Re: /usr/sbin/httpd and chunked transfer encoding

2017-05-07 Thread johnw
On 05/08/2017 01:32 PM, Reyk Floeter wrote:
> Hi,
>
> you cannot disable it and this Android client is broken.
>
> "A recipient MUST be able to parse and decode the chunked
> transfer coding."
>
> https://tools.ietf.org/html/rfc7230#section-4.1
>
> Reyk
>
Agreed, this Android client is broken, but is it possible to make the
"chunked transfer coding" optional,
to let people choose to be compatible with a broken client like this one?


I tried to manually disable this feature by editing (I do NOT really know
coding, just trying) the code like below,

Index: server_fcgi.c
===
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.74
diff -u -p -u -r1.74 server_fcgi.c
--- server_fcgi.c21 Jan 2017 11:32:04 -1.74
+++ server_fcgi.c8 May 2017 05:50:05 -
@@ -385,7 +385,8 @@ server_fcgi(struct httpd *env, struct cl
 fcgi_add_stdin(clt, NULL);
 }
 
-if (strcmp(desc->http_version, "HTTP/1.1") == 0) {
+if (strcmp(desc->http_version, "HTTP/1.1") == 0 && \
+strcmp("my-cloud.domain.com", srv_conf->name) != 0) {
 clt->clt_fcgi.chunked = 1;
 } else {
 /* HTTP/1.0 does not support chunked encoding */
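
Review bot: the added condition on the two "+" lines hard-codes the host name "my-cloud.domain.com" into server_fcgi.c, so the exception exists only in this one build and silently stops applying if the server is renamed; if the behaviour is wanted at all, it should come from a per-server configuration setting rather than a strcmp() of srv_conf->name against a string literal. The trailing backslash after "&&" is not needed in C outside a macro definition. With this change an HTTP/1.1 request to that server takes the else branch, which its comment documents as the HTTP/1.0 case, so the comment should be updated and the else branch checked to confirm it still delimits the response correctly for an HTTP/1.1 client.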

And then this broken Android client works normally.

Please help, thanks.




Re: IPv6, sshd, and latest patches?

2017-05-07 Thread Florian Ermisch


On 8 May 2017 04:18:30 CEST, Eric Johnson wrote:
>
>
>On Mon, 8 May 2017, Sterling Archer wrote:
>
>> On Mon, May 8, 2017 at 1:58 AM, Eric Johnson wrote:
>>
>>
>>   Has anyone else had problems with sshd and IPv6 after applying the latest
>>   patches?  It seems to me that the patches disabled the use of IPv6 for
>>   ssh.
>>
>>   When I try to set the IPv6 address I want it to listen to in sshd_config,
>>   sshd fails with the following message:
>>
>>   bad addr or host: 2001:1890:1263:a14:: (no address associated with name)
>>
>>   Using the default sshd_config, ssh is only listening on IPv4 addresses.
>>
>>   Eric Johnson
>>
>>
>> It's working here, fully patched 6.1 system.
>> To make sure it's not because of the :: inet6 address, I tested this, where
>> 2001:: is the /48 my ISP delegates to me:
>>
>> # doas ifconfig em1 inet6 2001::::
>> # doas rcctl restart sshd
>> sshd (ok)
>> sshd (ok)
>> # telnet 2001::::
>> Trying 2001::::...
>> Connected to 2001::::.
>> Escape character is '^]'.
>> SSH-2.0-OpenSSH_7.5
>
>After playing around with it some more, if I use "AddressFamily inet6" in
>sshd_config, then it will do IPv6 okay, but not IPv4.  The problem occurs
>when I don't specify an address family (and so "AddressFamily any" is the
>default) or I use "AddressFamily any".
>
>Eric Johnson

Have you tried putting the IPv6 address
in brackets, i.e. [2001::::]?
Seems to me you manage to confuse
the parser, maybe by trying to specify an
IPv6 address with a port but omitting the
then necessary brackets.

And when setting an explicit IPv6 address
to listen on you have to have an IPv4 ListenAddress, too, if you want your
"AddressFamily any" to matter.

HTH, Florian



Re: /usr/sbin/httpd and chunked transfer encoding

2017-05-07 Thread Reyk Floeter
Hi,

you cannot disable it and this Android client is broken.

"A recipient MUST be able to parse and decode the chunked transfer coding."

https://tools.ietf.org/html/rfc7230#section-4.1

Reyk

> On 08.05.2017 at 03:06, johnw wrote:
>
> Hi, after installing ownCloud/Nextcloud on my OpenBSD,
>
> I noticed the Android client does not support "chunked transfer encoding"
>
> (https://github.com/owncloud/android/issues/1128)
> 
> Is it possible to disable this feature with "/usr/sbin/httpd"?
> 
> Any idea how to solve it?
> 
> Thanks.
> 
> 
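
The requirement quoted from RFC 7230 section 4.1 in the message above, shown as a strict chunked-body decoder in C. This is an added example, not code from httpd or from anyone in this thread; the function name dechunk() and the sample body are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return a pointer to the first CRLF in [p, end), or NULL if there is none. */
static const char *find_crlf(const char *p, const char *end)
{
	for (; end - p >= 2; p++)
		if (p[0] == '\r' && p[1] == '\n')
			return p;
	return NULL;
}

static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/*
 * Decode one chunked body (RFC 7230 section 4.1) from in[0..inlen) into out.
 * Returns the decoded length, or -1 if the body is malformed, truncated or
 * larger than outcap.  On success *consumed is the number of input bytes
 * used, so the caller knows where the next message on the connection starts.
 */
long dechunk(const char *in, size_t inlen, char *out, size_t outcap,
    size_t *consumed)
{
	const char *p = in, *end = in + inlen, *eol;
	size_t outlen = 0;

	for (;;) {
		size_t size = 0;
		int digits = 0, v;

		if ((eol = find_crlf(p, end)) == NULL)
			return -1;	/* size line not terminated by CRLF */
		/* chunk-size = 1*HEXDIG: no sign, no "0x", no whitespace */
		while (p < eol && (v = hexval((unsigned char)*p)) >= 0) {
			if (size > (SIZE_MAX >> 4))
				return -1;	/* size would overflow */
			size = (size << 4) | (size_t)v;
			digits++;
			p++;
		}
		/* only a ";extension" may follow; its content is skipped */
		if (digits == 0 || (p < eol && *p != ';'))
			return -1;
		p = eol + 2;
		if (size == 0)
			break;		/* last-chunk */

		/* chunk-data must be followed by exactly CRLF */
		if ((size_t)(end - p) < size || (size_t)(end - p) - size < 2)
			return -1;
		if (p[size] != '\r' || p[size + 1] != '\n')
			return -1;
		if (outcap - outlen < size)
			return -1;
		memcpy(out + outlen, p, size);
		outlen += size;
		p += size + 2;
	}
	/* trailer-part: skip header fields up to the terminating empty line */
	for (;;) {
		int empty;

		if ((eol = find_crlf(p, end)) == NULL)
			return -1;
		empty = (eol == p);
		p = eol + 2;
		if (empty)
			break;
	}
	*consumed = (size_t)(p - in);
	return (long)outlen;
}

int main(void)
{
	/* Constructed sample: two chunks, then the start of another message. */
	const char body[] = "4\r\nWiki\r\n5;x=1\r\npedia\r\n0\r\n\r\nGET /";
	char out[64];
	size_t used = 0;
	long n = dechunk(body, sizeof(body) - 1, out, sizeof(out), &used);

	printf("decoded=%ld consumed=%zu\n", n, used);
	return n == 9 ? 0 : 1;
}
```

Rejecting bare LF, prefixed or signed sizes and oversized chunk lengths keeps two parsers on the same connection from disagreeing about where a message ends.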


Re: IPv6, sshd, and latest patches?

2017-05-07 Thread Eric Johnson


On Mon, 8 May 2017, Sterling Archer wrote:

> On Mon, May 8, 2017 at 1:58 AM, Eric Johnson wrote:
>
>
>   Has anyone else had problems with sshd and IPv6 after applying the latest
>   patches?  It seems to me that the patches disabled the use of IPv6 for
>   ssh.
>
>   When I try to set the IPv6 address I want it to listen to in sshd_config,
>   sshd fails with the following message:
>
>   bad addr or host: 2001:1890:1263:a14:: (no address associated with name)
>
>   Using the default sshd_config, ssh is only listening on IPv4 addresses.
>
>   Eric Johnson
>
>
> It's working here, fully patched 6.1 system.
> To make sure it's not because of the :: inet6 address, I tested this, where
> 2001:: is the /48 my ISP delegates to me:
>
> # doas ifconfig em1 inet6 2001::::
> # doas rcctl restart sshd
> sshd (ok)
> sshd (ok)
> # telnet 2001::::
> Trying 2001::::...
> Connected to 2001::::.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_7.5

After playing around with it some more, if I use "AddressFamily inet6" in
sshd_config, then it will do IPv6 okay, but not IPv4.  The problem occurs
when I don't specify an address family (and so "AddressFamily any" is the
default) or I use "AddressFamily any".

Eric Johnson


/usr/sbin/httpd and chunked transfer encoding

2017-05-07 Thread johnw
Hi, after installing ownCloud/Nextcloud on my OpenBSD,

I noticed the Android client does not support "chunked transfer encoding"

(https://github.com/owncloud/android/issues/1128)

Is it possible to disable this feature with "/usr/sbin/httpd"?

Any idea how to solve it?

Thanks.






Re: IPv6, sshd, and latest patches?

2017-05-07 Thread Sterling Archer
On Mon, May 8, 2017 at 2:48 AM, Sterling Archer  wrote:

> On Mon, May 8, 2017 at 1:58 AM, Eric Johnson 
> wrote:
>
>>
>>
>> Has anyone else had problems with sshd and IPv6 after applying the latest
>> patches?  It seems to me that the patches disabled the use of IPv6 for
>> ssh.
>>
>> When I try to set the IPv6 address I want it to listen to in sshd_config,
>> sshd fails with the following message:
>>
>> bad addr or host: 2001:1890:1263:a14:: (no address associated with name)
>>
>> Using the default sshd_config, ssh is only listening on IPv4 addresses.
>>
>> Eric Johnson
>>
>>
> It's working here, fully patched 6.1 system.
> To make sure it's not because of the :: inet6 address, I tested this, where
> 2001:: is the /48 my ISP delegates to me:
>
> # doas ifconfig em1 inet6 2001::::
> # doas rcctl restart sshd
> sshd (ok)
> sshd (ok)
> # telnet 2001::::
>

That's telnet 2001:::: 22, of course.


> Trying 2001::::...
> Connected to 2001::::.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_7.5
>
>
>


Re: IPv6, sshd, and latest patches?

2017-05-07 Thread Sterling Archer
On Mon, May 8, 2017 at 1:58 AM, Eric Johnson 
wrote:

>
>
> Has anyone else had problems with sshd and IPv6 after applying the latest
> patches?  It seems to me that the patches disabled the use of IPv6 for
> ssh.
>
> When I try to set the IPv6 address I want it to listen to in sshd_config,
> sshd fails with the following message:
>
> bad addr or host: 2001:1890:1263:a14:: (no address associated with name)
>
> Using the default sshd_config, ssh is only listening on IPv4 addresses.
>
> Eric Johnson
>
>
It's working here, fully patched 6.1 system.
To make sure it's not because of the :: inet6 address, I tested this, where
2001:: is the /48 my ISP delegates to me:

# doas ifconfig em1 inet6 2001::::
# doas rcctl restart sshd
sshd (ok)
sshd (ok)
# telnet 2001::::
Trying 2001::::...
Connected to 2001::::.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.5


Re: OT: Recommendations for a CMS?

2017-05-07 Thread lists
Sun, 7 May 2017 12:24:32 -0400 Paul Suh 
> Folks,
> 
> Completely off topic, but I'd value input from this community in
> particular. I need to recommend a (replacement) CMS for the
> public-facing web site for my day job.
> [...]
> Suggestions? 

Hi Paul,

There is actually nothing OpenBSD-specific in your mission statement.
Yet, asking the question here means you want to pursue setting up your
company (at least site hosting) work flow around OpenBSD system setup.

You are indeed going to be setting up multiple stacks to try adjust on
the go, from exported plain text and portable documents directories to
static web site generators and complete content or document management
systems, each iteration addressing management complexity.  These could
be brought to reliably reproducible results from the client users, (in
your organisation) front ends desktop / laptops, to the networking and
back end serving systems, to the publicly exposed web interfaces,  and
your system integration management systems as well,  all with OpenBSD.

Now on to the specifics, as Marc advises go give Drupal a spin, though
mentioning marketing people means you either want to propose there the
idea of running (at least part of) the web stack on OpenBSD, or you're
looking for an OpenBSD oriented best current practical solution.  Both
are not your immediate concern as your specified user group is at best
OS agnostic, and your application stack is at best OS independent too.

So, the best practical advice is to just start setting up some OpenBSD
systems to host some OpenBSD virtual machines with different basic set
of self hosting web stacks from generic to more advanced, either local
premise or in an inexpensive dedicated hosting service of your choice.

There is no silver bullet for web sites setup and the OpenBSD specific
parts are, try to adhere to web services in base and then go to ports.
Beware, all PHP land is largely full of self inflicted countless hours
loss and there is much more to lose in less popular web app languages.

So, the suggestion is.. to just start setting up an OpenBSD web stack.
You are going to make good progress, just better compared to other OS.

Kind regards,
Anton Lazarov



IPv6, sshd, and latest patches?

2017-05-07 Thread Eric Johnson


Has anyone else had problems with sshd and IPv6 after applying the latest
patches?  It seems to me that the patches disabled the use of IPv6 for
ssh.

When I try to set the IPv6 address I want it to listen to in sshd_config,
sshd fails with the following message:

bad addr or host: 2001:1890:1263:a14:: (no address associated with name)

Using the default sshd_config, ssh is only listening on IPv4 addresses.

Eric Johnson



Re: OT: Recommendations for a CMS?

2017-05-07 Thread Wiremu Demchick
On 5/8/17, Marc Espie  wrote:
> Actually, I used to need a CMS for my former job, ended up going with
> Drupal.
>

I've also used Drupal (both major releases 7 and 8), for many of the
same reasons mentioned by Marc Espie.

> Now for the drawbacks:

I should mention that Drupal has a not-very-nice security track
record.  A particularly good example:
https://www.drupal.org/SA-CORE-2014-005



Re: OT: Recommendations for a CMS?

2017-05-07 Thread Marc Espie
Actually, I used to need a CMS for my former job, ended up going with
Drupal.

Not incredibly awful, especially since it's php. The design makes sense,
it's actually reasonably clean, maintained, with lots of modules.

And it *is* a CMS, as in you can have a full database of documents
organized, and some interesting publishing tracks.
(I went with drupal because I really needed to have custom roles, and
neither wordpress nor joomla nor zope did what I needed, and the drupal 
code WAS actually cleaner).

One major advantage over "do it yourself" html is that you don't have
to deal with all the gooey stuff, like helping non technical people
handle their jobs, since everything has a web interface.

Now for the drawbacks:
- there's a shitload of contributed modules. Sometimes it's hard to find
the one you want. And they're not all the same quality.
- every major version of drupal is a pain. They generally don't have any
kind of same migration plan from version to version.  Especially the user
interface, which changed a lot, so you're often better off reimporting
your data and starting the menu design from scratch.



Re: Libreoffice Calc (sometimes) kills X when attempting to import a CSV file?

2017-05-07 Thread Peter N. M. Hansteen
On 05/07/17 23:48, Stuart Henderson wrote:
> On 2017-05-06, Peter N. M. Hansteen  wrote:
>> And it happened again -
>> https://home.nuug.no/~peter/soffice_vs_x_csv/fehfeh.csv triggered
>> another kaboom, producing the log file
>> https://home.nuug.no/~peter/soffice_vs_x_csv/Xorg.0.log and the core
>> file https://home.nuug.no/~peter/soffice_vs_x_csv/Xorg.core
>>
>> I'll have to read up on usefully dissecting the core file, in the
>> meantime this is evidence preserved.
> 
> This would be a good start:
> 
> gdb /usr/X11R6/bin/Xorg /path/to/Xorg.core
> bt
>
> Trying it with your file on my system it looks like it's crashing
> in sna_poly_fill_rect_stippled_n_box in intel_drv.so, but my binaries
> may not match yours, so this may not be correct.

Here's mine:

#0  0x1be95bca766a in sna_poly_fill_rect_stippled_n_box () from
/usr/X11R6/lib/modules/drivers/intel_drv.so
(gdb) bt
#0  0x1be95bca766a in sna_poly_fill_rect_stippled_n_box () from
/usr/X11R6/lib/modules/drivers/intel_drv.so
#1  0x1be95bcc0cf6 in sna_poly_fill_rect_stippled_blt () from
/usr/X11R6/lib/modules/drivers/intel_drv.so
#2  0x1be95bcc491e in sna_poly_fill_rect () from
/usr/X11R6/lib/modules/drivers/intel_drv.so
#3  0x1be705c0215c in damagePolyFillRect () from /usr/X11R6/bin/Xorg
#4  0x1be705b0f91f in ProcPolyFillRectangle () from /usr/X11R6/bin/Xorg
#5  0x1be705b14b86 in Dispatch () from /usr/X11R6/bin/Xorg
#6  0x1be705b1860a in dix_main () from /usr/X11R6/bin/Xorg
#7  0x1be705b0190e in _start () from /usr/X11R6/bin/Xorg
#8  0x in ?? ()

But chasing other things I upgraded to a more recent snapshot in the
meantime, so this may be off too.

I suppose it's now just a case of collecting something similar when this occurs again.

> I would recommend removing the core file from the webserver, it's a dump
> of the whole memory of the failed Xorg server process so it might include
> something you don't want kept around.

:D
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: IPsec and certificates

2017-05-07 Thread Paul Suh

> On May 7, 2017, at 2:10 PM, Steve Shockley  
> wrote:
> 
> I'm trying to get IPsec set up in transport mode using isakmpd, between 
> OpenBSD 6.0, Windows 2008R2+, and i5/OS 7.1.  I've already gotten everything 
> working using PSK, but I'd like to use certificates.
> 
> I've created a certificate from our CA for each machine.  I've put the CA 
> root chain in /etc/isakmpd/ca, the local machine's private key in 
> private/local.key, the local machine's cert in certs/[ip addr].crt, and the 
> remote machine's cert in certs/[ip addr].crt.  The certificates have a 
> subject of CN=hostname.domain.com, and a SAN with DNS=hostname.domain.com, 
> DNS=[ip addr], IP=[ip addr].
> 
> I'm thinking that I'm just putting the certs in the wrong place.  I've run 
> isakmpd with -D A=99, which is confusing because it appears to still be 
> looking in /etc/isakmpd/keynote despite using -K.
> 
> Has anyone else used isakmpd with certificates signed by a non-dedicated CA, 
> or see anything I'm likely doing wrong here?  Thanks.
> 


> Current uncommented lines in ipsec.conf:
> ike esp transport from a.b.c.d to d.b.c.a \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des group none
>
> ike esp transport from d.b.c.a to a.b.c.d \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des group none


Steve, 

Have you tried using the DNS names in your ipsec.conf, and in the filenames in 
the /etc/isakmpd/certs directory? Generally, certificates are applied against 
the DNS name for servers, rather than the IP address. Maybe a bug in isakmpd or 
one of the other hosts that doesn't handle IP addresses in the SAN field 
correctly since it's such a rare usage? 


--Paul






Re: Libreoffice Calc (sometimes) kills X when attempting to import a CSV file?

2017-05-07 Thread Stuart Henderson
On 2017-05-06, Peter N. M. Hansteen  wrote:
> And it happened again -
> https://home.nuug.no/~peter/soffice_vs_x_csv/fehfeh.csv triggered
> another kaboom, producing the log file
> https://home.nuug.no/~peter/soffice_vs_x_csv/Xorg.0.log and the core
> file https://home.nuug.no/~peter/soffice_vs_x_csv/Xorg.core
>
> I'll have to read up on usefully dissecting the core file, in the
> meantime this is evidence preserved.

This would be a good start:

gdb /usr/X11R6/bin/Xorg /path/to/Xorg.core
bt

Trying it with your file on my system it looks like it's crashing
in sna_poly_fill_rect_stippled_n_box in intel_drv.so, but my binaries
may not match yours, so this may not be correct.

The Xorg.0.log looks clean so it might be from after a restart - there
might be something in Xorg.0.log.old.

I would recommend removing the core file from the webserver, it's a dump
of the whole memory of the failed Xorg server process so it might include
something you don't want kept around.




Re: OT: Recommendations for a CMS?

2017-05-07 Thread Stuart Henderson
Chris, this is not the right place to advertise your linux-based hosting.



Re: Openbsd on raspberry pi 1

2017-05-07 Thread Stuart Henderson
On 2017-05-07, flipchan  wrote:
>
> Hey, does anyone know about the porting of OpenBSD to the Raspberry Pi 1, or
> has anyone got it working on a Raspberry Pi 1? All I can find info on is that
> it can be run on a Raspberry Pi 3

It hasn't been ported to Pi 1, and is not likely to be. Pi 1 uses BCM2835,
which is an ARMv6 architecture design; this has significant weaknesses
compared to ARMv7 that OpenBSD is targeting.

Pi 2 uses BCM2836 which is an ARMv7 architecture CPU. OpenBSD is targeting
ARMv7 but not the BCM2836 System-on-Chip (SoC).
The current 32-bit arm port of OpenBSD targets ARMv7 systems using the
following SoCs : Allwinner A10/A20, Freescale i.MX6, TI OMAP3/4.

Pi 3 uses BCM2837 (ARMv8). The 64-bit arm port targets ARMv8 including
this SoC amongst others. (currently: Allwinner A64, AMD Opteron A1100,
Broadcom BCM2837, Rockchip RK3399).




Re: OT: Recommendations for a CMS?

2017-05-07 Thread flipchan
Try to find a good offline CMS AKA a static HTML generator like Jekyll. Don't
use Drupal, Joomla or WordPress.

On May 7, 2017 6:24:32 PM GMT+02:00, Paul Suh  wrote:
>Folks,
>
>Completely off topic, but I'd value input from this community in
>particular. I need to recommend a (replacement) CMS for the
>public-facing web site for my day job. My wants: 
>
>1) NOT Wordpress -- I don't need the security headaches. 
>2) Allows updates by users who don't know HTML and for whom Markdown is
>a stretch. (Marketing people.)
>3) Has commercial support and hosting available -- if it was just me I
>could run almost anything on my own. For my day job, however, I need to
>make sure that the rest of the IT department can still handle things if
>I get hit by a bus. 
>4) Minimal customization -- certainly no custom code or scripting.
>Again, if it was just me..., but it needs to be maintainable down the
>road. 
>
>The site has very little necessary in the way of server-side
>processing; in fact, a CMS is borderline overkill. A good templating
>system would almost do the trick. A really good templating system that
>can automatically post selected news item links to Twitter, Instagram,
>Facebook, etc. would be great. The only problem is that the marketing
>types can't be trusted even with Markdown. :-P
>
>The site needs to be really flashy and eye-catching for marketing
>purposes, so whatever solution needs to support (or at least not get in
>the way of) the latest & greatest HTML5/CSS/JS. (I know that the crowd
>here is generally going to pooh-pooh that, but it's actually
>appropriate for selling to the target audience. I'm mostly the same
>way, and have to check my first instincts when dealing with this site.)
>
>
>I've used Plone in the past, but support seems a little thin these days
>and it's pretty heavyweight for this project. 
>
>I saw the thread about "Creating a blog..." a year ago, but time has
>passed and his use case is significantly different from mine. 
>
>I'm looking for actual, recent experience with a CMS, not "I know a guy
>who used to run..." kinds of things. 
>
>Suggestions? 
>
>
>--Paul 

-- 
Take Care Sincerely flipchan layerprox dev

Openbsd on raspberry pi 1

2017-05-07 Thread flipchan

Hey, does anyone know about the porting of OpenBSD to the Raspberry Pi 1, or has
anyone got it working on a Raspberry Pi 1? All I can find info on is that it can
be run on a Raspberry Pi 3

undeadly.org/cgi?action=article&sid=20170409123528
-- 
Take Care Sincerely flipchan layerprox dev

Re: OT: Recommendations for a CMS?

2017-05-07 Thread Michael Hekeler
If you don't mind putting PHP on your box

I like to use Redaxo (www.redaxo.org) because it just "serves what goes
in" (template+content) and adds no magic like many "super intelligent"
scripts do.
It is so simple to configure and you are very(!) flexible in
creating every kind of input module you need.

But I think for URLs like www.domain.com/about you need another
webserver from packages because the httpd in base has no URL
rewriting (but I am not 100% sure...) and redaxo produces URLs like
index.php?page=1


-- 
Michael



Re: OT: Recommendations for a CMS?

2017-05-07 Thread BergenBergen BergenBergen
https://www.locomotivecms.com/ is great, _AND_ it's Ruby on Rails :)
Win-win. Good luck!

--Murk

On Sun, May 7, 2017 at 6:24 PM, Paul Suh  wrote:

> Folks,
>
> Completely off topic, but I'd value input from this community in
> particular. I need to recommend a (replacement) CMS for the public-facing
> web site for my day job. My wants:
>
> 1) NOT Wordpress -- I don't need the security headaches.
> 2) Allows updates by users who don't know HTML and for whom Markdown is a
> stretch. (Marketing people.)
> 3) Has commercial support and hosting available -- if it was just me I
> could run almost anything on my own. For my day job, however, I need to
> make sure that the rest of the IT department can still handle things if I
> get hit by a bus.
> 4) Minimal customization -- certainly no custom code or scripting. Again,
> if it was just me..., but it needs to be maintainable down the road.
>
> The site has very little necessary in the way of server-side processing;
> in fact, a CMS is borderline overkill. A good templating system would
> almost do the trick. A really good templating system that can automatically
> post selected news item links to Twitter, Instagram, Facebook, etc. would
> be great. The only problem is that the marketing types can't be trusted
> even with Markdown. :-P
>
> The site needs to be really flashy and eye-catching for marketing
> purposes, so whatever solution needs to support (or at least not get in the
> way of) the latest & greatest HTML5/CSS/JS. (I know that the crowd here is
> generally going to pooh-pooh that, but it's actually appropriate for
> selling to the target audience. I'm mostly the same way, and have to check
> my first instincts when dealing with this site.)
>
> I've used Plone in the past, but support seems a little thin these days
> and it's pretty heavyweight for this project.
>
> I saw the thread about "Creating a blog..." a year ago, but time has
> passed and his use case is significantly different from mine.
>
> I'm looking for actual, recent experience with a CMS, not "I know a guy
> who used to run..." kinds of things.
>
> Suggestions?
>
>
> --Paul


Re: OT: Recommendations for a CMS?

2017-05-07 Thread Chris M
Re-reading your question, maybe you weren't asking for hosting services,
but rather something you can throw on your own hardware, so if so my
apologies. But if you do need the hosting space, ZeroLag is a good choice
for business.

On Sun, May 7, 2017 at 1:39 PM Chris M  wrote:

> I would recommend something like Magento, depending on your needs. At
> ZeroLag (the company I work for, www.zerolag.com) - and yeah I'm plugging
> for them since I work there, but this is also based on direct experience -
> you can get dedicated or shared hosting with 24/hour monitoring. I don't
> have any prices for you since I am not in sales. These are Linux servers,
> not OpenBSD, not sure if that matters as much to you. But maybe what you
> are looking for.
>
> You also don't necessarily have to have Wordpress or Magento if you don't
> want, I believe we just provide those on request but sales would be able to
> answer more questions about that.
>
> On Sun, May 7, 2017 at 1:02 PM Paul Suh  wrote:
>
>> Folks,
>>
>> Completely off topic, but I'd value input from this community in
>> particular. I need to recommend a (replacement) CMS for the public-facing
>> web site for my day job. My wants:
>>
>> 1) NOT Wordpress -- I don't need the security headaches.
>> 2) Allows updates by users who don't know HTML and for whom Markdown is a
>> stretch. (Marketing people.)
>> 3) Has commercial support and hosting available -- if it was just me I
>> could run almost anything on my own. For my day job, however, I need to
>> make sure that the rest of the IT department can still handle things if I
>> get hit by a bus.
>> 4) Minimal customization -- certainly no custom code or scripting. Again,
>> if it was just me..., but it needs to be maintainable down the road.
>>
>> The site has very little necessary in the way of server-side processing;
>> in fact, a CMS is borderline overkill. A good templating system would
>> almost do the trick. A really good templating system that can automatically
>> post selected news item links to Twitter, Instagram, Facebook, etc. would
>> be great. The only problem is that the marketing types can't be trusted
>> even with Markdown. :-P
>>
>> The site needs to be really flashy and eye-catching for marketing
>> purposes, so whatever solution needs to support (or at least not get in the
>> way of) the latest & greatest HTML5/CSS/JS. (I know that the crowd here is
>> generally going to pooh-pooh that, but it's actually appropriate for
>> selling to the target audience. I'm mostly the same way, and have to check
>> my first instincts when dealing with this site.)
>>
>> I've used Plone in the past, but support seems a little thin these days
>> and it's pretty heavyweight for this project.
>>
>> I saw the thread about "Creating a blog..." a year ago, but time has
>> passed and his use case is significantly different from mine.
>>
>> I'm looking for actual, recent experience with a CMS, not "I know a guy
>> who used to run..." kinds of things.
>>
>> Suggestions?
>>
>>
>> --Paul
>
> --
> There's no place like 127.0.0.1
>
-- 
There's no place like 127.0.0.1


Re: OT: Recommendations for a CMS?

2017-05-07 Thread Chris M
I would recommend something like Magento, depending on your needs. At
ZeroLag (the company I work for, www.zerolag.com) - and yeah I'm plugging
for them since I work there, but this is also based on direct experience -
you can get dedicated or shared hosting with 24/hour monitoring. I don't
have any prices for you since I am not in sales. These are Linux servers,
not OpenBSD, not sure if that matters as much to you. But maybe what you
are looking for.

You also don't necessarily have to have Wordpress or Magento if you don't
want, I believe we just provide those on request but sales would be able to
answer more questions about that.

On Sun, May 7, 2017 at 1:02 PM Paul Suh  wrote:

> Folks,
>
> Completely off topic, but I'd value input from this community in
> particular. I need to recommend a (replacement) CMS for the public-facing
> web site for my day job. My wants:
>
> 1) NOT Wordpress -- I don't need the security headaches.
> 2) Allows updates by users who don't know HTML and for whom Markdown is a
> stretch. (Marketing people.)
> 3) Has commercial support and hosting available -- if it was just me I
> could run almost anything on my own. For my day job, however, I need to
> make sure that the rest of the IT department can still handle things if I
> get hit by a bus.
> 4) Minimal customization -- certainly no custom code or scripting. Again,
> if it was just me..., but it needs to be maintainable down the road.
>
> The site has very little necessary in the way of server-side processing;
> in fact, a CMS is borderline overkill. A good templating system would
> almost do the trick. A really good templating system that can automatically
> post selected news item links to Twitter, Instagram, Facebook, etc. would
> be great. The only problem is that the marketing types can't be trusted
> even with Markdown. :-P
>
> The site needs to be really flashy and eye-catching for marketing
> purposes, so whatever solution needs to support (or at least not get in the
> way of) the latest & greatest HTML5/CSS/JS. (I know that the crowd here is
> generally going to pooh-pooh that, but it's actually appropriate for
> selling to the target audience. I'm mostly the same way, and have to check
> my first instincts when dealing with this site.)
>
> I've used Plone in the past, but support seems a little thin these days
> and it's pretty heavyweight for this project.
>
> I saw the thread about "Creating a blog..." a year ago, but time has
> passed and his use case is significantly different from mine.
>
> I'm looking for actual, recent experience with a CMS, not "I know a guy
> who used to run..." kinds of things.
>
> Suggestions?
>
>
> --Paul

-- 
There's no place like 127.0.0.1


IPsec and certificates

2017-05-07 Thread Steve Shockley
I'm trying to get IPsec set up in transport mode using isakmpd, between 
OpenBSD 6.0, Windows 2008R2+, and i5/OS 7.1.  I've already gotten 
everything working using PSK, but I'd like to use certificates.


I've created a certificate from our CA for each machine.  I've put the 
CA root chain in /etc/isakmpd/ca, the local machine's private key in 
private/local.key, the local machine's cert in certs/[ip addr].crt, and 
the remote machine's cert in certs/[ip addr].crt.  The certificates have 
a subject of CN=hostname.domain.com, and a SAN with 
DNS=hostname.domain.com, DNS=[ip addr], IP=[ip addr].


I'm thinking that I'm just putting the certs in the wrong place.  I've 
run isakmpd with -D A=99, which is confusing because it appears to still 
be looking in /etc/isakmpd/keynote despite using -K.


Has anyone else used isakmpd with certificates signed by a non-dedicated 
CA, or see anything I'm likely doing wrong here?  Thanks.


Current uncommented lines in ipsec.conf:
ike esp transport from a.b.c.d to d.b.c.a \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group none

ike esp transport from d.b.c.a to a.b.c.d \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group none



Re: Arch and vmd

2017-05-07 Thread R0me0 ***
Thanks Karl

Your instructions saved a lot of research.

Running funtoo linux  -current with minimal kernel ( compiled by hand )
adjusted root  partition to vda disk.

Tests performed with OpenBSD 6.0 with binary patches applied .

Cheers,

2017-04-26 13:47 GMT-03:00 Karl Pettersson :

> Arch Linux works well as a vmd guest. Some notes about my experiences
> installing the system:
>
> * The Arch installation can be started from the serial console, see:
>   https://wiki.archlinux.org/index.php/Working_with_the_serial_console
>   #Installing_Arch_Linux_using_the_serial_console
>   However, the installation still tends to be unstable, due to unreliable
>   downloads (which has been discussed earlier). Until this is fixed, the
>   installation can be run in QEMU, or in a guest under Linux/KVM (as is
>   currently required by distributions with graphical install).
>
> * Syslinux has to be used as bootloader, and serial console should be
>   enabled: https://wiki.archlinux.org/index.php/Syslinux#Serial_console
>   Moreover, the generated config has to be edited to point to the
>   correct root device, and if Ext4 is used as root file system, it must
>   not be 64bit (which is enabled by default when the file system is
>   created): http://www.syslinux.org/wiki/index.php?title=Filesystem
>
>


OT: Recommendations for a CMS?

2017-05-07 Thread Paul Suh
Folks,

Completely off topic, but I'd value input from this community in particular. I 
need to recommend a (replacement) CMS for the public-facing web site for my day 
job. My wants: 

1) NOT Wordpress -- I don't need the security headaches. 
2) Allows updates by users who don't know HTML and for whom Markdown is a 
stretch. (Marketing people.)
3) Has commercial support and hosting available -- if it was just me I could 
run almost anything on my own. For my day job, however, I need to make sure 
that the rest of the IT department can still handle things if I get hit by a 
bus. 
4) Minimal customization -- certainly no custom code or scripting. Again, if it 
was just me..., but it needs to be maintainable down the road. 

The site has very little necessary in the way of server-side processing; in 
fact, a CMS is borderline overkill. A good templating system would almost do 
the trick. A really good templating system that can automatically post selected 
news item links to Twitter, Instagram, Facebook, etc. would be great. The only 
problem is that the marketing types can't be trusted even with Markdown. :-P

The site needs to be really flashy and eye-catching for marketing purposes, so 
whatever solution needs to support (or at least not get in the way of) the 
latest & greatest HTML5/CSS/JS. (I know that the crowd here is generally going 
to pooh-pooh that, but it's actually appropriate for selling to the target 
audience. I'm mostly the same way, and have to check my first instincts when 
dealing with this site.) 

I've used Plone in the past, but support seems a little thin these days and 
it's pretty heavyweight for this project. 

I saw the thread about "Creating a blog..." a year ago, but time has passed and 
his use case is significantly different from mine. 

I'm looking for actual, recent experience with a CMS, not "I know a guy who 
used to run..." kinds of things. 

Suggestions? 


--Paul 



Re: 6.1 syspatch installed SP kernel on MP system

2017-05-07 Thread Aaron Riekenberg
Got it.  Sorry for the noise, and thanks for syspatch.

https://github.com/openbsd/src/blob/master/distrib/miniroot/install.sub#L2600-L2604

On Wed, May 3, 2017 at 10:09 AM, Theo de Raadt  wrote:

> > Seems like syspatch should install new /bsd.sp and /bsd.mp and then link
> > /bsd to the correct one based on whether sp or mp kernel is running. This
> > would be consistent with the installer.
>
> You are pretty sure of yourself, but that isn't what the installer does.
> It does not "link".  You can go read the source.
>


Re: Segmentation fault in ncurses

2017-05-07 Thread Otto Moerbeek
On Sat, May 06, 2017 at 09:45:22PM +0200, Carsten Kunze wrote:

> Hello,
> 
> I am not on this mailing list and I am not able to debug the following issue.
> It is just for information since a segmentation fault may be an issue in an
> OpenBSD base system library.  The system I am using is very old (Oct. 2016)
> but ncurses likely has not changed much since then:
> 
> OpenBSD 6.0-current (GENERIC) #2384: Fri Oct 14 00:06:17 MDT 2016
> 
> What I am trying to do is to display UTF-8 chars using wadd_wchnstr().  Then 
> it crashes in lib_addstr.c:186 (I don't have the source).
> 
> If this is not relevant, just ignore the mail and sorry for the noise.
> 
> Program received signal SIGSEGV, Segmentation fault.
> wadd_wchnstr (win=0x15c8a6049a00, astr=0x15c664e47e28, n=4) at /usr/src/lib/libcurses/base/lib_addstr.c:186
> 186 /usr/src/lib/libcurses/base/lib_addstr.c: No such file or directory.
> in /usr/src/lib/libcurses/base/lib_addstr.c
> (gdb) bt
> #0  wadd_wchnstr (win=0x15c8a6049a00, astr=0x15c664e47e28, n=4) at /usr/src/lib/libcurses/base/lib_addstr.c:186
> #1  0x15c664c20f56 in putmbs (w=0x15c8a6049a00, s=0x15c885e05100 "�\207İ", n=4) at ui2.c:1287
>
> 
> ... following trace is not relevant.

Too little information. First check if it is still there in current
src, if so then try to come up with a little program that exposes the
bug.

BTW, sources are freely available,

-Otto