Re: ssl/libssl certificate validation broken?

2020-10-25 Thread Uwe Werler
On 22 Oct 22:59, Daniel Jakots wrote: > On Thu, 22 Oct 2020 21:49:20 -0500, "Rafael Possamai" > wrote: > > > >Hi Bob, it was in the middle of the night and I got quite kinda > > >stressed because all services depending on our ldap proxy stopped > > >working after the upgrade and it took me a

Re: ssl/libssl certificate validation broken?

2020-10-25 Thread Uwe Werler
On 22 Oct 21:49, Rafael Possamai wrote: > >Hi Bob, it was in the middle of the night and I got quite kinda stressed > >because all services depending on our ldap proxy stopped working after the > >upgrade and it took me a while to figure the problem out. > > Perhaps this is unsolicited advice,

Re: ssl/libssl certificate validation broken?

2020-10-21 Thread Uwe Werler
On 20 Oct 20:21, Bob Beck wrote: > On 20 Oct 21:01, Uwe Werler wrote: > > Hi folks, > > > > before opening a bug report I'll ask here because I want to make sure that I > > have not missed something. > > You should probably submit a real bug report instead of

Re: CARP load balancing problems under KVM

2020-10-21 Thread Uwe Werler
On 21 Oct 07:12, Carlos Lopez wrote: > Hi all, > > Before upgrade from OpenBSD 6.7 to OpenBSD 6.8, my pair firewalls was using > carp in IP balance mode without problems from several months. These firewalls > are installed in a RHEL 8.2 (fully patched) KVM host. > > After upgrading to OpenBSD

Re: ssl/libssl certificate validation broken?

2020-10-20 Thread Uwe Werler
On 20 Oct 21:01, Uwe Werler wrote: > Hi folks, > > before opening a bug report I'll ask here because I want to make sure that I > have not missed something. > > With the upgrade to 6.8 my cert validation seems to be broken because the > hashed certs in /etc/ssl/certs are n

ssl/libssl certificate validation broken?

2020-10-20 Thread Uwe Werler
Hi folks, before opening a bug report I'll ask here because I want to make sure that I have not missed something. With the upgrade to 6.8 my cert validation seems to be broken because the hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our L1 and L2 ca certs in

Re: iwm0: fatal firmware error on Dell Latitude E5570

2020-09-24 Thread Uwe Werler
On 24 Sep 12:24, Jan Stary wrote: > On Sep 24 11:36:24, h...@stare.cz wrote: > > This is 6.8-beta/amd64 on a Dell Latitude E5570 (dmesg below). > > iwm stopped working, saying > > > > iwm0: hw rev 0x200, fw ver 34.0.1, address e4:a4:71:40:21:08 > > iwm0: fatal firmware error > > iwm0:

Re: ideas needed for password management

2020-09-24 Thread Uwe Werler
On 24 Sep 10:55, Uwe Werler wrote: > On 23 Sep 20:52, Hakan E. Duran wrote: > > Dear all, > > > > I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and > > Dovecot. The users will be the Unix users on the VPS for simplicity. > > However, I

Re: ideas needed for password management

2020-09-24 Thread Uwe Werler
On 23 Sep 20:52, Hakan E. Duran wrote: > Dear all, > > I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and > Dovecot. The users will be the Unix users on the VPS for simplicity. However, > I now have the problem of allowing users setting and modifying their own > passwords

Re: Web based document / spreadsheet editor

2020-09-22 Thread Uwe Werler
On 22 Sep 15:37, Martin Sukany wrote: > Hi colleagues, > > I need to set up some kind of collaborative environment (rich text > documents, basic tables) — request is „something like google docs“. > > As I’m almost working in shell I have to say that I’m little bit lost in this > area. > >

Re: Troubleshooting pf congestion

2020-09-14 Thread Uwe Werler
Without seeing a rule set what should one say? On 14 September 2020 15:19:46 GMT+00:00, Scott Reese wrote: >Greetings: > >I am troubleshooting an issue: users complaining about network >performance. The firewall >is an OpenBSD 6.7 system with patches applied. I've traced the issue >and I'm

Re: Cleaning system's old libraries/files after update to next -release or -current

2020-07-15 Thread Uwe Werler
On 14 Jul 15:44, Stuart Henderson wrote: > On 2020-07-14, Christian Weisgerber wrote: > > Old versions of libraries are innocuous. They will simply be > > ignored. > > Until you run out of disk space, which is fairly easy in /usr if you > installed a couple of releases ago and took the auto

Re: How did it happen?

