Re: Libressl verify failure with 3.9.0

2024-04-09 Thread Ted Wynnychenko



Thanks for the suggestion.
The workaround does work, and creates (essentially) the same certificate,
but one that does not fail verification with the new libressl.
I did notice the option of not having the leading "20" for dates before 2050,
but I did not know enough to try doing that.
 
Ted
 
 
> -Original Message-
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Theo Buehler
> > Sent: Monday, April 08, 2024 6:45 AM
> > To: Ted Wynnychenko
> > Cc: 'OpenBSD misc'; b...@openbsd.org; js...@openbsd.org
> > Subject: Re: Libressl verify failure with 3.9.0
> >
> > On Sun, Apr 07, 2024 at 04:57:24PM -0500, Ted Wynnychenko wrote:
> > > Hello,
> > >
> > > I recently updated to -current (about a week ago).
> > >
> > > I see that Libressl is at 3.9.1 just now, but I hope that won't be an issue
> > > (I did not see anything in the release notes that would impact my question).
> > > ---
> > > $ openssl version
> > > LibreSSL 3.9.0
> > > ---
> > >
> > > Over the years, I have made certificates for personal servers/resources on
> > > my home network.  This is just for me, so I do some things that would be
> > > frowned on (although, technically, there is nothing "wrong" with them).
> > >
> > > In this case, since I have Apple iOS devices that I want to connect to
> > > https, I backdate any certificates I create to 1/2/2019.  Apple has imposed
> > > a 300 or 800 day time limit on the validity for certificates created after
> > > (about) 7/1/2019.  Since I don't want to constantly make new certificates
> > > for my personal/home network, I have just been setting the certificates'
> > > "not before" date to early 2019.
> > >
> > > Anyway, this had worked fine.
> > > In fact, earlier this year (Jan 2024), I created a new certificate, and all
> > > is good.
> > >
> > > A few weeks ago, I added a new thing to the network - a raspberry pi (I got
> > > as a gift about 2013 and installed a linux image from 2019 on it) that is
> > > connected to the home alarm system.
> > >
> > > Since I was annoyed that my browser was constantly giving me self-signed
> > > certificate warnings, I decided to make a certificate for the nginx running
> > > on this appliance.
> > >
> > > I created a key, made a csr, and then signed it with:
> > > openssl ca -startdate 20190102000000Z -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf
> >
> > As a workaround, try using '-startdate 190102000000Z' instead. I think
> > this is fallout from this commit:
> >
> > https://github.com/openbsd/src/commit/3feee4c53fbd67a4a480080d8ef5ae835d3fbf82
> >
> > ASN1_TIME_set_string_X509() is documented as
> >
> >     In LibreSSL, ASN1_TIME_set_string() and ASN1_TIME_set_string_X509()
> >     behave identically and always set the time object to a valid value to use
> >     in an X.509 certificate.
> >
> > It seems to me that this is just wrong (it is true that both behave
> > identically because RFC5280 is defined to 0), but they do not set the
> > time object to "a valid value to use in an X.509 certificate".
> >
> > Confusingly, ASN1_TIME_adj_internal() actually honours its RFC5280
> > parameter by behaving the expected way whereas its meaning in
> > ASN1_TIME_set_string_internal() is different.
> >
> > I am unsure if the bug is in my commit above or in our version of
> > ASN1_TIME_set_string_X509() (or both).
> >
> > >
> > > This all works fine, and a certificate is created
> > >
> > > When I check with:
> > > openssl x509 -text -noout -in pi.pem
> > >
> > > everything seems as expected, including the not before/after dates:
> > >
> > > Validity
> > > Not Before: Jan  2 00:00:00 2019 GMT
> > > Not After : Apr  7 15:39:59 2054 GMT
> > >
> > > (yes, it is valid for 35 years - as I said before, if someone breaks into my
> > > house to secretly do things, I have way bigger problems)
> > >
> > > But, if I try to verify this on the openbsd system, I get:
> > >
> > > # openssl verify pi.pem
> > > C = US, ST = Illinois, L = ***, O = 

Libressl verify failure with 3.9.0

2024-04-07 Thread Ted Wynnychenko
Hello,

I recently updated to -current (about a week ago).

I see that Libressl is at 3.9.1 just now, but I hope that won't be an issue 
(I did not see anything in the release notes that would impact my question).
---
$ openssl version
LibreSSL 3.9.0
---

Over the years, I have made certificates for personal servers/resources on 
my home network.  This is just for me, so I do some things that would be 
frowned on (although, technically, there is nothing "wrong" with them).

In this case, since I have Apple iOS devices that I want to connect to 
https, I backdate any certificates I create to 1/2/2019.  Apple has imposed 
a 300 or 800 day time limit on the validity for certificates created after 
(about) 7/1/2019.  Since I don't want to constantly make new certificates 
for my personal/home network, I have just been setting the certificates' 
"not before" date to early 2019.

Anyway, this had worked fine.
In fact, earlier this year (Jan 2024), I created a new certificate, and all 
is good.

A few weeks ago, I added a new thing to the network - a raspberry pi (I got 
as a gift about 2013 and installed a linux image from 2019 on it) that is 
connected to the home alarm system.

Since I was annoyed that my browser was constantly giving me self-signed 
certificate warnings, I decided to make a certificate for the nginx running 
on this appliance.

I created a key, made a csr, and then signed it with:
openssl ca -startdate 20190102000000Z -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf

This all works fine, and a certificate is created

When I check with:
openssl x509 -text -noout -in pi.pem

everything seems as expected, including the not before/after dates:

Validity
Not Before: Jan  2 00:00:00 2019 GMT
Not After : Apr  7 15:39:59 2054 GMT

(yes, it is valid for 35 years - as I said before, if someone breaks into my 
house to secretly do things, I have way bigger problems)

But, if I try to verify this on the openbsd system, I get:

# openssl verify pi.pem
C = US, ST = Illinois, L = ***, O = ***, OU = ***, CN = ***
error 20 at 0 depth lookup:unable to get local issuer certificate
pi.pem: verification failed: 20 (unable to get local issuer certificate)
---

But, if I install this on the raspberry pi, which has a much older version 
of openssl on it:
$ openssl version
OpenSSL 1.1.1c  28 May 2019

The certificate verifies without an issue:
$ openssl verify pi.pem
pi.pem: OK

The last time I created a certificate was in January of this year 
(1/22/2024).
I am thinking the openbsd system was using Libressl 3.8.2 at that point.

I created that certificate in the exact same way, backdating the start date:
openssl ca -startdate 20190102000000Z -in 54.csr -out 54.pem -config /etc/ssl/openssl.cnf

This previously created certificate also has the same backdated and very 
long valid period:

Validity
Not Before: Jan  2 00:00:00 2019 GMT
Not After : Jan 21 23:49:22 2054 GMT

(Notice the not after date is a little different)
Today, with the new libressl, this certificate verifies OK.

$ openssl verify 54.pem
54.pem: OK

Finally, if I create the new certificate WITHOUT backdating it
e.g.:  openssl ca -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf

The certificate is created and verifies OK.

So, it seems, there is some sort of issue with backdating the certificate, 
but not an issue with the crazy long validity window, that was not present 
in January of this year.

However, as I said, if I don't backdate, then in about a year the ipad will 
refuse to connect because of the restrictions apple has imposed, unless I 
update the certificate.

I know this is not "best practice," but it should still work, right?

Is there something I am missing?
Otherwise, it appears something has changed in Libressl 3.9.0 but is not 
documented.

Thanks in advance for any suggestions.
Ted
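The encoding rule behind the workaround Theo gives in the reply above, as an added example (Python; not code from this thread or from LibreSSL). RFC 5280 section 4.1.2.5 requires a CA to encode validity dates through 2049 as UTCTime (tag 0x17, two-digit year) and dates from 2050 on as GeneralizedTime (tag 0x18, four-digit year). `openssl x509 -text` prints both forms the same way, so the only way to see which one a certificate actually carries is to look at the DER. Below, `encode_x509_time()` picks the tag the RFC requires for a given datetime, and `check_validity()` walks a DER certificate to its Validity field and reports whether each time uses the required tag. `build_sample_cert()` is a constructed stand-in with placeholder serial, algorithm and issuer fields, only there so the check can run offline; the assumption that a pre-2050 notBefore tagged as GeneralizedTime is what the new LibreSSL rejects is inferred from the workaround in the thread, not verified against the library source.

```python
"""Check which ASN.1 tag a certificate uses for its notBefore/notAfter.

RFC 5280 4.1.2.5: dates through 2049 MUST be UTCTime (0x17, YYMMDDHHMMSSZ),
dates from 2050 on MUST be GeneralizedTime (0x18, YYYYMMDDHHMMSSZ).
Added example; not code from the mailing-list thread or from LibreSSL.
"""
import datetime as dt
import sys

INTEGER, OID, UTCTIME, GENERALIZEDTIME, SEQUENCE = 0x02, 0x06, 0x17, 0x18, 0x30


def required_tag(year: int) -> int:
    """Tag RFC 5280 requires for a validity time in the given year."""
    return UTCTIME if 1950 <= year <= 2049 else GENERALIZEDTIME


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV (short or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_x509_time(when: dt.datetime) -> bytes:
    """DER-encode a naive UTC datetime with the tag RFC 5280 requires."""
    tag = required_tag(when.year)
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"
    return der(tag, when.strftime(fmt).encode("ascii"))


def decode_x509_time(tag: int, val: bytes) -> dt.datetime:
    """Decode a UTCTime or GeneralizedTime value (RFC 5280 two-digit-year pivot)."""
    s = val.decode("ascii")
    if tag == UTCTIME:                      # YY >= 50 means 19YY, else 20YY
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")


def read_tlv(buf: bytes, pos: int = 0):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(seq_body: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, val, pos = read_tlv(seq_body, pos)
        yield tag, val


def check_validity(cert_der: bytes):
    """Return [(field, tag, datetime, ok)] for notBefore and notAfter.

    ok is False when the tag is not the one RFC 5280 requires for that year,
    which is what a backdated notBefore written as GeneralizedTime produces.
    """
    _, cert, _ = read_tlv(cert_der)               # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)                    # tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                       # serial, signature, issuer, validity
    report = []
    for name, (tag, val) in zip(("notBefore", "notAfter"), children(validity)):
        when = decode_x509_time(tag, val)
        report.append((name, tag, when, tag == required_tag(when.year)))
    return report


def build_sample_cert(not_before: bytes, not_after: bytes) -> bytes:
    """Constructed stand-in for a certificate: just enough TBS fields to reach
    Validity.  Serial, algorithm OID and the empty issuer are placeholders."""
    tbs = (der(0xA0, der(INTEGER, b"\x02"))                          # version v3
           + der(INTEGER, b"\x01")                                    # serialNumber
           + der(SEQUENCE, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # signature alg
           + der(SEQUENCE, b"")                                       # issuer (placeholder)
           + der(SEQUENCE, not_before + not_after))                   # validity
    return der(SEQUENCE, der(SEQUENCE, tbs))


if __name__ == "__main__":
    # Usage: openssl x509 -in pi.pem -outform DER | python3 check_x509_time.py
    for name, tag, when, ok in check_validity(sys.stdin.buffer.read()):
        kind = "UTCTime" if tag == UTCTIME else "GeneralizedTime"
        print(f"{name}: {when} as {kind}: {'ok' if ok else 'NOT RFC 5280'}")
```

Run it against the DER form of the certificate (`openssl x509 -in pi.pem -outform DER | python3 check_x509_time.py`) to see the tag each time carries; the ASN.1 dump from `openssl asn1parse -in pi.pem` shows the same thing as UTCTIME versus GENERALIZEDTIME entries.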




Re: No login prompt on console ttyC0 after boot when using "set tty com0"

2022-07-24 Thread Ted Wynnychenko
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Andrew Daugherity
> >
> > Hello
> > I was wondering if there is anything I could do to help figure this out.
> > I do not have the requisite knowledge to even begin to understand why the
> > kernel does not configure the vga output when boot.conf redirects to com0.
> 
> Look for a "redirection after boot" setting in your BIOS and try
> disabling that.  The behavior you've described of both physical and
> serial consoles working at the boot prompt _without_ 'set tty com0'
> seems to indicate the BIOS is still handling redirection from
> keyboard/video to serial, and my guess is that when OpenBSD
> initializes the port for a serial console, it causes something in the
> BIOS-linked local keyboard/vga to go wonky (wsdisplay at vga1 not
> configured).

Thanks for the suggestion.  The BIOS does, in fact, redirect output to both the 
local console and a serial console at startup.  This makes the BIOS 
configuration available on the serial console and the local monitor.

After the BIOS screen, if "set tty com0" is _not_ included, then the boot dmesg 
is displayed on the local monitor, the serial goes silent, and at the end of 
openBSD boot, a login prompt is available on both serial console and local 
monitor.

If "set tty com0" is _set_, then, after the BIOS page shows on both the serial 
console and local monitor, the boot dmesg scrolls on the serial console, and 
then login prompt is available on the serial console.  The local monitor shows 
the openBSD boot "redirecting" message, and then nothing more.  At the end of 
boot, there is _no_ login prompt on the local monitor.

If I _disable_ the BIOS serial redirection feature, but keep "set tty com0" 
_set_, I see the following:
- the local monitor shows:  BIOS screen, openBSD start text ending with 
"redirecting to...", and that is all.  No login prompt at the end of boot
- the serial console shows:  _no_ BIOS screen, then the openBSD boot and dmesg 
information, and ends with a login prompt

The only change which, apparently, disables the configuration of ttyC0 
during/after boot is setting "set tty com0" in boot.conf.

However, the local monitor is alive, since it gets the BIOS information and the 
initial openBSD boot message, which suggests that the BIOS is correctly 
recognizing the monitor/output early in the boot, but then openBSD is unable to 
configure it later.

Again, the only change that seems to make a difference is setting "set tty 
com0" or not.  The console redirection option in the BIOS for the pre-boot/BIOS 
information does not affect this.


> 
> Note that in UEFI mode, "wsdisplay at vga1 not configured" would be
> expected, as efifb takes over:
> 
> $ dmesg|egrep 'wsdisplay|fb|vga|com[0-9]'
> vga1 at pci7 dev 0 function 0 "Matrox MGA G200eR" rev 0x01
> wsdisplay at vga1 not configured
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> com1: console
> efifb0 at mainbus0: 1280x1024, 32bpp
> wsdisplay0 at efifb0 mux 1
> wsdisplay0: screen 0-5 added (std, vt100 emulation)
> 
> You might give UEFI mode a try, to see if efifb works better than the
> vga console.  Redirection after boot is probably the more important
> setting though.
> 

The system is installed on one full disk openBSD partition.  I believe (not 
100% sure) that changing to UEFI would require a small EFI partition (which 
would mean changing the fdisk partition and disklabel without destroying the 
software RAID), which is not a challenge I can take on right now.  But, I will 
keep it in mind.


> Note that the login prompt appearing on a console (spawning a getty as
> configured in /etc/ttys) and the bootloader/kernel console device are
> independent settings.
> 

Yes, which is my confusion.  Both the serial console (tty00) and the local 
terminal (ttyC0) are set in ttys:

head -n 20 /etc/ttys
#
#   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
#
# name  getty   type    status  comments
#
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
...
ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
tty00   "/usr/libexec/getty autologin"  vt220on secure
tty01   "/usr/libexec/getty std.9600"   unknown off

(Note, the "autologin" type for getty is an addition in my gettytab which 
allows getty to spawn a login prompt that does not require the long, complex 
password to login when at the serial console.)
 

> -Andrew

Thanks
Ted





Re: No login prompt on console ttyC0 after boot when using "set tty com0"

2022-06-29 Thread Ted Wynnychenko
Hello
I was wondering if there is anything I could do to help figure this out.
I do not have the requisite knowledge to even begin to understand why the
kernel does not configure the vga output when boot.conf redirects to com0.
Not trying to be a bother.
Thanks
Ted


> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Ted Wynnychenko
> Sent: Monday, June 27, 2022 8:55 AM
> To: 'Stuart Henderson'; misc@openbsd.org
> Subject: Re: No login prompt on console ttyC0 after boot when using "set tty com0"
> 
> 
> 
> > -Original Message-
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stuart Henderson
> > Sent: Saturday, June 25, 2022 6:21 AM
> 
> > On 2022-06-24, Ted Wynnychenko  wrote:
> > > Hello
> 
> > > When there is a boot.conf file present in /etc with only the following:
> > >> stty com0 115200
> > >
> >
> > So in this case the serial output during boot is only coming from a
> > serial-port redirector in the bios, the "stty com0 115200" probably
> > doesn't change anything, and the serial output in multiuser is via
> > init / /etc/ttys
> >
> > > Now, if I change boot.conf to direct output to the serial terminal with:
> > >> stty com0 115200
> > >> set tty com0
> > >
> > So far that is expected, OpenBSD doesn't support dual serial+glass console
> >
> > > Then, the three wsconsctl error messages appear, and it ends with a login
> > > prompt on the serial console (tty0) ONLY.
> > >
> > > The screen and keyboard for ttyC0 are dead.  There is no login prompt, and
> > > the keyboard is not functional.
> >
> > Assuming ttys is setup to run a login on ttyC0 that is not expected
> >
> >
> > Can you try kernels between known-good and known-bad (or maybe you have
> > something in /var/log/messages*gz) and look for when this started
> > appearing?
> >
> 
> Unfortunately, I have not checked the ttyC0 display in a long time.
> When I was updating to current, I also did not specifically check for a
> login prompt on ttyC0 BEFORE the update to current.
> However, I think that I did notice that there was no login prompt when I
> plugged in the display, just before it switched to the bios pages.
> My last update was in July 2021.
> 
> > A diff of dmesg between serial and non-serial boots might give some clues
> >
> > This maybe implicated:
> >
> > >> vga1 at pci3 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
> > >> wsdisplay at vga1 not configured
> >
> 
> I booted in three configurations.
> With the boot.conf NOT including "set tty com0" AND a monitor and keyboard
> attached, dmesg shows:
> 109,110c110
> < wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> < wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> 136c136
> < wskbd0 at pckbd0: console keyboard, using wsdisplay0
> 148d147
> < wskbd1: connecting to wsdisplay0
> 153d151
> < wskbd2: connecting to wsdisplay0
> 
> With boot.conf including "set tty com0" AND a monitor and keyboard attached,
> dmesg shows:
> 62a63
> > com0: console
> 109,110c110
> > wsdisplay at vga1 not configured
> 136c136
> > wskbd0 at pckbd0 mux 1
> 
> When boot.conf including "set tty com0" and without a monitor or keyboard,
> the dmesg is the same as the "serial" dmesg with them connected, except for
> missing information about the keyboard:
> 144,152d143
> < uhidev0 at uhub3 port 1 configuration 1 interface 0 "Primax Electronics USB Keyboard" rev 2.00/1.00 addr 3
> < uhidev0: iclass 3/1
> < ukbd0 at uhidev0: 8 variable keys, 6 key codes
> < wskbd1 at ukbd0 mux 1
> < uhidev1 at uhub3 port 1 configuration 1 interface 1 "Primax Electronics USB Keyboard" rev 2.00/1.00 addr 3
> < uhidev1: iclass 3/0, 2 report ids
> < ucc0 at uhidev1 reportid 1: 24 usages, 13 keys, enum
> < wskbd2 at ucc0 mux 1
> < uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
> 
> 
> I don't know what this means.  It seems that when boot.conf redirects to the
> com0 console, the vga connection does not get configured by OpenBSD on boot.
> That would explain why no login prompt is presented there later by init,
> even though the terminal is defined in ttys.
> 
> Although it has been a few years, I feel certain that a login prompt was
> displayed on b

Re: No login prompt on console ttyC0 after boot when using "set tty com0"

2022-06-27 Thread Ted Wynnychenko



> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stuart Henderson
> Sent: Saturday, June 25, 2022 6:21 AM

> On 2022-06-24, Ted Wynnychenko  wrote:
> > Hello

> > When there is a boot.conf file present in /etc with only the following:
> >> stty com0 115200
> >
> 
> So in this case the serial output during boot is only coming from a
> serial-port redirector in the bios, the "stty com0 115200" probably
> doesn't change anything, and the serial output in multiuser is via
> init / /etc/ttys
> 
> > Now, if I change boot.conf to direct output to the serial terminal with:
> >> stty com0 115200
> >> set tty com0
> >
> So far that is expected, OpenBSD doesn't support dual serial+glass console
> 
> > Then, the three wsconsctl error messages appear, and it ends with a login
> > prompt on the serial console (tty0) ONLY.
> >
> > The screen and keyboard for ttyC0 are dead.  There is no login prompt, and
> > the keyboard is not functional.
> 
> Assuming ttys is setup to run a login on ttyC0 that is not expected
> 
> 
> Can you try kernels between known-good and known-bad (or maybe you have
> something in /var/log/messages*gz) and look for when this started
> appearing?
> 

Unfortunately, I have not checked the ttyC0 display in a long time.
When I was updating to current, I also did not specifically check for a
login prompt on ttyC0 BEFORE the update to current.
However, I think that I did notice that there was no login prompt when I
plugged in the display, just before it switched to the bios pages.
My last update was in July 2021.

> A diff of dmesg between serial and non-serial boots might give some clues
> 
> This maybe implicated:
> 
> >> vga1 at pci3 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
> >> wsdisplay at vga1 not configured
> 

I booted in three configurations.
With the boot.conf NOT including "set tty com0" AND a monitor and keyboard
attached, dmesg shows:
109,110c110
< wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
< wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
136c136
< wskbd0 at pckbd0: console keyboard, using wsdisplay0
148d147
< wskbd1: connecting to wsdisplay0
153d151
< wskbd2: connecting to wsdisplay0

With boot.conf including "set tty com0" AND a monitor and keyboard attached,
dmesg shows:
62a63
> com0: console
109,110c110
> wsdisplay at vga1 not configured
136c136
> wskbd0 at pckbd0 mux 1

When boot.conf including "set tty com0" and without a monitor or keyboard,
the dmesg is the same as the "serial" dmesg with them connected, except for
missing information about the keyboard:
144,152d143
< uhidev0 at uhub3 port 1 configuration 1 interface 0 "Primax Electronics
USB Keyboard" rev 2.00/1.00 addr 3
< uhidev0: iclass 3/1
< ukbd0 at uhidev0: 8 variable keys, 6 key codes
< wskbd1 at ukbd0 mux 1
< uhidev1 at uhub3 port 1 configuration 1 interface 1 "Primax Electronics
USB Keyboard" rev 2.00/1.00 addr 3
< uhidev1: iclass 3/0, 2 report ids
< ucc0 at uhidev1 reportid 1: 24 usages, 13 keys, enum
< wskbd2 at ucc0 mux 1
< uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0


I don't know what this means.  It seems that when boot.conf redirects to the
com0 console, the vga connection does not get configured by OpenBSD on boot.
That would explain why no login prompt is presented there later by init,
even though the terminal is defined in ttys.

Although it has been a few years, I feel certain that a login prompt was
displayed on both the serial line and ttyC0 when I originally redirected
output with "set tty com0" in boot.conf.
I am pretty sure my detail orientated personality would have immediately
flagged the discrepancy from what was documented if it had not, and I would
have brought up the issue way back then.

Thanks
Ted


> 
> 
> >> -Original Message-
> >> From: Ted Wynnychenko
> >> Sent: Thursday, June 23, 2022 5:19 PM
> >> To: misc@openbsd.org
> >> Subject: No login prompt on console ttyC0 after boot
> >>
> >> Hello
> >>
> >> I have been following current since 5.6, and had been pretty good about
> >> updates until this last year (issues not related).
> >>
> >> Anyway, I asked about updating, found some suggestions that it would work,
> >> and decided to blaze ahead.  And, it basically worked.
> >> I have a few things to clean up, but overall the update to current from my
> >> last update in July 2021 went well.
> >>
> >> However, in planning for this, I decided to 

Re: No login prompt on console ttyC0 after boot when using "set tty com0"

2022-06-24 Thread Ted Wynnychenko
Hello
I am leaving the original message intact below.

I did some experimenting, and have found the following.

When there is a boot.conf file present in /etc with only the following:
> stty com0 115200

Then, the system will boot.  At the INITIAL boot prompt, EITHER tty0 or ttyC0
will accept input (for example, a simple "enter" to skip the timeout), and
will start the boot process.

At that point, the serial terminal goes quiet, and boot messages are
displayed on the ttyC0 monitor.
At the end, a login prompt appears on BOTH the serial terminal, and on the
ttyC0 display, and either can be used to login and access the system.

Also, there are no wsconsctl errors generated, and the ttyC0 screen blanks
after the appropriate time.

Now, if I change boot.conf to direct output to the serial terminal with:
> stty com0 115200
> set tty com0

Now, when the system boots, at the INITIAL boot prompt, ONLY the serial
console (tty0) keyboard input works.  The ttyC0 screen shows a final message
"switching to com0," but it does not accept any keyboard input.  The serial
console still works, and the boot messages appear on it.

Then, the three wsconsctl error messages appear, and it ends with a login
prompt on the serial console (tty0) ONLY.

The screen and keyboard for ttyC0 are dead.  There is no login prompt, and
the keyboard is not functional.

I can see nothing in the man pages (boot/boot.conf, ttys, termcap, gettytab)
that would explain this.
In addition, when I first installed (at 5.6) both the local terminal (ttyC0)
and the serial terminal (tty0) would present a login prompt.

If there are any ideas about why this is happening, please let me know.
Thanks
Ted


> -----Original Message-----
> From: Ted Wynnychenko
> Sent: Thursday, June 23, 2022 5:19 PM
> To: misc@openbsd.org
> Subject: No login prompt on console ttyC0 after boot
> 
> Hello
> 
> I have been following current since 5.6, and had been pretty good about
> updates until this last year (issues not related).
> 
> Anyway, I asked about updating, found some suggestions that it would work,
> and decided to blaze ahead.  And, it basically worked.
> I have a few things to clean up, but overall the update to current from my
> last update in July 2021 went well.
> 
> However, in planning for this, I decided to hook up a monitor and keyboard
> directly, as I have basically just used a serial console ever since I
> first installed the systems at 5.6.
> 
> Unfortunately, I did not look at the monitor before updating to current
> (OpenBSD 7.1-current (GENERIC.MP) #587: Fri Jun 17 08:49:40 MDT 2022 -
> full DMESG below), but after the update I found that there is no login
> prompt on the monitor (ttyC0), and the keyboard does not do anything (I
> cannot ALT-CTRL-F2 to change to another virtual console).
> 
> I don't know when this happened, since I haven't attached a
> monitor/keyboard in a very long time.
> But, now that I know, I am trying to fix it, but can't seem to understand
> why/how to do so.
> 
> When the machine boots, the monitor and keyboard work, and I can access
> the bios pages and make changes.
> 
> Then, if I allow the boot to start, I get the "switching to com0" message,
> and that's it.
> 
> When the boot is complete, I can access the system using a serial console
> (tty00) or ssh, but the direct monitor shows nothing after "switching to
> com0," and the keyboard does nothing.
> 
> The /etc/boot.conf file correctly routes things to the serial console:
> stty com0 115200
> set tty com0
> 
> I have not changed /etc/ttys in a long time:
> #
> #   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
> #
> # name  getty   type    status  comments
> #
> console "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
> tty00   "/usr/libexec/getty autologin"  vt220on secure
> tty01   "/usr

No login prompt on console ttyC0 after boot

2022-06-23 Thread Ted Wynnychenko
Hello

I have been following current since 5.6, and had been pretty good about
updates until this last year (issues not related).

Anyway, I asked about updating, found some suggestions that it would work,
and decided to blaze ahead.  And, it basically worked.
I have a few things to clean up, but overall the update to current from my
last update in July 2021 went well.

However, in planning for this, I decided to hook up a monitor and keyboard
directly, as I have basically just used a serial console ever since I first
installed the systems at 5.6.

Unfortunately, I did not look at the monitor before updating to current
(OpenBSD 7.1-current (GENERIC.MP) #587: Fri Jun 17 08:49:40 MDT 2022 - full
DMESG below), but after the update I found that there is no login prompt on
the monitor (ttyC0), and the keyboard does not do anything (I cannot
ALT-CTRL-F2 to change to another virtual console).

I don't know when this happened, since I haven't attached a monitor/keyboard
in a very long time.
But, now that I know, I am trying to fix it, but can't seem to understand
why/how to do so.

When the machine boots, the monitor and keyboard work, and I can access the
bios pages and make changes.

Then, if I allow the boot to start, I get the "switching to com0" message,
and that's it.

When the boot is complete, I can access the system using a serial console
(tty00) or ssh, but the direct monitor shows nothing after "switching to
com0," and the keyboard does nothing.

The /etc/boot.conf file correctly routes things to the serial console:
stty com0 115200
set tty com0

I have not changed /etc/ttys in a long time:
#
#   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
#
# name  getty   type    status  comments
#
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
tty00   "/usr/libexec/getty autologin"  vt220on secure
tty01   "/usr/libexec/getty std.9600"   unknown off
tty02   "/usr/libexec/getty std.9600"   unknown off
tty03   "/usr/libexec/getty std.9600"   unknown off
tty04   "/usr/libexec/getty std.9600"   unknown off
tty05   "/usr/libexec/getty std.9600"   unknown off
tty06   "/usr/libexec/getty std.9600"   unknown off
tty07   "/usr/libexec/getty std.9600"   unknown off



I also noticed these errors in DMESG-S:
...
/dev/sd2g (be3bcca0ef32a6bd.g): file system is clean; not checking
wsconsctl: /dev/ttyC0: Device not configured
wsconsctl: /dev/ttyC0: Device not configured
wsconsctl: /dev/ttyC0: Device not configured
pf enabled
...

The wsconsctl.conf file has also not been changed in a long time, and only
had three things enabled:

display.vblank=on   # enable vertical sync blank for screen burner
display.screen_off=6# set screen burner timeout to 60 seconds
display.kbdact=on   # restore on keyboard input

If I comment out the three parameters above, then "Device not configured"
messages disappear, but there is still no login prompt on the ttyC0 monitor,
and the keyboard still does not appear to function (I still cannot change
virtual consoles).

As far as I can tell, there should be a login prompt on ttyC0, but there is
not.
What am I missing?  (Or, what did I miss when following current since 5.6
that may have changed?)

Thanks
Ted




DMESG:

OpenBSD 7.1-current (GENERIC.MP) #587: Fri Jun 17 08:49:40 MDT 2022
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4249260032 (4052MB)
avail mem = 4103114752 (3913MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb5a0 (55 entries)
bios0: vendor American Megatrends Inc. version "2.3a" date 01/06/2021
bios0: Supermicro X9SCL/X9SCM
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT SSDT SSDT SPCR EINJ ERST
HEST BERT
acpi0: wakeup devices UAR1(S4) UAR2(S4) P0P1(S4) USB1(S4) USB2(S4) USB3(S4)
USB4(S4) USB5(S4) USB6(S4) USB7(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4)
RP03(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz, 2800.47 MHz, 06-3a-09
cpu0:
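As an added example (Python; not code from this thread or from OpenBSD), a script that makes the link between the two facts in this post explicit: /etc/ttys turns a getty on for ttyC0, but init can only start one if the kernel attached a device behind it, and the dmesg diffs quoted earlier on this page show that "set tty com0" leaves the card at "wsdisplay at vga1 not configured". The script parses ttys(5) with its quoted getty field, reads the boot dmesg (/var/run/dmesg.boot on OpenBSD), reports which device the kernel chose as console, and lists every enabled ttys entry whose backing device never attached. The tty-name to driver mapping (ttyC* needs wsdisplay0, ttyNN needs comN) is an assumption of the example, and the embedded dmesg and ttys samples are constructed from the lines posted in the thread.

```python
"""Cross-check /etc/ttys against the boot dmesg (added example; not from the
thread).  An entry can be "on" in ttys and still produce no login prompt when
the kernel never attached the device behind it, which is what the thread's
dmesg diff shows for ttyC0 once "set tty com0" moves the console to com0.
The tty-name to dmesg-line mapping below is an assumption of this example."""
import re
import shlex

# Constructed samples, condensed from the dmesg diffs and ttys posted in the thread.
DMESG_GLASS = """\
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
vga1 at pci3 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
"""
DMESG_SERIAL = """\
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
vga1 at pci3 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
wsdisplay at vga1 not configured
wskbd0 at pckbd0 mux 1
"""
TTYS = """\
# name  getty   type    status  comments
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
tty00   "/usr/libexec/getty std.9600"   vt220   on  secure
tty01   "/usr/libexec/getty std.9600"   unknown off
"""


def parse_ttys(text):
    """Return [(name, getty, type, enabled, secure)] for each entry in ttys(5)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, getty, ttype, *flags = shlex.split(line)  # keeps the quoted getty together
        rows.append((name, getty, ttype, "on" in flags, "secure" in flags))
    return rows


def required_attach_line(tty):
    """Assumed mapping: ttyC<n> needs wsdisplay0 attached, tty<NN> needs com<N>."""
    if re.fullmatch(r"ttyC[0-9a-f]", tty):
        return r"^wsdisplay0 at "
    m = re.fullmatch(r"tty(\d\d)", tty)
    if m:
        return rf"^com{int(m.group(1))} at "
    return None          # 'console' and anything else: not checked


def missing_devices(ttys_text, dmesg_text):
    """Names of enabled ttys entries whose backing device never attached."""
    missing = []
    for name, _getty, _type, enabled, _secure in parse_ttys(ttys_text):
        pattern = required_attach_line(name)
        if enabled and pattern and not re.search(pattern, dmesg_text, re.M):
            missing.append(name)
    return missing


def console_device(dmesg_text):
    """Device the kernel picked as console, e.g. 'com0' or 'wsdisplay0'."""
    m = re.search(r"^(com\d+|wsdisplay\d+)\b.*: console(?: \(|$)", dmesg_text, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    # On OpenBSD the boot-time dmesg is saved in /var/run/dmesg.boot.
    ttys = open("/etc/ttys").read()
    dmesg = open("/var/run/dmesg.boot").read()
    print("kernel console:", console_device(dmesg))
    for name in missing_devices(ttys, dmesg):
        print(f"{name}: getty enabled in /etc/ttys but no device attached in dmesg")
```

Against the serial-console sample this reports ttyC0 and ttyC1 as enabled with nothing behind them, which is the same condition that makes init's getty and the three wsconsctl calls fail with "Device not configured"; against the glass-console sample it reports nothing.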

MariaDB in current - fatal error with clients "utf8 is not supported by MySQL"

2021-08-25 Thread Ted Wynnychenko
Hello

Ok, to start with, I am not sure about any of this, but, here goes:

I don't know why this happened just now, since I last updated the system
about 3 weeks ago, but today, I was unable to access data on my home server
via a php web application (horde).

This was working fine this morning, but I then restarted the server, and I
started getting this error:

utf8 is not supported by MySQL (big5, dec8, cp850, hp8, koi8r, latin1,
latin2, swe7, ascii, ujis, sjis, hebrew, tis620, euckr, koi8u, gb2312,
greek, cp1250, gbk, latin5, armscii8, utf8mb3, ucs2, cp866, keybcs2, macce,
macroman, cp852, latin7, utf8mb4, cp1251, utf16, utf16le, cp1256, cp1257,
utf32, binary, geostd8, cp932, eucjpms)

The system is running MariaDB, and when I look at the available character
sets, I see:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 69
Server version: 10.6.4-MariaDB-log OpenBSD port: mariadb-server-10.6.4p1v1

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input
statement.

MariaDB [(none)]> show character set;
+----------+-----------------------------+---------------------+--------+
| Charset  | Description                 | Default collation   | Maxlen |
+----------+-----------------------------+---------------------+--------+
| big5     | Big5 Traditional Chinese    | big5_chinese_ci     |      2 |
| dec8     | DEC West European           | dec8_swedish_ci     |      1 |
| cp850    | DOS West European           | cp850_general_ci    |      1 |
| hp8      | HP West European            | hp8_english_ci      |      1 |
| koi8r    | KOI8-R Relcom Russian       | koi8r_general_ci    |      1 |
| latin1   | cp1252 West European        | latin1_swedish_ci   |      1 |
| latin2   | ISO 8859-2 Central European | latin2_general_ci   |      1 |
| swe7     | 7bit Swedish                | swe7_swedish_ci     |      1 |
| ascii    | US ASCII                    | ascii_general_ci    |      1 |
| ujis     | EUC-JP Japanese             | ujis_japanese_ci    |      3 |
| sjis     | Shift-JIS Japanese          | sjis_japanese_ci    |      2 |
| hebrew   | ISO 8859-8 Hebrew           | hebrew_general_ci   |      1 |
| tis620   | TIS620 Thai                 | tis620_thai_ci      |      1 |
| euckr    | EUC-KR Korean               | euckr_korean_ci     |      2 |
| koi8u    | KOI8-U Ukrainian            | koi8u_general_ci    |      1 |
| gb2312   | GB2312 Simplified Chinese   | gb2312_chinese_ci   |      2 |
| greek    | ISO 8859-7 Greek            | greek_general_ci    |      1 |
| cp1250   | Windows Central European    | cp1250_general_ci   |      1 |
| gbk      | GBK Simplified Chinese      | gbk_chinese_ci      |      2 |
| latin5   | ISO 8859-9 Turkish          | latin5_turkish_ci   |      1 |
| armscii8 | ARMSCII-8 Armenian          | armscii8_general_ci |      1 |
| utf8mb3  | UTF-8 Unicode               | utf8mb3_general_ci  |      3 |
| ucs2     | UCS-2 Unicode               | ucs2_general_ci     |      2 |
| cp866    | DOS Russian                 | cp866_general_ci    |      1 |
| keybcs2  | DOS Kamenicky Czech-Slovak  | keybcs2_general_ci  |      1 |
| macce    | Mac Central European        | macce_general_ci    |      1 |
| macroman | Mac West European           | macroman_general_ci |      1 |
| cp852    | DOS Central European        | cp852_general_ci    |      1 |
| latin7   | ISO 8859-13 Baltic          | latin7_general_ci   |      1 |
| utf8mb4  | UTF-8 Unicode               | utf8mb4_general_ci  |      4 |
| cp1251   | Windows Cyrillic            | cp1251_general_ci   |      1 |
| utf16    | UTF-16 Unicode              | utf16_general_ci    |      4 |
| utf16le  | UTF-16LE Unicode            | utf16le_general_ci  |      4 |
| cp1256   | Windows Arabic              | cp1256_general_ci   |      1 |
| cp1257   | Windows Baltic              | cp1257_general_ci   |      1 |
| utf32    | UTF-32 Unicode              | utf32_general_ci    |      4 |
| binary   | Binary pseudo charset       | binary              |      1 |
| geostd8  | GEOSTD8 Georgian            | geostd8_general_ci  |      1 |
| cp932    | SJIS for Windows Japanese   | cp932_japanese_ci   |      2 |
| eucjpms  | UJIS for Windows Japanese   | eucjpms_japanese_ci |      3 |
+----------+-----------------------------+---------------------+--------+
40 rows in set (0.000 sec)


Well, there is no "utf8" listed, so that explains the error (I think).

But, I don't understand why it is missing.
According to the MariaDB site:
"Until MariaDB 10.5, this was a UTF-8 encoding using one to three bytes per
character. Basic Latin letters, numbers and punctuation use one byte.
European and Middle East letters mostly fit into 2 bytes. Korean, Chinese,
and Japanese ideographs use 3-bytes. No supplementary characters are stored.
From MariaDB 10.6, utf8 is an alias for utf8mb3, but this can be changed to
utf8mb4 by changing the default value of the old_mode

DDclient in current seems to work but ends with "FAILED" and errors

2021-07-21 Thread Ted Wynnychenko
Hello

I updated to the current -current a few days ago.

Since then, I noticed that ddclient (installed from packages - version
3.9.1) started complaining with the message:

WARNING:  found neither ipv4 nor ipv6 address


When I tried running ddclient directly, it seems to work but end with some
error messages, and a final "FAILED" notice:

# /usr/local/sbin/ddclient -force -verbose

CONNECT:  checkip.dyndns.org
CONNECTED:  using HTTP
SENDING:  GET / HTTP/1.0
SENDING:   Host: checkip.dyndns.org
SENDING:   User-Agent: ddclient/3.9.1
SENDING:   Connection: close
SENDING:
SENDING:
RECEIVE:  HTTP/1.1 200 OK
RECEIVE:  Date: Wed, 21 Jul 2021 15:41:49 GMT
RECEIVE:  Content-Type: text/html
RECEIVE:  Content-Length: 103
RECEIVE:  Connection: close
RECEIVE:  Cache-Control: no-cache
RECEIVE:  Pragma: no-cache
RECEIVE:
RECEIVE:  Current IP CheckCurrent IP
Address: xx.xx.xx.xx
INFO: forcing update of host.tld.com.
Use of uninitialized value in concatenation (.) or string at
/usr/local/sbin/ddclient line 2353.
INFO: setting IP address to xx.xx.xx.xx for host.tld.com
UPDATE:   updating host.tld.com
CONNECT:  dynamic.zoneedit.com
CONNECTED:  using SSL
SENDING:  GET /auth/dynamic.html?host=host.tld.com = xx.xx.xx.xx
HTTP/1.0
SENDING:   Host: dynamic.zoneedit.com
SENDING:   Authorization: Basic [key]
SENDING:   User-Agent: ddclient/3.9.1
SENDING:   Connection: close
SENDING:
SENDING:
RECEIVE:  HTTP/1.1 200 OK
RECEIVE:  Date: Wed, 21 Jul 2021 15:41:49 GMT
RECEIVE:  Server: Apache
RECEIVE:  Set-Cookie: PHPSESSID=cookie; path=/
RECEIVE:  Expires: Thu, 19 Nov 1981 08:52:00 GMT
RECEIVE:  Cache-Control: no-store, no-cache, must-revalidate
RECEIVE:  Pragma: no-cache
RECEIVE:  Vary: Accept-Encoding
RECEIVE:  Content-Length: 209
RECEIVE:  Connection: close
RECEIVE:  Content-Type: text/html; charset=UTF-8
RECEIVE:
RECEIVE:  
RECEIVE:  
SUCCESS:  updating host.tld.com: IP address set to xx.xx.xx.xx (201: no
update required for host.tld.com to xx.xx.xx.xx)
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient
line 3319.
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient
line 3320.
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient
line 3321.
Use of uninitialized value $_[0] in sprintf at /usr/local/sbin/ddclient line
1771.
SUCCESS:  updating : IP address set to xx.xx.xx.xx (200: host.tld.com
updated to xx.xx.xx.xx)
FAILED:was not updated because protocol  is not supported.


If I take a copy of the ddclient (version 3.8.3) script from 6.6 stable and
put it in place of the -current version, it works without a problem.

I don't know how to investigate this further, but am happy to help with
direction.

At this point, I am just leaving the older script in place.

Thanks
Ted




Re: SOLVED - Re: Unable to login to courier-imap after update to current

2017-02-20 Thread Ted Wynnychenko
Thanks for the information about the salt with encrypt.
I actually figured that out at some point.
I sent the messages below yesterday, but for some reason they were not posted to
the list.
Thanks
Ted



>
>> Hello
>> I just updated the 2/18 snapshot for amd64 (6.0 GENERIC.MP#178 amd64).
>>
>> After updating, I updated all the packages.
>>
>> Now, I cannot login to imap.
>>
>> I am using postfix, courier-imap, with mysql (mariadb).
>>
>> I recall that when I set this up 2 years ago, I used the command line
>> "encrypt" function to create the password hashes that were inserted in
>> the mysql user table for authentication.
>>
>> Since all my user accounts cannot access imap, I wondered if something
>> had changed in the hashing.  So, I used "encrypt" on the password, and
>> got a different hash than I did originally.
>>
>> for example, last year the hash (of one password) started with
>> "$2b$08$GbrcrMOiXb..." and now it starts with "$2b$10$9xJ8rv1D..."
>>
>> I tried changing the hash in the database, restarting mysql, courier
>> (imap, authd), postfix; but am unable to login to imap.
>>
>> I keep getting login failures.
>>
>> Any help would be really appreciated.
>>
>> Thanks
>> Ted
>
> I am responding to my own message.
>
> I still cannot authenticate to courier-imap.
>
> I have found this in /var/log/maillog:
>
> authdaemond: marker line not found in /etc/courier/authmysqlrc
> (probably forgot to run sysconftool after an upgrade)
>
> This occurs with each login attempt, and precedes each "LOGIN FAILED"
> line, such as:
>
> imapd-ssl: LOGIN FAILED, user=u...@example.com, ip=[::ffff:172.xx.x.xx]
>
> I found that something called sysconftool exists at:
> /usr/local/libexec/courier-authlib/sysconftool
>
> But running it as root (#
> /usr/local/libexec/courier-authlib/sysconftool), and then restarting
> courier_authdaemond, courier_imap, and courier_imap_ssl (in that
> order), does not resolve the login failures or the message in maillog.
>
> As I said, any pointers on how I can fix this would be welcome.
> At this point, I don't think the login failure has anything to do with
> encrypt (as I implied in my original message).
>
> Thanks again
> Ted

Ok, sorry for bothering the list, but the loss of email access bugged  
me, and I did not know what to do.

But now, 3 hours later, I have gotten imap working again.  Whether or
not I "fixed" the problem, I don't know.

But, it seems, in the most recent package update of courier-imap,  
something is missing.

I basically added:
---
##NAME: MARKER:0
#
# Do not remove this section from this configuration file. This section
# must be present at the end of this file.
---
to the end of /etc/courier/authmysqlrc and restarted courier, and I  
can now login again.

I mention this in case it may be of help to another.

Thanks
Ted



FW: smtpd dies on current

2016-11-11 Thread Ted Wynnychenko
I tried sending this to bugs@, but it does not seem to have been accepted.
So, I decided to send it to misc@.
I hope that's ok.

-Original Message-
Sent: Friday, November 11, 2016 8:44 AM
To: 'b...@openbsd.org'
Subject: smtpd dies on current

Hello
I updated current a few days ago.
At that point, I noticed that no mail was going out.
Looking at /var/log/maillog, I saw that smtpd was dying with a fatal error
immediately on startup.

I just updated again to the new snapshot.
Same problem.
I hope this is the right place to send this, and that I have included enough
information.
I can't directly use sendbug, since the system can't send the mail out...

But, from sendbug:

>Synopsis:  sendmail dies on startup with fatal error
>Category:  
>Environment:
System  : OpenBSD 6.0
Details : OpenBSD 6.0-current (GENERIC.MP) #0: Thu Nov 10 22:14:46 MST 2016
          dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Architecture: OpenBSD.amd64
Machine : amd64
>Description:
When booting up, or starting smtpd manually, the daemon dies with a fatal
error.
From /var/log/maillog:

Nov 11 08:24:21 system smtpd[31422]: info: OpenSMTPD 6.0.0 starting
Nov 11 08:24:22 system smtpd[17404]: ab291948ab3ce73f mta event=connecting
address=tls://96.114.157.81:587 host=omta-po.sys.comcast.net
Nov 11 08:24:22 system smtpd[17404]: ab291948ab3ce73f mta event=connected
Nov 11 08:24:22 system smtpd[17404]: ab291949645ed964 smtp event=connected
address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab29194ca0da4904 smtp event=connected
address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab2919546f1001e9 smtp event=connected
address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab2919563f86cc18 smtp event=connected
address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab291949645ed964 smtp event=message
address=local host=system.domain.com msgid=3dc96514
from= to= size=8083 ndest=1
proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab29194ca0da4904 smtp event=message
address=local host=system.domain.com msgid=791261cf
from= to= size=704 ndest=1
proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab291949645ed964 smtp event=closed
address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab29194ca0da4904 smtp event=closed
address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab291967e3dfd3fa smtp event=connected
address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab2919546f1001e9 smtp event=message
address=local host=system.domain.com msgid=c62f2f22
from= to= size=95641 ndest=1
proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab2919546f1001e9 smtp event=closed
address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab2919563f86cc18 smtp event=message
address=local host=system.domain.com msgid=3ac75830
from= to= size=65992 ndest=1
proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab2919563f86cc18 smtp event=closed
address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab291967e3dfd3fa smtp event=message
address=local host=system.domain.com msgid=16b1e1ba
from= to= size=95641 ndest=1
proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab291967e3dfd3fa smtp event=closed
address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab29197127bb2edb smtp event=connected
address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab29197127bb2edb smtp event=message
address=local host=system.domain.com msgid=b605e6ae
from= to= size=8326 ndest=1
proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab29197127bb2edb smtp event=closed
address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab2919791af498ee smtp event=connected
address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab2919791af498ee smtp event=message
address=local host=system.domain.com msgid=6bd27110
from= to= size=8083 ndest=1
proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab2919791af498ee smtp event=closed
address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab291981a25b9195 smtp event=connected
address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab291981a25b9195 smtp event=message
address=local host=system.domain.com msgid=d75b3657
from= to= size=541 ndest=1
proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab291981a25b9195 smtp event=closed
address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system 

iked - how to keep traffic outside the tunnel?

2016-10-15 Thread Ted Wynnychenko
Hello
I recently moved from ipsec/npppd to ikev2.

Making the change went easily enough.

However, there is something that I can't seem to figure out.

I am using ikev2/ipsec to create a tunnel between two networks.  Each network
faces the internet through an OpenBSD gateway which gets its public IP via DHCP.


Local Net    -->  IPSEC GW                  -->  Internet  <--  IPSEC GW                  <--  Remote Net
10.3.0.0/16       10.3.0.20 (int)                               192.168.0.1 (int)              192.168.0.0/24
                  73.208.x.x (public DHCP)                      99.23.x.x (public DHCP)


The iked.conf file on each end is relatively simple.
The "local" end:

ikev2 "static_vpn" quick passive ipcomp esp from 10.3.0.0/16 to 192.168.0.0/24
peer 99.23.x.x srcid local.domain.com dstid remote.domain.com

And, on the "remote" end:

ikev2 "static_vpn" active ipcomp esp from 192.168.0.0/24 to 10.3.0.0/16 peer
73.208.x.x srcid remote.domain.com dstid local.domain.com

This works without an issue.  The tunnel is created, and all traffic gets
forwarded from the two networks as expected.

I can also contact (ssh) the "remote" IPSEC GW from a client on the "local" net
via the tunnel (i.e. using 192.168.0.1 as the destination).

But, if I try to connect to the "remote" IPSEC GW using its public IP
(99.23.x.x) from a client on the "local" net, there is no connection.

If I take the tunnel down, then I can connect (ssh) to the public IP of the
remote IPSEC GW again.

But, I don't understand why the traffic destined for the public IP of the remote
IPSEC GW is (apparently??) being intercepted by iked.

The way I read the man page, I was under the impression that only traffic for
"192.168.0.0/24" would be encapsulated in the tunnel (using the rules above);
and that traffic destined for the public IP of the "peer" would be ignored by
iked.

Is there something I am missing?

Thanks



Re: Using isc-dhcp-client as alternate dhclient - Alias working (I think)

2016-10-13 Thread Ted Wynnychenko
Hello

I am responding to my original question.
I have been able to get isc-dhcp-client to work assigning an alias on the dhcp
interface.
In case this is of value to anyone, here is how I did it.

Obviously, I added isc-dhcp-client from packages.

I then created a new configuration file I called "isc-dhclient.conf"

In it, following the isc dhclient.conf man page, I added an "alias" section,
e.g.:

alias {
interface "em0";
fixed-address 10.0.0.0;
option subnet-mask 255.255.255.0;
}

Now, it seems, the isc dhclient modifies things on the system by calling
"dhclient-script" and passing it information as environment variables.  I
realized that the reason alias information wasn't being assigned was because the
"out-of-the-box" script included with the package completely ignores any alias
information sent to it.

So, I added two functions, and called them at (I think) the appropriate places,
to a new file dhclient-script-alias.
---
# diff /usr/local/sbin/dhclient-script /usr/local/sbin/dhclient-script-alias
23a24,36
> add_new_alias() {
>   if [ -n "$alias_ip_address" ]; then
>   ifconfig $interface inet alias $alias_ip_address netmask \
>   $alias_subnet_mask
>   fi
> }
>
> delete_old_alias() {
>   if [ -n "$alias_ip_address" ]; then
>   ifconfig $interface inet $alias_ip_address delete > /dev/null
2>&1
>   fi
> }
>
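Review bot: add_new_alias guards only $alias_ip_address but also expands $alias_subnet_mask into the ifconfig call; if the `alias { }` block in isc-dhclient.conf carries no `option subnet-mask`, ifconfig is run with a trailing `netmask` and no value and the alias is never configured. Test both variables (`[ -n "$alias_ip_address" ] && [ -n "$alias_subnet_mask" ]`) and quote the expansions in the ifconfig lines the way the tests already do. In delete_old_alias the `2>&1` sitting on its own line is mail wrapping of the `ifconfig ... delete > /dev/null` line above it; anyone applying this diff by hand needs to rejoin them, otherwise the shell sees an empty command with a redirection and the delete's error output is no longer silenced.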
186a200,203
>   if [ "$old_ip_address" != "$alias_ip_address" ]; then
>   delete_old_alias
>   fi
>
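Review bot: this hunk (`186a200,203`) and the ones after it are anchored at bare line numbers in a normal-format diff, so nothing shows which `$reason` branch of dhclient-script (BOUND/RENEW/REBIND/REBOOT, EXPIRE/FAIL/RELEASE/STOP, TIMEOUT) the `delete_old_alias` call is inserted into; regenerating it with `diff -u` would make the surrounding branch visible so a reader can confirm the placement. The `!=` test itself is only meaningful when the old lease address and the alias coincide; when $alias_ip_address is unset the comparison succeeds and delete_old_alias is called but is a no-op thanks to its own guard, which deserves a one-line comment.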
198a216,218
>   if [ "$new_ip_address" != "$alias_ip_address" ]; then
>   add_new_alias
>   fi
216a237
>   delete_old_alias
237a259
>   delete_old_alias
---

Went back and added a "script" line to the isc-dhclient.conf file, as:

script "/usr/local/sbin/dhclient-script-alias";

Then modified /etc/hostname.em0 to run the isc dhclient.  But, before starting
the client, the interface needs to be brought up.  This resulted in:

# cat hostname.em0
! ifconfig em0 up
! /usr/local/sbin/dhclient -4 -cf /etc/isc-dhclient.conf -pf
/var/db/dhclient.pid em0

(I "know" - well, actually, "think" - that I could just use "up" for the first
line, but I did it this way.)

I also specified the /var/db location for the pid file, as the default location
(/var/run) for the pid file did not seem to work when starting the client during
boot (I don't know exactly why, but there was no "dhclient.pid" file present in
/var/run after boot, although it is created when starting the isc dhclient
manually on a running system).

Finally, I deleted a /etc/mygate file that was hanging around on the system.  (I
couldn't figure out why the default route was not being set correctly, but
eventually realized that removing the "dhcp" line from the hostname file told
netstart to stop ignoring the mygate file that was present, and so netstart
would reset the default route after the isc dhclient had set it correctly.)

So, I don't know if this will be of help to anyone.  I don't even know if this is
a sane way to do this.

But, I did come across a question or two about alias addresses with dhcp on
openbsd in the relatively recent past, so...

Ted

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which 
had a name of smime.p7s]



Re: Creating https certificates dynamically for redirected/blocked requests

2016-06-14 Thread Ted Wynnychenko
>From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
>Stuart Henderson
>Sent: Tuesday, June 14, 2016 12:31 PM
>
>On 2016-06-14, Ted Wynnychenko <ted@comcast.net> wrote:
>> This really isn't a big deal; but as more sites have started using https, and
>> as tools such as relayd and squid (and others?) have developed ways to "inject"
>> https certificates on the fly, I am wondering if there is a way to create
>> https certificates based solely on the requested URL in a connection attempt
>> using an internal CA to avoid the certificate errors with blocked HTTPS
>> connections?
>
>How are you identifying connections to block?

I block connections based on a list from malwaredomains.com.  A script runs
nightly that downloads the list/changes, creates zone files, and reloads
unbound/nsd.  The "blocked" zone files point those domains at an internal
(10.0.x.x) IP address.

-

>From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
>Christopher Ahrens
>Sent: Tuesday, June 14, 2016 1:11 PM
>
>If all your internal clients trust a CA you control, just have it issue
>a certificate with a common name of * and install that cert onto your
>webserver.  It's how we do MitM virus scanning at my day job.

I had tried this, but it did not seem to work.

I tried again and created a certificate with CN of * without success.

Then added a number of combinations of alternative names:  DNS:*, DNS:*.*,
DNS:*.*.* --- etc

None of these certificates are acceptable to either Firefox, IE, or Safari.

Firefox complains with error: SSL_ERROR_BAD_CERT_DOMAIN
"The certificate is only valid for the following names: *, *.*, *.*.*, *.*.*.*,
*.*.*.*.*"
(this is just the most recent example, same error with no and other SAN's)

From my looking, it appears that a certificate is only accepted by browsers
with "one level" of domain wildcard present; so I am not sure how to get a
certificate with a common name of * to be accepted for any/every domain.

Am I missing something?
Thanks

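As an added example (not code from this thread), here is the hostname-matching rule the browsers named above apply to the names in a certificate, written in Python: RFC 6125's rule that a wildcard is honoured only as the whole leftmost label and matches exactly one label, plus the check browsers add that at least two labels must follow the wildcard (some also consult the public-suffix list). Run against the SAN list quoted from the Firefox error it finds no acceptable name, which is what SSL_ERROR_BAD_CERT_DOMAIN reports; the function names and the blocked-site hostname are constructed for this example.

```python
"""Hostname matching as browsers apply it to the names in a TLS certificate.

Added example, not code from the thread. Function names and the sample
hostnames are assumptions of this example. Rules implemented:
  * a '*' is honoured only when it is the entire leftmost label;
  * at least two labels must follow it ('*', '*.*', '*.com' match nothing);
  * the wildcard matches exactly one label, never zero or several;
  * comparison is case-insensitive; IP-address hosts never match wildcards.
"""
import ipaddress


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def _is_ip_literal(host):
    """True when the requested host is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def wildcard_pattern_is_valid(pattern):
    """True only for patterns of the form '*.label.label[.label...]'."""
    labels = _labels(pattern)
    if labels[0] != "*" or len(labels) < 3:
        return False
    # Every remaining label must be non-empty and literal (no further '*').
    return all(label and "*" not in label for label in labels[1:])


def name_matches(pattern, hostname):
    """Does one certificate name (CN or dNSName SAN) cover this hostname?"""
    if _is_ip_literal(hostname):
        # An IP literal is covered only by an identical address entry.
        return pattern.strip("[]").lower() == hostname.strip("[]").lower()
    if "*" not in pattern:
        return _labels(pattern) == _labels(hostname)
    if not wildcard_pattern_is_valid(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    # Same label count (the wildcard consumes exactly one) and identical suffix.
    return len(p) == len(h) and p[1:] == h[1:]


def certificate_covers(names, hostname):
    """Return the first certificate name that covers hostname, else None."""
    for name in names:
        if name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # The SAN list from the Firefox error quoted in the thread.
    wildcards_only = ["*", "*.*", "*.*.*", "*.*.*.*", "*.*.*.*.*"]
    # Constructed name of a site the DNS black hole redirects.
    host = "ads.blocked.example"
    if certificate_covers(wildcards_only, host) is None:
        print("%s: no acceptable name among %s (SSL_ERROR_BAD_CERT_DOMAIN)"
              % (host, wildcards_only))
    # A per-site name (or one-level wildcard) is what browsers will accept.
    print(certificate_covers(["*.blocked.example"], host))
```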



Creating https certificates dynamically for redirected/blocked requests

2016-06-14 Thread Ted Wynnychenko
Hello

For many years now I have been using a DNS black hole setup to stop http/https
connections to blocked websites (well, any connection to those sites).  This has
worked well.

Connections with http are routed to an IP on the internal network which returns
a simple "blocked" web page.

Connections with https come back to the browser complaining of a certificate
error (clearly, the HTTPS certificate of the web-server at the redirected IP
does not have a valid certificate for any blocked site).

This really isn't a big deal; but as more sites have started using https, and as
tools such as relayd and squid (and others?) have developed ways to "inject"
https certificates on the fly, I am wondering if there is a way to create https
certificates based solely on the requested URL in a connection attempt using an
internal CA to avoid the certificate errors with blocked HTTPS connections?

In other words, rather than having an "SSL-MITM" setup, where the proxy goes out
and connects to the ultimate destination before responding to the client with a
forged certificate; all I want is for the "proxy" to generate a certificate for
the requested URL signed by a locally trusted CA, before returning a static
"blocked" webpage.

This (to me) seems simpler than what has already been accomplished with relayd.

I have been looking at relayd, and I don't think it will do what I want (or, at
least, I can't figure it out).  I also have been unable to find anything else
that will help me with this.

Are there any tools available to do what I am looking for?  Or, is there a way
to setup relayd to accomplish this?

Thanks




Trying to get squid with ssl bump working

2016-01-29 Thread Ted Wynnychenko
Hello
I posted my question to the squid-users mailing list a week ago, and have had no
reply.
I decided to try here as well.
Basically, I can get squid 3.5.13 to work for http in current (a bit "older"
current), but HTTPS connections do not work (time out).

Here is an updated version of my email to squid-users.  If anyone has any
insight, that would be great.



I have been trying to get this working for a week or two without success.

Trying to setup Squid with https inspection as an explicit proxy.

On OpenBSD current (# uname -srv -> OpenBSD 5.9 GENERIC.MP#1783)

Running squid from packages (# pkg_info | grep squid -> squid-3.5.13)

# squid -v
Squid Cache: Version 3.5.13
Service Name: squid
configure options:  '--disable-strict-error-checking' '--disable-arch-native'
'--enable-shared' '--datadir=/usr/local/share/squid'
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools'
'--enable-follow-x-forwarded-for' '--enable-forw-via-db'
'--enable-http-violations' '--enable-icap-client' '--enable-ipv6'
'--enable-referer-log' '--enable-removal-policies=lru heap' '--enable-ssl'
'--enable-ssl-crtd' '--with-openssl' '--enable-storeio=aufs ufs diskd'
'--with-default-user=_squid' '--with-filedescriptors=8192'
'--with-krb5-config=no' '--with-pidfile=/var/run/squid.pid' '--with-pthreads'
'--with-swapdir=/var/squid/cache' '--disable-pf-transparent'
'--enable-ipfw-transparent' '--enable-external-acl-helpers=LDAP_group
SQL_session file_userip time_quota  unix_group wbinfo_group  LDAP_group
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid'
'--mandir=/usr/local/man' '--infodir=/usr/local/info'
'--localstatedir=/var/squid' '--disable-silent-rules' '--disable-gtk-doc'
'CC=cc' 'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib'
'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'

(as above, compiled with enable-ssl and enable-ssl-crtd)

With a basic squid.conf file:

# cat /etc/squid/squid.conf
-
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl step1 at_step SslBump1

http_access deny !Safe_ports

http_access allow localnet

http_access deny all

http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump peek step1
ssl_bump bump all
always_direct allow all

sslproxy_cafile /etc/ssl/cert.pem
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB
sslcrtd_children 32 startup=5 idle=1

cache_dir ufs /var/squid/cache 5 64 512

coredump_dir /var/squid/cache

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
-

Certificates made per the squid wiki at:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

# cd /etc/squid/ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout
myCA.pem  -out myCA.pem
# ls -lah /etc/squid
drwxr-xr-x   4 root    wheel    512B Jan 24 20:33 .
drwxr-xr-x  35 root    wheel    2.0K Jan 23 16:17 ..
-rw-r--r--   1 root    wheel    692B Jan 17 10:22 cachemgr.conf
-rw-r--r--   1 root    wheel    1.8K Jan 17 10:22 errorpage.css
-rw-r--r--   1 root    wheel   11.8K Jan 17 10:22 mime.conf
-rw-r--r--   1 root    wheel    1.1K Jan 24 21:36 squid.conf
drwx------   2 _squid  _squid   512B Jan 24 18:23 ssl_cert

# ls -lah /etc/squid/ssl_cert
drwx------  2 _squid  _squid   512B Jan 24 18:23 .
drwxr-xr-x  3 root    wheel    512B Jan 24 23:39 ..
-rw-------  1 _squid  _squid   2.9K Jan 24 17:07 myCA.pem

Made a .der version:
# openssl x509 -in myCA.pem -outform DER -out myCA.der

And imported it into the "Authorities" section of Firefox certificate store,
giving it all "trust settings."

ssl_crtd is present and executable:

# ls -lah /usr/local/libexec/squid/ssl_crtd
-r-xr-xr-x  1 root  bin  97.7K Jan 15 16:31 /usr/local/libexec/squid/ssl_crtd

Created dynamic certificate directory structure:

# /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_db
# chown -R _squid._squid /var/squid/ssl_db
# ls -lah /var/squid
drwxrwx--x   5 _squid  _squid   512B Jan 24 23:42 .
drwxr-xr-x  25 root    wheel    512B Jan 19 19:47 ..
drwxrwx--x  66 _squid  _squid   1.0K Jan 24 21:44 cache
drwxrwxr-x   2 _squid  _squid   512B Jan 24 03:00 logs
drwxr-xr-x   3 _squid  _squid   512B Jan 24 23:42 ssl_db

# ls -lah /var/squid/ssl_db
drwxr-xr-x  3 _squid  _squid  

Re: httpd stops accepting connections after a few hours on current

2015-07-08 Thread Ted Wynnychenko
Hello again:

I was hoping someone might have an idea of how I could proceed with the httpd
failure that I am seeing.

As I said, I see nothing in the logs, and the only indication I have that
something is wrong is that httpd stops responding to requests.

At this point, I have added a cronjob of rcctl restart httpd to run every
couple of hours; but, it seems to me that my solution is not something that is
consistent with the quality/stability of OpenBSD.

If anyone has any suggestions on what I can do, or what information might be
helpful in identifying the issue, I would appreciate it.

Thanks

-Original Message-

Hello

On current:
OpenBSD 5.8-beta (GENERIC.MP) #1125: Fri Jul  3 20:54:45 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

System using 2 aliases on one interface:
ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:25:90:de:f8:67
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 10.0.28.129 netmask 0xffffff00 broadcast 10.0.28.255
        inet 10.0.28.130 netmask 0xffffffff
        inet 10.0.28.131 netmask 0xffffffff


HTTPD listening on all three IP's with different content:
cat /etc/httpd.conf

http_ip=10.0.28.129

types {
include /usr/share/misc/mime.types
}

server server1.tldn.com {
listen on $http_ip port 80
connection max requests 100
root /htdocs
directory index index.html
block return 301 https://server1.tldn.com$REQUEST_URI;
}

server server1.tldn.com {
listen on $http_ip tls port 443
tls certificate /etc/ssl/server-129.crt
tls key /etc/ssl/private/server-129.key
connection max requests 100
root /htdocs
directory index index.html
location /cgi-bin/* {
fastcgi
root /
}
}

server server2.tldn.com {
listen on 10.0.28.130 port 80
connection max requests 100
root /htdocs-130
directory index index.html
block return 301 https://server2.tldn.com/default.html;
}

server server2.tldn.com {
listen on 10.0.28.130 tls port 443
tls certificate /etc/ssl/server-130.crt
tls key /etc/ssl/private/server-130.key
connection max requests 100
root /htdocs-130
directory index index.html
}

server server3.tldn.com {
listen on 10.0.28.131 port 80
connection max requests 100
root /htdocs-131
directory index index.html
block return 301 https://server3.tldn.com/index.html;
}

server server3.tldn.com {
listen on 10.0.28.131 tls port 443
tls certificate /etc/ssl/server-131.crt
tls key /etc/ssl/private/server-131.key
connection max requests 100
root /htdocs-131
directory index index.html
}


The httpd daemon starts up without an issue and runs without a problem for a few
hours (I have not actually timed it, but it goes for about 6-8 hours), and then
just stops responding.
This is true on all three of the ip's that it is listening on; and whether or
not the original connection is to port 80 or 443.

The access log show all connections until (I presume) the daemon stops answering
connections.

I have tried combining all the ssl certs into one (with a lot of alternative
names), but that did not make a difference.

A simple rcctl restart httpd brings the server back up for a few hours.

I would be happy to investigate this more, but I don't know where to go.
Similarly, I don't know what other information I could provide to help diagnose
the problem.

Any help would be great.

Thanks - ted




L2TP/IPSEC issue - Any generic pointers would be great

2013-01-15 Thread Ted Wynnychenko
Hello

This may be off topic, since I don't think it's an openbsd issue, but
(honestly) I have run out of ideas about where to go next.

There aren't going to be many specifics, since I don't know what details
or outputs might be useful at this point.

 

Here is my story (oh, this is just a home/personal situation).

 

I have an OpenBSD 5.1 server as a firewall/ipsec server.  This one also is
able to accept L2TP (from my ipad) connections, and is running npppd.

I have a second openbsd 5.1 server as a second firewall/ipsec server.

When I set this up (over a year ago), everything worked great.  The ipsec
endpoints talk to each other, the tunnel comes up like magic, and I am able
to backup data at a remote location without even thinking about it.

At the same time, I got npppd working, and was able to connect with my ipad
when I wasn't at home to access stuff that I wanted to.  I don't need to
do this often.

Well, 4-6 months ago, everything was good.  The static IPSEC tunnel was
working, and I could connect with the ipad.

About 3 weeks ago I wanted to connect with the ipad and L2TP and no joy
(server not responding, the ipad says).


And here is where I start getting lost.

First, during this entire time, the static IPSEC tunnel has been rock
stable (with the occasional dropout because my internet service provider
drops my connection at one end or the other, but the static tunnel always
comes back up when the connection is restored - maybe 5 or 10 minutes a day,
usually at night).

When trying to connect with the ipad, most ( 95%) of the time, the
connection is unsuccessful.  But, occasionally, the ipad connects.  NO
changes to configuration of the openbsd server, or changes to configuration
of the ipad.  It just happens.  This may last for 3 minutes, or 5 minutes,
or 7 minutes; but then it's gone.


During these connections, the tablet may or may not be able to access
something on the internal/protected network.  I have not seen a pattern so
far, given the infrequent and limited connection opportunities.

But, (to repeat) the static IPSEC tunnel is up the whole time.

So, I tried this with a second ipad - same thing - most of the time it does
not work; rarely, it works for a few minutes.

I tried with an old laptop I have - using L2TP/IPSEC to establish a VPN; no
success - I only tried with the laptop a dozen or so times, however.

I tried from different locations, in different states, and different cities;
same issue, most of the time no, rarely yes (Oh, by the way, almost all of
these locations had been used in the past - prior to 6 months ago, and the
ipad connected fine).

Now, if I am at home, and try to connect to the now local IPSEC/L2TP
server (from its internal interface) with the tablet, everything works fine,
every time.  Also, I can reliably access the network, and the network sees
the traffic as coming from the L2TP server, and the associated VPN IP
address.

So, I used my meager knowledge to explore this issue - and here is where I
REALLY get lost.

Using tcpdump, I watch the L2TP/IPSEC server's external interface (so, I am
looking at traffic before it hits PF or anything else - right?).   Well,
when the connections fail, there is NO traffic from the tablet getting to
the external interface.   At the same time, I can ssh into the server, and I
can see that traffic using tcpdump fine (connecting from the same
location/IP address that the ipad is trying to connect).

On those rare occasions when the ipad is able to connect, I see packets
coming in on the external interface for isakmpd, and then the established
tunnel.

During all of this, the static IPSEC tunnel is up and working.

I have no idea where to go with this, or what to try.

I feel like this is not related to the openbsd server, since when the tablet
fails to connect, there is no traffic on the external interface.

But, in that case, the failure is upstream (somewhere in the route between
the tablet and the server).  But, why would the other IPSEC tunnel be fine?

If my ISP was filtering traffic, both shouldn't work, right?

The variety of locations that I have tried to connect from and (mostly)
failed, would seem to suggest the problem is near the end of the route
back to the IPSEC/L2TP server, but that makes no sense to me either, since
the static tunnel is rock solid.

I am sorry for the long, rambling email.  I wanted to thoroughly explain my
issue, and since I don't really know what might be important, I
included the whole story.

If this is not an openbsd issue (which (frankly) I don't think it is), sorry
for the noise.

But, if anyone has a friendly (or, for that matter, an unfriendly)
suggestion of what I could try, please let me know.

Thanks.

Bye - ted




L2TP/IPSEC with 4.9 and Ipad - fails to complete

2012-02-10 Thread Ted Wynnychenko
Hello:

I am hoping someone can point me in some sort of direction.
I have been trying to connect an iPad (ios 5.0.1) to an openbsd 4.9 server
using L2TP/IPSEC.

I followed the outline in  /usr/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt,
and was able to get npppd compiled.

I then started isakmpd and updated ipsecctl (sudo ipsecctl -f
/etc/ipsec.conf).

Finally, started npppd:

npppd -d
2012-02-10 15:02:48:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully.
2012-02-10 15:02:48:WARNING: write() failed in in_route0 on RTM_ADD : File exists
2012-02-10 15:02:48:INFO: tun0 Started ip4addr=10.0.3.1
2012-02-10 15:02:48:INFO: pool name=default dyn_pool=[10.0.3.0/25] pool=[10.0.3.0/24]
2012-02-10 15:02:48:INFO: Added 2 routes for new pool addresses
2012-02-10 15:02:48:INFO: Loading pool config successfully.
2012-02-10 15:02:48:INFO: realm name=local(local) Loaded users from='/etc/npppd/npppd-users.csv' successfully.  2 users
2012-02-10 15:02:48:INFO: Listening /var/run/npppd_ctl (npppd_ctl)
2012-02-10 15:02:48:INFO: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]
2012-02-10 15:02:48:INFO: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]
2012-02-10 15:02:48:INFO: pptpd Listening 0.0.0.0:1723/tcp (PPTP PAC) [PPTP]
2012-02-10 15:02:48:INFO: pptpd Listening 0.0.0.0:gre (PPTP PAC)
2012-02-10 15:02:48:INFO: tun0 is using ipcp=default(1 pools).
---

Now, when I try enabling the L2TP/IPSEC VPN on the iPad, I can see that the
IPSEC tunnel is created.

isakmpd -Kv -d
---
150059.011921 Default isakmpd: starting [priv]
150358.338625 Default isakmpd: phase 1 done: initiator id 10.0.222.201, responder id 10.0.28.20, src: 10.0.28.20 dst: 10.0.28.201
150359.377301 Default isakmpd: quick mode done: src: 10.0.28.20 dst: 10.0.28.201
---

And flows get established:

ipsecctl -s all
---
FLOWS:
flow esp in proto udp from 10.0.222.201 port 56701 to 10.0.28.20 port l2tp peer 10.0.28.201 srcid 10.0.28.20/32 dstid 10.0.222.201/32 type use
flow esp out proto udp from 10.0.28.20 port l2tp to 10.0.222.201 port 56701 peer 10.0.28.201 srcid 10.0.28.20/32 dstid 10.0.222.201/32 type require

SAD:
esp transport from 10.0.28.20 to 10.0.28.201 spi 0x06c8118f auth hmac-sha1 enc aes-256
esp transport from 10.0.28.201 to 10.0.28.20 spi 0x55c61855 auth hmac-sha1 enc aes-256
---

And, then, npppd tries to negotiate the L2TP connection, but it fails:

npppd -d (continued)
---
2012-02-10 15:03:59:NOTICE: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=1/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:03:59:INFO: l2tpd ctrl=1 SendSCCRP
2012-02-10 15:04:00:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=2/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:00:INFO: l2tpd ctrl=2 SendSCCRP
2012-02-10 15:04:02:NOTICE: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=3/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:02:INFO: l2tpd ctrl=3 SendSCCRP
2012-02-10 15:04:06:NOTICE: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=4/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:06:INFO: l2tpd ctrl=4 SendSCCRP
2012-02-10 15:04:10:NOTICE: l2tpd ctrl=5 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=5/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:10:INFO: l2tpd ctrl=5 SendSCCRP
2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 logtype=Finished
2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 timeout waiting ack for ctrl packets.
2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 logtype=Finished
2012-02-10 15:04:14:NOTICE: l2tpd ctrl=6 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=6/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:14:INFO: l2tpd ctrl=6 SendSCCRP
2012-02-10 15:04:14:NOTICE: l2tpd ctrl=3 timeout waiting ack for ctrl packets.
2012-02-10 15:04:14:NOTICE: l2tpd ctrl=3 logtype=Finished
2012-02-10 15:04:18:NOTICE: l2tpd ctrl=7 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=7/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:18:INFO: l2tpd ctrl=7 SendSCCRP
2012-02-10 15:04:18:NOTICE: l2tpd ctrl=4 timeout waiting ack for ctrl packets.
2012-02-10 15:04:18:NOTICE: l2tpd ctrl=4 logtype=Finished
2012-02-10 15:04:22:NOTICE: l2tpd ctrl=5 timeout waiting ack for ctrl packets.
2012-02-10 15:04:22:NOTICE: l2tpd ctrl=5 logtype=Finished
2012-02-10 15:04:26:NOTICE: l2tpd ctrl=6 timeout waiting ack for ctrl packets.
2012-02-10 15:04:26:NOTICE: l2tpd ctrl=6 logtype=Finished
2012-02-10 15:04:30:NOTICE: l2tpd ctrl=7 timeout waiting ack for ctrl packets.
2012-02-10 15:04:30:NOTICE: l2tpd ctrl=7 
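
The npppd output in this post has a pattern worth extracting mechanically rather than by eye: every control connection receives an SCCRQ, answers with SCCRP, and then dies on the ack timeout, while the client keeps opening new control connections with a fresh tunnel_id. The script below, an added example that is not part of the original message or of npppd, groups the `l2tpd ctrl=N` lines per control connection and reports how many attempts were made, how many ended with an unacknowledged SCCRP, how long the server waited before giving up, and how the client's retries are spaced. The sample lines are copied from the post (joined back onto single lines); the only message names and texts the parser relies on are the ones visible there, and any other `Recv...` message on a connection is treated as evidence that the peer did hear the reply.

```python
"""Spot L2TP control connections that never get past SCCRQ/SCCRP in an npppd log.

Added example, not code from the original post or from npppd. SAMPLE_LOG is a
constructed copy of the first three control connections from the post.
"""
import re
import sys
from datetime import datetime

SAMPLE_LOG = """\
2012-02-10 15:03:59:NOTICE: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=1/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:03:59:INFO: l2tpd ctrl=1 SendSCCRP
2012-02-10 15:04:00:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=2/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:00:INFO: l2tpd ctrl=2 SendSCCRP
2012-02-10 15:04:02:NOTICE: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=3/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:02:INFO: l2tpd ctrl=3 SendSCCRP
2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 logtype=Finished
2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 timeout waiting ack for ctrl packets.
2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 logtype=Finished
2012-02-10 15:04:14:NOTICE: l2tpd ctrl=3 timeout waiting ack for ctrl packets.
2012-02-10 15:04:14:NOTICE: l2tpd ctrl=3 logtype=Finished
"""

# npppd prefixes each control-connection line with "l2tpd ctrl=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d):(?P<level>\w+): l2tpd ctrl=(?P<ctrl>\d+) (?P<rest>.*)$"
)
MSG_RE = re.compile(r"\b((?:Recv|Send)[A-Z]+)\b")  # RecvSCCRQ, SendSCCRP, ...


def parse_l2tp_ctrl(lines):
    """Group l2tpd lines by control connection.

    Returns {ctrl_id: {"peer": "addr:port/udp" or None,
                       "events": [(datetime, event), ...]}} where event is a
    message name such as RecvSCCRQ/SendSCCRP, "AckTimeout", "Finished" or "Other".
    """
    ctrls = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # pool, realm, pptpd and other lines are not per-connection
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rest = m["rest"]
        c = ctrls.setdefault(int(m["ctrl"]), {"peer": None, "events": []})
        msg = MSG_RE.search(rest)
        if msg:
            event = msg.group(1)
            peer = re.search(r"\bfrom=(\S+)", rest)
            if peer:
                c["peer"] = peer.group(1)
        elif "timeout waiting ack" in rest:
            event = "AckTimeout"
        elif "logtype=Finished" in rest:
            event = "Finished"
        else:
            event = "Other"
        c["events"].append((ts, event))
    return ctrls


def diagnose(ctrls):
    """Summarise handshake outcomes across all control connections.

    A connection counts as an unacknowledged SCCRP when the LNS sent SCCRP,
    later hit the ack timeout, and never received anything after the SCCRQ:
    the client's request reaches the server but the server's reply is not
    getting back (or is discarded), so the SCCCN that would complete the
    handshake never arrives.
    """
    sccrq_times, ack_timeouts, peers = [], [], []
    unacked = 0
    for c in sorted(ctrls.values(), key=lambda c: c["events"][0][0]):
        names = [e for _, e in c["events"]]
        when = {e: t for t, e in c["events"]}  # last occurrence of each event
        if "RecvSCCRQ" in names:
            sccrq_times.append(when["RecvSCCRQ"])
            if c["peer"] and c["peer"] not in peers:
                peers.append(c["peer"])
        heard_back = any(n.startswith("Recv") and n != "RecvSCCRQ" for n in names)
        if "SendSCCRP" in names and "AckTimeout" in names and not heard_back:
            unacked += 1
            ack_timeouts.append((when["AckTimeout"] - when["SendSCCRP"]).total_seconds())
    return {
        "attempts": len(sccrq_times),
        "unacked_sccrp": unacked,
        "peers": peers,
        "ack_timeout_seconds": ack_timeouts,
        "sccrq_gap_seconds": [(b - a).total_seconds() for a, b in zip(sccrq_times, sccrq_times[1:])],
    }


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    report = diagnose(parse_l2tp_ctrl(lines))
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["attempts"] and report["unacked_sccrp"] == report["attempts"]:
        print("every SCCRQ got an SCCRP but none was acknowledged: "
              "check the return path from the server to the client")


if __name__ == "__main__":
    main(sys.argv)
```

On the posted log this reports 7 attempts, 7 unacknowledged SCCRPs, a 12 second wait before each ack timeout and retries spaced 1, 2, 4, 4, 4, 4 seconds apart, which is the client's retransmit schedule, not the server's; the isakmpd and ipsecctl output above shows the inbound flow being used, so the next thing to look at is the outbound direction of the same flow.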

Scannedonly (for samba vfs) make fails - pthread_spinlock_t definition missing(?) in libpthread

2012-01-15 Thread Ted Wynnychenko
Hello:

I was wondering if anyone has tried using scannedonly with samba on openbsd
(4.9).
Scannedonly is a daemon/VFS module for samba that scans files on request
using clamav (description at http://olivier.sessink.nl/scannedonly/ )
The samba version (3.5.6) available with openbsd 4.9 already includes the
VFS module (at /usr/local/lib/samba/vfs/scannedonly.so).
However, when I try to compile the daemon from source, it dies almost
immediately with the error:

scannedonlyd_clamav.c:73: error: expected '=', ',', ';', 'asm' or
'__attribute__' before 'statuslock'

at the statement:

pthread_spinlock_t statuslock;

When I look at the pthread.h header file (which is included in the source),
I cannot find pthread_spinlock_t defined.

It is my understanding that on linux pthread_spinlock_t is defined in
/usr/include/bits/pthreadtypes.h; however, there is no pthreadtypes.h
header file that I can find on openbsd 4.9.

I must admit that this is a bit beyond my current understanding.  I am
wondering if there is some way around this, or if there is something in
ports/packages that can be installed to provide the missing
pthread_spinlock_t definition?  Or, am I just out of luck?

Thanks in advance for any advice.

Bye - ted



snort and pf - pflog vs if

2011-11-13 Thread Ted Wynnychenko
Hello


I am confused about something.  I have recently upgraded from 4.5 to 4.9
(not 5.0 yet).

However, I have openbsd/pf as a firewall to protect a home network.

Now, even though I don't really understand it all, I had/have snort running
on the FW to see what kind of badness passes by.

With 4.5, I had snort listening to pflog0, because I understood that
listening to the interface directly (e.g. bge0) would not work since any
packets dropped by pf would not be seen by snort.

However, when I upgraded to 4.9 and snort 2.9.1.x, I have noticed that snort
appears to see packets that are dropped by pf when it listens on the
interface directly (bge0).

I don't think I ever checked this with openbsd 4.5 (listening on the
interface directly).

So, I was wondering, is this expected?  Should snort see packets dropped by
pf when listening to the interface?
I guess if the answer is no, I will need to check my pf.conf, although
when I scan myself the only port open to the internet is ssh, everything
else is silently dropped (which is as it should be).

Thanks for any clarification.

Bye - ted



Re: Is it possible: IPsec tunnel with no static addresses?

2011-01-02 Thread Ted Wynnychenko
>> Why do you think IPSec needs one fixed-IP endpoint? Certainly, things
>> won't work if both of you change IP addresses before the DNS updates,
>> but you seem to accept that. You can also get a fixed IP for free by
>> contacting one of the IPv6 tunnel brokers. Yes, this will be
>> IPv6-over-IPv4, which has its issues.
>
> I've never seen an example where hostnames are used in place of static
> IP addresses in configuration files.  Is it the case that anywhere I see
> an ip address (filenames, conf file values, etc), I could just as easily
> put in foo.dyndns.org?

I don't consider myself expert at this, but, yes, I think that is the case.
At least for me, it has worked well.  I have an ipsec tunnel set up between
two residential cable internet connections.  Both are DHCP, so there is no
static endpoint.
I use dDNS to keep the endpoint IPs up to date (I do own my own domain, but
I suppose you don't have to).
The tunnel goes down for a few minutes from time to time (I think mostly
because of problems with my internet connections, not so much DNS name
resolution issues), but it has not been an issue for me.
As an example, my ipsec.conf looks something like: (this is openbsd 4.6 -
yes, I know I should update, I'm working on it)
One end:
ike passive esp from 10.0.0.1 to ipsec2.mydomain.com srcid
my.local.crt.com dstid my.remote.crt.com
etc...
The other end:
ike dynamic esp from 192.168.1.1 to ipsec1.mydomain.com
srcid my.remote.crt.com dstid my.local.crt.com
etc...
As I said, I'm no expert on this, but I was able to figure this out from the
man pages.
Bye - ted
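
One thing the reply above leaves implicit is what happens when a dDNS record changes: the script below, added here as an example and not code from the thread or from OpenBSD, assumes (as ipsecctl does when it parses ipsec.conf) that the host names are resolved once at load time, so a peer that moves to a new address keeps the old one in the loaded rules until they are reloaded. It pulls the `to` peers out of ike rules (the two rule lines from the reply are embedded as sample input, joined onto single lines), polls the names, and runs the `ipsecctl -f /etc/ipsec.conf` reload from this thread when an address changes. The `resolve` parameter exists so the change detection can be exercised without network access.

```python
"""Watch dynamic-DNS IPsec peers and reload the rules when an address moves.

Added example, not part of the original post. SAMPLE_IPSEC_CONF is a
constructed copy of the rule lines from the reply.
"""
import re
import socket
import subprocess
import sys
import time

SAMPLE_IPSEC_CONF = """\
ike passive esp from 10.0.0.1 to ipsec2.mydomain.com srcid my.local.crt.com dstid my.remote.crt.com
ike dynamic esp from 192.168.1.1 to ipsec1.mydomain.com srcid my.remote.crt.com dstid my.local.crt.com
"""

# the `to` peer of an ike rule; "proto" does not match because of the \b
RULE_RE = re.compile(r"^\s*ike\b.*?\bto\s+(\S+)", re.M)


def is_literal_address(text):
    """True for an IPv4/IPv6 address (optionally with /prefix) or the keyword any."""
    host = text.split("/", 1)[0]
    if host == "any":
        return True
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host)
            return True
        except OSError:
            pass
    return False


def peer_names(conf):
    """Host names used as the `to` peer of ike rules, in order, without duplicates."""
    names = []
    for m in RULE_RE.finditer(conf):
        peer = m.group(1)
        if not is_literal_address(peer) and peer not in names:
            names.append(peer)
    return names


def changed_peers(names, last, resolve=socket.gethostbyname):
    """Resolve each name; return [(name, old, new)] for the ones that moved.

    `last` maps name -> last known address and is updated in place. The first
    sighting of a name is recorded but not reported. A lookup failure is
    skipped and `last` is left alone: the existing SA keeps working while
    DNS is unreachable, so there is nothing to reload yet.
    """
    changes = []
    for name in names:
        try:
            addr = resolve(name)
        except OSError:  # socket.gaierror is an OSError
            continue
        old = last.get(name)
        if old is None:
            last[name] = addr
        elif old != addr:
            changes.append((name, old, addr))
            last[name] = addr
    return changes


def watch(conf_path, interval=300, reload_cmd=("ipsecctl", "-f", "/etc/ipsec.conf")):
    """Poll forever; on any change print it and reload the ruleset."""
    with open(conf_path) as fh:
        names = peer_names(fh.read())
    last = {}
    while True:
        for name, old, new in changed_peers(names, last):
            print(f"{time.strftime('%Y-%m-%d %H:%M:%S')} {name}: {old} -> {new}, reloading", flush=True)
            subprocess.run(reload_cmd, check=False)
        time.sleep(interval)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        watch(sys.argv[1])
    else:
        print("peers to watch:", peer_names(SAMPLE_IPSEC_CONF))
```

Running it as `python3 ddns_watch.py /etc/ipsec.conf` from a cron-started session or an rc script is enough; it only ever reloads on a real address change, so a DNS outage does not tear down a tunnel that is still working.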



Question about moving system to different hardware

2010-07-12 Thread Ted Wynnychenko
Hello:

I was very happy with myself after setting up a file server for my home with
some old hardware (and some new old hardware).  Everything works great.

Now, I have come into possession of some better old hardware (an actual
server - Compaq Evo W8000 - with SCSI disks! Wow, that's big for me).

So, I wanted to move my fileserver over.

I was reading the FAQ (14.10) about backing up, and I think this will work,
but I have a couple of basic questions, if anyone has the time to answer.

1. Since I will be moving to new hardware, and from ide to scsi disks,
I will need to modify /etc/fstab.  Is there anything else I should be
thinking about editing for the move to new hardware (the network card will
be the same, since it's moving too).  I can't think of anything other than
fstab.

2. I note that in the example for backing up and restoring that raw
devices are used.  In my situation, I will be going from ide to a usb drive,
and then from the usb drive to scsi disks.  So, the ide drive I can't access
raw, but I don't think this is an issue. Is it?  And, if I don't read from
the raw device with dump, it's still okay to write to the raw device with
restore, right?

I think these are pretty basic questions, and I think I would figure it out
on my own when I do it.

I guess I am looking for peace of mind that I am on the right track.

Thanks

Bye - ted



pcmcia serial card sometimes recognized, sometimes not

2010-05-05 Thread Ted Wynnychenko
Hello:

I am trying to understand why this is happening.  I have an older laptop and
a new old pcmcia serial interface card (Quatech Inc, RS-232 Serial Port PC
Card, SSP-100).

So, when I first booted the 4.6 stable image with the pcmcia card in the
slot, it would not recognize it (com3 at pcmcia0 function 0: can't allocate
i/o space).

Then, I did a bunch of searching, and eventually, figured out how to change
the i/o memory space for pcic0 using config; and, it worked.

But then, the next day, it didn't (I booted the modified kernel, but again
got the same i/o space error).

So, I played with config some more, disabled com0,1,2,3; played with the
settings for i/o address and size; and eventually, it worked again.

But, again, the next day, it went unrecognized.  So, I played with config
some more, changed i/o address/size, made a new pcmcia com0, disabled
pcic1,2, and maybe something more, and got it to work.

This time I captured the dmesg.  Here it is:

OpenBSD 4.6 (GENERIC) #58: Thu Jul  9 21:24:42 MDT 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Mobile Intel(R) Pentium(R) 4 - M CPU 2.00GHz (GenuineIntel 686-class) 1.20 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 266891264 (254MB)
avail mem = 249249792 (237MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/22/03, BIOS32 rev. 0 @ 0xfd891, SMBIOS rev. 2.31 @ 0xd8010 (15 entries)
bios0: vendor Phoenix Technologies LTD version R0202B3 date 04/22/03
bios0: Sony Corporation PCG-V505BC(UC)
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP BOOT SSDT SSDT
acpi0: wakeup devices PWRB(S5) CRD0(S3) LAN_(S3) USB1(S3) USB2(S3) USB3(S3) EC0_(S5) MODE(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (AGP_)
acpiprt2 at acpi0: bus 2 (HUB_)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, C1, FVS, 2000, 1200 MHz
acpitz0 at acpi0: critical temperature 90 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: PWRB
acpibat0 at acpi0: BAT1 type LION oem Sony Corp.
acpiac0 at acpi0: AC unit offline
bios0: ROM list: 0xc/0x1 0xd8000/0x4000! 0xdc000/0x4000!
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82845 Host rev 0x04
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xec00, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82845 AGP rev 0x04
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon Mobility M6 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: irq 9
drm0 at radeondrm0
ppb1 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x42
pci2 at ppb1 bus 2
cbb0 at pci2 dev 5 function 0 Ricoh 5C475 CardBus rev 0xb8: couldn't map interrupt
Ricoh 5C551 Firewire rev 0x00 at pci2 dev 5 function 1 not configured
ohci0 at pci2 dev 7 function 0 NEC USB rev 0x43: irq 9, version 1.0, legacy support
ohci1 at pci2 dev 7 function 1 NEC USB rev 0x43: couldn't map interrupt
ehci0 at pci2 dev 7 function 2 NEC USB rev 0x04: couldn't map interrupt
fxp0 at pci2 dev 8 function 0 Intel PRO/100 VE rev 0x42: couldn't map interrupt
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 NEC OHCI root hub rev 1.00/1.00 addr 1
ichpcib0 at pci0 dev 31 function 0 Intel 82801CAM LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801CAM IDE rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: IC25N040ATMR04-0
wd0: 16-sector PIO, LBA48, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MATSHITA, UJDA745 DVD/CDRW, 1.05 ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801CA/CAM SMBus rev 0x02: polling
iic0 at ichiic0
spdmem0 at iic0 addr 0x54: 256MB DDR SDRAM non-parity PC2300CL2.5
auich0 at pci0 dev 31 function 5 Intel 82801CA/CAM AC97 rev 0x02
Intel 82801CA/CAM Modem rev 0x02 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pcic0 at isa0 port 0x3e0/2 iomem 0xe/65536
pcic0 controller 0: Intel 82365SL rev 1 has socket A only
pcmcia0 at pcic0 controller 0 socket 0
com0 at pcmcia0 function 0 Quatech Inc, RS-232 Serial Port PC Card, SSP-100 port 0x2f8/8: ns16550a, 16 byte fifo
, irq 3
pcic0: irq 4, polling