Re: rpki-client: ensure X.509 Subject only contains commonName and serialNumber

2023-09-11 Thread Theo Buehler
On Tue, Sep 12, 2023 at 12:03:01AM +, Job Snijders wrote: > On Mon, Sep 11, 2023 at 09:31:03AM +0200, Theo Buehler wrote: > > > - * This only parses the RFC 3779 extensions since these are necessary for > > > - * validation. > > > > Isn't this still true? Y

Re: rpki-client: ensure X.509 Subject only contains commonName and serialNumber

2023-09-11 Thread Job Snijders
On Mon, Sep 11, 2023 at 09:31:03AM +0200, Theo Buehler wrote: > > - * This only parses the RFC 3779 extensions since these are necessary for > > - * validation. > > Isn't this still true? You don't really parse the subject name. I took 'parse' to mean something like 'inspects',

Re: rpki-client: ensure X.509 Subject only contains commonName and serialNumber

2023-09-11 Thread Theo Buehler
On Mon, Sep 11, 2023 at 01:42:03AM +, Job Snijders wrote: > This adds another compliance check for the X.509 subject name. > > Only commonName, and optionally serialNumber, are permitted in the > certificate subject name. See RFC 6487 section 4.4 and 4.5. > > It se

rpki-client: ensure X.509 Subject only contains commonName and serialNumber

2023-09-10 Thread Job Snijders
This adds another compliance check for the X.509 subject name. Only commonName, and optionally serialNumber, are permitted in the certificate subject name. See RFC 6487 section 4.4 and 4.5. It seems the one CA who was not compliant with this requirement got their act together, so now

[no subject]

2023-07-27 Thread Theo de Raadt
S V wrote: > 2023-07-27 17:24 GMT+03:00, Theo de Raadt : > > You don't explain why you are trying to enable floating point register > > use in the kernel. > > I just have CPU with it (Cortex-a57 with NEON), so was toying with it > trying to look if I get more performance. > Got this error and

[no subject]

2023-07-27 Thread S V
I was trying (as an experiment) to build aarch64 current kernel with -march=armv8-a+simd and stumbled upon an error. Interesting to notice that armv8-a+nofp+simd compiles and runs OK. Part of output with error: cc -g -Werror -Wall -Wimplicit-function-declaration -Wno-pointer-sign

Re: rpki-client: Enforce X509v3 SKIs to be the SHA-1 hash of the Subject Public Key

2023-03-06 Thread Theo Buehler
On Mon, Mar 06, 2023 at 08:10:49PM +, Job Snijders wrote: > Upon re-reading RFC 6487 section 4.8.2, SKIs are not at all arbitrary > identifiers: they must be the SHA-1 hash of the 'Subject Public Key'. Ah, good. > The below changeset adds a SPK digest calculation and c

rpki-client: Enforce X509v3 SKIs to be the SHA-1 hash of the Subject Public Key

2023-03-06 Thread Job Snijders
Upon re-reading RFC 6487 section 4.8.2, SKIs are not at all arbitrary identifiers: they must be the SHA-1 hash of the 'Subject Public Key'. The below changeset adds a SPK digest calculation and comparison to the X509v3 extension containing the SKI. OK? Index: x509.c

[no subject]

2022-11-08 Thread Todd C . Miller
On Tue, 08 Nov 2022 18:05:24 +, Klemens Nanni wrote: > Subject: Document ifc_list immutability Sure. OK millert@ - todd

[no subject]

2022-11-08 Thread Klemens Nanni
Subject: Document ifc_list immutability OK? diff --git a/sys/net/if_var.h b/sys/net/if_var.h index 28514a0bfcd..a472c586f3c 100644 --- a/sys/net/if_var.h +++ b/sys/net/if_var.h @@ -78,11 +78,15 @@ struct ifnet; struct task; struct cpumem; +/* + * Locks used to protect struct members

[no subject]

