



Re: RS232 Mini PCI Express Serial Card

2016-03-25 Thread Nick Holland
On 03/25/16 12:17, w...@wootsie.com wrote:
...
> Would utilize it for the main console.
...
THAT's a problem.  Work as a serial port, probably.  Console?  Probably NOT.

man 4 puc says:
     BUGS
     The current design of this driver keeps any com ports on these
     cards from easily being used as console.  Of course, because
     boards with those are PCI boards, they also suffer from dynamic
     address assignment, which also means that they can't easily be
     used as console.

Console ports are generally preferred to be something that doesn't move
around, and really nice if you can know what it is before booting.

And almost certainly, your system BIOS would not redirect to it, either.

Nick.



Octeon - Rhino Labs SDNA

2016-03-25 Thread Chris Jones

Good evening,

Just wondering if any of the OpenBSD devs on the list could provide any 
feedback about these network appliances based on the Octeon III 7xxx 
processors. Are these devices something that may be supported with the 
current Octeon port?


http://www.rhinolabsinc.com/category/network-appliances/

Cheers,
-Chris



Re: httpd slowcgi permission advice

2016-03-25 Thread Alexander Hall
On March 25, 2016 9:00:51 PM GMT+01:00, Byron Klippert wrote:
>That's it, thanks Tim.
>
>For the record I've got `permit nopass www as root cmd /sbin/pfctl' in

Unless you want the web server to have full control over pf, you really should
add the args directive to the doas rule too.

>doas.conf and the script calls `printf "`doas /sbin/pfctl -sr`"'.

Using printf like that without a format string is very bad practice. Rather, 

  printf '%s' "$(doas pfctl -sr)"

With ksh however, I'd use builtins:

  print -r -- "$(doas pfctl -sr)"

Both of which, by the way, are a totally pointless way of just doing

  doas pfctl -sr

>
>Seems to work.

That's a good start, but maybe shouldn't be the sole basis for considering the 
task done.

/Alexander

>
>
>On Fri, Mar 25, 2016, at 12:31, Tim van der Molen wrote:
>> Byron Klippert (2016-03-25 18:37 +0100):
>> > CGI script:
>> > #!/bin/ksh
>> > printf "Content-type: text/html\n\n"
>> > printf "Hello!\n"
>> > printf "\n"
>> > printf "`doas pfctl -sr`"
>> >  
>> > 
>> > doas.conf:
>> > permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
>> > permit nopass www as root cmd /sbin/pfctl
>> > ^
>> > 
>> > httpd debug output:
>> > doas:
>> > Operation not permitted
>> 
>> You have "/sbin/pfctl" in doas.conf, so you should do "doas
>/sbin/pfctl"
>> rather than "doas pfctl".
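The format-string point above is easy to see with a round trip. This is an added example, not code from the thread; the rule text is constructed here, and the doas.conf rule in the comment restricts www to the single `pfctl -sr` invocation as suggested.

```sh
#!/bin/sh
# Added example, not from the thread. Shows why
#   printf "`doas /sbin/pfctl -sr`"
# is unsafe: the command output becomes printf's format string, so any
# '%' or '\' sequence in a rule (labels are free text) is interpreted.

# Unsafe form from the thread: data used as the format string.
unsafe_print() {
    # shellcheck disable=SC2059
    # (the warning shellcheck gives here is exactly the bug shown)
    printf "$1"
}

# Safe form: a fixed format string, the data passed as an argument.
safe_print() {
    printf '%s' "$1"
}

# Simplest form, as the thread notes: let pfctl write to stdout itself.
# The matching doas.conf rule, restricted to this one command line:
#   permit nopass www as root cmd /sbin/pfctl args -sr
pf_rules() {
    doas /sbin/pfctl -sr
}

# Constructed sample rule text (not real pfctl output): a label holding a
# percent sign and a literal backslash-n, both harmless as data.
SAMPLE='pass in quick on em0 proto tcp to port 80 label "hits 100% done\n"'

# Returns 0 when the function named in $1 prints SAMPLE unchanged,
# 1 when the text was mangled on the way through printf.
roundtrip_ok() {
    [ "$("$1" "$SAMPLE")" = "$SAMPLE" ]
}

if [ "${1:-}" = demo ]; then
    printf 'unsafe: '; unsafe_print "$SAMPLE"; echo
    printf 'safe:   '; safe_print "$SAMPLE"; echo
fi
```

Run with `demo` as the argument to see the mangled and the intact line side by side.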



Re: Post pkg_delete messages, change message format?

2016-03-25 Thread dan mclaughlin
On Fri, 25 Mar 2016 12:47:01 -0500 Chris Bennett wrote:
> After I delete packages, especially pkg_delete -X, I get a long list of
> instructions like:
> 
> 
> -2.1.3 ---
> You should also run rm -rf /etc/cups/*.conf.O /var/log/cups
> You should also run rm -rf /var/cache/cups
> You should also run rm -rf /var/spool/cups
> --- -cups-pdf-2.6.1p0 ---
> You should also run rm -rf /var/spool/cups-pdf/
> --- -dbus-1.10.8v0 ---
> Remember to update /var/db/dbus/machine-id
> Remember to update /etc/machine-id
> --- -dconf-0.24.0p1 ---
> You should also run rm -rf /etc/dconf/db/*
> You should also run rm -rf /etc/dconf/profile/*
> --- -foo2zjs-20140627p1 ---
> You should also run rm -f /usr/local/share/foo2hbpl/icm/*
> You should also run rm -f /usr/local/share/foo2hiperc/icm/*
> You should also run rm -f /usr/local/share/foo2hp/icm/*
> You should also run rm -f /usr/local/share/foo2lava/icm/*
> You should also run rm -f /usr/local/share/foo2oak/icm/*
> You should also run rm -f /usr/local/share/foo2qpdl/icm/*
> You should also run rm -f /usr/local/share/foo2slx/icm/*
> You should also run rm -f /usr/local/share/foo2xqx/firmware/*
> You should also run rm -f /usr/local/share/foo2zjs/firmware/*
> You should also run rm -f /usr/local/share/foo2zjs/icm/*
> --- -hplip-3.16.2 ---
> You should also run rm -rf /usr/local/share/hplip/data/firmware
> You should also run rm -rf /usr/local/share/hplip/data/plugins
> You should also run rm -rf /usr/local/share/hplip/fax/plugins
> You should also run rm -rf /usr/local/share/hplip/prnt/plugins
> You should also run rm -rf /usr/local/share/hplip/scan/plugins
> You should also run rm -f /usr/local/share/hplip/plugin.spec
> --- -hplip-common-3.16.2 ---
> You should also run rm -rf /var/log/hp/tmp/*
> You should also run rm -f /var/log/hp/* 2>/dev/null || true
> --- -net-snmp-5.7.3p6 ---
> You should also run rm -rf /var/net-snmp/*
> --- -sane-backends-1.0.25p2 ---
> You should also run rm -rf /var/spool/lock/sane/*
> 
> With this format, I have to copy/paste each rm -rf, groupdel, etc by hand.
> Could these messages be changed to something easier to use like:
> 
> 
> --- -hplip-3.16.2 ---
> You should also run
> rm -rf /usr/local/share/hplip/data/firmware
> rm -rf /usr/local/share/hplip/data/plugins
> rm -rf /usr/local/share/hplip/fax/plugins
> rm -rf /usr/local/share/hplip/prnt/plugins
> rm -rf /usr/local/share/hplip/scan/plugins
> rm -f /usr/local/share/hplip/plugin.spec
> 
> This would make these commands very simple to run.
> 
> Chris Bennett
> 

the magic of unix; you can work around this with some sed.

# pkg_delete -X 2>&1 | tee you_should
# sed -n 's/^You should also run //p' you_should >also_run
# cat also_run #to verify
# ksh ./also_run

alternately, as non-root

$ doas pkg_delete -X 2>&1 | tee you_should
$ sed -n 's/^You should also run /doas /p' you_should >also_run
$ cat also_run
$ ksh ./also_run

the above would allow doas to log each command.

you could also make this into a script

pkg_scrub:
#!/bin/ksh
# collect the "You should also run ..." lines printed by pkg_delete and
# offer to run them through doas (so each command gets logged) after review
tmp=${TMPDIR:-/tmp}
raw=$tmp/$$.you_should
cooked=$tmp/$$.also_run

if [[ "$1" = all ]];then
  doas pkg_delete -X 2>&1 | tee "$raw"
else
  doas pkg_delete "$@" 2>&1 | tee "$raw"
fi
sed -n 's/^You should also run /doas /p' "$raw" >"$cooked"
rm -f "$raw"
if [ ! -s "$cooked" ];then
  # nothing left to run
  rm -f "$cooked"
  exit 0
fi
cat "$cooked"
# ksh read(1) with an inline prompt
read run?"run these commands? [type 'Yes' to confirm] "
if [[ "$run" = Yes ]];then
  ksh "$cooked"
  rm -f "$cooked"
else
  echo "not running commands, saved in $cooked"
fi


i didn't properly test this, but you would use this like
$ pkg_scrub all
or
$ pkg_scrub pkg1 pkg2 ...



Re: httpd slowcgi permission advice

2016-03-25 Thread Byron Klippert
That's it, thanks Tim.

For the record I've got `permit nopass www as root cmd /sbin/pfctl' in
doas.conf and the script calls `printf "`doas /sbin/pfctl -sr`"'.

Seems to work.


On Fri, Mar 25, 2016, at 12:31, Tim van der Molen wrote:
> Byron Klippert (2016-03-25 18:37 +0100):
> > CGI script:
> > #!/bin/ksh
> > printf "Content-type: text/html\n\n"
> > printf "Hello!\n"
> > printf "\n"
> > printf "`doas pfctl -sr`"
> >  
> > 
> > doas.conf:
> > permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
> > permit nopass www as root cmd /sbin/pfctl
> > ^
> > 
> > httpd debug output:
> > doas:
> > Operation not permitted
> 
> You have "/sbin/pfctl" in doas.conf, so you should do "doas /sbin/pfctl"
> rather than "doas pfctl".


-- 
Byron Klippert  
  byronklipp...@ml1.net
  c. 867-336-1306



Re: httpd slowcgi permission advice

2016-03-25 Thread Tim van der Molen
Byron Klippert (2016-03-25 18:37 +0100):
> CGI script:
> #!/bin/ksh
> printf "Content-type: text/html\n\n"
> printf "Hello!\n"
> printf "\n"
> printf "`doas pfctl -sr`"
>  
> 
> doas.conf:
> permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
> permit nopass www as root cmd /sbin/pfctl
> ^
> 
> httpd debug output:
> doas:
> Operation not permitted

You have "/sbin/pfctl" in doas.conf, so you should do "doas /sbin/pfctl"
rather than "doas pfctl".



Re: RS232 Mini PCI Express Serial Card

2016-03-25 Thread Brandon Vincent
On Fri, Mar 25, 2016 at 9:17 AM,   wrote:
> I do not have one to test, so before purchasing I thought I would ask about
> it or experience with something like it.

Don't own one, but it is supported by puc(4) in 5.8.

Brandon Vincent



httpd slowcgi permission advice

2016-03-25 Thread Byron Klippert
Hello,

Running March 10 snapshot, I've got httpd set up with slowcgi happily
churning out scripts. However, I've run into a permissions issue trying
to run /sbin/pfctl from within a script.


Default permissions on /dev/pf...
alix:/home/admin $ ls -lh /dev/pf
crw---  1 root  wheel   73,   0 Mar 11 15:03 /dev/pf


CGI script:
#!/bin/ksh
printf "Content-type: text/html\n\n"
printf "Hello!\n"
printf "\n"
printf "`pfctl -sr`"

doas.conf:
permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel

httpd debug output:
pfctl:
/dev/pf: Permission denied

captive_user 10.0.0.56 - - [25/Mar/2016:09:56:22 -0700] "GET
/cgi-bin/test.cgi HTTP/1.1" 200 0



When script and doas.conf are set up as below, the httpd output is
slightly different.

CGI script:
#!/bin/ksh
printf "Content-type: text/html\n\n"
printf "Hello!\n"
printf "\n"
printf "`doas pfctl -sr`"
 

doas.conf:
permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
permit nopass www as root cmd /sbin/pfctl
^

httpd debug output:
doas:
Operation not permitted

captive_user 10.0.0.56 - - [25/Mar/2016:10:06:59 -0700] "GET
/cgi-bin/test.cgi HTTP/1.1" 200 0



Short of changing permissions on /dev/pf am I missing something with
doas?


dmesg output:
OpenBSD 5.9-current (GENERIC) #1584: Thu Mar 10 21:02:23 MST 2016
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD"
586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem  = 267931648 (255MB)
avail mem = 250359808 (238MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
mtrr: K6-family MTRR support (2 registers)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
...snip


Any help is appreciated.


Regards,

-- 
Byron Klippert  
  byronklipp...@ml1.net
  c. 867-336-1306



OT:Re: www.openbsd.org/cgi-bin/man.cgi

2016-03-25 Thread noah pugsley
I gotta go with Gilles here. Can't expect people to figure out how to load
a container! Gotta be a service.

The recent left pad debacle in Node.js offers sage lessons:

http://left-pad.io/

"[ASCII-art banner]

Welcome to left-pad.io!

## History

On March 22nd 2016, a terrible tragedy befell the Node.JS community. A
popular microframework for robust string expansion, `left-pad`, was removed
from npmjs.com.

This resulted in broken deploys worldwide, a sudden and complete inability to
appropriately zero-pad the fractional real cent value of many stock options,
and untold billions of dollars in economic damage to the still nascent startup
ecosystem of String Manipulation as a Service.

## A microservice saviour appears

In order to prevent such a terrible tragedy from occurring ever again during
our lifetimes, `left-pad.io` has been created to provide all the functionality
of `left-pad` AND the overhead of a TLS handshake and an HTTP request.

Less code is better code, leave the heavy lifting to `left-pad.io`, The String
Experts™.

## How do I make use of left-pad.io?

Simple! Just make a request to `https://api.left-pad.io`:

```
$ curl 'https://api.left-pad.io/?str=paddin%27%20oswalt&len=68&ch=@'
{"str":"@@paddin' oswalt"}
```

The query parameter names `str`, `len`, and `ch` match the argument names of
our fallen comrade in left-stringist thought, `leftpad()`. May the Developer
Happiness achieved forever commemorate its sacrifice.

`left-pad.io` is 100% REST-compliant as defined by some guy on Hacker News with
maximal opinions and minimal evidence.

## Are there any limits?

Padding and the input string are limited to 1024 characters in the free
version, because we have to monetize to have enough runway to launch
`right-pad.io` in Q3 2017.

## Can I buy an enterprise license?

Yes. Email r...@left-pad.io with your account and ABA routing numbers.

## Who?

2016 JavaScript Hero candidate @gabrielgironda."


On Fri, Mar 25, 2016 at 8:24 AM, Bob Beck  wrote:

> Now now, we can be more hipster than that.. a docker image that runs
> the man command for you after downloading
> all the openbsd man pages as a dependency - you can just deploy it
> automatically with vagrant and run it in AWS.. etc.
>
> After all, isn't there no simple command that can't be made better by
> installing an os image someone else built to run?
>
>
>
>
> On Fri, Mar 25, 2016 at 8:45 AM, Ingo Schwarze  wrote:
> > Hi Gilles,
> >
> > Gilles Chehade wrote on Fri, Mar 25, 2016 at 03:34:02PM +0100:
> >
> >> maybe we could provide MaaS (man as a service, copyright eric@)
> >>
> >> if user issues `man` and the man page is not found locally, man
> >> would transparently ssh to gu...@man.openbsd.org ?
> >
> > Hilarious on so many levels...  :-D
> >   Ingo



RS232 Mini PCI Express Serial Card

2016-03-25 Thread wrh
Hello,

Can anyone confirm this device works with OpenBSD 5.8 or higher:

https://www.startech.com/Cards-Adapters/Serial-Cards-Adapters/2-Port-RS232-Mini-PCI-Express-Serial-Card-16950-UART~MPEX2S952

I do not have one to test, so before purchasing I thought I would ask about
it or experience with something like it.

Would utilize it for the main console.


thank you.
-Bill



Re: L2TP/IPSec via npppd won't work with Android 5.x

2016-03-25 Thread Sly Midnight
Hello,

I don't mean to bring up an old thread, but I was wondering if anyone
else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
(preferably the version on the Nexus line of devices) connecting to
ipsec/l2tp.

I had this working late last year some time and hadn't used it in a few
months.  When I went to use it again a few days ago it didn't work at
all.  After rebooting my phone and even trying it on my tablet that
coincidentally runs the exact same version of stock Android 6.0.1, it
too didn't work there.

I have confirmed some interesting behavior.

First if I tweak the ipsec.conf stanza to something like:

> ike passive esp transport \
> proto udp from X.X.X.X to any port 1701 \
> main auth "hmac-sha2-256" enc "aes-256" group "modp1024" \
> quick auth "hmac-sha2-s256" enc "aes-256" group "modp1024" \
> psk "redacted"
It creates an IPSEC SA and flow as shown by ipsecctl -s all, but npppd
never sees a connection attempt and tcpdumping enc0 shows no traffic and
ultimately the connection fails.

If I modify it to hmac-md5, aes, modp2048 I can get my Chromebook with
latest updates to connect successfully.
If I modify it to hmac-sha2-256, aes-256, modp2048 I can get an iPhone
with iOS 9.3 to connect successfully.
If I modify it to hmac-sha, aes, modp2048 I can get a Windows 10 box to
connect successfully.

If I restore it to hmac-sha1, aes, modp1024 I can get an older Android
tablet (one of my kid's) to connect successfully.

What else can I do to troubleshoot this?  Because I signed up to a free
1 day trial of some Internet based VPN provider and was successfully
able to connect to their IPSEC/L2TP VPN using my Android phone so I know
it works.  It must just be a recent change in Android (or during the
OpenBSD 5.7->5.8 update) that is causing this incompatibility that makes
it almost work.  Any help would be greatly appreciated.

Sly

On 02/22/2016 07:48 AM, Stefan Krueger wrote:
> In mailing.openbsd.misc, you wrote:
>> Hi, everyone:
>>
>> [...]
>>
>> But the android devices I had won't work by all means. I found out that
>> Android 5.x
>> L2TP/IPSec VPN client works in:
>> hash algorithm: hmac-sha2-256
>> encrypt method: aes_cbc
>> life time: 28800
>>
>> The ipsec.conf with:
>> ``
>> ike passive esp tunnel \
>>  from "IP_ADDRESS" to any \
>>  main auth "hmac-sha2-256" enc "aes" group "modp1024" lifetime 2880\
>>  quick group "modp1024" \
>>  psk "SECRET_KEY"
>> '' didn't make a change.(after `ipsecctl -f /etc/ipsec.conf`)
> Hi,
>
> the following config worked for me when I was using it (with npppd)
> last year (dumped it since I couldn't find a way to use it with iOS
> and Android at the same time):
>
> /etc/ipsec.conf
> public_ip = "x.y.z.a"
>
> ike passive esp transport \
> proto udp from $public_ip to any port l2tp \
> aggressive auth "hmac-sha1" enc "aes" group modp1024 \
> psk "XXX"
>
> IIRC Android required the use of "aggressive auth" where iOS only worked
> with the default "main auth"...



Re: Relayd TLS client mode CA verification

2016-03-25 Thread trondd
On Fri, March 25, 2016 7:15 am, Lampshade wrote:
> When it works fine, but without certificate verification:
>
> $ cat /etc/relayd.conf
> tcp protocol proto_wp {
> #tls ca file "/etc/ssl/cert.pem"
> tls tlsv1.1
> pass
> }
>
> relay connect_to_mail_wp {
> protocol proto_wp
> listen on 127.0.0.1 port 
> forward with tls to imap.wp.pl port 993
> }
> # relayd -d -vvv -f /etc/relayd.conf
> startup
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> relay_privinit: adding relay connect_to_mail_wp
> protocol 1: name proto_wp
> flags: used, relay flags: tls client
> tls flags: tlsv1.1, tlsv1.2, cipher-server-preference,
> client-renegotiation
> type: tcp
> pass request
> ca_engine_init: using RSA privsep engine
> socket_rlimit: max open files 1024
> ca_engine_init: using RSA privsep engine
> ca_engine_init: using RSA privsep engine
> ca_engine_init: using RSA privsep engine
> relay_launch: running relay connect_to_mail_wp
> relay_launch: running relay connect_to_mail_wp
> relay_launch: running relay connect_to_mail_wp
> relay connect_to_mail_wp, tls session 1 connected (1 active)
> relay connect_to_mail_wp, session 1 (1 active), 0, 127.0.0.1 ->
> 212.77.101.140:993, done
>
> ***
>
> When if fails:
>
> $ cat /etc/relayd.conf
> tcp protocol proto_wp {
> tls ca file "/etc/ssl/cert.pem"
> tls tlsv1.1
> pass
> }
>
> relay connect_to_mail_wp {
> protocol proto_wp
> listen on 127.0.0.1 port 
> forward with tls to imap.wp.pl port 993
> }
> # relayd -d -vvv -f /etc/relayd.conf
> startup
> socket_rlimit: max open files 1024
> relay_load_certfiles: using ca /etc/ssl/cert.pem
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> relay_privinit: adding relay connect_to_mail_wp
> protocol 1: name proto_wp
> flags: used, relay flags: tls client
> tls flags: tlsv1.1, tlsv1.2, cipher-server-preference,
> client-renegotiation
> type: tcp
> pass request
> ca_engine_init: using RSA privsep engine
> ca_engine_init: using RSA privsep engine
> ca_engine_init: using RSA privsep engine
> ca_engine_init: using RSA privsep engine
>

I can confirm that 'ca file' doesn't seem to be working correctly.  I have
a TLS server and client relay for web traffic.  Without 'ca file' defined,
I can connect and get relayed through to the backend service.  With 'ca
file' defined, I can't even complete a connection to relayd.  The initial
TCP connection happens then it hangs there.  Confirmed via s_client and
tcpdump.

I'll need to replicate this at home to be able to get more info.

Tim.



Re: Relayd TLS client mode CA verification

2016-03-25 Thread Lampshade
When it works fine, but without certificate verification:

$ cat /etc/relayd.conf
tcp protocol proto_wp {
#tls ca file "/etc/ssl/cert.pem"
tls tlsv1.1
pass
}

relay connect_to_mail_wp {
protocol proto_wp
listen on 127.0.0.1 port 
forward with tls to imap.wp.pl port 993
}
# relayd -d -vvv -f /etc/relayd.conf
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_privinit: adding relay connect_to_mail_wp
protocol 1: name proto_wp
flags: used, relay flags: tls client
tls flags: tlsv1.1, tlsv1.2, cipher-server-preference,
client-renegotiation
type: tcp
pass request 
ca_engine_init: using RSA privsep engine
socket_rlimit: max open files 1024
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
relay_launch: running relay connect_to_mail_wp
relay_launch: running relay connect_to_mail_wp
relay_launch: running relay connect_to_mail_wp
relay connect_to_mail_wp, tls session 1 connected (1 active)
relay connect_to_mail_wp, session 1 (1 active), 0, 127.0.0.1 ->
212.77.101.140:993, done

***

When if fails:

$ cat /etc/relayd.conf
tcp protocol proto_wp {
tls ca file "/etc/ssl/cert.pem"
tls tlsv1.1
pass
}

relay connect_to_mail_wp {
protocol proto_wp
listen on 127.0.0.1 port 
forward with tls to imap.wp.pl port 993
}
# relayd -d -vvv -f /etc/relayd.conf
startup
socket_rlimit: max open files 1024
relay_load_certfiles: using ca /etc/ssl/cert.pem
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_privinit: adding relay connect_to_mail_wp
protocol 1: name proto_wp
flags: used, relay flags: tls client
tls flags: tlsv1.1, tlsv1.2, cipher-server-preference,
client-renegotiation
type: tcp
pass request 
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine



Re: Firefox's trouble on snapshot #1960

2016-03-25 Thread Mihai Popescu
> That's how we get from clip-clop-clip-clop to wroom-wroom.


I am running this:
OpenBSD 5.9-current (GENERIC.MP) #1958: Wed Mar 23 23:29:16 MDT 2016

I was using chromium, but it has those startup errors followed by core
files. Firefox was slow and I said I can hold slow movements of
firefox rather than startup errors from chromium. I was looking again
on other options, but I installed a snapshot and firefox yesterday.

Firefox is a lot faster, even faster than chromium. I don't know what
you guys did, or maybe the original developers of firefox, but the
thing is much much faster now. I see you are perfecting again, I
wonder and I will test how much speed we will gain on this browser.
Since I'm running an older snapshot than the OP, I don't have any issue
other than firefox surprising me at every page load.

Thank you.



Re: Gogs PostgreSQL

2016-03-25 Thread Markus Hennecke

On 25.03.2016 at 02:45, Predrag Punosevac wrote:

> Hi Misc,
>
> Is anybody running Gogs
>
> https://gogs.io/
>
> in production on OpenBSD using PostgreSQL as a backend. Any chance to
> share the installation/configuration notes with me?
>
> Predrag

Just compile it using the documentation. You don't have to set $GOROOT. 
OpenBSD has the go files in the path already under /usr/local/bin


I mimicked the binary tar balls and copied all the files in there to my
installation location: the directories public, scripts and templates and
the README and LICENSE files plus the gogs binary.


You want to set up a git user account if that is not already
available. Set it up with a valid shell so that only public key
authentication is allowed and let gogs handle all the SSH keys. In that
way no user will get a login shell when connecting via SSH.


Setup a user and database in postgresql, I did that with user and 
database name gogs.

Make the gogs user the owner of the gogs database and set a password.
Then on the installation page enter the username, password and database 
name and you should be set. Gogs will create all tables in the database 
during install.


Gogs listens on 0.0.0.0 by default, so I added the entry
HTTP_ADDR = 127.0.0.1 in the server section of the app.ini file and set up
nginx to be a reverse proxy -> location /gogs/ { proxy_pass
http://127.0.0.1:3000/; }, remember to adjust the ROOT_URL entry to
match the nginx configuration.


I wrote a little rc.d script to start it using nohup, it has to be run as
the git user account:

#! /bin/sh
# rc.d script for gogs; starts the daemon as the git user via su(1)

user="git"
daemon="/home/${user}/gogs/gogs"
daemon_flags="web"

. /etc/rc.d/rc.subr

rc_reload=NO

# match on the full command line so only this instance is found
rc_check() {
	pkill -0 -f "${daemon} ${daemon_flags}"
}

rc_stop() {
	pkill -f "${daemon} ${daemon_flags}"
}

# "-c daemon" selects the daemon login class; the trailing -c is handed
# to the git user's shell as the command to run
rc_start() {
	nohup su -l -c daemon ${user} -c "${daemon} ${daemon_flags}" >/dev/null 2>&1 &
}

rc_cmd $1


HTH
Markus



Re: Firefox's trouble on snapshot #1960

2016-03-25 Thread Raf Czlonka
On Fri, Mar 25, 2016 at 02:50:26AM GMT, Alex Shupikov wrote:
> Hello misc@
> 
> Firefox doesn't run on snapshot.
> 
> shupikov@balamut:~$ uname -a
> OpenBSD balamut.td.kms 5.9 GENERIC.MP#1960 amd64
> 
> shupikov@balamut:~$
> firefox
> XPCOMGlueLoad error for file /usr/local/lib/firefox-45.0.1/libxul.so.63.0:
> Cannot load specified object
> Couldn't load XPCOM.
> 
> shupikov@balamut:~$ firefox-esr
> XPCOMGlueLoad error for file
> /usr/local/lib/firefox-esr-38.7.1/libxul.so.2.0:
> Cannot load specified object
> Couldn't load XPCOM.
> 
> I need help. Thanks for any ideas.

Hi Alex,

For anything ports-related, you may want to check ports@ archives
or even subscribe to the list.

These[0][1] are from yesterday :^)

Regards,

Raf

[0] http://marc.info/?t=14588324908
[1] http://marc.info/?t=14588336348