Re: Libressl verify failure with 3.9.0
Thanks for the suggestion. The workaround does work, and creates (essentially) the same certificate, but one that does not fail verification with the new libressl. I did notice the option of not having the leading "20" for dates before 2050, but I did not know enough to try doing that.

Ted

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Theo Buehler
> Sent: Monday, April 08, 2024 6:45 AM
> To: Ted Wynnychenko
> Cc: 'OpenBSD misc'; b...@openbsd.org; js...@openbsd.org
> Subject: Re: Libressl verify failure with 3.9.0
>
> On Sun, Apr 07, 2024 at 04:57:24PM -0500, Ted Wynnychenko wrote:
> > Hello,
> >
> > I recently updated to -current (about a week ago).
> >
> > I see that Libressl is at 3.9.1 just now, but I hope that won't be an issue (I did not see anything in the release notes that would impact my question).
> > ---
> > $ openssl version
> > LibreSSL 3.9.0
> > ---
> >
> > Over the years, I have made certificates for personal servers/resources on my home network. This is just for me, so I do some things that would be frowned on (although, technically, there is nothing "wrong" with them).
> >
> > In this case, since I have Apple iOS devices that I want to connect to https, I backdate any certificates I create to 1/2/2019. Apple has imposed a 300 or 800 day time limit on the validity for certificates created after (about) 7/1/2019. Since I don't want to constantly make new certificates for my personal/home network, I have just been setting the certificates' "not before" date to early 2019.
> >
> > Anyway, this had worked fine.
> > In fact, earlier this year (Jan 2024), I created a new certificate, and all is good.
> >
> > A few weeks ago, I added a new thing to the network - a raspberry pi (I got as a gift about 2013 and installed a linux image from 2019 on it) that is connected to the home alarm system.
> >
> > Since I was annoyed that my browser was constantly giving me self-signed certificate warnings, I decided to make a certificate for the nginx running on this appliance.
> >
> > I created a key, made a csr, and then signed it with:
> > openssl ca -startdate 2019010200Z -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf
>
> As a workaround, try using '-startdate 19010200Z' instead. I think this is fallout from this commit:
>
> https://github.com/openbsd/src/commit/3feee4c53fbd67a4a480080d8ef5ae835d3fbf82
>
> ASN1_TIME_set_string_X509() is documented as
>
>     In LibreSSL, ASN1_TIME_set_string() and ASN1_TIME_set_string_X509() behave identically and always set the time object to a valid value to use in an X.509 certificate.
>
> It seems to me that this is just wrong (it is true that both behave identically because RFC5280 is defined to 0), but they do not set the time object to "a valid value to use in an X.509 certificate".
>
> Confusingly, ASN1_TIME_adj_internal() actually honours its RFC5280 parameter by behaving the expected way whereas its meaning in ASN1_TIME_set_string_internal() is different.
>
> I am unsure if the bug is in my commit above or in our version of ASN1_TIME_set_string_X509() (or both).
>
> > This all works fine, and a certificate is created
> >
> > When I check with:
> > openssl x509 -text -noout -in pi.pem
> >
> > everything seems as expected, including the not before/after dates:
> >
> > Validity
> >     Not Before: Jan 2 00:00:00 2019 GMT
> >     Not After : Apr 7 15:39:59 2054 GMT
> >
> > (yes, it is valid for 35 years - as I said before, if someone breaks into my house to secretly do things, I have way bigger problems)
> >
> > But, if I try to verify this on the openbsd system, I get:
> >
> > # openssl verify pi.pem
> > C = US, ST = Illinois, L = ***, O =
Libressl verify failure with 3.9.0
Hello,

I recently updated to -current (about a week ago).

I see that Libressl is at 3.9.1 just now, but I hope that won't be an issue (I did not see anything in the release notes that would impact my question).
---
$ openssl version
LibreSSL 3.9.0
---

Over the years, I have made certificates for personal servers/resources on my home network. This is just for me, so I do some things that would be frowned on (although, technically, there is nothing "wrong" with them).

In this case, since I have Apple iOS devices that I want to connect to https, I backdate any certificates I create to 1/2/2019. Apple has imposed a 300 or 800 day time limit on the validity for certificates created after (about) 7/1/2019. Since I don't want to constantly make new certificates for my personal/home network, I have just been setting the certificates' "not before" date to early 2019.

Anyway, this had worked fine.
In fact, earlier this year (Jan 2024), I created a new certificate, and all is good.

A few weeks ago, I added a new thing to the network - a raspberry pi (I got as a gift about 2013 and installed a linux image from 2019 on it) that is connected to the home alarm system.

Since I was annoyed that my browser was constantly giving me self-signed certificate warnings, I decided to make a certificate for the nginx running on this appliance.

I created a key, made a csr, and then signed it with:
openssl ca -startdate 2019010200Z -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf

This all works fine, and a certificate is created.

When I check with:
openssl x509 -text -noout -in pi.pem

everything seems as expected, including the not before/after dates:

Validity
    Not Before: Jan 2 00:00:00 2019 GMT
    Not After : Apr 7 15:39:59 2054 GMT

(yes, it is valid for 35 years - as I said before, if someone breaks into my house to secretly do things, I have way bigger problems)

But, if I try to verify this on the openbsd system, I get:

# openssl verify pi.pem
C = US, ST = Illinois, L = ***, O = ***, OU = ***, CN = ***
error 20 at 0 depth lookup:unable to get local issuer certificate
pi.pem: verification failed: 20 (unable to get local issuer certificate)
---

But, if I install this on the raspberry pi, which has a much older version of openssl on it:
$ openssl version
OpenSSL 1.1.1c 28 May 2019

The certificate verifies without an issue:
$ openssl verify pi.pem
pi.pem: OK

The last time I created a certificate was in January of this year (1/22/2024). I am thinking the openbsd system was using Libressl 3.8.2 at that point.
I created that certificate in the exact same way, backdating the start date:
openssl ca -startdate 2019010200Z -in 54.csr -out 54.pem -config /etc/ssl/openssl.cnf

This previously created certificate also has the same backdated and very long valid period:
Validity
    Not Before: Jan 2 00:00:00 2019 GMT
    Not After : Jan 21 23:49:22 2054 GMT
(Notice the not after date is a little different)

Today, with the new libressl, this certificate verifies OK.
$ openssl verify 54.pem
54.pem: OK

Finally, if I create the new certificate WITHOUT backdating it e.g.:
openssl ca -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf
The certificate is created and verifies OK.

So, it seems, there is some sort of issue with backdating the certificate, but not an issue with the crazy long validity window, that was not present in January of this year.
However, as I said, if I don't backdate, then in about a year the ipad will refuse to connect because of the restrictions apple has imposed, unless I update the certificate.

I know this is not "best practice," but it should still work, right?
Is there something I am missing?
Otherwise, it appears something has changed in Libressl 3.9.0 but is not documented.

Thanks in advance for any suggestions.
Ted
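The encoding rule behind the failure discussed in this thread, as an added example that is not code from the thread or from LibreSSL/OpenSSL: RFC 5280 section 4.1.2.5 requires Validity dates through 2049 to be UTCTime and dates in 2050 or later to be GeneralizedTime, so a checker can parse a DER Validity SEQUENCE and report fields carried with the wrong type. The sample assumes the backdated certificate carried its 2019 notBefore as GeneralizedTime, which is the mismatch the reply points at; the DER helpers and constants are this example's own.

```python
"""RFC 5280 4.1.2.5 check for X.509 Validity time encodings.

Added example, not code from the thread or from LibreSSL/OpenSSL.
Dates through 2049 must be UTCTime (tag 0x17, YYMMDDHHMMSSZ); dates in
2050 or later must be GeneralizedTime (tag 0x18, YYYYMMDDHHMMSSZ).
"""
from datetime import datetime, timezone

UTCTIME = 0x17
GENERALIZEDTIME = 0x18
SEQUENCE = 0x30


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_time(dt, force_generalized=False):
    """Encode a UTC datetime; the type follows RFC 5280's year rule unless forced."""
    if dt.year < 2050 and not force_generalized:
        body = dt.strftime("%y%m%d%H%M%SZ").encode("ascii")
        return bytes([UTCTIME]) + _der_len(len(body)) + body
    body = dt.strftime("%Y%m%d%H%M%SZ").encode("ascii")
    return bytes([GENERALIZEDTIME]) + _der_len(len(body)) + body


def decode_time(tag, value):
    """Decode a UTCTime or GeneralizedTime value to an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == UTCTIME:
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 two-digit year pivot
        rest = text[2:]
    elif tag == GENERALIZEDTIME:
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("not a time type: 0x%02x" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("RFC 5280 times carry seconds and end in Z")
    return datetime.strptime("%04d%s" % (year, rest),
                             "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def build_validity(not_before_der, not_after_der):
    """Wrap two encoded times in the Validity SEQUENCE."""
    inner = not_before_der + not_after_der
    return bytes([SEQUENCE]) + _der_len(len(inner)) + inner


def check_validity(der):
    """Return the list of RFC 5280 encoding problems in a DER Validity SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    problems, pos = [], 0
    for name in ("notBefore", "notAfter"):
        t, v, pos = _read_tlv(body, pos)
        dt = decode_time(t, v)
        want = UTCTIME if dt.year < 2050 else GENERALIZEDTIME
        if t != want:
            problems.append("%s %s uses tag 0x%02x, RFC 5280 requires 0x%02x"
                            % (name, dt.isoformat(), t, want))
    return problems


# Constructed sample: the dates shown by "openssl x509 -text" in the thread.
NOT_BEFORE = datetime(2019, 1, 2, 0, 0, 0, tzinfo=timezone.utc)
NOT_AFTER = datetime(2054, 4, 7, 15, 39, 59, tzinfo=timezone.utc)

# Assumed shape of the failing certificate: the 2019 notBefore carried as
# GeneralizedTime.  The 2054 notAfter is GeneralizedTime in both cases.
BAD_VALIDITY = build_validity(encode_time(NOT_BEFORE, force_generalized=True),
                              encode_time(NOT_AFTER))
GOOD_VALIDITY = build_validity(encode_time(NOT_BEFORE), encode_time(NOT_AFTER))

if __name__ == "__main__":
    for label, der in (("backdated", BAD_VALIDITY), ("fixed", GOOD_VALIDITY)):
        print(label, check_validity(der) or ["ok"])
```

The same two-digit year pivot is why '-startdate 19010200Z' lands in 2019 rather than 1919.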
Re: No login prompt on console ttyC0 after boot when using "set tty com0"
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Andrew Daugherity
>
> > Hello
> > I was wondering if there is anything I could do to help figure this out.
> > I do not have the requisite knowledge to even begin to understand why the kernel does not configure the vga output when boot.conf redirects to com0.
>
> Look for a "redirection after boot" setting in your BIOS and try disabling that. The behavior you've described of both physical and serial consoles working at the boot prompt _without_ 'set tty com0' seems to indicate the BIOS is still handling redirection from keyboard/video to serial, and my guess is that when OpenBSD initializes the port for a serial console, it causes something in the BIOS-linked local keyboard/vga to go wonky (wsdisplay at vga1 not configured).

Thanks for the suggestion.

The BIOS does, in fact, redirect output to both the local console and a serial console at startup. This makes the BIOS configuration available on the serial console and the local monitor.

After the BIOS screen, if "set tty com0" is _not_ included, then the boot dmesg is displayed on the local monitor, the serial goes silent, and at the end of openBSD boot, a login prompt is available on both serial console and local monitor.

If "set tty com0" is _set_, then, after the BIOS page shows on both the serial console and local monitor, the boot dmesg scrolls on the serial console, and then a login prompt is available on the serial console. The local monitor shows the openBSD boot "redirecting" message, and then nothing more. At the end of boot, there is _no_ login prompt on the local monitor.

If I _disable_ the BIOS serial redirection feature, but keep "set tty com0" _set_, I see the following:
- the local monitor shows: BIOS screen, openBSD start text ending with "redirecting to...", and that is all. No login prompt at the end of boot
- the serial console shows: _no_ BIOS screen, then the openBSD boot and dmesg information, and ends with a login prompt

The only change which, apparently, disables the configuration of ttyC0 during/after boot is setting "set tty com0" in boot.conf.

However, the local monitor is alive, since it gets the BIOS information and the initial openBSD boot message, which suggests that the BIOS is correctly recognizing the monitor/output early in the boot, but then openBSD is unable to configure it later.

Again, the only change that seems to make a difference is setting "set tty com0" or not. The console redirection option in the BIOS for the pre-boot/BIOS information does not affect this.

> Note that in UEFI mode, "wsdisplay at vga1 not configured" would be expected, as efifb takes over:
>
> $ dmesg|egrep 'wsdisplay|fb|vga|com[0-9]'
> vga1 at pci7 dev 0 function 0 "Matrox MGA G200eR" rev 0x01
> wsdisplay at vga1 not configured
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> com1: console
> efifb0 at mainbus0: 1280x1024, 32bpp
> wsdisplay0 at efifb0 mux 1
> wsdisplay0: screen 0-5 added (std, vt100 emulation)
>
> You might give UEFI mode a try, to see if efifb works better than the vga console. Redirection after boot is probably the more important setting though.

The system is installed on one full disk openBSD partition. I believe (not 100% sure) that changing to UEFI would require a small EFI partition (which would mean changing the fdisk partition and disklabel without destroying the software RAID), which is not a challenge I can take on right now. But, I will keep it in mind.

> Note that the login prompt appearing on a console (spawning a getty as configured in /etc/ttys) and the bootloader/kernel console device are independent settings.

Yes, which is my confusion. Both the serial console (tty00) and the local terminal (ttyC0) are set in ttys:

head -n 20 /etc/ttys
#
#   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
#
# name    getty                           type    status  comments
#
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
...
ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
tty00   "/usr/libexec/getty autologin"  vt220   on  secure
tty01   "/usr/libexec/getty std.9600"   unknown off

(Note, the "autologin" type for getty is an addition in my gettytab which allows getty to spawn a login prompt that does not require the long, complex password to login when at the serial console.)

> -Andrew

Thanks
Ted
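A diagnostic of the kind this exchange calls for, added here as an example and not code from the thread or from OpenBSD: it parses /etc/ttys entries and dmesg lines and lists enabled gettys whose backing kernel device never attached, which is what Andrew's remark about ttys and the console device being independent boils down to. The ttyC*-to-wsdisplay0 and tty0N-to-comN mapping is the usual amd64 one and is assumed here; the sample inputs are constructed from lines quoted in the thread.

```python
"""Correlate /etc/ttys getty entries with the devices the kernel attached.

Added example, not code from the thread or from OpenBSD.  Assumes the usual
amd64 naming: ttyC* are screens on wsdisplay0 and tty0N is comN.
"""
import re

# Constructed sample: the relevant /etc/ttys lines quoted in the thread.
TTYS_SAMPLE = """\
#   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
# name  getty                           type    status  comments
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
tty00   "/usr/libexec/getty autologin"  vt220   on  secure
tty01   "/usr/libexec/getty std.9600"   unknown off
"""

# Constructed sample: dmesg lines from the "set tty com0" boot in the thread.
DMESG_SERIAL = """\
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
vga1 at pci3 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
wsdisplay at vga1 not configured
wskbd0 at pckbd0 mux 1
"""

# Constructed sample: the same machine booted without "set tty com0".
DMESG_GLASS = """\
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
vga1 at pci3 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
"""

# name, quoted getty command, terminal type, on/off, remaining flags
TTYS_RE = re.compile(r'^(\S+)\s+"([^"]*)"\s+(\S+)\s+(on|off)\b(.*)$')


def parse_ttys(text):
    """Return {name: {"getty", "type", "on", "secure"}} for each ttys(5) entry."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TTYS_RE.match(line)
        if m:
            name, getty, ttype, status, flags = m.groups()
            entries[name] = {"getty": getty, "type": ttype, "on": status == "on",
                             "secure": "secure" in flags.split()}
    return entries


def attached_devices(dmesg):
    """Return (set of attached driver instances, name of the console device)."""
    attached, console = set(), None
    for line in dmesg.splitlines():
        m = re.match(r"^(\w+\d) at \w+", line)        # "com0 at isa0", "wsdisplay0 at vga1"
        if m:
            attached.add(m.group(1))
            if m.group(1).startswith("wsdisplay") and ": console" in line:
                console = m.group(1)                   # glass console attach line
        elif re.match(r"^\w+\d: console\b", line):     # "com0: console"
            console = line.split(":")[0]
    return attached, console


def backing_device(tty):
    """Kernel device that must exist before getty can open the tty (assumed amd64 map)."""
    if tty.startswith("ttyC"):
        return "wsdisplay0"
    m = re.match(r"^tty0(\d)$", tty)
    return "com" + m.group(1) if m else None


def dead_gettys(ttys_text, dmesg):
    """Enabled getty entries whose backing device the kernel did not attach."""
    attached, _ = attached_devices(dmesg)
    dead = []
    for name, entry in parse_ttys(ttys_text).items():
        dev = backing_device(name)
        if entry["on"] and dev is not None and dev not in attached:
            dead.append(name)
    return dead


if __name__ == "__main__":
    for label, dmesg in (("set tty com0", DMESG_SERIAL), ("glass console", DMESG_GLASS)):
        _, console = attached_devices(dmesg)
        print("%s: console=%s, enabled getty with no device: %s"
              % (label, console, ", ".join(dead_gettys(TTYS_SAMPLE, dmesg)) or "none"))
```

On a live system the two inputs would be /etc/ttys and the output of dmesg; an entry reported here is exactly one whose /dev node wsconsctl or getty will fail to open with "Device not configured".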
Re: No login prompt on console ttyC0 after boot when using "set tty com0"
Hello

I was wondering if there is anything I could do to help figure this out.
I do not have the requisite knowledge to even begin to understand why the kernel does not configure the vga output when boot.conf redirects to com0.

Not trying to be a bother.

Thanks
Ted

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Ted Wynnychenko
> Sent: Monday, June 27, 2022 8:55 AM
> To: 'Stuart Henderson'; misc@openbsd.org
> Subject: Re: No login prompt on console ttyC0 after boot when using "set tty com0"
>
> > -----Original Message-----
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stuart Henderson
> > Sent: Saturday, June 25, 2022 6:21 AM
> > On 2022-06-24, Ted Wynnychenko wrote:
> > > Hello
> > > When there is a boot.conf file present in /etc with only the following:
> > >> stty com0 115200
> > >
> >
> > So in this case the serial output during boot is only coming from a serial-port redirector in the bios, the "stty com0 115200" probably doesn't change anything, and the serial output in multiuser is via init / /etc/ttys
> >
> > > Now, if I change boot.conf to direct output to the serial terminal with:
> > >> stty com0 115200
> > >> set tty com0
> >
> > So far that is expected, OpenBSD doesn't support dual serial+glass console
> >
> > > Then, the three wsconsctl error messages appear, and it ends with a login prompt on the serial console (tty0) ONLY.
> > >
> > > The screen and keyboard for ttyC0 are dead. There is no login prompt, and the keyboard is not functional.
> >
> > Assuming ttys is setup to run a login on ttyC0 that is not expected
> >
> > Can you try kernels between known-good and known-bad (or maybe you have something in /var/log/messages*gz) and look for when this started appearing?
>
> Unfortunately, I have not checked the ttyC0 display in a long time.
> When I was updating to current, I also did not specifically check for a login prompt on ttyC0 BEFORE the update to current.
> However, I think that I did notice that there was no login prompt when I plugged in the display, just before it switched to the bios pages.
> My last update was in July 2021.
>
> > A diff of dmesg between serial and non-serial boots might give some clues
> >
> > This may be implicated:
> >
> > >> vga1 at pci3 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
> > >> wsdisplay at vga1 not configured
>
> I booted in three configurations.
> With the boot.conf NOT including "set tty com0" AND a monitor and keyboard attached, dmesg shows:
> 109,110c110
> < wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> < wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> 136c136
> < wskbd0 at pckbd0: console keyboard, using wsdisplay0
> 148d147
> < wskbd1: connecting to wsdisplay0
> 153d151
> < wskbd2: connecting to wsdisplay0
>
> With boot.conf including "set tty com0" AND a monitor and keyboard attached, dmesg shows:
> 62a63
> > com0: console
> 109,110c110
> > wsdisplay at vga1 not configured
> 136c136
> > wskbd0 at pckbd0 mux 1
>
> With boot.conf including "set tty com0" and without a monitor or keyboard, the dmesg is the same as the "serial" dmesg with them connected, except for missing information about the keyboard:
> 144,152d143
> < uhidev0 at uhub3 port 1 configuration 1 interface 0 "Primax Electronics USB Keyboard" rev 2.00/1.00 addr 3
> < uhidev0: iclass 3/1
> < ukbd0 at uhidev0: 8 variable keys, 6 key codes
> < wskbd1 at ukbd0 mux 1
> < uhidev1 at uhub3 port 1 configuration 1 interface 1 "Primax Electronics USB Keyboard" rev 2.00/1.00 addr 3
> < uhidev1: iclass 3/0, 2 report ids
> < ucc0 at uhidev1 reportid 1: 24 usages, 13 keys, enum
> < wskbd2 at ucc0 mux 1
> < uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
>
> I don't know what this means. It seems that when boot.conf redirects to the com0 console, the vga connection does not get configured by OpenBSD on boot.
> That would explain why no login prompt is presented there later by init, even though the terminal is defined in ttys.
>
> Although it has been a few years, I feel certain that a login prompt was displayed on b
Re: No login prompt on console ttyC0 after boot when using "set tty com0"
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stuart Henderson
> Sent: Saturday, June 25, 2022 6:21 AM
> On 2022-06-24, Ted Wynnychenko wrote:
> > Hello
> > When there is a boot.conf file present in /etc with only the following:
> >> stty com0 115200
> >
>
> So in this case the serial output during boot is only coming from a serial-port redirector in the bios, the "stty com0 115200" probably doesn't change anything, and the serial output in multiuser is via init / /etc/ttys
>
> > Now, if I change boot.conf to direct output to the serial terminal with:
> >> stty com0 115200
> >> set tty com0
>
> So far that is expected, OpenBSD doesn't support dual serial+glass console
>
> > Then, the three wsconsctl error messages appear, and it ends with a login prompt on the serial console (tty0) ONLY.
> >
> > The screen and keyboard for ttyC0 are dead. There is no login prompt, and the keyboard is not functional.
>
> Assuming ttys is setup to run a login on ttyC0 that is not expected
>
> Can you try kernels between known-good and known-bad (or maybe you have something in /var/log/messages*gz) and look for when this started appearing?

Unfortunately, I have not checked the ttyC0 display in a long time.
When I was updating to current, I also did not specifically check for a login prompt on ttyC0 BEFORE the update to current.
However, I think that I did notice that there was no login prompt when I plugged in the display, just before it switched to the bios pages.
My last update was in July 2021.

> A diff of dmesg between serial and non-serial boots might give some clues
>
> This may be implicated:
>
> >> vga1 at pci3 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
> >> wsdisplay at vga1 not configured

I booted in three configurations.
With the boot.conf NOT including "set tty com0" AND a monitor and keyboard attached, dmesg shows:
109,110c110
< wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
< wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
136c136
< wskbd0 at pckbd0: console keyboard, using wsdisplay0
148d147
< wskbd1: connecting to wsdisplay0
153d151
< wskbd2: connecting to wsdisplay0

With boot.conf including "set tty com0" AND a monitor and keyboard attached, dmesg shows:
62a63
> com0: console
109,110c110
> wsdisplay at vga1 not configured
136c136
> wskbd0 at pckbd0 mux 1

With boot.conf including "set tty com0" and without a monitor or keyboard, the dmesg is the same as the "serial" dmesg with them connected, except for missing information about the keyboard:
144,152d143
< uhidev0 at uhub3 port 1 configuration 1 interface 0 "Primax Electronics USB Keyboard" rev 2.00/1.00 addr 3
< uhidev0: iclass 3/1
< ukbd0 at uhidev0: 8 variable keys, 6 key codes
< wskbd1 at ukbd0 mux 1
< uhidev1 at uhub3 port 1 configuration 1 interface 1 "Primax Electronics USB Keyboard" rev 2.00/1.00 addr 3
< uhidev1: iclass 3/0, 2 report ids
< ucc0 at uhidev1 reportid 1: 24 usages, 13 keys, enum
< wskbd2 at ucc0 mux 1
< uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0

I don't know what this means. It seems that when boot.conf redirects to the com0 console, the vga connection does not get configured by OpenBSD on boot.
That would explain why no login prompt is presented there later by init, even though the terminal is defined in ttys.

Although it has been a few years, I feel certain that a login prompt was displayed on both the serial line and ttyC0 when I originally redirected output with "set tty com0" in boot.conf. I am pretty sure my detail orientated personality would have immediately flagged the discrepancy from what was documented if it had not, and I would have brought up the issue way back then.

Thanks
Ted

> >> -----Original Message-----
> >> From: Ted Wynnychenko
> >> Sent: Thursday, June 23, 2022 5:19 PM
> >> To: misc@openbsd.org
> >> Subject: No login prompt on console ttyC0 after boot
> >>
> >> Hello
> >>
> >> I have been following current since 5.6, and had been pretty good about updates until this last year (issues not related).
> >>
> >> Anyway, I asked about updating, found some suggestions that it would work, and decided to blaze ahead. And, it basically worked.
> >> I have a few things to clean up, but overall the update to current from my last update in July 2021 went well.
> >>
> >> However, in planning for this, I decided to
Re: No login prompt on console ttyC0 after boot when using "set tty com0"
Hello

I am leaving the original message intact below.

I did some experimenting, and have found the following.

When there is a boot.conf file present in /etc with only the following:
> stty com0 115200

Then, the system will boot. At the INITIAL boot prompt, EITHER tty0 or ttyC0 will accept input (for example, a simple "enter" to skip the timeout), and will start the boot process.
At that point, the serial terminal goes quiet, and boot messages are displayed on the ttyC0 monitor.
At the end, a login prompt appears on BOTH the serial terminal, and on the ttyC0 display, and either can be used to login and access the system.
Also, there are no wsconsctl errors generated, and the ttyC0 screen blanks after the appropriate time.

Now, if I change boot.conf to direct output to the serial terminal with:
> stty com0 115200
> set tty com0

Now, when the system boots, at the INITIAL boot prompt, ONLY the serial console (tty0) keyboard input works. The ttyC0 screen shows a final message "switching to com0," but it does not accept any keyboard input.
The serial console still works, and the boot messages appear on it.
Then, the three wsconsctl error messages appear, and it ends with a login prompt on the serial console (tty0) ONLY.

The screen and keyboard for ttyC0 are dead. There is no login prompt, and the keyboard is not functional.

I can see nothing in the man pages (boot/boot.conf, ttys, termcap, gettytab) that would explain this.
In addition, when I first installed (at 5.6) both the local terminal (ttyC0) and the serial terminal (tty0) would present a login prompt.

If there are any ideas about why this is happening, please let me know.

Thanks
Ted

> -----Original Message-----
> From: Ted Wynnychenko
> Sent: Thursday, June 23, 2022 5:19 PM
> To: misc@openbsd.org
> Subject: No login prompt on console ttyC0 after boot
>
> Hello
>
> I have been following current since 5.6, and had been pretty good about updates until this last year (issues not related).
>
> Anyway, I asked about updating, found some suggestions that it would work, and decided to blaze ahead. And, it basically worked.
> I have a few things to clean up, but overall the update to current from my last update in July 2021 went well.
>
> However, in planning for this, I decided to hook up a monitor and keyboard directly, as I have basically just used a serial console ever since I first installed the systems at 5.6.
>
> Unfortunately, I did not look at the monitor before updating to current (OpenBSD 7.1-current (GENERIC.MP) #587: Fri Jun 17 08:49:40 MDT 2022 - full DMESG below), but after the update I found that there is no login prompt on the monitor (ttyC0), and the keyboard does not do anything (I cannot ALT-CTRL-F2 to change to another virtual console).
>
> I don't know when this happened, since I haven't attached a monitor/keyboard in a very long time.
> But, now that I know, I am trying to fix it, but can't seem to understand why/how to do so.
>
> When the machine boots, the monitor and keyboard work, and I can access the bios pages and make changes.
>
> Then, if I allow the boot to start, I get the "switching to com0" message, and that's it.
>
> When the boot is complete, I can access the system using a serial console (tty00) or ssh, but the direct monitor shows nothing after "switching to com0," and the keyboard does nothing.
>
> The /etc/boot.conf file correctly routes things to the serial console:
> stty com0 115200
> set tty com0
>
> I have not changed /etc/ttys in a long time:
> #
> #   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
> #
> # name    getty                           type    status  comments
> #
> console "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
> tty00   "/usr/libexec/getty autologin"  vt220   on  secure
> tty01   "/usr
No login prompt on console ttyC0 after boot
Hello

I have been following current since 5.6, and had been pretty good about updates until this last year (issues not related).

Anyway, I asked about updating, found some suggestions that it would work, and decided to blaze ahead. And, it basically worked.
I have a few things to clean up, but overall the update to current from my last update in July 2021 went well.

However, in planning for this, I decided to hook up a monitor and keyboard directly, as I have basically just used a serial console ever since I first installed the systems at 5.6.

Unfortunately, I did not look at the monitor before updating to current (OpenBSD 7.1-current (GENERIC.MP) #587: Fri Jun 17 08:49:40 MDT 2022 - full DMESG below), but after the update I found that there is no login prompt on the monitor (ttyC0), and the keyboard does not do anything (I cannot ALT-CTRL-F2 to change to another virtual console).

I don't know when this happened, since I haven't attached a monitor/keyboard in a very long time.
But, now that I know, I am trying to fix it, but can't seem to understand why/how to do so.

When the machine boots, the monitor and keyboard work, and I can access the bios pages and make changes.

Then, if I allow the boot to start, I get the "switching to com0" message, and that's it.

When the boot is complete, I can access the system using a serial console (tty00) or ssh, but the direct monitor shows nothing after "switching to com0," and the keyboard does nothing.

The /etc/boot.conf file correctly routes things to the serial console:
stty com0 115200
set tty com0

I have not changed /etc/ttys in a long time:
#
#   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
#
# name    getty                           type    status  comments
#
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
tty00   "/usr/libexec/getty autologin"  vt220   on  secure
tty01   "/usr/libexec/getty std.9600"   unknown off
tty02   "/usr/libexec/getty std.9600"   unknown off
tty03   "/usr/libexec/getty std.9600"   unknown off
tty04   "/usr/libexec/getty std.9600"   unknown off
tty05   "/usr/libexec/getty std.9600"   unknown off
tty06   "/usr/libexec/getty std.9600"   unknown off
tty07   "/usr/libexec/getty std.9600"   unknown off

I also noticed these errors in DMESG-S:
...
/dev/sd2g (be3bcca0ef32a6bd.g): file system is clean; not checking
wsconsctl: /dev/ttyC0: Device not configured
wsconsctl: /dev/ttyC0: Device not configured
wsconsctl: /dev/ttyC0: Device not configured
pf enabled
...

The wsconsctl.conf file has also not been changed in a long time, and only had three things enabled:
display.vblank=on       # enable vertical sync blank for screen burner
display.screen_off=6    # set screen burner timeout to 60 seconds
display.kbdact=on       # restore on keyboard input

If I comment out the three parameters above, then the "Device not configured" messages disappear, but there is still no login prompt on the ttyC0 monitor, and the keyboard still does not appear to function (I still cannot change virtual consoles).

As far as I can tell, there should be a login prompt on ttyC0, but there is not.
What am I missing? (Or, what did I miss when following current since 5.6 that may have changed?)

Thanks
Ted

DMESG:
OpenBSD 7.1-current (GENERIC.MP) #587: Fri Jun 17 08:49:40 MDT 2022
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4249260032 (4052MB)
avail mem = 4103114752 (3913MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb5a0 (55 entries)
bios0: vendor American Megatrends Inc. version "2.3a" date 01/06/2021
bios0: Supermicro X9SCL/X9SCM
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT SSDT SSDT SPCR EINJ ERST HEST BERT
acpi0: wakeup devices UAR1(S4) UAR2(S4) P0P1(S4) USB1(S4) USB2(S4) USB3(S4) USB4(S4) USB5(S4) USB6(S4) USB7(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz, 2800.47 MHz, 06-3a-09
cpu0:
MariaDB in current - fatal error with clients "utf8 is not supported by MySQL"
Hello

Ok, to start with, I am not sure about any of this, but, here goes:

I don't know why this happened just now, since I last updated the system about 3 weeks ago, but today, I was unable to access data on my home server via a php web application (horde).
This was working fine this morning, but I then restarted the server, and I started getting this error:

utf8 is not supported by MySQL (big5, dec8, cp850, hp8, koi8r, latin1, latin2, swe7, ascii, ujis, sjis, hebrew, tis620, euckr, koi8u, gb2312, greek, cp1250, gbk, latin5, armscii8, utf8mb3, ucs2, cp866, keybcs2, macce, macroman, cp852, latin7, utf8mb4, cp1251, utf16, utf16le, cp1256, cp1257, utf32, binary, geostd8, cp932, eucjpms)

The system is running MariaDB, and when I look at the available character sets, I see:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 69
Server version: 10.6.4-MariaDB-log OpenBSD port: mariadb-server-10.6.4p1v1

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show character set;
+----------+-----------------------------+---------------------+--------+
| Charset  | Description                 | Default collation   | Maxlen |
+----------+-----------------------------+---------------------+--------+
| big5     | Big5 Traditional Chinese    | big5_chinese_ci     |      2 |
| dec8     | DEC West European           | dec8_swedish_ci     |      1 |
| cp850    | DOS West European           | cp850_general_ci    |      1 |
| hp8      | HP West European            | hp8_english_ci      |      1 |
| koi8r    | KOI8-R Relcom Russian       | koi8r_general_ci    |      1 |
| latin1   | cp1252 West European        | latin1_swedish_ci   |      1 |
| latin2   | ISO 8859-2 Central European | latin2_general_ci   |      1 |
| swe7     | 7bit Swedish                | swe7_swedish_ci     |      1 |
| ascii    | US ASCII                    | ascii_general_ci    |      1 |
| ujis     | EUC-JP Japanese             | ujis_japanese_ci    |      3 |
| sjis     | Shift-JIS Japanese          | sjis_japanese_ci    |      2 |
| hebrew   | ISO 8859-8 Hebrew           | hebrew_general_ci   |      1 |
| tis620   | TIS620 Thai                 | tis620_thai_ci      |      1 |
| euckr    | EUC-KR Korean               | euckr_korean_ci     |      2 |
| koi8u    | KOI8-U Ukrainian            | koi8u_general_ci    |      1 |
| gb2312   | GB2312 Simplified Chinese   | gb2312_chinese_ci   |      2 |
| greek    | ISO 8859-7 Greek            | greek_general_ci    |      1 |
| cp1250   | Windows Central European    | cp1250_general_ci   |      1 |
| gbk      | GBK Simplified Chinese      | gbk_chinese_ci      |      2 |
| latin5   | ISO 8859-9 Turkish          | latin5_turkish_ci   |      1 |
| armscii8 | ARMSCII-8 Armenian          | armscii8_general_ci |      1 |
| utf8mb3  | UTF-8 Unicode               | utf8mb3_general_ci  |      3 |
| ucs2     | UCS-2 Unicode               | ucs2_general_ci     |      2 |
| cp866    | DOS Russian                 | cp866_general_ci    |      1 |
| keybcs2  | DOS Kamenicky Czech-Slovak  | keybcs2_general_ci  |      1 |
| macce    | Mac Central European        | macce_general_ci    |      1 |
| macroman | Mac West European           | macroman_general_ci |      1 |
| cp852    | DOS Central European        | cp852_general_ci    |      1 |
| latin7   | ISO 8859-13 Baltic          | latin7_general_ci   |      1 |
| utf8mb4  | UTF-8 Unicode               | utf8mb4_general_ci  |      4 |
| cp1251   | Windows Cyrillic            | cp1251_general_ci   |      1 |
| utf16    | UTF-16 Unicode              | utf16_general_ci    |      4 |
| utf16le  | UTF-16LE Unicode            | utf16le_general_ci  |      4 |
| cp1256   | Windows Arabic              | cp1256_general_ci   |      1 |
| cp1257   | Windows Baltic              | cp1257_general_ci   |      1 |
| utf32    | UTF-32 Unicode              | utf32_general_ci    |      4 |
| binary   | Binary pseudo charset       | binary              |      1 |
| geostd8  | GEOSTD8 Georgian            | geostd8_general_ci  |      1 |
| cp932    | SJIS for Windows Japanese   | cp932_japanese_ci   |      2 |
| eucjpms  | UJIS for Windows Japanese   | eucjpms_japanese_ci |      3 |
+----------+-----------------------------+---------------------+--------+
40 rows in set (0.000 sec)

Well, there is no "utf8" listed, so that explains the error (I think).
But, I don't understand why it is missing.

According to the MariaDB site:
"Until MariaDB 10.5, this was a UTF-8 encoding using one to three bytes per character. Basic Latin letters, numbers and punctuation use one byte. European and Middle East letters mostly fit into 2 bytes. Korean, Chinese, and Japanese ideographs use 3-bytes. No supplementary characters are stored.
From MariaDB 10.6, utf8 is an alias for utf8mb3, but this can be changed to utf8mb4 by changing the default value of the old_mode
DDclient in current seems to work but ends with "FAILED" and errors
Hello

I updated to the current -current a few days ago.

Since then, I noticed that ddclient (installed from packages - version 3.9.1) started complaining with the message:

WARNING:  found neither ipv4 nor ipv6 address

When I tried running ddclient directly, it seems to work but ends with some error messages, and a final "FAILED" notice:

# /usr/local/sbin/ddclient -force -verbose
CONNECT: checkip.dyndns.org
CONNECTED: using HTTP
SENDING: GET / HTTP/1.0
SENDING: Host: checkip.dyndns.org
SENDING: User-Agent: ddclient/3.9.1
SENDING: Connection: close
SENDING:
SENDING:
RECEIVE: HTTP/1.1 200 OK
RECEIVE: Date: Wed, 21 Jul 2021 15:41:49 GMT
RECEIVE: Content-Type: text/html
RECEIVE: Content-Length: 103
RECEIVE: Connection: close
RECEIVE: Cache-Control: no-cache
RECEIVE: Pragma: no-cache
RECEIVE:
RECEIVE: Current IP CheckCurrent IP Address: xx.xx.xx.xx
INFO: forcing update of host.tld.com.
Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/ddclient line 2353.
INFO: setting IP address to xx.xx.xx.xx for host.tld.com
UPDATE: updating host.tld.com
CONNECT: dynamic.zoneedit.com
CONNECTED: using SSL
SENDING: GET /auth/dynamic.html?host=host.tld.com = xx.xx.xx.xx HTTP/1.0
SENDING: Host: dynamic.zoneedit.com
SENDING: Authorization: Basic [key]
SENDING: User-Agent: ddclient/3.9.1
SENDING: Connection: close
SENDING:
SENDING:
RECEIVE: HTTP/1.1 200 OK
RECEIVE: Date: Wed, 21 Jul 2021 15:41:49 GMT
RECEIVE: Server: Apache
RECEIVE: Set-Cookie: PHPSESSID=cookie; path=/
RECEIVE: Expires: Thu, 19 Nov 1981 08:52:00 GMT
RECEIVE: Cache-Control: no-store, no-cache, must-revalidate
RECEIVE: Pragma: no-cache
RECEIVE: Vary: Accept-Encoding
RECEIVE: Content-Length: 209
RECEIVE: Connection: close
RECEIVE: Content-Type: text/html; charset=UTF-8
RECEIVE:
RECEIVE:
RECEIVE:
SUCCESS: updating host.tld.com: IP address set to xx.xx.xx.xx (201: no update required for host.tld.com to xx.xx.xx.xx)
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient line 3319.
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient line 3320.
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient line 3321.
Use of uninitialized value $_[0] in sprintf at /usr/local/sbin/ddclient line 1771.
SUCCESS: updating : IP address set to xx.xx.xx.xx (200: host.tld.com updated to xx.xx.xx.xx)
FAILED:was not updated because protocol is not supported.

If I take a copy of the ddclient (version 3.8.3) script from 6.6 stable and put it in place of the -current version, it works without a problem.

I don't know how to investigate this further, but am happy to help with direction.

At this point, I am just leaving the older script in place.

Thanks
Ted
Re: SOLVED - Re: Unable to login to courier-imap after update to current
Thanks for the information about the salt with encrypt.  I actually figured that out at some point.

I sent the messages below yesterday, but for some reason they were not posted to the list.

Thanks
Ted

>
>> Hello
>> I just updated the 2/18 snapshot for amd64 (6.0 GENERIC.MP#178 amd64).
>>
>> After updating, I updated all the packages.
>>
>> Now, I cannot login to imap.
>>
>> I am using postfix, courier-imap, with mysql (mariadb).
>>
>> I recall that when I set this up 2 years ago, I used the command line
>> "encrypt" function to create the password hashes that were inserted in
>> the mysql user table for authentication.
>>
>> Since all my user accounts cannot access imap, I wondered if something
>> had changed in the hashing.  So, I used "encrypt" on the password, and
>> got a different hash than I did originally.
>>
>> for example, last year the hash (of one password) started with
>> "$2b$08$GbrcrMOiXb..." and now it starts with "$2b$10$9xJ8rv1D..."
>>
>> I tried changing the hash in the database, restarting mysql, courier
>> (imap, authd), postfix; but am unable to login to imap.
>>
>> I keep getting login failures.
>>
>> Any help would be really appreciated.
>>
>> Thanks
>> Ted
>
> I am responding to my own message.
>
> I still cannot authenticate to courier-imap.
>
> I have found this in /var/log/maillog:
>
> authdaemond: marker line not found in /etc/courier/authmysqlrc
> (probably forgot to run sysconftool after an upgrade)
>
> This occurs with each login attempt, and precedes each "LOGIN FAILED"
> line, such as:
>
> imapd-ssl: LOGIN FAILED, user=u...@example.com, ip=[:::172.xx.x.xx]
>
> I found that something called sysconftool exists at:
> /usr/local/libexec/courier-authlib/sysconftool
>
> But running it as root (# /usr/local/libexec/courier-authlib/sysconftool),
> and then restarting courier_authdaemond, courier_imap, and courier_imap_ssl
> (in that order), does not resolve the login failures or the message in maillog.
>
> As I said, any pointers on how I can fix this would be welcome.
> At this point, I don't think the login failure has anything to do with
> encrypt (as I implied in my original message).
>
> Thanks again
> Ted

Ok, sorry for bothering the list, but the loss of email access bugged me, and I did not know what to do.

But now, 3 hours later, I have gotten imap working again.

Whether or not I "fixed" the problem, I don't know.  But, it seems, in the most recent package update of courier-imap, something is missing.

I basically added:

---
##NAME: MARKER:0
#
# Do not remove this section from this configuration file.  This section
# must be present at the end of this file.
---

to the end of /etc/courier/authmysqlrc and restarted courier, and I can now login again.

I mention this in case it may be of help to another.

Thanks
Ted
FW: smtpd dies on current
I tried sending this to bugs@, but it does not seem to have been accepted.  So, I decided to send it to misc@.  I hope that's ok.

-----Original Message-----
Sent: Friday, November 11, 2016 8:44 AM
To: 'b...@openbsd.org'
Subject: smtpd dies on current

Hello

I updated current a few days ago.  At that point, I noticed that no mail was going out.  Looking at /var/log/maillog, I saw that smtpd was dying with a fatal error immediately on startup.

I just updated again to the new snapshot.  Same problem.

I hope this is the right place to send this, and that I have included enough information.  I can't directly use sendbug, since the system can't send the mail out...

But, from sendbug:

>Synopsis:	sendmail dies on startup with fatal error
>Category:
>Environment:
	System      : OpenBSD 6.0
	Details     : OpenBSD 6.0-current (GENERIC.MP) #0: Thu Nov 10 22:14:46 MST 2016
			 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

	Architecture: OpenBSD.amd64
	Machine     : amd64
>Description:
	When booting up, or starting smtpd manually, the daemon dies with a fatal error

From /var/log/maillog:

Nov 11 08:24:21 system smtpd[31422]: info: OpenSMTPD 6.0.0 starting
Nov 11 08:24:22 system smtpd[17404]: ab291948ab3ce73f mta event=connecting address=tls://96.114.157.81:587 host=omta-po.sys.comcast.net
Nov 11 08:24:22 system smtpd[17404]: ab291948ab3ce73f mta event=connected
Nov 11 08:24:22 system smtpd[17404]: ab291949645ed964 smtp event=connected address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab29194ca0da4904 smtp event=connected address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab2919546f1001e9 smtp event=connected address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab2919563f86cc18 smtp event=connected address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab291949645ed964 smtp event=message address=local host=system.domain.com msgid=3dc96514 from=to= size=8083 ndest=1 proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab29194ca0da4904 smtp event=message address=local host=system.domain.com msgid=791261cf from= to= size=704 ndest=1 proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab291949645ed964 smtp event=closed address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab29194ca0da4904 smtp event=closed address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab291967e3dfd3fa smtp event=connected address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab2919546f1001e9 smtp event=message address=local host=system.domain.com msgid=c62f2f22 from= to= size=95641 ndest=1 proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab2919546f1001e9 smtp event=closed address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab2919563f86cc18 smtp event=message address=local host=system.domain.com msgid=3ac75830 from= to= size=65992 ndest=1 proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab2919563f86cc18 smtp event=closed address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab291967e3dfd3fa smtp event=message address=local host=system.domain.com msgid=16b1e1ba from= to= size=95641 ndest=1 proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab291967e3dfd3fa smtp event=closed address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab29197127bb2edb smtp event=connected address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab29197127bb2edb smtp event=message address=local host=system.domain.com msgid=b605e6ae from= to= size=8326 ndest=1 proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab29197127bb2edb smtp event=closed address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab2919791af498ee smtp event=connected address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab2919791af498ee smtp event=message address=local host=system.domain.com msgid=6bd27110 from= to= size=8083 ndest=1 proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab2919791af498ee smtp event=closed address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system smtpd[17404]: ab291981a25b9195 smtp event=connected address=local host=system.domain.com
Nov 11 08:24:22 system smtpd[17404]: ab291981a25b9195 smtp event=message address=local host=system.domain.com msgid=d75b3657 from= to= size=541 ndest=1 proto=ESMTP
Nov 11 08:24:22 system smtpd[17404]: ab291981a25b9195 smtp event=closed address=local host=system.domain.com reason=quit
Nov 11 08:24:22 system
iked - how to keep traffic outside the tunnel?
Hello

I recently moved from ipsec/npppd to ikev2.  Making the change went easily enough.  However, there is something that I can't seem to figure out.

I am using ikev2/ipsec to create a tunnel between two networks.  Each network faces the internet through an openbsd gateway which gets its public IP via DHCP.

Local Net   --> IPSEC GW                 --> Internet <-- IPSEC GW                 <-- Remote Net
10.3.0.0/16     10.3.0.20 (int)                           192.168.0.1 (int)             192.168.0.0/24
                73.208.x.x (public DHCP)                  99.23.x.x (public DHCP)

The iked.conf file on each end is relatively simple.

The "local" end:

ikev2 "static_vpn" quick passive ipcomp esp from 10.3.0.0/16 to 192.168.0.0/24 peer 99.23.x.x srcid local.domain.com dstid remote.domain.com

And, on the "remote" end:

ikev2 "static_vpn" active ipcomp esp from 192.168.0.0/24 to 10.3.0.0/16 peer 73.208.x.x srcid remote.domain.com dstid local.domain.com

This works without an issue.  The tunnel is created, and all traffic gets forwarded from the two networks as expected.

I can also contact (ssh) the "remote" IPSEC GW from a client on the "local" net via the tunnel (i.e. using 192.168.0.1 as the destination).

But, if I try to connect to the "remote" IPSEC GW using its public IP (99.23.x.x) from a client on the "local" net, there is no connection.  If I take the tunnel down, then I can connect (ssh) to the public IP of the remote IPSEC GW again.

But, I don't understand why the traffic destined for the public IP of the remote IPSEC GW is (apparently??) being intercepted by iked.  The way I read the man page, I was under the impression that only traffic for "192.168.0.0/24" would be encapsulated in the tunnel (using the rules above); and that traffic destined for the public IP of the "peer" would be ignored by iked.

Is there something I am missing?

Thanks
Re: Using isc-dhcp-client as alternate dhclient - Alias working (I think)
Hello

I am responding to my original question.

I have been able to get isc-dhcp-client to work assigning an alias on the dhcp interface.  In case this is of value to anyone, here is how I did it.

Obviously, I added isc-dhcp-client from packages.

I then created a new configuration file I called "isc-dhclient.conf".  In it, following the isc dhclient.conf man page, I added an "alias" section, e.g.:

alias {
	interface "em0";
	fixed-address 10.0.0.0;
	option subnet-mask 255.255.255.0;
}

Now, it seems, the isc dhclient modifies things on the system by calling "dhclient-script" and passing it information as environment variables.  I realized that the reason alias information wasn't being assigned was because the "out-of-the-box" script included with the package completely ignores any alias information sent to it.

So, I added two functions, and called them at (I think) the appropriate places, to a new file dhclient-script-alias.

--- # diff /usr/local/sbin/dhclient-script /usr/local/sbin/dhclient-script-alias 23a24,36 > add_new_alias() { > if [ -n "$alias_ip_address" ]; then > ifconfig $interface inet alias $alias_ip_address netmask \ > $alias_subnet_mask > fi > } > > delete_old_alias() { > if [ -n "$alias_ip_address" ]; then > ifconfig $interface inet $alias_ip_address delete > /dev/null 2>&1 > fi > } > 186a200,203 > if [ "$old_ip_address" != "$alias_ip_address" ]; then > delete_old_alias > fi > 198a216,218 > if [ "$new_ip_address" != "$alias_ip_address" ]; then > add_new_alias > fi 216a237 > delete_old_alias 237a259 > delete_old_alias ---

Went back and added a "script" line to the isc-dhclient.conf file, as:

script "/usr/local/sbin/dhclient-script-alias";

Then modified /etc/hostname.em0 to run the isc dhclient.  But, before starting the client, the interface needs to be brought up.  This resulted in:

# cat hostname.em0
! ifconfig em0 up
! /usr/local/sbin/dhclient -4 -cf /etc/isc-dhclient.conf -pf /var/db/dhclient.pid em0

(I "know" - well, actually, "think" - that I could just use "up" for the first line, but I did it this way.)

I also specified the /var/db location for the pid file, as the default location (/var/run) for the pid file did not seem to work when starting the client during boot (I don't know exactly why, but there was no "dhclient.pid" file present in /var/run after boot, although it is created when starting the isc dhclient manually on a running system).

Finally, I deleted a /etc/mygate file that was hanging around on the system.  (I couldn't figure out why the default route was not being set correctly, but eventually realized that removing the "dhcp" line from the hostname file told netstart to stop ignoring the mygate file that was present, and so netstart would reset the default route after the isc dhclient had set it correctly.)

So, I don't know if this will be of help to anyone.  I don't even know if this is a sane way to do this.  But, I did come across a question or two about alias addresses with dhcp on openbsd in the relatively recent past, so...

Ted
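Review bot: In hunk 23a24,36, add_new_alias is guarded only on `$alias_ip_address` but then runs `ifconfig $interface inet alias $alias_ip_address netmask $alias_subnet_mask`, so an alias block that omits `option subnet-mask` turns into an ifconfig usage error rather than a clear failure; test both variables, e.g. `if [ -n "$alias_ip_address" ] && [ -n "$alias_subnet_mask" ]; then`, and quote the expansions (`"$interface"`, `"$alias_ip_address"`) as the rest of the script's variables are. In delete_old_alias the `2>&1` also throws away the reason a delete failed; that is acceptable for a cleanup path, but a one-line comment saying the error is expected when no alias is configured would save the next reader a detour.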
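Review bot: In hunks 216a237 and 237a259, delete_old_alias is inserted bare, whereas the call added in hunk 186a200,203 is gated on `[ "$old_ip_address" != "$alias_ip_address" ]`; nothing in the diff says which reason codes those two call sites handle or why unconditional deletion is right there, so add a short comment at each bare call naming the case (or reuse the same guard) so the asymmetry does not read as a missing check.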
Re: Creating https certificates dynamically for redirected/blocked requests
>From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stuart Henderson
>Sent: Tuesday, June 14, 2016 12:31 PM
>
>On 2016-06-14, Ted Wynnychenko <ted@comcast.net> wrote:
>> This really isn't a big deal; but as more sites have started using https, and as
>> tools such as relayd and squid (and others?) have developed ways to "inject"
>> https certificates on the fly, I am wondering if there is a way to create https
>> certificates based solely on the requested URL in a connection attempt using an
>> internal CA to avoid the certificate errors with blocked HTTPS connections?
>
>How are you identifying connections to block?

I block connections based on a list from malwaredomains.com.  A script runs nightly that downloads the list/changes, creates zone files, and reloads unbound/nsd.  The "blocked" zone files point those domains at an internal (10.0.x.x) IP address.

-

>From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Christopher Ahrens
>Sent: Tuesday, June 14, 2016 1:11 PM
>
>If all your internal clients trust a CA you control, just have it issue
>a certificate with a common name of * and install that cert onto your
>webserver.  It's how we do MitM virus scanning at my day job.

I had tried this, but it did not seem to work.

I tried again and created a certificate with CN of * without success.  Then added a number of combinations of alternative names:

DNS:*, DNS:*.*, DNS:*.*.* --- etc

None of these certificates are acceptable to either Firefox, IE, or Safari.

Firefox complains with error:
SSL_ERROR_BAD_CERT_DOMAIN
"The certificate is only valid for the following names: *, *.*, *.*.*, *.*.*.*, *.*.*.*.*"
(this is just the most recent example, same error with no and other SAN's)

From my looking, it appears that a certificate is only accepted by browsers with "one level" of domain wildcard present; so I am not sure how to get a certificate with a common name of * to be accepted for any/every domain.

Am I missing something?

Thanks
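The browser rule Ted runs into above (a wildcard covers exactly one label, and only the leftmost one) is easier to see as code. This is an added example, not code from the thread: a small certificate-name matcher following RFC 6125 section 6.4.3 the way current browsers apply it, run against the SAN sets tried above; the hostnames are constructed, and refusing a wildcard with fewer than two labels after it is a simplification of the public-suffix check real browsers perform.

```python
"""Certificate name matching as browsers do it (RFC 6125 section 6.4.3).

Added example for the wildcard-certificate thread; not code from the
list. It shows why SANs such as "*", "*.*" and "*.*.*" never satisfy a
browser, while "*.example.com" covers exactly one label.
"""

# The SAN set reported in the Firefox error message above.
BLOCK_PAGE_SANS = ["*", "*.*", "*.*.*", "*.*.*.*", "*.*.*.*.*"]


def _normalize(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (CN or SAN) covers hostname.

    Rules applied, matching Firefox and Chrome behaviour:
      * a wildcard may appear only as the entire leftmost label
        ("*.example.com" is fine, "f*.example.com" and "*.*" are not);
      * the wildcard stands for exactly one label, never zero and never
        several, so "*.example.com" covers "www.example.com" but neither
        "example.com" nor "a.b.example.com";
      * at least two labels must follow the wildcard, so "*" and "*.com"
        cover nothing (simplification of the public-suffix check that
        real browsers do; assumption for this example).
    """
    if not pattern or not hostname:
        return False
    p_labels = _normalize(pattern)
    h_labels = _normalize(hostname)

    if "*" not in pattern:
        # Plain name: exact, case-insensitive label-by-label match.
        return p_labels == h_labels

    if pattern.count("*") > 1 or p_labels[0] != "*":
        return False            # "*.*", "*.*.*", "f*.example.com"
    if len(p_labels) < 3:
        return False            # "*" or "*.com": nothing to anchor to
    if len(p_labels) != len(h_labels):
        return False            # wildcard matches exactly one label

    # Leftmost label is the wildcard; every other label must be identical.
    return p_labels[1:] == h_labels[1:]


def names_that_cover(names: list[str], hostname: str) -> list[str]:
    """Subset of certificate names that a browser would accept for hostname."""
    return [n for n in names if cert_name_matches(n, hostname)]


if __name__ == "__main__":
    # Constructed blocked hostname; the certificate from the thread
    # covers nothing, a per-zone wildcard covers hosts one level deep.
    host = "www.example.com"
    print("thread SANs cover", host, "->", names_that_cover(BLOCK_PAGE_SANS, host))
    print("*.example.com covers", host, "->", cert_name_matches("*.example.com", host))
    print("*.example.com covers example.com ->", cert_name_matches("*.example.com", "example.com"))
```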
Creating https certificates dynamically for redirected/blocked requests
Hello

For many years now I have been using a DNS black hole setup to stop http/https connections to blocked websites (well, any connection to those sites).

This has worked well.  Connections with http are routed to an IP on the internal network which returns a simple "blocked" web page.  Connections with https come back to the browser complaining of a certificate error (clearly, the HTTPS certificate of the web-server at the redirected IP does not have a valid certificate for any blocked site).

This really isn't a big deal; but as more sites have started using https, and as tools such as relayd and squid (and others?) have developed ways to "inject" https certificates on the fly, I am wondering if there is a way to create https certificates based solely on the requested URL in a connection attempt using an internal CA to avoid the certificate errors with blocked HTTPS connections?

In other words, rather than having an "SSL-MITM" setup, where the proxy goes out and connects to the ultimate destination before responding to the client with a forged certificate; all I want is for the "proxy" to generate a certificate for the requested URL signed by a locally trusted CA, before returning a static "blocked" webpage.

This (to me) seems simpler than what has already been accomplished with relayd.

I have been looking at relayd, and I don't think it will do what I want (or, at least, I can't figure it out).  I also have been unable to find anything else that will help me with this.

Are there any tools available to do what I am looking for?  Or, is there a way to setup relayd to accomplish this?

Thanks
Trying to get squid with ssl bump working
Hello

I posted my question to the squid-users mailing list a week ago, and have had no reply.  I decided to try here as well.

Basically, I can get squid 3.5.13 to work for http in current (a bit "older" current), but HTTPS connections do not work (time out).

Here is an updated version of my email to squid-users.  If anyone has any insight, that would be great.  I have been trying to get this working for a week or two without success.

Trying to setup Squid with https inspection as an explicit proxy.

On OpenBSD current (# uname -srv -> OpenBSD 5.9 GENERIC.MP#1783)

Running squid from packages (# pkg_info | grep squid -> squid-3.5.13)

# squid -v
Squid Cache: Version 3.5.13
Service Name: squid
configure options:  '--disable-strict-error-checking' '--disable-arch-native' '--enable-shared' '--datadir=/usr/local/share/squid' '--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules' '--enable-arp-acl' '--enable-auth' '--enable-delay-pools' '--enable-follow-x-forwarded-for' '--enable-forw-via-db' '--enable-http-violations' '--enable-icap-client' '--enable-ipv6' '--enable-referer-log' '--enable-removal-policies=lru heap' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl' '--enable-storeio=aufs ufs diskd' '--with-default-user=_squid' '--with-filedescriptors=8192' '--with-krb5-config=no' '--with-pidfile=/var/run/squid.pid' '--with-pthreads' '--with-swapdir=/var/squid/cache' '--disable-pf-transparent' '--enable-ipfw-transparent' '--enable-external-acl-helpers=LDAP_group SQL_session file_userip time_quota unix_group wbinfo_group LDAP_group eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid' '--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var/squid' '--disable-silent-rules' '--disable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'

(as above, compiled with enable-ssl and enable-ssl-crtd)

With a basic squid.conf file:

# cat /etc/squid/squid.conf
---
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http

acl step1 at_step SslBump1

http_access deny !Safe_ports
http_access allow localnet
http_access deny all

http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

ssl_bump peek step1
ssl_bump bump all

always_direct allow all
sslproxy_cafile /etc/ssl/cert.pem
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB
sslcrtd_children 32 startup=5 idle=1

cache_dir ufs /var/squid/cache 5 64 512
coredump_dir /var/squid/cache

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
---

Certificates made per the squid wiki at:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

# cd /etc/squid/ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem

# ls -lah /etc/squid
drwxr-xr-x   4 root    wheel    512B Jan 24 20:33 .
drwxr-xr-x  35 root    wheel    2.0K Jan 23 16:17 ..
-rw-r--r--   1 root    wheel    692B Jan 17 10:22 cachemgr.conf
-rw-r--r--   1 root    wheel    1.8K Jan 17 10:22 errorpage.css
-rw-r--r--   1 root    wheel   11.8K Jan 17 10:22 mime.conf
-rw-r--r--   1 root    wheel    1.1K Jan 24 21:36 squid.conf
drwx------   2 _squid  _squid   512B Jan 24 18:23 ssl_cert

# ls -lah /etc/squid/ssl_cert
drwx------   2 _squid  _squid   512B Jan 24 18:23 .
drwxr-xr-x   3 root    wheel    512B Jan 24 23:39 ..
-rw-------   1 _squid  _squid   2.9K Jan 24 17:07 myCA.pem

Made a .der version:

# openssl x509 -in myCA.pem -outform DER -out myCA.der

And imported it into the "Authorities" section of Firefox certificate store, giving it all "trust settings."

ssl_crtd is present and executable:

# ls -lah /usr/local/libexec/squid/ssl_crtd
-r-xr-xr-x  1 root  bin   97.7K Jan 15 16:31 /usr/local/libexec/squid/ssl_crtd

Created dynamic certificate directory structure:

# /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_db
# chown -R _squid._squid /var/squid/ssl_db

# ls -lah /var/squid
drwxrwx--x   5 _squid  _squid   512B Jan 24 23:42 .
drwxr-xr-x  25 root    wheel    512B Jan 19 19:47 ..
drwxrwx--x  66 _squid  _squid   1.0K Jan 24 21:44 cache
drwxrwxr-x   2 _squid  _squid   512B Jan 24 03:00 logs
drwxr-xr-x   3 _squid  _squid   512B Jan 24 23:42 ssl_db

# ls -lah /var/squid/ssl_db
drwxr-xr-x   3 _squid  _squid
Re: httpd stops accepting connections after a few hours on current
Hello again:

I was hoping someone might have an idea of how I could proceed with the httpd failure that I am seeing.

As I said, I see nothing in the logs, and the only indication I have that something is wrong is that httpd stops responding to requests.

At this point, I have added a cronjob of rcctl restart httpd to run every couple of hours; but, it seems to me that my solution is not something that is consistent with the quality/stability of OpenBSD.

If anyone has any suggestions on what I can do, or what information might be helpful in identifying the issue, I would appreciate it.

Thanks

-----Original Message-----

Hello

On current:
OpenBSD 5.8-beta (GENERIC.MP) #1125: Fri Jul  3 20:54:45 MDT 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

System using 2 aliases on one interface:

# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:25:90:de:f8:67
	priority: 0
	groups: egress
	media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
	status: active
	inet 10.0.28.129 netmask 0xffffff00 broadcast 10.0.28.255
	inet 10.0.28.130 netmask 0xffffffff
	inet 10.0.28.131 netmask 0xffffffff

HTTPD listening on all three IP's with different content:

# cat /etc/httpd.conf
http_ip=10.0.28.129

types { include /usr/share/misc/mime.types }

server server1.tldn.com {
	listen on $http_ip port 80
	connection max requests 100
	root /htdocs
	directory index index.html
	block return 301 https://server1.tldn.com$REQUEST_URI;
}

server server1.tldn.com {
	listen on $http_ip tls port 443
	tls certificate /etc/ssl/server-129.crt
	tls key /etc/ssl/private/server-129.key
	connection max requests 100
	root /htdocs
	directory index index.html
	location /cgi-bin/* {
		fastcgi
		root /
	}
}

server server2.tldn.com {
	listen on 10.0.28.130 port 80
	connection max requests 100
	root /htdocs-130
	directory index index.html
	block return 301 https://server2.tldn.com/default.html;
}

server server2.tldn.com {
	listen on 10.0.28.130 tls port 443
	tls certificate /etc/ssl/server-130.crt
	tls key /etc/ssl/private/server-130.key
	connection max requests 100
	root /htdocs-130
	directory index index.html
}

server server3.tldn.com {
	listen on 10.0.28.131 port 80
	connection max requests 100
	root /htdocs-131
	directory index index.html
	block return 301 https://server3.tldn.com/index.html;
}

server server3.tldn.com {
	listen on 10.0.28.131 tls port 443
	tls certificate /etc/ssl/server-131.crt
	tls key /etc/ssl/private/server-131.key
	connection max requests 100
	root /htdocs-131
	directory index index.html
}

The httpd daemon starts up without an issue and runs without a problem for a few hours (I have not actually timed it, but it goes for about 6-8 hours), and then just stops responding.  This is true on all three of the ip's that it is listening on; and whether or not the original connection is to port 80 or 443.

The access log shows all connections until (I presume) the daemon stops answering connections.

I have tried combining all the ssl certs into one (with a lot of alternative names), but that did not make a difference.

A simple rcctl restart httpd brings the server back up for a few hours.

I would be happy to investigate this more, but I don't know where to go.  Similarly, I don't know what other information I could provide to help diagnose the problem.

Any help would be great.

Thanks - ted
L2TP/IPSEC issue - Any generic pointers would be great
Hello This may be off topic, since I don't think it's an openbsd issue, but (honestly) I have run out of ideas about where to go next. There aren't going to be many specifics, since I don't know what details or outputs might be useful at this point. Here is my story (oh, this is just a home/personal situation). I have a openbsd 5.1 server as a firewall/ipsec server. This one also is able to accept L2TP (from my ipad) connections, and is running npppd. I have a second openbsd 5.1 server as a second firewall/ipsec server. When I set this up (over a year ago), everything worked great. The ipsec endpoints talk to each other, the tunnel comes up like magic, and I am able to backup data at a remote location without even thinking about. At the same time, I got npppd working, and was able to connect with my ipad when I wasn't at home to access stuff that I wanted to. I don't need to do this often. Well, 4-6 months ago, everything was good. The static IPSEC tunnel was working, and I could connect with the ipad. About 3 weeks ago I wanted to connect with the ipad and L2TP and no joy (server not responding that ipad says). And here is where I start getting lost. First, during this entire time, the static IPSEC tunnel has been rock stable (with the occasional dropout because my internet service provider drops my connection at one end or the other, but the static tunnel always comes back up when the connection is restored - maybe 5 or 10 minutes a day, usually at night). When trying to connect with the ipad, most ( 95%) of the time, the connection is unsuccessful. But, occasionally, the ipad connects. NO changes to configuration of the openbsd server, or changes to configuration of the ipad. It just happens. This may last for 3 minutes, or 5 minutes, or 7 minutes; but then it's gone. During these connections, the tablet may or may not be able to access something on the internal/protected network. 
I have not seen a pattern so far, given the infrequent and limited connection opportunities. But, (to repeat) the static IPSEC tunnel is up the whole time. So, I tried this with a second ipad - same thing - most of the time it does not work; rarely, it works for a few minutes. I tried with an old laptop I have - using L2TP/IPSEC to establish a VPN; no success - I only tried with the laptop a dozen or so times, however. I tried from different locations, in different states, and different cities; same issue, most of the time no, rarely yes (Oh, by the way, almost all of these locations had been used in the past - prior to 6 months ago, and the ipad connected fine). Now, if I am at home, and try to connect to the now local IPSEC/L2TP server (from its internal interface) with the tablet, everything works fine, every time. Also, I can reliably access the network, and the network sees the traffic as coming from the L2TP server, and the associated VPN IP address. So, I used my meager knowledge to explore this issue - and here is where I REALLY get lost. Using tcpdump, I watch the L2TP/IPSEC server's external interface (so, I am looking at traffic before it hits PF or anything else - right?). Well, when the connections fail, there is NO traffic from the tablet getting to the external interface. At the same time, I can ssh into the server, and I can see that traffic using tcpdump fine (connecting from the same location/IP address that the ipad is trying to connect). On those rare occasions when the ipad is able to connect, I see packets coming in on the external interface for isakmpd, and then the established tunnel. During all of this, the static IPSEC tunnel is up and working. I have no idea where to go with this, or what to try. I feel like this is not related to the openbsd server, since when the tablet fails to connect, there is no traffic on the external interface. But, in that case, the failure is upstream (somewhere in the route between the tablet and the server). 
But, why would the other IPSEC tunnel be fine? If my ISP was filtering traffic, both shouldn't work, right? The variety of locations that I have tried to connect from and (mostly) failed would seem to suggest the problem is near the end of the route back to the IPSEC/L2TP server, but that makes no sense to me either, since the static tunnel is rock solid.

I am sorry for the long, rambling email. I wanted to thoroughly explain my issue, and since I don't really know what might have been important, I included the whole story.

If this is not an openbsd issue (which (frankly) I don't think it is), sorry for the noise. But, if anyone has a friendly (or, for that matter, an unfriendly) suggestion of what I could try, please let me know.

Thanks.

Bye - ted
L2TP/IPSEC with 4.9 and Ipad - fails to complete
Hello:

I am hoping someone can point me in some sort of direction. I have been trying to connect an iPad (ios 5.0.1) to an openbsd 4.9 server using L2TP/IPSEC.

I followed the outline in /usr/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt, and was able to get npppd compiled. I then started isakmpd and updated ipsecctl (sudo ipsecctl -f /etc/ipsec.conf). Finally, started npppd:

npppd -d
---
2012-02-10 15:02:48:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully.
2012-02-10 15:02:48:WARNING: write() failed in in_route0 on RTM_ADD : File exists
2012-02-10 15:02:48:INFO: tun0 Started ip4addr=10.0.3.1
2012-02-10 15:02:48:INFO: pool name=default dyn_pool=[10.0.3.0/25] pool=[10.0.3.0/24]
2012-02-10 15:02:48:INFO: Added 2 routes for new pool addresses
2012-02-10 15:02:48:INFO: Loading pool config successfully.
2012-02-10 15:02:48:INFO: realm name=local(local) Loaded users from='/etc/npppd/npppd-users.csv' successfully. 2 users
2012-02-10 15:02:48:INFO: Listening /var/run/npppd_ctl (npppd_ctl)
2012-02-10 15:02:48:INFO: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]
2012-02-10 15:02:48:INFO: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]
2012-02-10 15:02:48:INFO: pptpd Listening 0.0.0.0:1723/tcp (PPTP PAC) [PPTP]
2012-02-10 15:02:48:INFO: pptpd Listening 0.0.0.0:gre (PPTP PAC)
2012-02-10 15:02:48:INFO: tun0 is using ipcp=default(1 pools).
---

Now, when I try enabling the L2TP/IPSEC VPN on the iPad, I can see that the IPSEC tunnel is created.
isakmpd -Kv -d
---
150059.011921 Default isakmpd: starting [priv]
150358.338625 Default isakmpd: phase 1 done: initiator id 10.0.222.201, responder id 10.0.28.20, src: 10.0.28.20 dst: 10.0.28.201
150359.377301 Default isakmpd: quick mode done: src: 10.0.28.20 dst: 10.0.28.201
---

And flows get established:

ipsecctl -s all
---
FLOWS:
flow esp in proto udp from 10.0.222.201 port 56701 to 10.0.28.20 port l2tp peer 10.0.28.201 srcid 10.0.28.20/32 dstid 10.0.222.201/32 type use
flow esp out proto udp from 10.0.28.20 port l2tp to 10.0.222.201 port 56701 peer 10.0.28.201 srcid 10.0.28.20/32 dstid 10.0.222.201/32 type require

SAD:
esp transport from 10.0.28.20 to 10.0.28.201 spi 0x06c8118f auth hmac-sha1 enc aes-256
esp transport from 10.0.28.201 to 10.0.28.20 spi 0x55c61855 auth hmac-sha1 enc aes-256
---

And, then, npppd tries to negotiate the L2TP connection, but it fails:

npppd -d (continued)
---
2012-02-10 15:03:59:NOTICE: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=1/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:03:59:INFO: l2tpd ctrl=1 SendSCCRP
2012-02-10 15:04:00:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=2/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:00:INFO: l2tpd ctrl=2 SendSCCRP
2012-02-10 15:04:02:NOTICE: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=3/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:02:INFO: l2tpd ctrl=3 SendSCCRP
2012-02-10 15:04:06:NOTICE: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=4/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:06:INFO: l2tpd ctrl=4 SendSCCRP
2012-02-10 15:04:10:NOTICE: l2tpd ctrl=5 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=5/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:10:INFO: l2tpd ctrl=5 SendSCCRP
2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 logtype=Finished
2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 timeout waiting ack for ctrl packets.
2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 logtype=Finished
2012-02-10 15:04:14:NOTICE: l2tpd ctrl=6 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=6/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:14:INFO: l2tpd ctrl=6 SendSCCRP
2012-02-10 15:04:14:NOTICE: l2tpd ctrl=3 timeout waiting ack for ctrl packets.
2012-02-10 15:04:14:NOTICE: l2tpd ctrl=3 logtype=Finished
2012-02-10 15:04:18:NOTICE: l2tpd ctrl=7 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=7/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:18:INFO: l2tpd ctrl=7 SendSCCRP
2012-02-10 15:04:18:NOTICE: l2tpd ctrl=4 timeout waiting ack for ctrl packets.
2012-02-10 15:04:18:NOTICE: l2tpd ctrl=4 logtype=Finished
2012-02-10 15:04:22:NOTICE: l2tpd ctrl=5 timeout waiting ack for ctrl packets.
2012-02-10 15:04:22:NOTICE: l2tpd ctrl=5 logtype=Finished
2012-02-10 15:04:26:NOTICE: l2tpd ctrl=6 timeout waiting ack for ctrl packets.
2012-02-10 15:04:26:NOTICE: l2tpd ctrl=6 logtype=Finished
2012-02-10 15:04:30:NOTICE: l2tpd ctrl=7 timeout waiting ack for ctrl packets.
2012-02-10 15:04:30:NOTICE: l2tpd ctrl=7
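Triage of the npppd and ipsecctl output in the post above, as an added example; it is not part of the original post and not code from npppd or OpenBSD. It replays the posted log lines (copied from the post and trimmed to control connections 1 and 2) through a small per-ctrl state tracker, classifies each L2TP control connection by how far it got (SCCRQ received, SCCRP sent, ack timeout), and then checks whether the address npppd is replying to (the from= address of the SCCRQ) is the destination of any outbound UDP/l2tp flow in the ipsecctl output. In the posted output the outbound flow goes to 10.0.222.201 while the SCCRQs arrive from 10.0.28.201, which the checker flags; the thread does not say whether that was the cause. The regular expressions are assumptions about the log format derived only from the lines posted.

```python
"""Triage npppd L2TP control-connection logs against the ipsecctl flow table.

Added example; not code from the post, npppd or OpenBSD. The sample log
and flow lines are copied from the posted output (trimmed); the regexes
are assumptions about the log format derived from those lines only.
"""
import re
from collections import OrderedDict

# Posted npppd output, trimmed to control connections 1 and 2.
NPPPD_LOG = """\
2012-02-10 15:03:59:NOTICE: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=1/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:03:59:INFO: l2tpd ctrl=1 SendSCCRP
2012-02-10 15:04:00:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=2/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:00:INFO: l2tpd ctrl=2 SendSCCRP
2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 logtype=Finished
2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 timeout waiting ack for ctrl packets.
2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 logtype=Finished
"""

# Posted "ipsecctl -s all" FLOWS section.
IPSECCTL_FLOWS = """\
flow esp in proto udp from 10.0.222.201 port 56701 to 10.0.28.20 port l2tp peer 10.0.28.201 srcid 10.0.28.20/32 dstid 10.0.222.201/32 type use
flow esp out proto udp from 10.0.28.20 port l2tp to 10.0.222.201 port 56701 peer 10.0.28.201 srcid 10.0.28.20/32 dstid 10.0.222.201/32 type require
"""

# Assumed formats, derived from the posted lines only.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(?P<level>\w+): "
    r"l2tpd ctrl=(?P<ctrl>\d+) (?P<msg>.*)$")
FROM_RE = re.compile(r"from=(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)/udp")
FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) proto (?P<proto>\w+) "
    r"from (?P<src>\S+) port (?P<sport>\S+) to (?P<dst>\S+) port (?P<dport>\S+) "
    r"peer (?P<peer>\S+)")


def parse_npppd(log):
    """Map each ctrl id to the events seen for that L2TP control connection."""
    sessions = OrderedDict()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an l2tpd control-connection line
        st = sessions.setdefault(m["ctrl"], {
            "peer": None, "sccrq": False, "sccrp": False,
            "timeout": False, "finished": False})
        msg = m["msg"]
        if "RecvSCCRQ" in msg:
            st["sccrq"] = True
            f = FROM_RE.search(msg)
            if f:
                st["peer"] = (f["ip"], int(f["port"]))  # where our SCCRP goes
        elif "SendSCCRP" in msg:
            st["sccrp"] = True
        elif "timeout waiting ack" in msg:
            st["timeout"] = True
        elif "logtype=Finished" in msg:
            st["finished"] = True
    return sessions


def classify(st):
    """Name how far a control connection got before it ended."""
    if st["sccrp"] and st["timeout"]:
        return "no-ack-after-SCCRP"  # our reply was never acknowledged
    if st["sccrq"] and not st["sccrp"]:
        return "no-SCCRP-sent"
    if st["finished"]:
        return "finished-without-timeout"
    return "incomplete"


def parse_flows(text):
    """Parse ipsecctl flow lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(FLOW_RE.match, text.splitlines()) if m]


def uncovered_reply_addrs(flows, sessions):
    """Reply addresses (where npppd sends SCCRP) that are not the destination
    of any outbound UDP/l2tp flow, i.e. replies no IPsec flow would match."""
    out_dsts = {f["dst"] for f in flows
                if f["dir"] == "out" and f["proto"] == "udp" and f["sport"] == "l2tp"}
    reply_addrs = {st["peer"][0] for st in sessions.values() if st["peer"]}
    return sorted(a for a in reply_addrs if a not in out_dsts)


def triage(log=NPPPD_LOG, flows_text=IPSECCTL_FLOWS):
    """Return ({ctrl: outcome}, [uncovered reply addresses])."""
    sessions = parse_npppd(log)
    outcomes = {c: classify(s) for c, s in sessions.items()}
    uncovered = uncovered_reply_addrs(parse_flows(flows_text), sessions)
    return outcomes, uncovered


if __name__ == "__main__":
    outcomes, uncovered = triage()
    for ctrl, outcome in outcomes.items():
        print(f"ctrl={ctrl}: {outcome}")
    for addr in uncovered:
        print(f"reply address {addr} is not the destination of any outbound l2tp flow")
```

Run stand-alone it prints one line per control connection and one line per reply address that no outbound l2tp flow covers. The flow check only means something when the ipsecctl output and the npppd log come from the same session; feed it the full log and the full FLOWS section rather than the trimmed samples when using it on a live box.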
Scannedonly (for samba vfs) make fails - pthread_spinlock_t definition missing(?) in libpthread
Hello:

I was wondering if anyone has tried using scannedonly with samba on openbsd (4.9). Scannedonly is a daemon/VFS module for samba that scans files on request using clamav (description at http://olivier.sessink.nl/scannedonly/ ).

The samba version (3.5.6) available with openbsd 4.9 already includes the VFS module (at /usr/local/lib/samba/vfs/scannedonly.so). However, when I try to compile the daemon from source, it dies almost immediately with the error:

scannedonlyd_clamav.c:73: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'statuslock'

at the statement:

pthread_spinlock_t statuslock;

When I look at the pthread.h header file (which is included in the source), I cannot find pthread_spinlock_t defined. It is my understanding that on linux pthread_spinlock_t is defined in /usr/include/bits/pthreadtypes.h; however, there is no pthreadtypes.h header file that I can find on openbsd 4.9.

I must admit that this is a bit beyond my current understanding. I am wondering if there is some way around this, or if there is something in ports/packages that can be installed to provide the missing pthread_spinlock_t definition? Or, am I just out of luck?

Thanks in advance for any advice.

Bye - ted
snort and pf - pflog vs if
Hello

I am confused about something. I have recently upgraded from 4.5 to 4.9 (not 5.0 yet). However, I have openbsd/pf as a firewall to protect a home network.

Now, even though I don't really understand it all, I had/have snort running on the FW to see what kind of badness passes by. With 4.5, I had snort listening to pflog0, because I understood that listening to the interface directly (e.g. bge0) would not work since any packets dropped by pf would not be seen by snort.

However, when I upgraded to 4.9 and snort 2.9.1.x, I have noticed that snort appears to see packets that are dropped by pf when it listens on the interface directly (bge0). I don't think I ever checked this with openbsd 4.5 (listening on the interface directly).

So, I was wondering, is this expected? Should snort see packets dropped by pf when listening to the interface?

I guess if the answer is no, I will need to check my pf.conf, although when I scan myself the only port open to the internet is ssh, everything else is silently dropped (which is as it should be).

Thanks for any clarification.

Bye - ted
Re: Is it possible: IPsec tunnel with no static addresses?
> Why do you think IPSec needs one fixed-IP endpoint? Certainly, things won't work if both of you change IP addresses before the DNS updates, but you seem to accept that. You can also get a fixed IP for free by contacting one of the IPv6 tunnel brokers. Yes, this will be IPv6-over-IPv4, which has its issues.
>
> I've never seen an example where hostnames are used in place of static IP addresses in configuration files. Is it the case that anywhere I see an ip address (filenames, conf file values, etc), I could just as easily put in foo.dyndns.org?

I don't consider myself expert at this, but, yes, I think that is the case. At least for me, it has worked well.

I have an ipsec tunnel set up between two residential cable internet connections. Both are DHCP, so there is no static endpoint. I use dDNS to keep the endpoint IPs up to date (I do own my own domain, but I suppose you don't have to). The tunnel goes down for a few minutes from time to time (I think mostly because of problems with my internet connections, not so much DNS name resolution issues), but it has not been an issue for me.

As an example, my ipsec.conf looks something like this (this is openbsd 4.6 - yes, I know I should update, I'm working on it):

One end:

ike passive esp from 10.0.0.1 to ipsec2.mydomain.com srcid my.local.crt.com dstid my.remote.crt.com etc...

The other end:

ike dynamic esp from 192.168.1.1 to ipsec1.mydomain.com srcid my.remote.crt.com dstid my.local.crt.com etc...

As I said, I'm no expert on this, but I was able to figure this out from the man pages.

Bye - ted
Question about moving system to different hardware
Hello:

I was very happy with myself after setting up a file server for my home with some old hardware (and some new old hardware). Everything works great.

Now, I have come into possession of some better old hardware (an actual server - Compaq Evo W8000 - with SCSI disks! Wow, that's big for me). So, I wanted to move my fileserver over. I was reading the FAQ (14.10) about backing up, and I think this will work, but I have a couple of basic questions, if anyone has the time to answer.

1. Since I will be moving to new hardware, and from ide to scsi disks, I will need to modify /etc/fstab. Is there anything else I should be thinking about editing for the move to new hardware (the network card will be the same, since it's moving too)? I can't think of anything other than fstab.

2. I note that in the example for backing up and restoring, raw devices are used. In my situation, I will be going from ide to a usb drive, and then from the usb drive to scsi disks. So, the ide drive I can't access raw, but I don't think this is an issue. Is it? And, if I don't read from the raw device with dump, it's still okay to write to the raw device with restore, right?

I think these are pretty basic questions, and I think I would figure it out on my own when I do it. I guess I am looking for peace of mind that I am on the right track.

Thanks

Bye - ted
pcmcia serial card sometimes recognized, sometimes not
Hello:

I am trying to understand why this is happening. I have an older laptop and a new old pcmcia serial interface card (Quatech Inc, RS-232 Serial Port PC Card, SSP-100).

So, when I first booted the 4.6 stable image with the pcmcia card in the slot, it would not recognize it (com3 at pcmcia0 function 0: can't allocate i/o space). Then, I did a bunch of searching, and eventually figured out how to change the i/o memory space for pcic0 using config; and, it worked.

But then, the next day, it didn't (I booted the modified kernel, but again got the same i/o space error). So, I played with config some more, disabled com0,1,2,3; played with the settings for i/o address and size; and eventually, it worked again. But, again, the next day, it went unrecognized. So, I played with config some more, changed i/o address/size, made a new pcmcia com0, disabled pcic1,2, and maybe something more, and got it to work.

This time I captured the dmesg. Here it is:

OpenBSD 4.6 (GENERIC) #58: Thu Jul 9 21:24:42 MDT 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Mobile Intel(R) Pentium(R) 4 - M CPU 2.00GHz (GenuineIntel 686-class) 1.20 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 266891264 (254MB)
avail mem = 249249792 (237MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/22/03, BIOS32 rev. 0 @ 0xfd891, SMBIOS rev. 2.31 @ 0xd8010 (15 entries)
bios0: vendor Phoenix Technologies LTD version R0202B3 date 04/22/03
bios0: Sony Corporation PCG-V505BC(UC)
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP BOOT SSDT SSDT
acpi0: wakeup devices PWRB(S5) CRD0(S3) LAN_(S3) USB1(S3) USB2(S3) USB3(S3) EC0_(S5) MODE(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (AGP_)
acpiprt2 at acpi0: bus 2 (HUB_)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, C1, FVS, 2000, 1200 MHz
acpitz0 at acpi0: critical temperature 90 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: PWRB
acpibat0 at acpi0: BAT1 type LION oem Sony Corp.
acpiac0 at acpi0: AC unit offline
bios0: ROM list: 0xc/0x1 0xd8000/0x4000! 0xdc000/0x4000!
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82845 Host rev 0x04
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xec00, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82845 AGP rev 0x04
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon Mobility M6 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: irq 9
drm0 at radeondrm0
ppb1 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x42
pci2 at ppb1 bus 2
cbb0 at pci2 dev 5 function 0 Ricoh 5C475 CardBus rev 0xb8: couldn't map interrupt
Ricoh 5C551 Firewire rev 0x00 at pci2 dev 5 function 1 not configured
ohci0 at pci2 dev 7 function 0 NEC USB rev 0x43: irq 9, version 1.0, legacy support
ohci1 at pci2 dev 7 function 1 NEC USB rev 0x43: couldn't map interrupt
ehci0 at pci2 dev 7 function 2 NEC USB rev 0x04: couldn't map interrupt
fxp0 at pci2 dev 8 function 0 Intel PRO/100 VE rev 0x42: couldn't map interrupt
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 NEC OHCI root hub rev 1.00/1.00 addr 1
ichpcib0 at pci0 dev 31 function 0 Intel 82801CAM LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801CAM IDE rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: IC25N040ATMR04-0
wd0: 16-sector PIO, LBA48, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MATSHITA, UJDA745 DVD/CDRW, 1.05 ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801CA/CAM SMBus rev 0x02: polling
iic0 at ichiic0
spdmem0 at iic0 addr 0x54: 256MB DDR SDRAM non-parity PC2300CL2.5
auich0 at pci0 dev 31 function 5 Intel 82801CA/CAM AC97 rev 0x02
Intel 82801CA/CAM Modem rev 0x02 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pcic0 at isa0 port 0x3e0/2 iomem 0xe/65536
pcic0 controller 0: Intel 82365SL rev 1 has socket A only
pcmcia0 at pcic0 controller 0 socket 0
com0 at pcmcia0 function 0 Quatech Inc, RS-232 Serial Port PC Card, SSP-100 port 0x2f8/8: ns16550a, 16 byte fifo, irq 3
pcic0: irq 4, polling