2022-07-25 Thread Samuel Venable
Hello OpenBSD developers! I have a suggestion on how to get the current executable path in OpenBSD that might be reliable enough and not too costly that it might be accepted for a future OpenBSD version. Even if it won't be accepted, I need a little help completing the solution I have in

[no subject]

2021-08-25 Thread Crystal Kolipe
Hi, I sent this to bugs a while back, but it doesn't seem to have been picked up by anyone. On both i386 and amd64, the machine boot command in the bootloader has an off by one bug, which has been present since revision 1.20 in 1998. The machine boot command is implemented by patching the

Re: rpki-client parse and check caRepository Subject Information Access

2021-02-05 Thread Theo Buehler
On Fri, Feb 05, 2021 at 02:45:41PM +0100, Claudio Jeker wrote: > RPKI certificates have 3 possible Subject Information Access URI that we > may be interested in: > - 1.3.6.1.5.5.7.48.5 (caRepository) > - 1.3.6.1.5.5.7.48.10 (rpkiManifest) > - 1.3.6.1.5.5.7.48

rpki-client parse and check caRepository Subject Information Access

2021-02-05 Thread Claudio Jeker
RPKI certificates have 3 possible Subject Information Access URI that we may be interested in: - 1.3.6.1.5.5.7.48.5 (caRepository) - 1.3.6.1.5.5.7.48.10 (rpkiManifest) - 1.3.6.1.5.5.7.48.13 (rpkiNotify) rpkiManifest points to the .mft file inside the caRepository. Because

(No Subject)

2021-01-17 Thread ndelluomo
subscribe

[no subject]

2021-01-17 Thread Klemens Nanni
foo

[no subject]

2019-07-20 Thread Jason High
subscribe tech@openbsd.org

Re: httpd logging X509 cert subject when CA option is used.

2019-02-10 Thread Sebastian Benoit
Karel Gardas(gard...@gmail.com) on 2019.02.10 14:18:00 +0100: > > Any issues with the patch now? no, i just lost track of it. committed, thanks! > Anything I shall improve to get that > into acceptable/committable state? > > Thanks, > Karel > > On Fri, 1 Feb 2019 17:48:46 +0100 > Karel Gardas

Re: httpd logging X509 cert subject when CA option is used.

2019-02-10 Thread Karel Gardas
Any issues with the patch now? Anything I shall improve to get that into acceptable/committable state? Thanks, Karel On Fri, 1 Feb 2019 17:48:46 +0100 Karel Gardas wrote: > On Fri, 1 Feb 2019 16:53:14 +0100 > Sebastian Benoit wrote: > > > > + if (clt->clt_remote_user == NULL && > > >

Re: httpd logging X509 cert subject when CA option is used.

2019-02-01 Thread Karel Gardas
On Fri, 1 Feb 2019 16:53:14 +0100 Sebastian Benoit wrote: > > + if (clt->clt_remote_user == NULL && > > + clt->clt_tls_ctx != NULL && > > + (srv_conf->tls_flags & TLSFLAG_CA) && > > + stravis(, tls_peer_cert_subject(clt->clt_tls_ctx), > >

Re: httpd logging X509 cert subject when CA option is used.

2019-02-01 Thread Sebastian Benoit
Karel Gardas(gard...@gmail.com) on 2019.02.01 16:28:17 +0100: > > Hello, > > I'd like to have X509 peer's cert subject name logged in some form when > ca option in httpd.conf is used. That is, we do have X509 verified > client accessing web resource. Following patch implemen

httpd logging X509 cert subject when CA option is used.