2020-02-01 Thread Uwe Werler
On 31 January 2020 18:48:51 GMT+00:00, gil...@poolp.org wrote: >January 30, 2020 4:44 PM, gil...@poolp.org wrote: > >> It depends on your configuration, not all setups are vulnerable. >> >> I think I recall your name from the comments on my tutorial and this >is a >> setup that would not be

Re: ksh complete_command for commands with "-" in name

2020-01-17 Thread Uwe Werler
On 18 Jan 00:27, Andreas Kusalananda Kähäri wrote: > On Fri, Jan 17, 2020 at 10:41:30PM +0000, Uwe Werler wrote: > > On 17 Jan 22:32, Ottavio Caruso wrote: > > > On Fri, 17 Jan 2020 at 22:03, Uwe Werler wrote: > > > > > > > > Hi misc, > > >

Re: ksh complete_command for commands with "-" in name

2020-01-17 Thread Uwe Werler
On 17 Jan 22:32, Ottavio Caruso wrote: > On Fri, 17 Jan 2020 at 22:03, Uwe Werler wrote: > > > > Hi misc, > > > > I use heavily the feature to set command completion in ksh. Unfortunately > > this doesn't work for commands with "-" (like ssh-add,

ksh complete_command for commands with "-" in name

2020-01-17 Thread Uwe Werler
Hi misc, I use heavily the feature to set command completion in ksh. Unfortunately this doesn't work for commands with "-" (like ssh-add, salt-call etc.) in command name because the parameter name for the array is invalid. Any idea to work around that or plans to allow at least "-" when

Re: tinc on openBSD?

2017-04-27 Thread Uwe Werler
On 27. Apr 7:51:18, Harald Dunkel wrote: > Hi folks, > > AFAICS tinc is included in the packages for 6.1, but surely > that doesn't mean its safe to use without looking. > > Are there security concerns against running tinc on an OpenBSD > gateway as an alternative to IPsec and openvpn in a +50

Re: tmux, option allow-rename off allows renaming

2017-03-17 Thread Uwe Werler
That's exactly the reason why I wrote this little wrapper script: https://github.com/uwerler/tmux_ssh On 17 March 2017 12:12:52 CET, "Andreas Kusalananda Kähäri" wrote: >Hi, > >I'm doing some development on a Linux machine over SSH from a tmux >shell >session. >

Re: APCu/Memcached/Redis - OwnCloud/Nextcloud memory caching - which OpenBSD package?

2017-02-27 Thread Uwe Werler
27 February 2017 17:09, "Florian Viehweger" wrote: > Hey, > >> I use php56 and nginx from ports. Any other idea? > > try to upgrade to PHP 7. I've experienced a significant performance > improvement, albeit on Arch Linux. > > -- > greetings, > > Florian

Re: APCu/Memcached/Redis - OwnCloud/Nextcloud memory caching - which OpenBSD package?

2017-02-27 Thread Uwe Werler
> make sure your SQL encoding is set to unicode/UTF8, I recently did a fresh > install and the encoding ended up as SQL_ASCII and performance was abysmal. > Switching to UTF-8 and performance was as expected. (this was with postgresql) Mmh, I checked my mysql settings and they are still utf8 - and

httpd rewrite

2017-02-02 Thread Uwe Werler
Hello guys, I try to move from nginx to httpd. But I have a problem with rewrite. I try to use this nginx-rule: rewrite ^/Microsoft-Server-ActiveSync?(.*)$ /tine20/index.php?frontend=activesync$1; with httpd: location "/Microsoft-Server-ActiveSync" {

Re: spreed server

2017-01-18 Thread Uwe Werler
Hi Stephen, did You get the spreed server built?

Re: rdomain incompatible with NSD ? (OpenBSD 6)

2016-09-03 Thread Uwe Werler
You have to start nsd in rdomain 1. Sent from my Samsung Galaxy smartphone. Original message From: Bob Jones Date: 03.09.16 20:13 (GMT+01:00) To: misc@openbsd.org Subject: rdomain incompatible with NSD ? (OpenBSD

Re: DigitalOcean and OpenBSD

2016-08-25 Thread Uwe Werler
On 25. Aug 12:02:37, Daniel Winters wrote: > Hi, > > > Hetzner customer here. Hetzner doesn't support OpenBSD natively. The > > only instructions I could find are kind of dated, in German, seem to > > apply only to dedicated servers (as opposed to VMs), and overall look > > like a giant hack.

