Unable to establish ikev2 vpn with iOS after update to current

2017-06-04 Thread Theodore Wynnychenko
Hello

I have been a bit remiss, and have not updated my system in a couple of months.
I have been following current for a year or two, in general, without incident.

Anyway, after updating last night, I am unable to establish an ikev2 vpn with an
iOS 10.3.2 device.  An OBSD6.1<->OBSD6.1 ikev2 vpn is working fine.

I am hoping that someone could shove me in a direction.

I have been using iked with iOS for about a year without a problem.

However, after the update, I noticed that all iOS vpn attempts were failing.

Running # iked -dvvv and trying to connect showed:

...
ca_setauth: auth length 510
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_resp_recv: failed to send auth response
sa_state: AUTH_REQUEST -> CLOSED from xxx.yyy.1.254:64252 to xxx.yyy.1.20:4500
policy 'ios_vpn'
ikev2_recv: closing SA
sa_free: ispi 0xcd95648ffb47ac65 rspi 0x86e6b00a7646172e
config_free_proposals: free 0x13f816f06500
config_free_proposals: free 0x13f8e4f63580
ca_setauth: auth length 528
ca_validate_pubkey: could not open public key pubkeys/fqdn/ios.ikev2.myfqdn.com
ca_x509_subjectaltname: FQDN/ios.ikev2.myfqdn.com
ca_validate_cert: /C=US/ST=Illinois... ok
ikev2_getimsgdata: imsg 24 rspi 0x86e6b00a7646172e ispi 0xcd95648ffb47ac65
initiator 0 sa invalid type 14 data length 528
ikev2_dispatch_cert: invalid auth reply


I found a suggestion that placing an RSA public certificate on the local OBSD
machine could help.

So, I used:

# openssl rsa -in private.key -pubout > /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com

Now, running # iked -dvvv shows:

set_policy_auth_method: using rsa for peer
/etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
set_policy: found pubkey for /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
ikev2 "ios_vpn" passive esp inet from 0.0.0.0/0 to xxx.yyy.15.0/24 local
xxx.yyy.1.20 peer any ikesa enc aes-256,aes-192,aes-128,3des prf
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth
hmac-sha2-256,hmac-sha1 srcid ikesync.myfqdn.com dstid ios.ikev2.myfqdn.com
ikelifetime 1800 lifetime 1800 bytes 536870912 rsa config address xxx.yyy.15.131
config netmask 255.255.255.0 config name-server xxx.yyy.1.128 config name-server
xxx.yyy.1.129 config netbios-server xxx.yyy.2.99
ca_privkey_serialize: type RSA_KEY length 2349
ca_pubkey_serialize: type RSA_KEY length 526
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 2349
ca_getkey: received public key type RSA_KEY length 526
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: loaded ca file ca.crt
ca_reload: /C=US/ST=Illinois...
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file local.myfqdn.com.crt
ca_reload: loaded cert file ikesync.myfqdn.com.crt
ca_validate_cert: /C=US/ST=Illinois... ok
ca_validate_cert: /C=US/ST=Illinois... ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator xxx.yyy.1.254:55008 to
xxx.yyy.1.20:500 policy 'jacqueline_iphone_vpn' id 0, 432 bytes
ikev2_recv: ispi 0xd14315b81593285a rspi 0x
ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 432
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xd14315b81593285a 0x
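An added example, not from the post: it produces the same pubkeys/fqdn entry the first log above reports missing, but derives it from the peer's certificate (so the client's private key never has to be on the gateway) and checks it against the certificate's DNS subjectAltName, the name that appears in the ca_x509_subjectaltname line. The FQDN, paths and the self-signed certificate are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the file iked(8) looks
# for under pubkeys/fqdn/<dstid> from the peer's X.509 certificate rather
# than from its private key, then checks the result. All names and paths
# are placeholders; the certificate made in demo() is self-signed.
set -eu

# Write the peer's public key (PEM SubjectPublicKeyInfo) to <root>/fqdn/<fqdn>.
# $1 peer certificate (PEM), $2 iked pubkeys root, $3 peer FQDN (the dstid)
install_peer_pubkey() {
    mkdir -p "$2/fqdn"
    openssl x509 -in "$1" -noout -pubkey > "$2/fqdn/$3"
    chmod 0644 "$2/fqdn/$3"
}

# Return 0 if the certificate carries the FQDN as a DNS subjectAltName.
cert_has_fqdn_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Return 0 if the installed public key and the key inside the certificate
# have the same SHA-256 over their DER encoding.
pubkey_matches_cert() {
    a=$(openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    b=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed demo: a self-signed peer certificate with a DNS SAN, installed
# into a temporary pubkeys tree. Returns 0 only when all three steps pass.
demo() {
    fqdn=ios.ikev2.example.test
    tmp=$(mktemp -d)
    cat > "$tmp/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $fqdn
[v3]
subjectAltName = DNS:$fqdn
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$tmp/san.cnf" \
        -keyout "$tmp/peer.key" -out "$tmp/peer.crt" 2>/dev/null
    install_peer_pubkey "$tmp/peer.crt" "$tmp/pubkeys" "$fqdn" &&
        cert_has_fqdn_san "$tmp/peer.crt" "$fqdn" &&
        pubkey_matches_cert "$tmp/pubkeys/fqdn/$fqdn" "$tmp/peer.crt"
}
```

On a real gateway the root is /etc/iked/pubkeys and the FQDN is the dstid from the policy; the file name must match that id exactly.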

Re: bgp-spamd added 192.43.244.163

2017-06-04 Thread Todd C. Miller
On Sun, 04 Jun 2017 12:09:51 -0500, Edgar Pettijohn wrote:

> Did a little more digging. Looks like the list 192.43.244.163 is on the 
> SORBS Spam list.

I have delisted it.

 - todd



Re: httpd and wordpress

2017-06-04 Thread Ax0n
A very select few security-focused plugins are worth keeping around, like
WordFence. Every plugin, theme and add-on is additional attack surface, and
some popular plugins and themes have a horrifying track record with regard
to security. WordPress core has gotten a lot better recently, but there are
still some whopper vulnerabilities disclosed on occasion.

For most people, I recommend giving it lenient enough file permissions that
it can automatically apply its own updates. The most severe WP
vulnerabilities are Remote Code [Inclusion|Execution]. Disallowing _www
write access to the document root isn't going to save you from those, but
allowing write access and enabling automatic updates means critical patches
are applied faster than you'd normally be able to do it yourself.

I have experimented in my development environment with a "split
installation" where two different virtual hosts entries serve WP from two
different document roots but are pointed to the same database: A full-blown
normal install on 127.0.0.1 that you access through something such as an
SSH dynamic proxy, then a copied, locked-down install on the public IP
address. The locked-down install doesn't even have wp-admin, and uses
database credentials that are limited to SELECT queries only. This took a
lot of extra work to keep maintained, and updates applied to, and obviously
things like user-login and comments won't work on the public-facing site.
I'm not convinced this experiment is worth the hassle, because if you're
that paranoid, you're likely already looking at static-site generators and
getting away from WP by any means possible.

On Sun, Jun 4, 2017 at 4:34 PM, flipchan  wrote:

> Delete ALL readme and don't install plugins
>
> On June 3, 2017 9:52:13 PM GMT+02:00, Markus Rosjat 
> wrote:
> >Hi there,
> >
> >
> >well if it would be up to me I would skip wordpress for good but well
> >it's not my decision.
> >
> >So I was wondering if there is some recommendations on what to block in
> >
> >the httpd.conf and what file permissions to use.
> >
> >For now I have:
> >
> >- like wordpress suggest 0755 on dirs and 0644 on files
> >
> >- wp-config.php setting to 0400 is not going to work at all I need at
> >least a 0644 or nothing shows up
> >
> >- in http.conf I blocked /wp_content , /wp-content /uploads/*.php,
> >/wp-includes, /wp-includes/*.php and /wp-admin
> >
> >
> >so if there is something I can do further to harden things just let me
> >know :)
> >
> >
> >advice is most appreciated
> >
> >
> >Regards
> >
> >
> >--
> >Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
> >
> >G+H Webservice GbR Gorzolla, Herrmann
> >Königsbrücker Str. 70, 01099 Dresden
> >
> >http://www.ghweb.de
> >fon: +49 351 8107220   fax: +49 351 8107227
> >
> >Please check whether this mail really needs to be printed!
> >Before you print it, think about your responsibility and commitment to
> >the ENVIRONMENT
>
> --
> Take Care Sincerely flipchan layerprox dev


Re: Can I bind USB/other interface/device number (e.g. cdceX) to particular MAC, USB serial number or the like?

2017-06-04 Thread Kevin Chadwick
On Fri, 2 Jun 2017 08:25:57 -0400


> Linux's (and Windows and Solaris and ...) attempts to "fix" this
> problem is one of the reasons I'd consider Linux (and Windows
> and ...) crappy. A complicated solution that creates far more
> problems than it ever solves, and usually at the worst times possible
> (i.e., disaster recovery, where you are trying to rebuild a failed
> system).
> 
> The tools to deal with this are already in OpenBSD as I and Peter
> indicated.  We don't need an "automatic" solution that penalizes
> everyone for an edge-case problem (and yes, I'd consider this an edge
> case.  I can't imagine a serious, industrial firewall with USB
> interfaces).

Yeah, definitely, there are more than a few mailing list requests on
switching the Linux solution back to eth0, eth1, etc. to fix new issues. The
Linux code before (eth0,1,2) did have issues too that OpenBSD does not.

My experience, which has always been better than on Linux, is that e.g.
fxp0,1,2 are in order of PCI slot. I assume USB devices are the same after
boot, so anyone who unplugs and plugs devices and doesn't check the
outcome on critical hardware deserves what they get. Also, having
critical hardware that can be physically damaged is asking for
trouble, so I cannot see an issue at all??

p.s. I love the ethernet card driver specific man pages!!



Re: httpd and wordpress

2017-06-04 Thread flipchan
Delete ALL readme and don't install plugins

On June 3, 2017 9:52:13 PM GMT+02:00, Markus Rosjat  wrote:
>Hi there,
>
>
>well if it would be up to me I would skip wordpress for good but well 
>it's not my decision.
>
>So I was wondering if there is some recommendations on what to block in
>
>the httpd.conf and what file permissions to use.
>
>For now I have:
>
>- like wordpress suggest 0755 on dirs and 0644 on files
>
>- wp-config.php setting to 0400 is not going to work at all I need at 
>least a 0644 or nothing shows up
>
>- in http.conf I blocked /wp_content , /wp-content /uploads/*.php, 
>/wp-includes, /wp-includes/*.php and /wp-admin
>
>
>so if there is something I can do further to harden things just let me 
>know :)
>
>
>advice is most appreciated
>
>
>Regards
>
>
>-- 
>Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
>G+H Webservice GbR Gorzolla, Herrmann
>Königsbrücker Str. 70, 01099 Dresden
>
>http://www.ghweb.de
>fon: +49 351 8107220   fax: +49 351 8107227
>
>Please check whether this mail really needs to be printed!
>Before you print it, think about your responsibility and commitment to
>the ENVIRONMENT

-- 
Take Care Sincerely flipchan layerprox dev
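As an added example (not from anyone in the thread), an OpenBSD httpd.conf(5) fragment that expresses the blocks Markus lists in his quoted question, plus the readme removal flipchan suggests, as server-side rules; the hostname, document root and php-fpm socket path are placeholders.

```conf
# Added example, not from the thread. Placeholders: hostname, root, socket.
server "blog.example.test" {
	listen on * port 80
	root "/htdocs/wordpress"
	directory index index.php

	# httpd uses the first location that matches, so the blocks must come
	# before the catch-all "*.php" handler at the end. Only PHP under
	# uploads and wp-includes is blocked: blocking all of /wp-includes or
	# /wp-content would also cut off the CSS and JS WordPress serves from
	# there and break the site.
	location "/wp-content/uploads/*.php" { block }
	location "/wp-includes/*.php" { block }

	# Version-disclosing files a running site does not need. Blocking them
	# here keeps working after the next update re-creates them.
	location "/readme.html" { block }
	location "/license.txt" { block }

	# Keep this only if you administer through another path (for example
	# the split install Ax0n describes); it also locks you out.
	location "/wp-admin/*" { block }

	# Everything else ending in .php goes to php-fpm inside the chroot.
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
}
```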

HPLIP HP Laserjet Pro MFP M130fn PPD Plugin installation fails

2017-06-04 Thread Reheis Claus
Hi all,

Recently I acquired an HP Laserjet Pro MFP M130fn and I would like to
use it with my OpenBSD desktop...
As it is supported since hplip 3.17 I have to use OpenBSD Current.
I managed to get as far as the plugin installation, but now I am stuck at
this point:

/usr/local/bin/python2.7 plugin_install.py

License blablabla

Do you accept the license terms for the plug-in (y=yes*, n=no, q=quit) ? y
sh: lsb_release: not found
Plugin installation failed
error: Plugin installation failed

Any advice? thx

Greetings

Claus



Re: bgp-spamd added 192.43.244.163

2017-06-04 Thread Edgar Pettijohn



On 06/04/17 11:56, Edgar Pettijohn wrote:



On 06/04/17 06:09, Peter Hessler wrote:

Please double check your setup.  That IP is for 'lists.openbsd.org', and
should be listed in the *whitelist*.  I do distribute the whitelist next
to the blacklist, so you MUST NOT blindly block every IP that I
distribute to you.


On 2017 Jun 03 (Sat) at 23:30:36 +0200 (+0200), Markus Rosjat wrote:
:hi there,
:
:just had some strange encounter, I was wondering why I don't get mail from
:this list for a while.
:
:So I did some digging and found that even 192.43.244.163 was whitelisted with
:like 32k mails delivered there are also GREY entries for this ip. so I
:checked my blacklists, nothing to find and then I thought okay check the list
:from the bgp-spamd project and to my surprise I found 192.43.244.163 in the
:table. I deleted it and my mails from this list coming in again. since I

:didn't do anything lately on my setup I wonder if someone else had this
:encounter.
:
:
:regards
:
:--
:Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
:
:G+H Webservice GbR Gorzolla, Herrmann
:Königsbrücker Str. 70, 01099 Dresden
:
:http://www.ghweb.de
:fon: +49 351 8107220   fax: +49 351 8107227
:
:Please check whether this mail really needs to be printed!
:Before you print it, think about your responsibility and commitment
:to the ENVIRONMENT

:

Just had a chance to check and I didn't see it in my blacklists. 
However, I already had it in my nospamd so it probably wouldn't have 
affected me even if it were.
Did a little more digging. Looks like the list 192.43.244.163 is on the 
SORBS Spam list.




Re: bgp-spamd added 192.43.244.163

2017-06-04 Thread Edgar Pettijohn



On 06/04/17 06:09, Peter Hessler wrote:

Please double check your setup.  That IP is for 'lists.openbsd.org', and
should be listed in the *whitelist*.  I do distribute the whitelist next
to the blacklist, so you MUST NOT blindly block every IP that I
distribute to you.


On 2017 Jun 03 (Sat) at 23:30:36 +0200 (+0200), Markus Rosjat wrote:
:hi there,
:
:just had some strange encounter, I was wondering why I don't get mail from
:this list for a while.
:
:So I did some digging and found that even 192.43.244.163 was whitelisted with
:like 32k mails delivered there are also GREY entries for this ip. so I
:checked my blacklists, nothing to find and then I thought okay check the list
:from the bgp-spamd project and to my surprise I found 192.43.244.163 in the
:table. I deleted it and my mails from this list coming in again. since I
:didn't do anything lately on my setup I wonder if someone else had this
:encounter.
:
:
:regards
:
:--
:Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
:
:G+H Webservice GbR Gorzolla, Herrmann
:Königsbrücker Str. 70, 01099 Dresden
:
:http://www.ghweb.de
:fon: +49 351 8107220   fax: +49 351 8107227
:
:Please check whether this mail really needs to be printed! Before you
:print it, think about your responsibility and commitment to the ENVIRONMENT
:

Just had a chance to check and I didn't see it in my blacklists. 
However, I already had it in my nospamd so it probably wouldn't have 
affected me even if it were.




Fwd: Re: RTL8153 stopped-communicating("crashed")-bug. I think because it was USB3 & OBSD doesn't support 5gbit/superspeed mode yet.

2017-06-04 Thread Tinker

(fw very clarifying answer from mpi@)

 Original Message 
Subject: Re: RTL8153 stopped-communicating("crashed")-bug. I think 
because it was USB3 & OBSD doesn't support 5gbit/superspeed mode yet.

Date: 2017-06-04 07:49
From: Martin Pieuchot 
To: Tinker 

On 04/06/17(Sun) 00:46, Tinker wrote:

On 2017-06-02 13:53, Martin Pieuchot wrote:
..
> So it's an xhci(4) problem?  Could you submit a bug report with a dmesg
> of a kernel compiled with XHCI_DEBUG and exposing the problems above
> motioned?

Will do!

Meanwhile, to understand how USB3 is expected to work currently, aside
from any unexpected bugs:

 * Should USB devices always come up when you boot?


Yes they should.  If they don't that's 1 bug.  Possibly related to
uhub(4).  In that case you could install the "usbutils" package and
compare the output of 'lsusb -v' when:

 - you booted without device connected
 - you booted with a device connected
 - after you connected a device

What interests us is the Port Status of the parent hub of the
device.  It looks like:

   Hub Port Status:
   Port 1: .0100 power
   Port 2: .0100 power
   Port 3: .0100 power
   Port 4: .0100 power
   Port 5: .0100 power
   Port 6: .0100 power
   Port 7: .0100 power
   Port 8: .0100 power

Of course this could also be an xhci(4) bug.  So booting a kernel with
XHCI_DEBUG and/or UHUB_DEBUG can give us more information.


 * Total bandwidth per controller will be 1gbps currently?


I don't remember, you can look at xhci.c.  But honestly what's your 
problem?

I doubt this matters.

 * At how many / how bandwidth-demanding devices plugged in to a controller
should failure to attach more devices start happening?


I don't know, but once again I doubt it matters.  What's your problem?


 * All of this is supposed to work without any config tweaking by user
right?


Of course, that's one of OpenBSD's goals ;)

 * ..And then per-USB-device ioerror, timeout, watchdog timeout etc. errors
should be handled transparently by the respective device driver, i.e., there
are expected situations where USB will fail to push data through for a
moment, so a good driver should have the logic to restore device function
transparently by whatever means necessary. (E.g. even a device reset should be
fine for a USB NIC as the device does not have any substantial state.)


Yes, but driver authors aren't perfect and they don't write perfect
drivers ;)

However anybody is welcome to improve them :)



Re: bgp-spamd added 192.43.244.163

2017-06-04 Thread Peter Hessler
Please double check your setup.  That IP is for 'lists.openbsd.org', and
should be listed in the *whitelist*.  I do distribute the whitelist next
to the blacklist, so you MUST NOT blindly block every IP that I
distribute to you.


On 2017 Jun 03 (Sat) at 23:30:36 +0200 (+0200), Markus Rosjat wrote:
:hi there,
:
:just had some strange encounter, I was wondering why I don't get mail from
:this list for a while.
:
:So I did some digging and found that even 192.43.244.163 was whitelisted with
:like 32k mails delivered there are also GREY entries for this ip. so I
:checked my blacklists, nothing to find and then I thought okay check the list
:from the bgp-spamd project and to my surprise I found 192.43.244.163 in the
:table. I deleted it and my mails from this list coming in again. since I
:didn't do anything lately on my setup I wonder if someone else had this
:encounter.
:
:
:regards
:
:-- 
:Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
:
:G+H Webservice GbR Gorzolla, Herrmann
:Königsbrücker Str. 70, 01099 Dresden
:
:http://www.ghweb.de
:fon: +49 351 8107220   fax: +49 351 8107227
:
:Please check whether this mail really needs to be printed! Before you
:print it, think about your responsibility and commitment to the ENVIRONMENT
:

-- 
"Virtual" means never knowing where your next byte is coming from.



SNMP OID for free memory

2017-06-04 Thread mabi
Hi,

I am using OpenBSD 6.1 with the Net-SNMP port in order to monitor the system 
resources. I don't seem to find any OID for the free memory and was wondering 
if this information is simply not made available in SNMP. Doing an snmpwalk on 
the HOST-RESOURCES MIB for memory shows the following available OIDs related to 
memory:

HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: Real memory
HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: Virtual memory
HOST-RESOURCES-MIB::hrStorageDescr.8 = STRING: Shared virtual memory
HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: Shared real memory
HOST-RESOURCES-MIB::hrStorageDescr.10 = STRING: Swap space
HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /

Any idea where the free memory info would be hiding?

I found a script called check_snmp_openbsd.py
(https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py)
where the OID .1.3.6.1.4.1.11.2.3.1.1.7.0 is used for getting the free memory,
but when I do an snmpget on my OpenBSD box this OID is not available.

Regards,
Mabi