2019-02-01 Thread Karel Gardas
Hello, I'd like to have X509 peer's cert subject name logged in some form when ca option in httpd.conf is used. That is, we do have X509 verified client accessing web resource. Following patch implements this behavior for combined logging style and for the case http connection

[no subject]

2018-12-10 Thread Jan Stary
Currently, pcap_setdirection() is described in pcap.3 as follows: pcap_setdirection() is used to limit the direction that packets must be flowing in order to be captured. The "direction" is not described, except in pcap.h. Should the constants be mentioned in the manpage? Also, the direction

[no subject]

2018-01-16 Thread Sebastian Benoit
Hi, this removes the currently unused arguments *warnmess and ratecap from pool_sethardlimit(). ok? diff --git share/man/man9/pool.9 share/man/man9/pool.9 index 75742cf12ab..27226e14a25 100644 --- share/man/man9/pool.9 +++ share/man/man9/pool.9 @@ -72,8 +72,6 @@ .Fo pool_sethardlimit .Fa

[no subject]

2017-11-03 Thread Jan Stary
Including when using getopt(3) also makes extern int opterr, optind, optopt, optreset; and friends declared, but many utils redeclare them again. Is there a reason for that, or can those be removed? As a harmless example, here's a diff to games. Jan Index: fortune/strfile/strfile.c

Re: ssl.8 and subject altnames

2017-06-28 Thread Ted Unangst
Stuart Henderson wrote: > On 2017/06/27 18:11, Ted Unangst wrote: > > so chrome at least has gotten pretty uppity about certs that lack subject > > altnames. > > Oh that's going to be hilarious. There are at least valid reasons for > doing this (e.g. nameConstraints don'

Re: ssl.8 and subject altnames

2017-06-28 Thread Stuart Henderson
On 2017/06/27 18:11, Ted Unangst wrote: > so chrome at least has gotten pretty uppity about certs that lack subject > altnames. Oh that's going to be hilarious. There are at least valid reasons for doing this (e.g. nameConstraints don't work with CN). > >

ssl.8 and subject altnames

2017-06-28 Thread Ted Unangst
so chrome at least has gotten pretty uppity about certs that lack subject altnames. following the instructions in ssl.8 is no longer sufficient. here's a short hint about how to fix this. Index: ssl.8 === RCS file: /cvs/src/share

[PATCH] objects: add EV subject OID names

2017-05-17 Thread Kyle J. McKay
The "EV SSL Certificate Guidelines" available from: https://cabforum.org/extended-validation/ defines three OIDs commonly seen in leaf certificates: jurisdictionLocalityName 1.3.6.1.4.1.311.60.2.1.1 jurisdictionStateOrProvinceName 1.3.6.1.4.1.311.60.2.1.2 jurisdictionCountryName

Re: sendbug subject

2016-05-16 Thread lists
ourreges-Anglas wrote: > >>> "Ted Unangst" <t...@tedunangst.com> writes: > >>> > >>> > i'm tired of seeing bug reports with no subject. i also get a fair bit > >>> of spam > >>> > with no subject and i am easily

Re: sendbug subject

2016-05-15 Thread Jeremie Courreges-Anglas
"trondd" <tro...@kagu-tsuchi.com> writes: > On Sun, May 15, 2016 1:22 pm, Juan Francisco Cantero Hurtado wrote: >> On Sun, May 15, 2016 at 06:43:16PM +0200, Jeremie Courreges-Anglas wrote: >>> "Ted Unangst" <t...@tedunangst.com> writes: >>&g

Re: sendbug subject

2016-05-15 Thread trondd
On Sun, May 15, 2016 1:22 pm, Juan Francisco Cantero Hurtado wrote: > On Sun, May 15, 2016 at 06:43:16PM +0200, Jeremie Courreges-Anglas wrote: >> "Ted Unangst" <t...@tedunangst.com> writes: >> >> > i'm tired of seeing bug reports with no s

Re: sendbug subject

2016-05-15 Thread Juan Francisco Cantero Hurtado
On Sun, May 15, 2016 at 06:43:16PM +0200, Jeremie Courreges-Anglas wrote: > "Ted Unangst" <t...@tedunangst.com> writes: > > > i'm tired of seeing bug reports with no subject. i also get a fair bit of > > spam > > with no subject and i am easily confused.