ksh, PS1 and PWD

2016-08-03 Thread Uwe Werler
Hello list, maybe this can be done better (~/.kshrc): _pwd(){ local _len="25" local _sym="/<.." [[ ${PWD} == ${HOME}* ]] && { PWD="~${PWD#${HOME}}"; _sym="~${_sym#/}"; } [[ ${#PWD} -gt $_len ]] && { typeset -R"$_len" local _pwd=$PWD; PWD="${_sym}/${_pwd#*/}"; } print $PWD }

Re: PF and interface changing IP

2016-05-12 Thread Uwe Werler
pass in on pppoe0 inet proto tcp to (pppoe0) port ssh keep state Sent from my Samsung device. Original message From: Gabriele Tozzi Date: 12.05.2016 09:45 (GMT+01:00) To: misc@openbsd.org Subject: PF and interface changing IP

Re: openbsd vs freebsd NAT performance

2016-04-19 Thread Uwe Werler
On 16. Apr 5:10:56, bluesun08 wrote: > Hi, > > beside OpenBSD 5.8 i installed FreeBSD 10.3 on my router-pc. For routing i > use pf. > I noticed that the routing/NAT-performance is in FreeBSD noticeable higher > than in OpenBSD. I think that is due to the SMP-support of pf in FreeBSD. > > Is

Re: LibreNMS chroot issues

2015-12-27 Thread Uwe Werler
Why not pointing the socket to chroot? Sent from my Samsung Galaxy smartphone. Original message From: Ax0n Date: 27.12.2015 18:58 (GMT+01:00) To: cou...@gmail.com, punoseva...@gmail.com Cc: misc@openbsd.org Subject: Re: LibreNMS chroot

Re: Highest Speed Network Packet Generator?

2015-12-26 Thread Uwe Werler
tcpbench in base or iperf from ports. Original message From: Mohammad BadieZadegan Date: 26.12.2015 09:15 (GMT+01:00) To: misc@openbsd.org Cc: Subject: Highest Speed Network Packet Generator?

resize crypto raid

2015-12-21 Thread Uwe Werler
Hello list, is it currently possible to resize/increase a crypto raid anyhow? I tested it with a virtual disk image via vnconfig - created an image file, attached it via vnconfig, created a raid partition and configured a raid with crypto discipline. Later I increased the image and adopted the

Re: resize crypto raid

2015-12-21 Thread Uwe Werler
n you change just partition/disklabel > size, but I would not expect it. > > On Mon, Dec 21, 2015 at 10:49 PM, Uwe Werler <uwe.wer...@retiolum.eu> wrote: > > Hello Ted, > > > > this is exactly my problem - i can't change the disk boundaries at the > >

Re: resize crypto raid

2015-12-21 Thread Uwe Werler
Hello Ted, this is exactly my problem - i can't change the disk boundaries at the softraid disk. I tried it with saving the disklabel of softraid0/sd0 and editing manually - with no success. Any ideas? Regards Uwe On 21. Dec 16:05:28, Ted Unangst wrote: > Uwe Werler wrote: > > H

Re: Playing with rdomains and bridge on 5.8 and current

2015-12-17 Thread Uwe Werler
Take a look at pair(4). On 17. Dec 12:19:42, Claer wrote: > Hello, > > I'm trying a "strange" setup with rdomains, bridge and vether. As there is > something I don't understand, I'd like to know if the behavior is normal or if > it is an issue. This is not a production system, just

Re: authentication infra structure

2015-12-10 Thread Uwe Werler
On 09. Dec 17:25:14, Friedrich Locke wrote: > If you had about 10k users and 5k machine how would you manage > authenticating issues? Keep in mind that this is a very heterogenous > environment with ldap, ftp, smtp, pop3, traditional unix boxes etc > LDAP is Your friend. You can even

Re: Empty MFS on root

2015-12-08 Thread Uwe Werler
On 08.12.2015 16:03:14, Tati Chevron wrote: > Currently, it's possible, (as root), to do something like: > > # mount_mfs -s 1g swap / > > which succeeds, and mounts the empty filesystem as the root filesystem. > > This makes the machine inoperable and requires a physical reset, without a

Re: relayd ssl interception and certificate subject

2015-12-02 Thread Uwe Werler
On 25. Nov 8:02:17, Stuart Henderson wrote: > On 2015-11-24, Uwe Werler <uwe.wer...@retiolum.eu> wrote: > > Hello, > > > > I'm just testing ssl interception and noticed the following problem. > > Sometimes the Subject/Subject Alternative Name of the cert is a

