OT: GPS "2019" bug

2018-09-18 Thread noah pugsley
Thought this was interesting. Seemed appropriate as an OT given the
semi-recent 2038 changes...

https://spectracom.com/resources/blog/lisa-perdue/2018/gps-2019-week-rollover-what-you-need-know



EuroBSD Con 2018 1 Free Ticket for Ansible Tutorial and LibTLS Tutorial Thursday

2018-09-18 Thread Tom Smyth
Hello,

I have paid for tickets for the Ansible tutorial and the LibTLS
tutorial on Thursday at EuroBSDCon 2018 in Bucharest. I can't attend
Thursday and I don't want the tickets to go to waste, so if any of the
mailing list subscribers would like to go, please reply directly to me
and you can have the ticket for either or both tutorials. First come,
first served.

Hope this helps,
Tom Smyth,



Re: PF possibly causing weird SSL issues ?

2018-09-18 Thread Joseph Mayer
On Wednesday, September 19, 2018 8:26 AM, Tim Jones wrote:

> > Check the time and date.
> > And enable ntpd if you already haven't.
>
> Time and date are fine.
>
> NTP already runs extensively on this network, so setting it up on OpenBSD
> instances was a subconscious no-brainer. ;-)

Tim,

The misbehavior you are seeing, is it from programs running on your
OpenBSD instance or from programs running on computers located behind
your OpenBSD NAT/PF?

OpenBSD's NAT/PF should be agnostic to system time configuration. SSL
clients depend on system time for cert validation. The SSL error you
reported here does not look like it is of that kind, however.

Please share your dmesg, pf.conf and any other relevant config. (Why
have you not already?)

Joseph



Re: PF possibly causing weird SSL issues ?

2018-09-18 Thread Richard Toohey

On 09/19/18 09:02, Tim Jones wrote:

Hi,

I'm wracking my brains here.   I have just replaced  
with one based on OpenBSD 6.3 PF. Nothing else has changed on the network, just the 
firewall.

Lots of "stuff" that used to work (e.g. various nightly pushes of data to "the 
cloud") have suddenly stopped working after the new firewall was put in place.

It seems to be down to some sort of weird handling of SSL by PF? I can't see
why it should be OpenBSD, and yet I also can't see why it cannot be OpenBSD,
given nothing else has changed.

The reason I say this is because of what I see if I take troubleshooting down
to its most basic level:

This:
wget -O bp_linux.tar.gz https://github.com/Azure/blobporter/releases/download/v0.6.15/bp_linux.tar.gz
Fails with:
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

And yet this (ironically!):
wget https://cdn.openbsd.org/pub/OpenBSD/6.3/amd64/install63.iso
Works fine.

Similarly, this:
openssl s_client -connect github-production-release-asset-2e65be.s3.amazonaws.com:443 -servername github-production-release-asset-2e65be.s3.amazonaws.com
Returns:
no peer certificate available
No client certificate CA names sent

And yet this:
openssl s_client -connect google.com:443 -servername google.com
Shows SSL certs OK!

My PF is simple as follows (there is no NAT here, it's fully routable):
match in all scrub (no-df random-id)
block drop
set block-policy drop
set syncookies always
pass from  to any flags S/SA modulate state (pflow)

DNS and everything else is working fine.

(Not an expert, just suggesting some things that might provoke 
inspiration.  Hopefully.  But probably stuff already tried/eliminated.)


Are you sure it's pf?  If you disable pf (if that's an option here) - 
any difference?


If you take the rules out and then introduce them one-by-one - is there 
one that seems to break things?


What do the pf logs show?

Are you trying the commands on the firewall or an (OpenBSD?) machine 
behind the firewall?


[OpenBSD machine]---[OpenBSD firewall]---[the internet]

(Anything to do with LibreSSL versus OpenSSL?)

If you try those commands on another OpenBSD machine at a different 
location, do they work?


They work here (on a snapshot), so that does suggest they should work in 
general so yes, maybe the ruleset or pf.


I've not got wget installed, but can achieve the same request with ftp e.g.

$ ftp https://github.com/Azure/blobporter/releases/download/v0.6.15/bp_linux.tar.gz

Trying 192.30.255.112...
Requesting 
https://github.com/Azure/blobporter/releases/download/v0.6.15/bp_linux.tar.gz
Redirected to 
https://github-production-release-asset-2e65be.s3.amazonaws.com/74929278/e5e4422c-58f2-11e8-9582-3447e8bc9081?X-Amz-Algorithm=AWS4-HMAC-SHA256=AKIAIWNJYAX4CSVEH53A%2F20180919%2Fus-east-1%2Fs3%2Faws4_request=20180919T043531Z=300=d99e4c16a020810445620a2dc532f53e192ea382bff9785059d2f886981defb7=host_id=0=attachment%3B%20filename%3Dbp_linux.tar.gz=application%2Foctet-stream

Trying 54.231.81.40...
Requesting 
https://github-production-release-asset-2e65be.s3.amazonaws.com/74929278/e5e4422c-58f2-11e8-9582-3...


What do you get if you try ftp instead of wget?

$ openssl s_client -connect github-production-release-asset-2e65be.s3.amazonaws.com:443 -servername github-production-release-asset-2e65be.s3.amazonaws.com

CONNECTED(0003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore 
CyberTrust Root

...
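The "SSL23_GET_SERVER_HELLO:unknown protocol" error quoted above is what OpenSSL reports when the bytes that come back after the ClientHello do not begin with a TLS record header at all, for example when something on the path answers with plaintext HTTP or closes the connection before the real server can reply. The script below is an added example and not code from this thread: it sends a genuine ClientHello over a plain TCP socket and classifies the first bytes of the reply, so the raw answer can be compared from inside and outside the firewall. The host names, the port and the constructed sample replies are assumptions.

```python
"""Probe a TLS port with a raw ClientHello and classify the first reply bytes.

Added example, not from the mailing-list thread. Standard library only.
"""
import socket
import ssl
import sys
from typing import Optional, Tuple


def tls_record_kind(data: bytes) -> str:
    """Name what the first bytes of a peer's reply look like.

    A TLS server answers a ClientHello with a record whose first byte is the
    content type (0x16 handshake, 0x15 alert) and whose second byte is the
    0x03 major version shared by SSL 3.0 and every TLS version. Anything
    else is what OpenSSL's old SSL23 client code reported as
    "SSL23_GET_SERVER_HELLO:unknown protocol".
    """
    if not data:
        return "empty"  # peer closed or reset before sending anything
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # a proxy or an HTTP listener answering on 443
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "plaintext-banner"  # SMTP/FTP style "220 ..." greeting
    return "unknown"


def client_hello(server_name: str) -> bytes:
    """Build a real ClientHello with the stdlib, without touching the network.

    wrap_bio() runs the handshake against in-memory buffers: the first
    do_handshake() writes the ClientHello into `outgoing` and then raises
    SSLWantReadError because nothing has been received yet.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def probe(host: str, port: int = 443, server_name: Optional[str] = None,
          timeout: float = 5.0) -> Tuple[str, bytes]:
    """Send a ClientHello over a plain TCP socket; return (kind, first bytes)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(server_name or host))
        try:
            reply = sock.recv(1024)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return tls_record_kind(reply), reply[:16]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "cdn.openbsd.org"
    kind, head = probe(target)
    print(f"{target}: {kind} (first bytes {head.hex()})")
```

Run it against the failing S3 host from a machine behind the new firewall and again from outside it. If the inside run reports "plaintext-http" or "empty" while the outside run reports "tls-handshake", something on the path is answering or resetting instead of the S3 endpoint, and the state entry for that connection in pfctl -ss is the next thing to inspect.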




Re: Keyboard repeats characters way too often

2018-09-18 Thread Chris Bennett
I had the same problem on a release version.
acpihpet0
fixed the keyboard problem.

I am now running an earlier -current and not specifying that.
My time clock is way off. I'm going to need to re-add it to my sysctl.conf.

So this is a common problem.

Chris Bennett




Re: Keyboard repeats characters way too often

2018-09-18 Thread Leo Unglaub

On 09/19/18 03:29, Jonathan Gray wrote:

On Wed, Sep 19, 2018 at 03:03:12AM +0200, Leo Unglaub wrote:

The only big problem I have is that as soon as I start X I cannot use the
keyboard correctly. Every time I type a character on the keyboard it gets
repeated multiple times. Most often it gets repeated between 3 and 7 times.
Do you have any idea what I could do in order to fix/debug this?

Could be tsc desync.

Try a non-mp kernel or sysctl kern.timecounter.hardware=acpihpet0



thank you very much! The sysctl kern.timecounter.hardware=acpih option fixed
the issue for me!

Thank you very much!
Greetings
Leo



I had hoped it was gone with zen/17h.  As it is very inconsistent as to
which systems have this problem (ie 16h apu laptop has the problem,
16h pcengines apu2 doesn't) we need to test if tsc is desynchronised
on boot.

Here is the old big hammer diff I had extended for 17h but I don't want
to force hpet in cases where tsc is not desynchronised between cores.


I am going to try the patch below and report back to you as soon as I 
have fixed my laptop, because since I tried the sysctl 
kern.timecounter.hardware=acpihpet option I cannot start my laptop anymore.


During boot it now always fails with the error message "cpu2: failed to 
become ready" and then the laptop just starts booting without a panic or 
a debug prompt.


I managed to take a picture with my phone before the laptop rebooted 
again: https://img3.picload.org/image/dlwdwodi/img_20180919_034116.jpg


As soon as I have it fixed I will try the patch and report back to you.

Thanks and greetings
Leo




Index: tsc.c
===
RCS file: /cvs/src/sys/arch/amd64/amd64/tsc.c,v
retrieving revision 1.10
diff -u -p -r1.10 tsc.c
--- tsc.c   27 Jul 2018 21:11:31 -  1.10
+++ tsc.c   19 Sep 2018 01:16:24 -
@@ -32,6 +32,7 @@ int   tsc_recalibrate;
  
  uint64_t	tsc_frequency;

  int   tsc_is_invariant;
+inttsc_desync;
  
  uint		tsc_get_timecount(struct timecounter *tc);
  
@@ -172,7 +173,7 @@ calibrate_tsc_freq(void)

return;
tsc_frequency = freq;
tsc_timecounter.tc_frequency = freq;
-   if (tsc_is_invariant)
+   if (tsc_is_invariant && tsc_desync == 0)
tsc_timecounter.tc_quality = 2000;
  }
  
@@ -206,10 +207,25 @@ tsc_timecounter_init(struct cpu_info *ci

tsc_frequency = tsc_freq_cpuid(ci);
tsc_is_invariant = 1;
  
+#ifdef MULTIPROCESSOR

+   /*
+* TSC often desynchronised between cores on
+* 15h (Bulldozer, Piledriver, Steamroller, Excavator)
+* 16h (Jaguar, Puma)
+* 17h (Zen)
+*/
+   if ((strcmp(cpu_vendor, "AuthenticAMD") == 0) &&
+   ((ci->ci_family == 0x15 && ci->ci_model <= 0x6f) ||
+(ci->ci_family == 0x16 && ci->ci_model <= 0x3f) ||
+(ci->ci_family == 0x17 && ci->ci_model <= 0x1f)))
+   tsc_desync = 1;
+#endif
+
/* Newer CPUs don't require recalibration */
if (tsc_frequency > 0) {
tsc_timecounter.tc_frequency = tsc_frequency;
-   tsc_timecounter.tc_quality = 2000;
+   if (tsc_desync == 0)
+   tsc_timecounter.tc_quality = 2000;
} else {
tsc_recalibrate = 1;
tsc_frequency = cpufreq;



--
Leo Unglaub

Website: https://leo.unglaub.at
XMPP: leo-ungl...@jabber.ccc.de

:wq



Re: Keyboard repeats characters way too often

2018-09-18 Thread Jonathan Gray
On Wed, Sep 19, 2018 at 03:03:12AM +0200, Leo Unglaub wrote:
> > > The only big problem I have is that as soon as I start X I cannot use the
> > > keyboard correctly. Every time I type a character on the keyboard it gets
> > > repeated multiple times. Most often it gets repeated between 3 and 7 
> > > times.
> > > Do you have any idea what I could do in order to fix/debug this?
> > Could be tsc desync.
> > 
> > Try a non-mp kernel or sysctl kern.timecounter.hardware=acpihpet0
> > 
> 
> thank you very much! The sysctl kern.timecounter.hardware=acpih option fixed
> the issue for me!
> 
> Thank you very much!
> Greetings
> Leo
> 

I had hoped it was gone with zen/17h.  As it is very inconsistent as to
which systems have this problem (ie 16h apu laptop has the problem,
16h pcengines apu2 doesn't) we need to test if tsc is desynchronised
on boot.

Here is the old big hammer diff I had extended for 17h but I don't want
to force hpet in cases where tsc is not desynchronised between cores.

Index: tsc.c
===
RCS file: /cvs/src/sys/arch/amd64/amd64/tsc.c,v
retrieving revision 1.10
diff -u -p -r1.10 tsc.c
--- tsc.c   27 Jul 2018 21:11:31 -  1.10
+++ tsc.c   19 Sep 2018 01:16:24 -
@@ -32,6 +32,7 @@ int   tsc_recalibrate;
 
 uint64_t   tsc_frequency;
 inttsc_is_invariant;
+inttsc_desync;
 
 uint   tsc_get_timecount(struct timecounter *tc);
 
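Review bot: the new `tsc_desync` flag carries no comment saying who sets it or what it means, and unlike `tsc_is_invariant` its name does not make clear that it is a per-boot verdict rather than a tunable; a one-line comment above `int tsc_desync;` such as `/* set when TSC is not synchronised across cores; keeps tc_quality low */` would save the next reader a trip to `tsc_timecounter_init()`. The zero default is the right behaviour for non-MULTIPROCESSOR kernels, where the assignment further down is compiled out.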
@@ -172,7 +173,7 @@ calibrate_tsc_freq(void)
return;
tsc_frequency = freq;
tsc_timecounter.tc_frequency = freq;
-   if (tsc_is_invariant)
+   if (tsc_is_invariant && tsc_desync == 0)
tsc_timecounter.tc_quality = 2000;
 }
 
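Review bot: `if (tsc_is_invariant && tsc_desync == 0)` leaves `tc_quality` at whatever the static `tsc_timecounter` initialiser set it to when desync is flagged, and that initial value is not visible in this hunk; please confirm it is negative, since `tc_init()` only refuses to auto-select a timecounter whose quality is below zero, and a merely low positive value would still let the TSC win on a machine whose HPET or ACPI timer is missing. The same `tsc_desync == 0` test is repeated below in `tsc_timecounter_init()`; a small helper returning 2000 or the default would keep the two call sites from drifting apart.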
@@ -206,10 +207,25 @@ tsc_timecounter_init(struct cpu_info *ci
tsc_frequency = tsc_freq_cpuid(ci);
tsc_is_invariant = 1;
 
+#ifdef MULTIPROCESSOR
+   /*
+* TSC often desynchronised between cores on
+* 15h (Bulldozer, Piledriver, Steamroller, Excavator)
+* 16h (Jaguar, Puma)
+* 17h (Zen)
+*/
+   if ((strcmp(cpu_vendor, "AuthenticAMD") == 0) &&
+   ((ci->ci_family == 0x15 && ci->ci_model <= 0x6f) ||
+(ci->ci_family == 0x16 && ci->ci_model <= 0x3f) ||
+(ci->ci_family == 0x17 && ci->ci_model <= 0x1f)))
+   tsc_desync = 1;
+#endif
+
/* Newer CPUs don't require recalibration */
if (tsc_frequency > 0) {
tsc_timecounter.tc_frequency = tsc_frequency;
-   tsc_timecounter.tc_quality = 2000;
+   if (tsc_desync == 0)
+   tsc_timecounter.tc_quality = 2000;
} else {
tsc_recalibrate = 1;
tsc_frequency = cpufreq;
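Review bot: the `AuthenticAMD` family/model allow-list works against the goal stated in the covering message: family 16h is described as both affected (apu laptop) and unaffected (pcengines apu2), so `ci->ci_family == 0x16 && ci->ci_model <= 0x3f` will force the lower quality on machines whose TSC is fine and will miss an affected part whose model number sits above the `0x6f`/`0x3f`/`0x1f` ceilings. A boot-time measurement (have each AP read its TSC against the BSP once the APs are up and set `tsc_desync` only when the skew exceeds a threshold) would be the gate the message asks for, and the table could then shrink to a comment. Two smaller points: `tsc_timecounter_init()` receives a single `cpu_info`, so the test reflects the boot CPU only, which deserves a comment since `ci_family`/`ci_model` are per-CPU fields; and the new `if (tsc_desync == 0)` around `tc_quality = 2000` duplicates the check added to `calibrate_tsc_freq()`, so both must change together if the policy is revisited. For the reporter's `17-11-00` Ryzen 7 2700U the 17h branch does match, so the diff would apply to that machine.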



Re: Keyboard repeats characters way too often

2018-09-18 Thread Leo Unglaub

The only big problem I have is that as soon as I start X I cannot use the
keyboard correctly. Every time I type a character on the keyboard it gets
repeated multiple times. Most often it gets repeated between 3 and 7 times.
Do you have any idea what I could do in order to fix/debug this?

Could be tsc desync.

Try a non-mp kernel or sysctl kern.timecounter.hardware=acpihpet0



thank you very much! The sysctl kern.timecounter.hardware=acpih option 
fixed the issue for me!


Thank you very much!
Greetings
Leo



Re: Keyboard repeats characters way too often

2018-09-18 Thread Carlos Cardenas
On Wed, Sep 19, 2018 at 12:27:29AM +0200, Leo Unglaub wrote:
> Hi,
> today I got my new Laptop. A Lenovo ThinkPad E485 with an AMD Ryzen CPU. I
> installed the latest OpenBSD -current on the device and a lot of stuff works
> very well. I used the traditional installation method without EFI. Only Wifi
> and Hibernate/Suspend don't work, but that was expected and is okay.
> 
> The only big problem I have is that as soon as I start X I cannot use the
> keyboard correctly. Every time I type a character on the keyboard it gets
> repeated multiple times. Most often it gets repeated between 3 and 7 times.
> Do you have any idea what I could do in order to fix/debug this?
> 

Leo,

Change your clock source:

sysctl kern.timecounter.hardware=acpihpet0

I've had to do this on later AMD gear (kaveri, carrizo, etc..).

+--+
Carlos



Re: Keyboard repeats characters way too often

2018-09-18 Thread Jonathan Gray
On Wed, Sep 19, 2018 at 12:27:29AM +0200, Leo Unglaub wrote:
> Hi,
> today I got my new Laptop. A Lenovo ThinkPad E485 with an AMD Ryzen CPU. I
> installed the latest OpenBSD -current on the device and a lot of stuff works
> very well. I used the traditional installation method without EFI. Only Wifi
> and Hibernate/Suspend don't work, but that was expected and is okay.
> 
> The only big problem I have is that as soon as I start X I cannot use the
> keyboard correctly. Every time I type a character on the keyboard it gets
> repeated multiple times. Most often it gets repeated between 3 and 7 times.
> Do you have any idea what I could do in order to fix/debug this?

Could be tsc desync.

Try a non-mp kernel or sysctl kern.timecounter.hardware=acpihpet0

> 
> I attach you a dmesg of the machine. Also here is some additional
> information that might help.
> 
> > # wsconsctl
> > keyboard.type=pc-xt
> > keyboard.bell.pitch=400
> > keyboard.bell.period=100
> > keyboard.bell.volume=50
> > keyboard.bell.pitch.default=400
> > keyboard.bell.period.default=100
> > keyboard.bell.volume.default=50
> > wsconsctl: Use explicit arg to view keyboard.map.
> > keyboard.repeat.del1=400
> > keyboard.repeat.deln=100
> > keyboard.repeat.del1.default=400
> > keyboard.repeat.deln.default=100
> > keyboard.ledstate=0
> > keyboard.encoding=us
> > mouse.type=synaptics
> > mouse.rawmode=0
> > mouse.scale=1266,5676,1162,4690,0,45,54
> > mouse.tp.tapping=0
> > mouse.tp.scaling=0.163
> > mouse.tp.swapsides=0
> > mouse.tp.disable=0
> > mouse.tp.edges=0.0,5.0,10.0,5.0
> > mouse1.type=ps2
> > display.type=vga-pci
> > display.emulations=vt100
> > display.screentypes=80x25,80x25bf,80x40,80x40bf,80x50,80x50bf
> > display.focus=0
> > display.brightness=100.00%
> > display.screen_on=250
> > display.screen_off=0
> > display.vblank=off
> > display.kbdact=on
> > display.msact=on
> > display.outact=on
> 
> I use the latest version of -current that I could find. I am on AMD64.
> 
> Thanks so much for any hints.
> Greetings
> Leo
> 
> > $ dmesg
> > OpenBSD 6.4-beta (GENERIC.MP) #302: Tue Sep 18 10:01:39 MDT 2018
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > real mem = 16622096384 (15852MB)
> > avail mem = 16109076480 (15362MB)
> > mpath0 at root
> > scsibus0 at mpath0: 256 targets
> > mainbus0 at root
> > bios0 at mainbus0: SMBIOS rev. 3.1 @ 0x986e9000 (62 entries)
> > bios0: vendor LENOVO version "R0UET52W (1.32 )" date 09/01/2018
> > bios0: LENOVO 20KUCTO1WW
> > acpi0 at bios0: rev 2
> > acpi0: sleep states S0 S3 S4 S5
> > acpi0: tables DSDT FACP SSDT SSDT CRAT CDIT SSDT TPM2 UEFI MSDM BATB HPET 
> > APIC MCFG SBST IVRS FPDT SSDT SSDT SSDT UEFI SSDT
> > acpi0: wakeup devices GPP0(S3) GPP1(S3) GPP2(S3) GPP3(S3) GPP4(S3) GPP5(S3) 
> > GPP6(S3) GP17(S3) XHC0(S3) XHC1(S3) GP18(S3) LID_(S3) SLPB(S3)
> > acpitimer0 at acpi0: 3579545 Hz, 32 bits
> > acpihpet0 at acpi0: 14318180 Hz
> > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> > cpu0 at mainbus0: apid 0 (boot processor)
> > cpu0: AMD Ryzen 7 2700U with Radeon Vega Mobile Gfx, 2196.25 MHz, 17-11-00
> > cpu0: 
> > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
> > cpu0: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 
> > 64b/line 8-way L2 cache, 4MB 64b/line 16-way L3 cache
> > cpu0: ITLB 64 4KB entries fully associative, 64 4MB entries fully 
> > associative
> > cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully 
> > associative
> > cpu0: smt 0, core 0, package 0
> > mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> > cpu0: apic clock running at 24MHz
> > cpu0: mwait min=64, max=64, C-substates=1.1, IBE
> > cpu1 at mainbus0: apid 1 (application processor)
> > cpu1: AMD Ryzen 7 2700U with Radeon Vega Mobile Gfx, 2195.85 MHz, 17-11-00
> > cpu1: 
> > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
> > cpu1: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 
> > 64b/line 8-way L2 cache, 4MB 64b/line 16-way L3 cache
> > cpu1: ITLB 64 4KB entries fully associative, 64 4MB entries fully 
> > associative
> > cpu1: DTLB 64 4KB entries fully associative, 64 4MB entries fully 
> > associative
> > cpu1: smt 1, core 0, package 0
> > cpu2 at mainbus0: apid 2 (application 

Keyboard repeats characters way too often

2018-09-18 Thread Leo Unglaub

Hi,
today I got my new Laptop. A Lenovo ThinkPad E485 with an AMD Ryzen CPU. 
I installed the latest OpenBSD -current on the device and a lot of stuff 
works very well. I used the traditional installation method without EFI. 
Only Wifi and Hibernate/Suspend don't work, but that was expected and is 
okay.


The only big problem I have is that as soon as I start X I cannot use 
the keyboard correctly. Every time I type a character on the keyboard it 
gets repeated multiple times. Most often it gets repeated between 3 and 
7 times. Do you have any idea what I could do in order to fix/debug this?


I attach you a dmesg of the machine. Also here is some additional 
information that might help.


# wsconsctl
keyboard.type=pc-xt

keyboard.bell.pitch=400
keyboard.bell.period=100
keyboard.bell.volume=50
keyboard.bell.pitch.default=400
keyboard.bell.period.default=100
keyboard.bell.volume.default=50
wsconsctl: Use explicit arg to view keyboard.map.
keyboard.repeat.del1=400
keyboard.repeat.deln=100
keyboard.repeat.del1.default=400
keyboard.repeat.deln.default=100
keyboard.ledstate=0
keyboard.encoding=us
mouse.type=synaptics
mouse.rawmode=0
mouse.scale=1266,5676,1162,4690,0,45,54
mouse.tp.tapping=0
mouse.tp.scaling=0.163
mouse.tp.swapsides=0
mouse.tp.disable=0
mouse.tp.edges=0.0,5.0,10.0,5.0
mouse1.type=ps2
display.type=vga-pci
display.emulations=vt100
display.screentypes=80x25,80x25bf,80x40,80x40bf,80x50,80x50bf
display.focus=0
display.brightness=100.00%
display.screen_on=250
display.screen_off=0
display.vblank=off
display.kbdact=on
display.msact=on
display.outact=on


I use the latest version of -current that I could find. I am on AMD64.

Thanks so much for any hints.
Greetings
Leo

$ dmesg  
OpenBSD 6.4-beta (GENERIC.MP) #302: Tue Sep 18 10:01:39 MDT 2018

dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 16622096384 (15852MB)
avail mem = 16109076480 (15362MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.1 @ 0x986e9000 (62 entries)
bios0: vendor LENOVO version "R0UET52W (1.32 )" date 09/01/2018
bios0: LENOVO 20KUCTO1WW
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT SSDT CRAT CDIT SSDT TPM2 UEFI MSDM BATB HPET APIC 
MCFG SBST IVRS FPDT SSDT SSDT SSDT UEFI SSDT
acpi0: wakeup devices GPP0(S3) GPP1(S3) GPP2(S3) GPP3(S3) GPP4(S3) GPP5(S3) 
GPP6(S3) GP17(S3) XHC0(S3) XHC1(S3) GP18(S3) LID_(S3) SLPB(S3)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Ryzen 7 2700U with Radeon Vega Mobile Gfx, 2196.25 MHz, 17-11-00
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
8-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu0: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Ryzen 7 2700U with Radeon Vega Mobile Gfx, 2195.85 MHz, 17-11-00
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
8-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu1: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu1: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: AMD Ryzen 7 2700U with Radeon Vega Mobile Gfx, 2195.84 MHz, 17-11-00
cpu2: 

Re: PF possibly causing weird SSL issues ?

2018-09-18 Thread Tim Jones
> Check the time and date.
> And enable ntpd if you already haven't.

Time and date are fine.

NTP already runs extensively on this network, so setting it up on OpenBSD 
instances was a subconscious no-brainer. ;-)



Re: Running your own mail server

2018-09-18 Thread Duncan Guthrie
Hi,

Please do not recommend SquirrelMail. It is unmaintained. Its last
release was 5 years ago.

User interfaces like Roundcube and Rainloop work well enough and still
are actively maintained. I do not know how well those other ones you
listed work.

Alternatively, direct your users to some clear and well-written
instructions that would allow them to configure a mail client of their
choice.

Best wishes,
Duncan

On 09/08/18 16:39, Kaya Saman wrote:
> I agree here!
> 
> 
> Basically you would need a few components:
> 
> 
> MTA / MDA / MUA
> 
> 
> https://en.wikipedia.org/wiki/Message_transfer_agent
> 
> 
> One way to do it would be something like: Postfix / Courier IMAP / Then
> bolt something like SquirrelMail on top for web UI client
> 
> 
> There are many ways to achieve the same goal as in you don't have to use
> Postfix you could go for Sendmail or any other
> 
> 
> However for you it might be a better option to go with Linux as @Jay
> suggested and then whack something like Scalix or Zimbra on top..
> 
> 
> http://www.scalix.com/en/
> 
> 
> https://www.zimbra.com/
> 
> 
> That way you have a fully managed mail system right out of the box with
> granular control of what users can and can't do.
> 
> 
> Regards,
> 
> 
> Kaya
> 
> 



Re: PF possibly causing weird SSL issues ?

2018-09-18 Thread Christer Solskogen
On Tue, Sep 18, 2018, 23:04 Tim Jones <
b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch> wrote:

> Hi,
>
> I'm wracking my brains here.   I have just replaced  firewall> with one based on OpenBSD 6.3 PF. Nothing else has changed on the
> network, just the firewall
>

Check the time and date.
And enable ntpd if you already haven't.


PF possibly causing weird SSL issues ?

2018-09-18 Thread Tim Jones
Hi,

I'm wracking my brains here.   I have just replaced  
with one based on OpenBSD 6.3 PF. Nothing else has changed on the network, just 
the firewall.

Lots of "stuff" that used to work (e.g. various nightly pushes of data to "the 
cloud") have suddenly stopped working after the new firewall was put in place.

It seems to be down to some sort of weird handling of SSL by PF? I can't see
why it should be OpenBSD, and yet I also can't see why it cannot be OpenBSD,
given nothing else has changed.

The reason I say this is because of what I see if I take troubleshooting down
to its most basic level:

This:
wget -O bp_linux.tar.gz https://github.com/Azure/blobporter/releases/download/v0.6.15/bp_linux.tar.gz
Fails with:
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

And yet this (ironically!):
wget https://cdn.openbsd.org/pub/OpenBSD/6.3/amd64/install63.iso
Works fine.

Similarly, this:
openssl s_client -connect github-production-release-asset-2e65be.s3.amazonaws.com:443 -servername github-production-release-asset-2e65be.s3.amazonaws.com
Returns:
no peer certificate available
No client certificate CA names sent

And yet this:
openssl s_client -connect google.com:443 -servername google.com
Shows SSL certs OK!

My PF is simple as follows (there is no NAT here, it's fully routable):
match in all scrub (no-df random-id)
block drop
set block-policy drop
set syncookies always
pass from  to any flags S/SA modulate state (pflow)

DNS and everything else is working fine.



Re: Deploy Django app - strategy?

2018-09-18 Thread Michael Hekeler
On Sun, 16 Sep 2018 16:27:32 -0400, Ken MacKenzie wrote:

> An example from one of my setups:
> 
> location /api/deploy/core {
>     proxy_set_header Host $http_host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header X-Forwarded-Proto $scheme;
>     proxy_pass http://unix:/applications/deploy/core-api.sock:/;
> }

If you want to stay with base, you can do this with relayd (I think; I
have never done anything with Django).


> 
> This example is from a CentOS 7.4 box.
> 
> On Sun, Sep 16, 2018 at 2:43 PM Bogdan Kulbida 
> wrote:
> 
> > Hi Ken,
> >
> > Can you please be more specific on Nginx talking via sockets? Any
> > URLs on that topic will be appreciated. Thank you.
> >
> > On Sun, Sep 16, 2018 at 09:46 Ken M  wrote:
> >  
> >> On Sun, Sep 16, 2018 at 09:05:33AM +0300, ?? 
> >> wrote:  
> >> > I deploy my django app using uwsgi and venv in my home dir
> >> > uWSGi starts on its default port and httpd server uses this port
> >> > to handle my app requests. Everything just like in the official
> >> > manual  
> >> of  
> >> > uwsgi.
> >> >  
> >>
> >> Don't know if this is helpful for Django apps, or if httpd in
> >> openbsd can use
> >> unix sockets. Anyway with a couple of falcon api's I setup with
> >> Gunicorn I actually used unix sockets instead of creating ports.
> >> If my proxy is on the same
> >> server as the api's I found that a little easier to manage.
> >> Granted in this case
> >> it was on centos and I was using nginx. Also in the process of
> >> figuring out how
> >> to do that I found a lot of the documentation on nginx syntax
> >> talking to a unix
> >> socket was wrong. But that is another story.
> >>
> >> Ken
> >>
> >> --  
> > ---
> > Best regards,
> > Bogdan Kulbida
> > Founder and CEO, Konstankino LLC 
> > +1.802.793.8295
> >
> >
> >  



Re: Running your own mail server

2018-09-18 Thread Tim Jones


> Webmail isn't worth bothering with at all. Too complicated.

Let me rephrase that for you.

Webmail is easy.  Open source webmail is all horrible stuff stuck in the last 
century.

To make open source webmail look and behave like the  is the complicated bit.



Re: location of ~/.aucat_cookie

2018-09-18 Thread Theo de Raadt
Olivier Regnier  wrote:

> Hi,
> 
> Is it possible to disable the '.aucat_cookie' file or change his location?

No.

Libraries know the specific pathname.



Re: Can unveil pledge to only reduce?

2018-09-18 Thread Theo de Raadt
Luke Small  wrote:

> I'm not sure that I wasn't ambiguous. I want to be able to set up all 
> necessary unveil
> promises then from that point on, be able to only reduce unveil permissions. 
> I don't
> know the mechanism by which is unveil works, but perhaps it could be an 
> unveil command
> similar to unveil(NULL, NULL) instead of a pledge command? It apparently 
> knows if it is
> an increase in permissions, can't it be set to only permit them?
> 
> On Thu, Aug 16, 2018 at 2:00 PM Luke Small  wrote:
> 
>  Ok. Thanks.
>  On Thu, Aug 16, 2018 at 1:59 PM Theo de Raadt  wrote:
> 
>  Luke Small  wrote:
>  > Could you have a promise for unveil reductions only?
> 
>  That won't actually help much, and people will fall into some
>  pretty significant traps.
> 
>  Sorry it would require a really long explanation.

Cannot be done.

Will not work how you expect it to.

Will result in only providing a subset of the security boundary unveil
users expect; unexpectedly, when they least expect it, files or dirs
will be exposed.

Symbolic links.

Not going to explain further.  You want something magic which cannot
exist.



Re: Running your own mail server

2018-09-18 Thread Craig Skinner
Hi postmasters,

On Mon, 17 Sep 2018 18:33:52 Mik J wrote:
> The only drawback I see is that roundcube is less sexy and less good
> than gmail.

Webmail isn't worth bothering with at all. Too complicated.

All desktops & mobile phones/tablets have various IMAP clients.

For computers, there are IMAP clients such as Thunderbird, Claws, mutt,
Mac Mail, MS Outlook, etc.

For mobile gadgets, there are the Android Gmail app, iOS's Mac Mail, the
Blackberry mail thing, etc., etc., which connect to other IMAP/POP servers.

Webmail is dead junk.

IMAP and POP are the mail access protocols - use them and save yourself
the complicated headache of any HTTP proxy to mail on disk junk.

If you keep any user data in SQL or LDAP, have cron scripts to dump the
relevant user data to flat files for your MTA to read. rdist(1) those
flat files out to your mail farm. SQL and LDAP are too slow and unreliable.


A -> B -> C
spamd -> MTA (with loads of DNS knobs) -> Dovecot (via LMTP) which writes mail 
to disk.


With a few scripts, that is enough to keep a postmaster productive & busy.


The DNS knobs enable such a high accuracy of spam rejection,
that no heavy weight spam scanning software is needed at all.


Well, that's my almost 20 years experience of mastering multiple OpenBSD
mail servers on the hostile Internet. Other people have other ideas.


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: How to make the cwm window manager reread new config

2018-09-18 Thread Okan Demirmen
On Sun 2018.09.16 at 17:10 +, Stuart Henderson wrote:
> On 2018-09-16, ??   wrote:
> > Thank you very much, it works.
> > I always thought this would restart my whole session and I would lose
> > all my open windows.
> 
> It does actually restart the window manager, but information relating to
> the session (group etc) is stored "attached" to the clients in "atoms"
> so that it can be picked up by the new cwm instance, you shouldn't
> notice any difference after it's done restarting and loading that
> information.

Late to the game here; as mentioned by others, cwm does retain state
upon restart/reload; there are a few things that are not retained
however, such as client name history, previous client geometries and
such.



Re: Minimum Holdtime for BGP OpenBGPd in Production

2018-09-18 Thread Stuart Henderson
On 2018-09-18, Claudio Jeker  wrote:
> On Tue, Sep 18, 2018 at 05:11:24AM +0100, Tom Smyth wrote:
>> Hello all,
>> I was wondering what is the lowest values of BGP holdtime that you
>> recommend running in production ?
>
> I recommend using the default especially against ebgp peers.

MikroTik in particular are known to be bad at keeping up with BGP timers.

>> I would like to set them to a lower value to detect an issue with
>> peers that don't support BFD quicker,
>> but I don't want to set it to a value that would overly tax the system
>> resources,
>> 
>> If you are running approx 60 Peers on one and 30 Peers on another router,
>> 
>> I'm also running Arista 7050 Switches with BGP sessions to the OpenBGPd
>> Routers.
>> 
>> I would really appreciate anyone else's real world experience on this
>> matter before I go lowering the default values in our production
>> environment
> 
> bgpd should be able to handle the minimal hold time with 30 or 60
> peers just fine but I'm not so sure about any other system. Also flapping
> sessions because of too aggressive holdtime is counterproductive; the
> session flap dampening will kick in and will keep the session down longer
> than needed.
>
> In the end, like with most tuning, you need to check for yourself with what
> you are comfortable with.

This is mostly down to what your peers can handle (at a particular time),
and other people's real world experience will mostly not reflect that.

You might think to check "bgpctl sh nei" over time and monitor how "Last
read" compares with "keepalive interval" to get a baseline, but if you do
then beware that it will mostly just show things under a normal situation.
If hold times expire because somebody's router is too busy on occasion,
flapping the session is just going to make it *even more* busy, adding
to the problem (which can be especially nasty at an IXP).

Are you seeing actual problems with peers that cause you to want to do
this?

- If so and it's IXP-wide, maybe talk to the IXP? If it happens during
maintenance and they aren't already following BCP214 (session culling),
perhaps they could do that.

- If so and it's individual peers, maybe consider dropping them if
they're unreliable and not that important, or talking to them if they
are important?
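
Added example, not Stuart's or OpenBGPD's own code: the baseline check he
describes, done as a script rather than by eye. It scans "bgpctl show
neighbor" output and flags established peers whose "Last read" has already
drifted past their keepalive interval, i.e. peers that have missed at least
one keepalive and are eating into their holdtime. Run from cron and logged
over weeks, it shows which peers would flap first under a lower holdtime,
with the caveat from the message above that it only reflects normal
conditions. The sample output is constructed, and the "Last read HH:MM:SS,
holdtime Ns, keepalive interval Ms" line layout is assumed to match the
bgpctl of that era; adjust the awk if yours prints it differently.

```shell
#!/bin/sh
# Added example, not from the thread: flag peers whose last read exceeds
# their keepalive interval. Assumed line format:
#   "  Last read 00:00:12, holdtime 90s, keepalive interval 30s"

# Constructed sample standing in for `bgpctl show neighbor`.
SAMPLE_NEIGHBORS='BGP neighbor is 192.0.2.1, remote AS 64496
 Description: ixp-peer-a
  BGP version 4, remote router-id 192.0.2.1
  BGP state = Established, up for 01w2d03h
  Last read 00:00:12, holdtime 90s, keepalive interval 30s

BGP neighbor is 192.0.2.2, remote AS 64497
 Description: ixp-peer-b
  BGP version 4, remote router-id 192.0.2.2
  BGP state = Established, up for 00:10:05
  Last read 00:01:05, holdtime 90s, keepalive interval 30s

BGP neighbor is 2001:db8::3, remote AS 64498
 Description: transit-c
  BGP state = Active
  Last read 00:00:00, holdtime 90s, keepalive interval 30s
'

# bgpctl output on stdin -> one line per established peer whose last read
# is older than its keepalive interval: how many keepalives it has missed
# and how much holdtime is left before the session would be torn down.
flag_slow_peers() {
    awk '
    /^BGP neighbor is/ { peer = $4; sub(/,$/, "", peer); state = "" }
    /BGP state = /     { state = $4; sub(/,$/, "", state) }
    /Last read/ {
        split($3, t, ":"); sub(/,$/, "", t[3])
        last = t[1]*3600 + t[2]*60 + t[3]
        hold = $5; sub(/s,$/, "", hold); hold = hold + 0
        keep = $8; sub(/s$/, "", keep);  keep = keep + 0
        # only established sessions have a meaningful last-read timer
        if (state == "Established" && keep > 0 && last > keep)
            printf "%s last_read=%ds keepalive=%ds holdtime=%ds missed=%d left=%ds\n",
                   peer, last, keep, hold, int(last/keep), hold - last
    }'
}

# Cron usage: bgpctl show neighbor | flag_slow_peers >> /var/log/bgp-slow-peers
```

A peer that shows up here regularly at the default holdtime is the one that
will flap as soon as the holdtime is lowered, which is the "even more busy"
feedback loop the message warns about.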




Re: Running your own mail server

2018-09-18 Thread Daniel Gracia
Take a look over here:

https://www.cvedetails.com/vulnerability-list/vendor_id-8871/Clamav.html


On Tue, 18 Sep 2018 at 11:02, Marko Cupać ()
wrote:

> On Tue, 18 Sep 2018 10:32:25 +0100
> Kevin Chadwick  wrote:
>
> > I see clamav and other scanning stuff as an insecurity personally.
>
> Can you elaborate, please?
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>
>


Re: Running your own mail server

2018-09-18 Thread Marko Cupać
On Tue, 18 Sep 2018 10:32:25 +0100
Kevin Chadwick  wrote:

> I see clamav and other scanning stuff as an insecurity personally.

Can you elaborate, please?
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Running your own mail server

2018-09-18 Thread Kevin Chadwick
On Mon, 17 Sep 2018 13:20:22 -0700


> I don't mind throwing in PostgreSQL, but where are some good
> table/column examples?

SQL is for centralisation of many servers; it will likely be slower
otherwise.

There is greyscanner in ports. You can use that as a model for your own
scripts to do extra checks. There is also a BGP powered spam list
previously published on this list.

Disposable addresses as supported by OpenSMTPD with automatic folder
creation are neat. So bob-dodgyexhibit...@bob.com would automatically go
in bob-dodgyexhibition folder and bob-johnnybestm...@bob.com would go
in bob-johnnybestmate folder. Very useful to see who can't be trusted
with security/email address keeping though. After all you rarely get
spam as a result of handing addresses out to those you really need to
talk to.

I see clamav and other scanning stuff as an insecurity personally. Big
companies use dedicated hw but I don't get the point.

You shouldn't open untrusted weblinks so why open unexpected email. If
you know the address it has gone to you already know the likelihood of
it being spam and can pick out the odd email or ignore or delete/trap
the folder. People get a shock when you tell them they are almost the
only possible cause of you getting spam too. I've had one guy hang up the
phone almost immediately, lol.

Having said all this, email does not make you money, so consider if it
is worth the time! A mailing list can be useful, less so your own mail
server.
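
Added example, not Kevin's code and not OpenSMTPD's own delivery logic: the
"user-tag@domain goes into its own folder" mapping he describes
(bob-dodgyexhibition@bob.com -> folder bob-dodgyexhibition), with the check
a practitioner wants before doing it, because the tag is chosen by whoever
sends the mail and is about to become a directory name under the user's
maildir. "INBOX" for untagged mail and the allowed character set are choices
made here, not OpenSMTPD defaults; the address is assumed to be one the MTA
has already accepted for a local user.

```shell
#!/bin/sh
# Added example, not from the thread: map a disposable address to a
# delivery folder without letting the sender-chosen tag escape the maildir.

# Print the folder for a recipient address, or print nothing and return 1
# when the local part is not safe to turn into a directory name.
folder_for_recipient() {
    addr=$1
    case "$addr" in
        *@*) ;;
        *)   return 1 ;;
    esac
    lpart=${addr%%@*}      # everything before the first "@"
    # whole local part restricted to [A-Za-z0-9._-]: this rules out "/",
    # whitespace and shell metacharacters in one go
    case "$lpart" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # ".." anywhere or a leading dot would still let "bob-..@bob.com" or
    # "bob-.hidden@bob.com" name a parent or hidden directory; reject both
    case "$lpart" in
        *..*|.*) return 1 ;;
    esac
    case "$lpart" in
        *-*) printf '%s\n' "$lpart" ;;   # tagged: own folder, e.g. bob-dodgyexhibition
        *)   printf 'INBOX\n' ;;         # untagged: the normal inbox
    esac
}

# Usage from a delivery wrapper (assumed): folder=$(folder_for_recipient "$RECIPIENT") || folder=INBOX
```

Rejecting rather than sanitising keeps the rule simple to audit: a tag the
whitelist does not like is delivered nowhere special, and the sender learns
nothing about the filesystem layout from a bounce.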



Re: Minimum Holdtime for BGP OpenBGPd in Production

2018-09-18 Thread Claudio Jeker
On Tue, Sep 18, 2018 at 05:11:24AM +0100, Tom Smyth wrote:
> Hello all,
> I was wondering what is the lowest values of BGP holdtime that you
> recommend running in production ?

I recommend using the default especially against ebgp peers.
 
> I would like to set them to a lower value to detect an issue with
> peers that don't support BFD quicker,
> but I don't want to set it to a value that would overly tax the system
> resources,
> 
> If you are running approx 60 Peers on one and 30 Peers on another router,
> 
> I'm also running Arista 7050 Switches with BGP sessions to the OpenBGPd
> Routers.
> 
> I would really appreciate anyone else's real world experience on this
> matter before I go lowering the default values in our production
> environment
> 

bgpd should be able to handle the minimal hold time with 30 or 60
peers just fine but I'm not so sure about any other system. Also flapping
sessions because of too aggressive holdtime is counterproductive; the
session flap dampening will kick in and will keep the session down longer
than needed.

In the end, like with most tuning, you need to check for yourself with what
you are comfortable with.

-- 
:wq Claudio