Re: sendbug subject

2016-05-15 Thread Jeremie Courreges-Anglas
"Ted Unangst" <t...@tedunangst.com> writes: > i'm tired of seeing bug reports with no subject. i also get a fair bit of spam > with no subject and i am easily confused. something is better than nothing. I fear that after that change all bug reports will only have [

sendbug subject

2016-05-15 Thread Ted Unangst
i'm tired of seeing bug reports with no subject. i also get a fair bit of spam with no subject and i am easily confused. something is better than nothing. Index: sendbug.c === RCS file: /cvs/src/usr.bin/sendbug/sendbug.c,v

[no subject]

2015-09-09 Thread James Turner
espie@openbsd, dera...@cvs.openbsd.org Bcc: Subject: Re: sqlite 3.8.11.1 Reply-To: In-Reply-To: <20150909084510.gh30...@tazenat.gentiane.org> On Wed, Sep 09, 2015 at 08:45:10AM +, Miod Vallat wrote: > > Hi, > > > > thanks to the hard work of jturner@, here'

[no subject]

2015-04-30 Thread Todd C. Miller
Merge two identical if() statements. The change in ip_spd.c 1.59 makes it appear that there is a cut pasto. We should merge the two identical and adjacent if() statements to avoid confusing people (and static analyzers). - todd Index: sys/netinet/ip_spd.c

[no subject]

2015-03-06 Thread Spencer BoxMan Davis

[no subject]

2015-01-02 Thread David Carlier
Hi again after discussions with Helg, second change is not relevant, so only the first should remain. Kind regards. Index: fuse.c === RCS file: /cvs/src/lib/libfuse/fuse.c,v retrieving revision 1.24 diff -u -p -r1.24 fuse.c ---

[no subject]

2014-11-02 Thread maurice prince
Sent from Windows Mail

[no subject]

2014-09-18 Thread bytevolcano
Yes. As it would seem, that was unintentional, possibly caused by a bad merge. I didn't pick this up as it worked on my system. It was thanks to Otto's message re parsing changes that I managed to pick that up. I am working on a new diff which will be released some time within the next few

[no subject]

2014-06-05 Thread Theo de Raadt
Fcc: +outbox Subject: Re: that private mailing list (fwd) Solar Designer: Re: that private mailing list I haven't even read this. I don't care. if this is the situation with open source disclosure, all of you users are fucked. --- Forwarded Message Received: from

[no subject]

2014-01-25 Thread Ted Unangst
I generally associate negative connotations with so-called, as in the so-called free world. I wouldn't use it just to name something, as in the kernel is written in the so-called C language. so-called implies it's called this, but it's not. Two imo dubious occurrences in the install notes. It's

[no subject]

2012-05-15 Thread Шевченко Илья
For a business to develop successfully, it needs high-quality and accessible advertising. Nowadays the main advertising medium is the Internet, since it makes it possible to widen one's reach, draw attention to oneself and attract new customers from the broad audience of the World Wide Web. We offer you

(no subject)

2011-11-05 Thread bole854
What's happening! I was searching the web and found... there doing a giveaway for an iPad2! you need to hurry up and get yours before they run out heres the web link.. http://so.ee/K50

[no subject]

2011-04-23 Thread Brynet
Index: dev/pci/piixpm.c === RCS file: /cvs/src/sys/dev/pci/piixpm.c,v retrieving revision 1.35 diff -u -r1.35 piixpm.c --- dev/pci/piixpm.c9 Apr 2011 04:33:40 - 1.35 +++ dev/pci/piixpm.c24 Apr 2011 03:16:31 - @@

[no subject]

2010-03-04 Thread betty . happy
We must protect our planet. Turn off your computer!

[no subject]

2010-02-01 Thread Milton Caines
http://sites.google.com/site/jgctidjtom/yzmbbezipo

[no subject]

2009-12-30 Thread damion bell
http://www.salni.com/ertTUUIOPP.html

[no subject]

2009-12-29 Thread damion bell
http://skateboa.skateboarding-videos.com/GJJlxxcCVB.html