Re: relayd ssl interception and certificate subject

2015-11-26 Thread Uwe Werler
Thank You very much for the explanation Stuart! I'll check this. On 25. Nov 8:02:17, Stuart Henderson wrote: > On 2015-11-24, Uwe Werler <uwe.wer...@retiolum.eu> wrote: > > Hello, > > > > I'm just testing ssl interception and noticed the following problem. > &

Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Uwe Werler
On 24.11.2015 14:52:58, Jiri B wrote: > > With a little bit pf-magic this works like this: > > pass out log on $ext_if proto tcp to any port 443 route-to lo0 > > pass out log on > > $ext_if proto tcp to any port 443 user _relayd > > pass in log on lo0 proto tcp to > > any port 443 divert-to

relayd ssl interception and certificate subject

2015-11-24 Thread Uwe Werler
Hello, I'm just testing ssl interception and noticed the following problem. Sometimes the Subject/Subject Alternative Name of the cert is altered with a different name than the one the original cert has: The faked cert:

Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Uwe Werler
On 24.11.2015 14:17:41, Lampshade wrote: > Ok, I know that relayd can decrypt traffic, then log, then encrypt. The thing is that I want to > send decrypted traffic to another process (privoxy), and then re-encrypt it. > I have also problem with Reyk's config because I can not divert outgoing

Kerberos disabled in SSH now?

2013-07-29 Thread Uwe Werler
Kerberos is disabled per default in SSH now? Revision 1.60: download - view: text, markup, annotated - select for diffs Wed Jun 19 05:27:06 2013 UTC (5 weeks, 5 days ago) by deraadt Branches: MAIN Diff to: previous 1.59: preferred, coloured Changes since revision 1.59: +2 -1 lines stop doing

Re: Internet Connection - Load Balancing and Failover

2012-11-13 Thread Uwe Werler
-Original Message- To: OpenBSD-misc list misc@openbsd.org; From: Imre Oolberg i...@auul.pri.ee Sent: Tue 13.11.2012 09:05 Subject: Re: Internet Connection - Load Balancing and Failover On 11/13/12 08:57, Tomas Bodzar wrote: On Mon, Nov 12, 2012 at 11:09 PM,

Re: Ipsec tunnel between 2 sites with same network addressing

2010-02-15 Thread Uwe Werler
-Original Message- From: open...@e-solutions.re Sent: Mon 15.02.2010 09:15 To: misc@openbsd.org; Subject: Ipsec tunnel between 2 sites with same network addressing Hi, It is very simple to do a tunnel ipsec with 2 sites when they have different network addressing. But if

Re: Maximizing File/Network I/O

2010-01-08 Thread Uwe Werler
* Iñigo Ortiz de Urbina tarom...@gmail.com [2010-01-05 11:24]: On Tue, Jan 5, 2010 at 9:13 AM, Tomas Bodzar tomas.bod...@gmail.com wrote: There is much more to do. You can find some ideas eg. here http://www.openbsd.org/papers/tuning-openbsd.ps . It's good idea to follow outputs of

Re: What does your environment look like?

2010-01-05 Thread Uwe Werler
On Sun, 3 Jan 2010 10:34:07 -0500 Anders Langworthy lagrang...@gmail.com wrote: On Sat, Jan 2, 2010 at 9:08 PM, Brynet bry...@gmail.com wrote: * Do you use one of the bundled window managers like cwm(1)/twm(1)/fvwm(1) or something else? I wasn't going to reply, but I couldn't believe that

rtable and pf

2009-05-07 Thread Uwe Werler
Hello list, I have an OpenBSD box with 4.5 connected to two carriers, to one per dhcp and to the other static configured. Now I tried to change my rule set from route-to/reply-to syntax to rtable usage. Up to now I added my static configured gateway with route add default $GW -mpath so the

Re: automaticaly mount/umount encrypted $HOME or ...

2009-05-02 Thread Uwe Werler
Hi Maxim, Choosing bash was a quick solution for executing the job after I've logged out, e.g. how else do you umount and vnconfig -u? I'd like to use default ksh, but quick google-search gave me an answer - ksh can not exec after logout. Here I hope someone can point me to the right

Re: F5 FirePass SSL VPN on OpenBSD

2009-04-03 Thread Uwe Werler
Hi Mikolaj, You can connect to F5 with a little bit perl and ppp. I know a perl script which does the magic with pppd and openssl s_client: http://devcentral.f5.com/SDK/sslvpn.public.pl.txt . But in OpenBSD there is no pty option in pppd - that's why it should be converted to use ppp. Regards Uwe

Re: PF and CLamAV Integration - how to do it?

