Re: smtp(1) certificate validation

2019-09-10 Thread Ross L Richardson
Eric,

On Tue, Sep 10, 2019 at 05:38:30PM +0200, Eric Faurot wrote:
> On Fri, Sep 06, 2019 at 08:41:21AM +0200, Eric Faurot wrote:
> > Hi,
> > 
> > This patch adds the missing bits for verifying the server certificate
> > in smtp(1).
> 
> Take two: now check the name(s) of the server certificate.
>[...]

With that patch [plus sthen@'s], smtp now behaves correctly for
my test cases.

Thanks very much,
Ross



let bpf_mtap_hdr take a void * instead of caddr_t for the header

2019-09-10 Thread David Gwynne
this makes it easier to call at least.

it also brings it in line with bpf_tap_hdr. otherwise there's no
functional change.

ok?

Index: sys/net/bpf.c
===
RCS file: /cvs/src/sys/net/bpf.c,v
retrieving revision 1.177
diff -u -p -r1.177 bpf.c
--- sys/net/bpf.c   13 Jun 2019 21:14:53 -  1.177
+++ sys/net/bpf.c   10 Sep 2019 23:59:14 -
@@ -1367,7 +1367,7 @@ bpf_mtap(caddr_t arg, const struct mbuf 
  * it or keep a pointer to it.
  */
 int
-bpf_mtap_hdr(caddr_t arg, caddr_t data, u_int dlen, const struct mbuf *m,
+bpf_mtap_hdr(caddr_t arg, const void *data, u_int dlen, const struct mbuf *m,
 u_int direction, void (*cpfn)(const void *, void *, size_t))
 {
struct m_hdr mh;
@@ -1377,7 +1377,7 @@ bpf_mtap_hdr(caddr_t arg, caddr_t data, 
mh.mh_flags = 0;
mh.mh_next = (struct mbuf *)m;
mh.mh_len = dlen;
-   mh.mh_data = data;
+   mh.mh_data = (void *)data;
m0 = (struct mbuf *)
} else 
m0 = m;
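Review bot: `mh.mh_data = (void *)data;` casts away the const that the new prototype has just promised callers. That is sound only because the temporary m_hdr is read through cpfn(const void *, void *, size_t) and never written; a short comment on that line stating that nothing writes through mh_data would keep a later change from reading the cast as permission to modify the header.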
Index: sys/net/bpf.h
===
RCS file: /cvs/src/sys/net/bpf.h,v
retrieving revision 1.66
diff -u -p -r1.66 bpf.h
--- sys/net/bpf.h   17 Mar 2019 23:57:12 -  1.66
+++ sys/net/bpf.h   10 Sep 2019 23:59:14 -
@@ -315,7 +315,7 @@ struct mbuf;
 
 int bpf_validate(struct bpf_insn *, int);
 int bpf_mtap(caddr_t, const struct mbuf *, u_int);
-int bpf_mtap_hdr(caddr_t, caddr_t, u_int, const struct mbuf *, u_int,
+int bpf_mtap_hdr(caddr_t, const void *, u_int, const struct mbuf *, u_int,
void (*)(const void *, void *, size_t));
 int bpf_mtap_af(caddr_t, u_int32_t, const struct mbuf *, u_int);
 int bpf_mtap_ether(caddr_t, const struct mbuf *, u_int);
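Review bot: the header change matches the definition, and existing callers that pass a caddr_t (a char *) convert to const void * implicitly, so they compile unchanged, which is what keeps this a non-functional change as the commit message claims; bpf_tap_hdr() already takes the same type, so the two prototypes are now consistent. Callers that currently cast a const buffer to caddr_t can drop that cast.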
Index: share/man/man9/bpf_mtap.9
===
RCS file: /cvs/src/share/man/man9/bpf_mtap.9,v
retrieving revision 1.14
diff -u -p -r1.14 bpf_mtap.9
--- share/man/man9/bpf_mtap.9   2 Feb 2018 10:52:44 -   1.14
+++ share/man/man9/bpf_mtap.9   10 Sep 2019 23:59:14 -
@@ -66,7 +66,7 @@
 .Ft int
 .Fo bpf_mtap_hdr
 .Fa "caddr_t bpf"
-.Fa "caddr_t hdr"
+.Fa "const void *hdr"
 .Fa "u_int hdrlen"
 .Fa "const struct mbuf *m"
 .Fa "u_int direction"



Re: call if_input only once per Rx interrupt from net80211

2019-09-10 Thread Matthias Schmidt
Hi Stefan,

* Stefan Sperling wrote:
> 
> I think I see why. I forgot to convert some existing ieee80211_input()
> calls to ieee80211_inputm(), in ieee80211_input.c.
> These calls are related to buffered aggregated frames, so aggregated
> frames triggered multiple if_input() calls per interrupt again.
> 
> In the first diff ieee80211_input() was putting aggregated frames
> onto the global mbuf list. With this new diff they get added to the
> mbuf list which the driver's rx interrupt handler passed in.
> 
> Does this fix the issue?

Yes, indeed.  Downloading test files from a leaseweb mirror is now so fast
that my CPU fan starts spinning :)  This time, only tested on iwm.

Kudos for the quick fix!

Matthias



Re: call if_input only once per Rx interrupt from net80211

2019-09-10 Thread Stefan Sperling
On Tue, Sep 10, 2019 at 07:08:14PM +0200, Matthias Schmidt wrote:
> Hi Stefan,
> 
> * Stefan Sperling wrote:
> > 
> > New diff with above changes:
> 
> I tested your new diff with two different systems:
> 
> * Thinkpad T450s with iwm (8265, same as yesterday)
> * Thinkpad X220 with iwn (6205)
> 
> and on both systems I see a drastic regression compared to yesterday's
> patch.  The download speed is around 400-700K/s on both systems.  As
> soon as I switch back to the kernel with yesterday's patch, I end up
> having 4M/s on average, again.

I think I see why. I forgot to convert some existing ieee80211_input()
calls to ieee80211_inputm(), in ieee80211_input.c.
These calls are related to buffered aggregated frames, so aggregated
frames triggered multiple if_input() calls per interrupt again.

In the first diff ieee80211_input() was putting aggregated frames
onto the global mbuf list. With this new diff they get added to the
mbuf list which the driver's rx interrupt handler passed in.

Does this fix the issue?

diff refs/heads/master refs/heads/ifqdrop
blob - d72e8edceada8a680744a6b8478bb91ac9e15e6e
blob + a3203d7eb1a67d478bf280a551a43f2dc66c0965
--- sys/dev/ic/ar5008.c
+++ sys/dev/ic/ar5008.c
@@ -789,7 +789,7 @@ ar5008_rx_radiotap(struct athn_softc *sc, struct mbuf 
 #endif
 
 static __inline int
-ar5008_rx_process(struct athn_softc *sc)
+ar5008_rx_process(struct athn_softc *sc, struct mbuf_list *ml)
 {
struct ieee80211com *ic = >sc_ic;
struct ifnet *ifp = >ic_if;
@@ -931,7 +931,7 @@ ar5008_rx_process(struct athn_softc *sc)
rxi.rxi_rssi = MS(ds->ds_status4, AR_RXS4_RSSI_COMBINED);
rxi.rxi_rssi += AR_DEFAULT_NOISE_FLOOR;
rxi.rxi_tstamp = ds->ds_status2;
-   ieee80211_input(ifp, m, ni, );
+   ieee80211_inputm(ifp, m, ni, , ml);
 
/* Node is no longer needed. */
ieee80211_release_node(ic, ni);
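Review bot: after the switch to ieee80211_inputm() a data frame is no longer consumed at this point but parked on the caller's `ml`, so it reaches the stack only when ar5008_rx_intr() gets to its if_input(). Any path in ar5008_rx_process() that returns non-zero after this call must leave the list alone rather than assume the frame was already delivered; as written that holds, because the list belongs to the caller and is drained there.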
@@ -960,7 +960,13 @@ ar5008_rx_process(struct athn_softc *sc)
 void
 ar5008_rx_intr(struct athn_softc *sc)
 {
-   while (ar5008_rx_process(sc) == 0);
+   struct mbuf_list ml = MBUF_LIST_INITIALIZER();
+   struct ieee80211com *ic = >sc_ic;
+   struct ifnet *ifp = >ic_if;
+
+   while (ar5008_rx_process(sc, ) == 0);
+
+   if_input(ifp, );
 }
 
 int
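Review bot: if_input() is now called unconditionally at the end of ar5008_rx_intr(), including for an interrupt where ar5008_rx_process() queued nothing (all frames management or dropped); confirm that if_input() handles an empty list cheaply, otherwise guard the call. Also `ic` is declared only to reach `ifp`; deriving ifp in a single expression would avoid an otherwise unused local.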
blob - 69ade5ade5a35e632a025db327668d695a0edd2d
blob + dafa3bd1f0b4ca2124c6d963c82e289594e88b27
--- sys/dev/ic/ar9003.c
+++ sys/dev/ic/ar9003.c
@@ -83,7 +83,7 @@ void  ar9003_reset_txsring(struct athn_softc *);
 void   ar9003_rx_enable(struct athn_softc *);
 void   ar9003_rx_radiotap(struct athn_softc *, struct mbuf *,
struct ar_rx_status *);
-intar9003_rx_process(struct athn_softc *, int);
+intar9003_rx_process(struct athn_softc *, int, struct mbuf_list *);
 void   ar9003_rx_intr(struct athn_softc *, int);
 intar9003_tx_process(struct athn_softc *);
 void   ar9003_tx_intr(struct athn_softc *);
@@ -916,7 +916,7 @@ ar9003_rx_radiotap(struct athn_softc *sc, struct mbuf 
 #endif
 
 int
-ar9003_rx_process(struct athn_softc *sc, int qid)
+ar9003_rx_process(struct athn_softc *sc, int qid, struct mbuf_list *ml)
 {
struct ieee80211com *ic = >sc_ic;
struct ifnet *ifp = >ic_if;
@@ -1036,7 +1036,7 @@ ar9003_rx_process(struct athn_softc *sc, int qid)
rxi.rxi_flags = 0;  /* XXX */
rxi.rxi_rssi = MS(ds->ds_status5, AR_RXS5_RSSI_COMBINED);
rxi.rxi_tstamp = ds->ds_status3;
-   ieee80211_input(ifp, m, ni, );
+   ieee80211_inputm(ifp, m, ni, , ml);
 
/* Node is no longer needed. */
ieee80211_release_node(ic, ni);
@@ -1066,7 +1066,13 @@ ar9003_rx_process(struct athn_softc *sc, int qid)
 void
 ar9003_rx_intr(struct athn_softc *sc, int qid)
 {
-   while (ar9003_rx_process(sc, qid) == 0);
+   struct mbuf_list ml = MBUF_LIST_INITIALIZER();
+   struct ieee80211com *ic = >sc_ic;
+   struct ifnet *ifp = >ic_if;
+
+   while (ar9003_rx_process(sc, qid, ) == 0);
+
+   if_input(ifp, );
 }
 
 int
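Review bot: same remark as for ar5008_rx_intr(): the trailing if_input() runs even when this queue produced no data frames, and `ic` exists only to reach `ifp`. One list per (sc, qid) call also means frames from different Rx queues are delivered in separate batches, which looks intended but is worth a sentence in the commit message.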
blob - c0c5f4241b010c5c38a557d97963fbdbc884336d
blob + c4414e5113134012edaf4ce4557bb7e25987e9ef
--- sys/dev/ic/ath.c
+++ sys/dev/ic/ath.c
@@ -1795,6 +1795,7 @@ ath_rxbuf_init(struct ath_softc *sc, struct ath_buf *b
 void
 ath_rx_proc(void *arg, int npending)
 {
+   struct mbuf_list ml = MBUF_LIST_INITIALIZER();
 #definePA2DESC(_sc, _pa) \
((struct ath_desc *)((caddr_t)(_sc)->sc_desc + \
((_pa) - (_sc)->sc_desc_paddr)))
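Review bot: `struct mbuf_list ml = MBUF_LIST_INITIALIZER();` is placed above the PA2DESC #define, separated from the function's other local declarations; move it down with them so the declaration block stays in one place, matching how ar5008_rx_intr() and ar9003_rx_intr() declare theirs.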
@@ -1946,7 +1947,7 @@ ath_rx_proc(void *arg, int npending)
if (!ath_softcrypto && (wh->i_fc[1] & IEEE80211_FC1_WEP)) {
/*
 * WEP is decrypted by hardware. Clear WEP bit
-* and trim WEP header for ieee80211_input().
+* and trim WEP header for ieee80211_inputm().
 */
wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
bcopy(wh, , sizeof(whbuf));
@@ -1988,7 +1989,7 @@ ath_rx_proc(void *arg, int npending)
  

Re: smtp(1) certificate validation

2019-09-10 Thread Eric Faurot
On Tue, Sep 10, 2019 at 06:12:12PM +0100, Stuart Henderson wrote:
> > +   if (!SSL_CTX_load_verify_locations(ssl_ctx, "/etc/ssl/cert.pem", NULL))
> 
> shouldn't that use X509_get_default_cert_file()?

Yes, that looks better.
Updated locally.

Eric.



Re: smtp(1) certificate validation

2019-09-10 Thread Stuart Henderson
> + if (!SSL_CTX_load_verify_locations(ssl_ctx, "/etc/ssl/cert.pem", NULL))

shouldn't that use X509_get_default_cert_file()?



Re: call if_input only once per Rx interrupt from net80211

2019-09-10 Thread Matthias Schmidt
Hi Stefan,

* Stefan Sperling wrote:
> 
> New diff with above changes:

I tested your new diff with two different systems:

* Thinkpad T450s with iwm (8265, same as yesterday)
* Thinkpad X220 with iwn (6205)

and on both systems I see a drastic regression compared to yesterday's
patch.  The download speed is around 400-700K/s on both systems.  As
soon as I switch back to the kernel with yesterday's patch, I end up
having 4M/s on average, again.

Cheers

Matthias



Re: smtp(1) certificate validation

2019-09-10 Thread Eric Faurot
On Fri, Sep 06, 2019 at 08:41:21AM +0200, Eric Faurot wrote:
> Hi,
> 
> This patch adds the missing bits for verifying the server certificate
> in smtp(1).

Take two: now check the name(s) of the server certificate.

I borrowed code from libtls for now. This will be cleaned up when the
daemon is ported to libtls.


Eric.

Index: smtpc.c
===
RCS file: /cvs/src/usr.sbin/smtpd/smtpc.c,v
retrieving revision 1.8
diff -u -p -r1.8 smtpc.c
--- smtpc.c 2 Sep 2019 20:05:21 -   1.8
+++ smtpc.c 10 Sep 2019 14:40:25 -
@@ -20,6 +20,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -30,12 +31,12 @@
 #include 
 #include 
 
+#include 
+
 #include "smtp.h"
+#include "ssl.h"
 #include "log.h"
 
-void ssl_init(void);
-void *ssl_mta_init(void *, char *, off_t, const char *);
-
 static void parse_server(char *);
 static void parse_message(FILE *);
 static void resume(void);
@@ -46,6 +47,9 @@ static int noaction = 0;
 static struct addrinfo *res0, *ai;
 static struct smtp_params params;
 static struct smtp_mail mail;
+static const char *servname = NULL;
+
+static SSL_CTX *ssl_ctx;
 
 static void
 usage(void)
@@ -53,7 +57,7 @@ usage(void)
extern char *__progname;
 
fprintf(stderr,
-   "usage: %s [-Chnv] [-F from] [-H helo] [-s server] rcpt ...\n",
+   "usage: %s [-Chnv] [-F from] [-H helo] [-s server] [-S name] rcpt 
...\n",
__progname);
exit(1);
 }
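Review bot: usage() now advertises -S name, but the diff touches no manual page; smtp.1 (not part of this diff) needs the new option, with a sentence saying the name is what the server certificate is checked against and that it defaults to the -s host.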
@@ -87,7 +91,7 @@ main(int argc, char **argv)
memset(, 0, sizeof(mail));
mail.from = pw->pw_name;
 
-   while ((ch = getopt(argc, argv, "CF:H:hns:v")) != -1) {
+   while ((ch = getopt(argc, argv, "CF:H:S:hns:v")) != -1) {
switch (ch) {
case 'C':
params.tls_verify = 0;
@@ -98,6 +102,9 @@ main(int argc, char **argv)
case 'H':
params.helo = optarg;
break;
+   case 'S':
+   servname = optarg;
+   break;
case 'h':
usage();
break;
@@ -132,6 +139,13 @@ main(int argc, char **argv)
ssl_init();
event_init();
 
+   ssl_ctx = ssl_ctx_create(NULL, NULL, 0, NULL);
+   if (!SSL_CTX_load_verify_locations(ssl_ctx, "/etc/ssl/cert.pem", NULL))
+   fatal("SSL_CTX_load_verify_locations");
+   if (!SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method()))
+   fatal("SSL_CTX_set_ssl_version");
+   SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL);
+
if (pledge("stdio inet dns tmppath", NULL) == -1)
fatal("pledge");
 
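Review bot: `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL)` lets the handshake complete whatever the chain result, so the only gate is the later SSL_get_verify_result() in smtp_verify_server_cert(); that is the libtls pattern, but it makes the callback the single point of failure, so nothing (AUTH credentials in particular) may be written before it has reported CERT_OK. The hardcoded "/etc/ssl/cert.pem" should become X509_get_default_cert_file() as sthen@ suggested, and the stray space before the comma wants dropping. Doing the loads before pledge() is correct, since reading the CA file needs rpath, which the pledge string does not grant.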
@@ -245,6 +259,9 @@ parse_server(char *server)
if (port == NULL)
port = "smtp";
 
+   if (servname == NULL)
+   servname = host;
+
memset(, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
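Review bot: defaulting `servname` to `host` covers the common case, but when -s is given an address literal the check must compare against iPAddress SANs rather than dNSNames; add a test with an IP literal to confirm the borrowed ssl_check_name() does that and does not accept a wildcard dNSName for it.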
@@ -330,20 +347,42 @@ log_trace(int lvl, const char *emsg, ...
 void
 smtp_verify_server_cert(void *tag, struct smtp_client *proto, void *ctx)
 {
-   log_debug("validating server certificate...");
+   SSL *ssl = ctx;
+   X509 *cert;
+   long res;
+   int r, match;
+
+   if ((cert = SSL_get_peer_certificate(ssl))) {
+   r = ssl_check_name(cert, servname, );
+   X509_free(cert);
+   res = SSL_get_verify_result(ssl);
+   if (res == X509_V_OK) {
+   if (match) {
+   log_debug("valid certificate");
+   smtp_cert_verified(proto, CERT_OK);
+   }
+   else {
+   log_debug("certificate does not match 
hostname");
+   smtp_cert_verified(proto, CERT_INVALID);
+   }
+   return;
+   }
+   log_debug("certificate validation error %ld", res);
+   }
+   else
+   log_debug("no certificate provided");
 
-   /* Not implemented for now. */
-   smtp_cert_verified(proto, CERT_UNKNOWN);
+   smtp_cert_verified(proto, CERT_INVALID);
 }
 
 void
 smtp_require_tls(void *tag, struct smtp_client *proto)
 {
-   void *ctx;
-
-   ctx = ssl_mta_init(NULL, NULL, 0, NULL);
+   SSL *ssl = NULL;
 
-   smtp_set_tls(proto, ctx);
+   if ((ssl = SSL_new(ssl_ctx)) == NULL)
+   fatal("SSL_new");
+   smtp_set_tls(proto, ssl);
 }
 
 void
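Review bot: in smtp_verify_server_cert() the `r = ssl_check_name(...)` result is assigned but never examined, so the verdict rides entirely on `match`, which is only safe if ssl_check_name() always initialises it, including on its error returns; test `r == 0 && match` explicitly. The "certificate validation error %ld" log would be more useful with X509_verify_cert_error_string(res). In smtp_require_tls() the fresh SSL gets no server name; unless smtp_set_tls() sets it, consider SSL_set_tlsext_host_name(ssl, servname) so SNI-dependent servers present the certificate the name check expects.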
Index: ssl.h
===
RCS file: /cvs/src/usr.sbin/smtpd/ssl.h,v
retrieving revision 1.20
diff -u -p -r1.20 ssl.h
--- ssl.h   21 Apr 2016 14:27:41 -  1.20
+++ ssl.h   10 Sep 2019 14:37:36 -
@@ -65,3 +65,6 @@ int   ssl_ctx_fake_private_key(SSL_CTX *,
 
 /* ssl_privsep.c */
 int 
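The name check this patch borrows from libtls is the part most worth seeing spelled out. What follows is an added example written for this page, not code from smtpd or libtls: it implements dNSName matching rules in plain C (case-insensitive exact match; a wildcard accepted only as the entire leftmost label of a name with at least two further labels, standing for exactly one label; no DNS-name match for an address literal) and then combines the result with the chain verification outcome the way smtp_verify_server_cert() does, where either failure alone yields CERT_INVALID. The names match_cert_name(), decide_cert(), SAMPLE_NAMES and the sample certificate names are this example's own; the real code gets the names from the X509 object.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Verdicts, modelled on the CERT_OK / CERT_INVALID values used in smtpc.c. */
enum cert_status { CERT_OK = 0, CERT_INVALID = 1 };

/* Constructed sample: dNSName SANs of a hypothetical server certificate. */
const char *const SAMPLE_NAMES[] = { "smtp.example.org", "*.example.org" };
const size_t SAMPLE_NAMES_N = sizeof(SAMPLE_NAMES) / sizeof(SAMPLE_NAMES[0]);

/* True if name is an IPv4/IPv6 literal. Such names may only be compared
 * with iPAddress SANs (not covered here), never with DNS names. */
static int
is_ip_literal(const char *name)
{
	unsigned char buf[16];

	return inet_pton(AF_INET, name, buf) == 1 ||
	    inet_pton(AF_INET6, name, buf) == 1;
}

/* Match one certificate DNS name against the expected server name.
 * Returns 0 on match, -1 otherwise. */
int
match_cert_name(const char *cert_name, const char *name)
{
	const char *cert_domain, *next_dot, *domain;

	if (cert_name == NULL || name == NULL ||
	    cert_name[0] == '\0' || name[0] == '\0')
		return -1;
	if (is_ip_literal(name))
		return -1;
	if (strcasecmp(cert_name, name) == 0)
		return 0;			/* exact, case-insensitive */

	/* Wildcard: only "*.<label>.<label>[...]", only as the whole first label. */
	if (cert_name[0] != '*')
		return -1;			/* also rejects "mail*.example.org" */
	cert_domain = cert_name + 1;
	if (cert_domain[0] != '.')		/* "*" alone or "*foo.example.org" */
		return -1;
	if (cert_domain[1] == '.' || cert_domain[1] == '\0')	/* "*.." or "*." */
		return -1;
	next_dot = strchr(cert_domain + 1, '.');
	if (next_dot == NULL)			/* "*.org": wildcard on a TLD */
		return -1;
	if (next_dot[1] == '.' || next_dot[1] == '\0')	/* "*.example.." / "*.example." */
		return -1;

	/* The wildcard stands for exactly one non-empty leftmost label of name. */
	if (name[0] == '.')
		return -1;
	domain = strchr(name, '.');
	if (domain == NULL || domain[1] == '\0')
		return -1;
	return strcasecmp(cert_domain, domain) == 0 ? 0 : -1;
}

/* The decision smtp_verify_server_cert() makes: a certificate must be
 * present, the chain must have verified (SSL_get_verify_result() == X509_V_OK
 * in the real code, passed in here as chain_ok) AND one of the certificate's
 * names must match. Any single failure is CERT_INVALID. */
enum cert_status
decide_cert(int have_cert, int chain_ok, const char *const *names, size_t n,
    const char *servname)
{
	size_t i;

	if (!have_cert || !chain_ok)
		return CERT_INVALID;
	for (i = 0; i < n; i++)
		if (match_cert_name(names[i], servname) == 0)
			return CERT_OK;
	return CERT_INVALID;
}

int
main(void)
{
	const char *tests[] = { "smtp.example.org", "mail.example.org",
	    "a.b.example.org", "example.org", "smtp.example.net" };
	size_t i;

	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
		printf("%-18s -> %s\n", tests[i],
		    decide_cert(1, 1, SAMPLE_NAMES, SAMPLE_NAMES_N, tests[i]) ==
		    CERT_OK ? "CERT_OK" : "CERT_INVALID");
	return 0;
}
```

The order of the checks is the point: chain validity and name agreement are independent properties, and the patch's callback treats them that way, so a correctly signed certificate for the wrong host is rejected just like an unsigned one. The IP-literal rule is this example's policy; a full implementation also compares address literals against iPAddress SANs.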

Re: /etc/examples/sysctl.conf wrong Xref + key lacking information

2019-09-10 Thread Todd C . Miller
On Tue, 10 Sep 2019 12:59:51 +0200, Solene Rapenne wrote:

> I looked at /etc/examples/sysctl.conf on an amd64 system and found 2
> things:
>
> - file refers to sysctl(3) and sysctl(8). sysctl(3) doesn't exist but
>   sysctl(2) exists, I think we want a 2

Yes, sysctl(3) was renamed to sysctl(2) some time ago.
OK millert@

> - the default value 1 for key machdep.pwraction=1 is not documented,
>   comment says # ACPI power button action: 0=none, 2=suspend
>
> this is defined in etc/etc.amd64/sysctl.conf, I guess the default is
> 1=shutdown

We usually document the non-default settings in the comments, not
the default ones.  I'm not sure we need to change this especially
since it increases the length of the comment past 80 columns.
I don't feel too strongly about this though.

 - todd



Re: call if_input only once per Rx interrupt from net80211

2019-09-10 Thread Stefan Sperling
On Mon, Sep 09, 2019 at 06:17:34PM -0300, Martin Pieuchot wrote:
> On 09/09/19(Mon) 16:37, Stefan Sperling wrote:
> > On Mon, Sep 09, 2019 at 03:10:04PM +0200, Stefan Sperling wrote:
> > > The wifi stack currently calls if_input once per packet instead of once
> > > per interrupt. To make the wifi layer play nicely with the network stack
> > > we can split ieee80211_input() into two parts:
> > 
> > Updated diff which avoids purging the input queue at every state
> > change, e.g. even during SCAN->SCAN. With this we only purge the
> > queue if we're leaving RUN state or going back to INIT state.
> 
> Thanks a lot!  I must say I looked at this in the past but got lost in
> ieee80211_input().
> 
> Why not keep ieee80211_input() as a wrapper around your new mechanism?
> This way you don't need to touch all drivers at once.

We can keep ieee80211_input() for use by drivers that really only deliver
one frame per interrupt. Now we don't need to touch some drivers at all.

> I'd also suggest using a queue on-stack like we do for Ethernet drivers,
> this would get rid of the cleanup of `ic_ml' when the state change.  It
> would also help developers familiar with Ethernet drivers to understand
> what's happening ;o)

Yes, thanks for this suggestion! Things make a lot more sense this way.

> What about:
> 
> ieee80211_enqueue(ifp, m, ni, , );
> ieee80211_inputm(ifp, );

I don't like the name ieee80211_enqueue() because while data frames are
being enqueued, management frames are not enqueued. Instead, they cause
immediate state changes in the net80211 stack, such as allocation of a
new node when a beacon is received, or state changes, e.g. RUN -> AUTH
when a deauth frame is received.

When drivers have the mbuf list on the stack we do not need a wrapper
for if_input() since drivers can just call it directly.

So I have chosen to use the following instead:

  ieee80211_inputm(ifp, m, ni, , );
  if_input(ifp, );

With ieee80211_input() being a wrapper around these two calls.

> Are you sure if_input() needs to be called at splnet()?  I don't think
> so because many pseudo-drivers call it at a different IPL.

I did this only because I was afraid the global ic_ml might be accessed
by hardware interrupts while we're running newstate() in a task as some
drivers will do. This becomes a non-issue with mbuf lists on the stack.

New diff with above changes:

diff refs/heads/master refs/heads/ifqdrop
blob - d72e8edceada8a680744a6b8478bb91ac9e15e6e
blob + a3203d7eb1a67d478bf280a551a43f2dc66c0965
--- sys/dev/ic/ar5008.c
+++ sys/dev/ic/ar5008.c
@@ -789,7 +789,7 @@ ar5008_rx_radiotap(struct athn_softc *sc, struct mbuf 
 #endif
 
 static __inline int
-ar5008_rx_process(struct athn_softc *sc)
+ar5008_rx_process(struct athn_softc *sc, struct mbuf_list *ml)
 {
struct ieee80211com *ic = >sc_ic;
struct ifnet *ifp = >ic_if;
@@ -931,7 +931,7 @@ ar5008_rx_process(struct athn_softc *sc)
rxi.rxi_rssi = MS(ds->ds_status4, AR_RXS4_RSSI_COMBINED);
rxi.rxi_rssi += AR_DEFAULT_NOISE_FLOOR;
rxi.rxi_tstamp = ds->ds_status2;
-   ieee80211_input(ifp, m, ni, );
+   ieee80211_inputm(ifp, m, ni, , ml);
 
/* Node is no longer needed. */
ieee80211_release_node(ic, ni);
@@ -960,7 +960,13 @@ ar5008_rx_process(struct athn_softc *sc)
 void
 ar5008_rx_intr(struct athn_softc *sc)
 {
-   while (ar5008_rx_process(sc) == 0);
+   struct mbuf_list ml = MBUF_LIST_INITIALIZER();
+   struct ieee80211com *ic = >sc_ic;
+   struct ifnet *ifp = >ic_if;
+
+   while (ar5008_rx_process(sc, ) == 0);
+
+   if_input(ifp, );
 }
 
 int
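Review bot: `while (ar5008_rx_process(...) == 0);` keeps the empty-bodied loop with its terminating semicolon on the same line, which is easy to misread as a loop over the statements that follow; putting the `;` on its own indented line (or `continue;`) makes the intent explicit. With the list on this function's stack nothing here needs splnet() protection, consistent with mpi@'s question in the thread; the only shared state is inside if_input().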
blob - 69ade5ade5a35e632a025db327668d695a0edd2d
blob + dafa3bd1f0b4ca2124c6d963c82e289594e88b27
--- sys/dev/ic/ar9003.c
+++ sys/dev/ic/ar9003.c
@@ -83,7 +83,7 @@ void  ar9003_reset_txsring(struct athn_softc *);
 void   ar9003_rx_enable(struct athn_softc *);
 void   ar9003_rx_radiotap(struct athn_softc *, struct mbuf *,
struct ar_rx_status *);
-intar9003_rx_process(struct athn_softc *, int);
+intar9003_rx_process(struct athn_softc *, int, struct mbuf_list *);
 void   ar9003_rx_intr(struct athn_softc *, int);
 intar9003_tx_process(struct athn_softc *);
 void   ar9003_tx_intr(struct athn_softc *);
@@ -916,7 +916,7 @@ ar9003_rx_radiotap(struct athn_softc *sc, struct mbuf 
 #endif
 
 int
-ar9003_rx_process(struct athn_softc *sc, int qid)
+ar9003_rx_process(struct athn_softc *sc, int qid, struct mbuf_list *ml)
 {
struct ieee80211com *ic = >sc_ic;
struct ifnet *ifp = >ic_if;
@@ -1036,7 +1036,7 @@ ar9003_rx_process(struct athn_softc *sc, int qid)
rxi.rxi_flags = 0;  /* XXX */
rxi.rxi_rssi = MS(ds->ds_status5, AR_RXS5_RSSI_COMBINED);
rxi.rxi_tstamp = ds->ds_status3;
-   ieee80211_input(ifp, m, ni, );
+   ieee80211_inputm(ifp, m, ni, , ml);
 
/* Node is no longer needed. */
ieee80211_release_node(ic, ni);
@@ -1066,7 +1066,13 @@ ar9003_rx_process(struct 
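For this message and the follow-up in the same thread (the aggregated-frame fix), here is an added example, not code from the OpenBSD tree, that shows the on-stack mbuf_list pattern the diff adopts in plain user-space C: a minimal mbuf_list with the kernel's head/tail/count shape and an MBUF_LIST_INITIALIZER(), a stand-in for ieee80211_inputm() that consumes management frames in-line and appends data frames to the caller's list, and a simulated Rx interrupt that drains the list with exactly one if_input() call however many frames arrived. The struct layouts, the fake_* functions, simulate_rx_intr() and last_rx_stats are this example's own stand-ins and deliberately not the kernel's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the kernel types; not sys/mbuf.h. */
struct mbuf {
	struct mbuf *m_nextpkt;	/* next packet on a list */
	int is_mgmt;		/* constructed flag: 1 = management frame */
};

/* Same shape as the kernel's struct mbuf_list: head, tail, count. */
struct mbuf_list {
	struct mbuf *ml_head;
	struct mbuf *ml_tail;
	unsigned int ml_len;
};
#define MBUF_LIST_INITIALIZER()	{ NULL, NULL, 0 }

struct rxstats {
	unsigned int if_input_calls;	/* how often the stack entry point ran */
	unsigned int data_delivered;	/* data frames handed to the stack */
	unsigned int mgmt_handled;	/* management frames consumed in-line */
};
struct rxstats last_rx_stats;		/* written by simulate_rx_intr() */

static void
ml_enqueue(struct mbuf_list *ml, struct mbuf *m)
{
	m->m_nextpkt = NULL;
	if (ml->ml_tail == NULL)
		ml->ml_head = m;
	else
		ml->ml_tail->m_nextpkt = m;
	ml->ml_tail = m;
	ml->ml_len++;
}

static struct mbuf *
ml_dequeue(struct mbuf_list *ml)
{
	struct mbuf *m = ml->ml_head;

	if (m != NULL) {
		ml->ml_head = m->m_nextpkt;
		if (ml->ml_head == NULL)
			ml->ml_tail = NULL;
		ml->ml_len--;
		m->m_nextpkt = NULL;
	}
	return m;
}

/* Stand-in for if_input(): one call consumes the whole batch. */
static void
fake_if_input(struct mbuf_list *ml)
{
	struct mbuf *m;

	last_rx_stats.if_input_calls++;
	while ((m = ml_dequeue(ml)) != NULL) {
		last_rx_stats.data_delivered++;
		free(m);
	}
}

/* Stand-in for ieee80211_inputm(): management frames act on net80211 state
 * at once and are never queued (which is why the name is not "enqueue");
 * data frames are appended to the caller's list for a later if_input(). */
static void
fake_ieee80211_inputm(struct mbuf *m, struct mbuf_list *ml)
{
	if (m->is_mgmt) {
		last_rx_stats.mgmt_handled++;
		free(m);
		return;
	}
	ml_enqueue(ml, m);
}

/* One simulated Rx interrupt delivering nframes frames, every mgmt_every-th
 * of them a management frame (0 = none). The list lives on this function's
 * stack, so no other context can see it half-built, which is what made the
 * global ic_ml and its splnet() question go away. Returns the number of
 * if_input() calls made: one, whatever nframes is. */
unsigned int
simulate_rx_intr(unsigned int nframes, unsigned int mgmt_every)
{
	struct mbuf_list ml = MBUF_LIST_INITIALIZER();
	unsigned int i;

	memset(&last_rx_stats, 0, sizeof(last_rx_stats));
	for (i = 0; i < nframes; i++) {
		struct mbuf *m = calloc(1, sizeof(*m));
		if (m == NULL)
			abort();
		m->is_mgmt = (mgmt_every != 0 && (i + 1) % mgmt_every == 0);
		fake_ieee80211_inputm(m, &ml);
	}
	fake_if_input(&ml);	/* once per interrupt, not once per frame */
	return last_rx_stats.if_input_calls;
}
```

Calling simulate_rx_intr(10, 5) handles two management frames in-line, queues eight data frames, and makes a single if_input() call; the old per-frame path would have made eight. An interrupt with no data frames still makes one call with an empty list, the case a driver should confirm if_input() tolerates.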

/etc/examples/sysctl.conf wrong Xref + key lacking information

2019-09-10 Thread Solene Rapenne
Hi

I looked at /etc/examples/sysctl.conf on an amd64 system and found 2
things:

- file refers to sysctl(3) and sysctl(8). sysctl(3) doesn't exist but
  sysctl(2) exists, I think we want a 2

Index: sysctl.conf
===
RCS file: /data/cvs/src/etc/examples/sysctl.conf,v
retrieving revision 1.4
diff -u -p -r1.4 sysctl.conf
--- sysctl.conf 3 Apr 2015 15:50:28 -   1.4
+++ sysctl.conf 10 Sep 2019 10:50:13 -
@@ -1,7 +1,7 @@
 #  $OpenBSD: sysctl.conf,v 1.4 2015/04/03 15:50:28 millert Exp $
 #
 # This file contains a list of sysctl options the user wants set at
-# boot time.  See sysctl(3) and sysctl(8) for more information on
+# boot time.  See sysctl(2) and sysctl(8) for more information on
 # the many available variables.
 #
 #net.inet.ip.forwarding=1  # 1=Permit forwarding (routing) of IPv4 packets


- the default value 1 for key machdep.pwraction=1 is not documented,
  comment says # ACPI power button action: 0=none, 2=suspend

this is defined in etc/etc.amd64/sysctl.conf, I guess the default is
1=shutdown

Index: etc/etc.amd64/sysctl.conf
===
RCS file: /data/cvs/src/etc/etc.amd64/sysctl.conf,v
retrieving revision 1.8
diff -u -p -r1.8 sysctl.conf
--- etc/etc.amd64/sysctl.conf   19 Jan 2019 20:50:38 -  1.8
+++ etc/etc.amd64/sysctl.conf   10 Sep 2019 10:58:36 -
@@ -1,4 +1,4 @@
 #machdep.allowaperture=2   # See xf86(4)
 #machdep.kbdreset=1# permit console CTRL-ALT-DEL to do a nice halt
 #machdep.lidaction=0   # 1=suspend, 2=hibernate laptop upon lid closing
-#machdep.pwraction=1   # ACPI power button action: 0=none, 2=suspend
+#machdep.pwraction=1   # ACPI power button action: 0=none, 1=shutdown, 
2=suspend
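Review bot: the amended comment overflows 80 columns (it wraps here after `1=shutdown,`), which is the point millert@ raised; if the default is to be listed, shorten the rest of the line (e.g. `# power button: 0=none, 1=shutdown, 2=suspend`) so it fits, or keep the file's convention of annotating only the non-default values.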



Re: unbound qname-minimisation

2019-09-10 Thread Stuart Henderson
On 2019/09/10 10:21, Renaud Allard wrote:
> Hello,
> 
> I saw the subject about disabling DoH by default on Firefox, which is a great
> idea.
> But in the same vein, shouldn't we enable qname-minimisation in unbound by
> default?
> 
> Regards
> 



That has been the default since unbound 1.7.3 in Sept 2018.



unbound qname-minimisation

2019-09-10 Thread Renaud Allard

Hello,

I saw the subject about disabling DoH by default on Firefox, which is a 
great idea.
But in the same vein, shouldn't we enable qname-minimisation in unbound 
by default?


Regards