2009-03-19 Thread Uwe Werler
Hi Sarah, try to make a search in ports tree for different kind of proxies: Port: havp-0.89 Path: www/havp Info: web proxy with antivirus filter Maint: Giovanni Bechis g.bec...@snb.it Index: www L-deps: clamav.=1::security/clamav B-deps: :devel/gmake R-deps: Archs: any For scanning

Re: Can't get relayd to work for DNS + problem with relayctl reload

2009-01-15 Thread Uwe Werler
...@mipih.fr -- Mit freundlichen Gruessen Uwe Werler OB3SI Open Source Software Solution Integration Hosterwitzer Str. 15 D-01259 Dresden Fon +49 351 41722902 http://www.o3si.de mailto:i...@o3si.de Sitz des Unternehmens: 01259 Dresden Der Austausch von Nachrichten mit OB3SI via E-Mail dient

Re: LDAP and OpenBSD

2008-10-23 Thread Uwe Werler
On Thu, 23 Oct 2008 01:02:18 +1100, Gavin Norman [EMAIL PROTECTED] wrote: I attempted the steps based on your experience with ypldap. I downloaded a snapshot 2 days ago and setup a fresh install on a virtual machine. However I get the following after running ypldap: # ypldap -dv

Re: perl and openbsd

2008-10-15 Thread Uwe Werler
On Wed, 15 Oct 2008 09:28:06 +0200 (CEST), Holger Glaess [EMAIL PROTECTED] wrote: hi which option i have to change that perl is able to ge more memory resources ? i an script that works on linux complete well but under openbsd , he start and then perl stop to work an left the memory.

Fw: LDAP and OpenBSD

2008-10-13 Thread Uwe Werler
On Sat, 11 Oct 2008, Uwe Werler wrote: SNIP 2. Add a line to /etc/rc.conf ypldap_flags= 3. Add lines to /etc/rc.local: or more appropriately /etc/rc.conf.local otherwise your local changes could get overwritten on a future upgrade. Hello Diana, You are right

Re: CARP multicast and ADSL bridge

2008-10-10 Thread Uwe Werler
On Thu, 09 Oct 2008 19:45:01 -0700, Brian [EMAIL PROTECTED] wrote: Hello, After much reading of man pages, FAQs and googling, I have come up against a dead end. I have a dual redundant CARP setup on 2 sparc64 boxes running 4.3, with an Ovislink OV303 ADSL bridge for internet connectivity.

Re: LDAP and OpenBSD

2008-10-10 Thread Uwe Werler
On Fri, 10 Oct 2008 19:52:10 +0200, raven [EMAIL PROTECTED] wrote: Hi misc :) I'm thinking how my users into an ldap db can login into my openbsd machine as users. I try to use google but no clue at all. Thanks guys :) Francesco Hello Francesco, there's a solution ;-). I've gotten my

Re: LDAP and OpenBSD

2008-10-10 Thread Uwe Werler
starting applying configuration connecting to directories trying directory: $IP starting directory update starting directory update updates are over, cleaning up trees now flattening trees pushing line: anonymous:*:4:3:ldap:0:/home/anonymous:/bin/ksh pushing line: uwerler:*:1000:1000:ldap:12011:0:Uwe

Re: LDAP and OpenBSD

2008-10-10 Thread Uwe Werler
Ok, it's quite late tonight - after some beer: # vipw ^G i +:* :wq # vi /etc/group ^G i +:*:: :wq # You've done.

Re: pf - queue filter directive sticky?

2008-09-30 Thread Uwe Werler
On Tue, 30 Sep 2008 10:53:05 +0200, [EMAIL PROTECTED] wrote: On Mon, 29 Sep 2008 15:29:08 -0400, (private) HKS [EMAIL PROTECTED] wrote: If the following two rules apply to a given packet in the order shown, will the packet be queued? pass in on $int_if from 10.0.0.1 queue tens

howto determine boot device?

2005-07-04 Thread Uwe Werler
hi, is it possible to determine, after the kernel has loaded, from which device it has booted? regards uwe

determine boot device after boot

2005-07-01 Thread Uwe Werler
hello, is it possible to determine the boot device after the kernel has loaded? i didn't find any variable (with sysctl or an entry in logs) which contains this information. i want to boot from any device like floppy, cd etc. and the root will be a ramdisk. after boot i want to read some

Re: read-only storage media

2005-07-01 Thread Uwe Werler
hi matt, what is with an usb stick? that's my approach. regards uwe Is there any kind of storage media that can be set as read-only, and only reset to read and write by physical access? I'm thinking about something like the (seemingly ancient) 3.5 floppy disks that had that little