Re: regarding OpenSSL License change

2017-03-24 Thread Michael W. Lucas
On Fri, Mar 24, 2017 at 02:37:58PM +0100, Sebastian Benoit wrote:
> It's about "You cannot change the licence without consent of the author" and
> "We just assume that you say yes to this because we dont care about your
> rights", which is morally and legally wrong.


It's very simple. Four words.

"Silence is not consent."

Not in contracts. Not in sex. And not in licensing.

==ml

-- 
Michael W. Lucas    Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



-current relayd TLS interception and SNI?

2017-03-03 Thread Michael W. Lucas
Hi folks,

It *appears* that relayd doesn't speak SNI when used as a transparent
intercepting proxy ala
http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception

What I did & what I saw:

Set up the proxy as per Reyk's article. Configs below. Running today's
amd64 snapshot on vmware.

# uname -a
OpenBSD r2.mwlucas.org 6.0 GENERIC#204 amd64

Call up wapo.st from a client with my private CA installed. There's a
cert error. The site identifies itself as bit.ly. https://bit.ly works
fine.

Hit my blog, https://blather.michaelwlucas.com. Works fine.

Call up any of my other TLS sites on that IP: https://mwl.io,
https://michaelwlucas.com, https://michaelwarrenlucas.com,
https://tiltedwindmillpress.com. All get identified as blather.

System setup:

# openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt

# openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/127.0.0.1:8443.key -out /etc/ssl/127.0.0.1:8443.crt

relayd.conf:

--

log all
http protocol "intercept" {
tls ca cert "/etc/ssl/ca.crt"
tls ca key "/etc/ssl/private/ca.key" password "komodia"
pass url log
}

http protocol "wtf" {
return error
}

relay "tlsintercept" {
listen on 127.0.0.1 port 8443 tls
protocol intercept
forward with tls to destination
}

relay "proxy" {
listen on 127.0.0.1 port 8080
protocol wtf
forward to destination
}

--

Am I screwing up here? Or is it a real bug?

Thanks,
==ml


-- 
Michael W. Lucas    Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



relayd man page example doesn't parse

2017-02-27 Thread Michael W. Lucas

Running 5 February amd64 snapshot on VMWare.

OpenBSD r1.mwlucas.org 6.0 GENERIC#162 amd64

Trying to use relayd's filtering on query strings.

According to the man page, I can block or pass specific query terms,
and values of those terms. Blocking the whole term works, but matching
the query value doesn't. I'm using the strings from relayd.conf(5):

 query option [key [value value]]
 Look up the entity as a query variable in the URL when using the
 http protocol.  This type is only available with the direction
 request, for example:

   # Will match /cgi-bin/example.pl?foo=bar=yes
   request query expect "bar" from "foo"


Here's my relayd.conf:

table  { 192.0.2.101 192.0.2.102 }

http protocol daft {
return error
block request query "foo"
pass request query expect "bar" from "foo"
}

relay www {
listen on 203.0.113.213 port 80
forward to  port http check http "/" code 200
protocol daft
}

Checking the file gives:

relayd.mini.conf:15: syntax error
relayd.mini.conf:21: no such protocol: daft
no actions, nothing to do

Am I missing something obvious here? Or did something else break?

Thanks,
==ml

-- 
Michael W. Lucas    Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



relayd crash using DNS-sanitizing protocol

2017-02-21 Thread Michael W. Lucas
Hi,

Running 6.0 snapshot from 5 Feb on amd64, and experimenting with
relayd.

I set up a DNS cluster using redirects, as per relayd.conf(5). Worked
fine, so I'm pretty sure the DNS servers behind my relayd box work.

The man page says that relayd has a relay protocol for DNS, that
randomizes query IDs. Cool idea, let's try it. My relayd.conf now
looks like so:

--
table <dns> { 192.0.2.101 192.0.2.102 }
dns protocol dnsfix
relay dns {
listen on 203.0.113.213 port 53
forward to <dns> port 53 check tcp
protocol dnsfix
}
--


With "protocol dnsfix" present, relayd listens on UDP only. I'm
guessing using relayd's DNS protocol makes this happen. Which would
make sense, you don't need it for TCP queries.

So let's try to run this critter.

# relayd -d
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
pfe: filter init done
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relayd_tls_ticket_rekey: rekeying tickets
relay_privinit: adding relay dns
protocol 1: name dnsfix
flags: used, relay flags:
tls session tickets: enabled
type: dns
hce_notify_done: 192.0.2.101 (tcp connect ok)
host 192.0.2.101, check tcp (4ms,tcp connect ok), state unknown -> up, 
availability 100.00%
hce_notify_done: 192.0.2.102 (tcp connect ok)
host 192.0.2.102, check tcp (6ms,tcp connect ok), state unknown -> up, 
availability 100.00%
pfe_dispatch_hce: state 1 for host 1 192.0.2.101
pfe_dispatch_hce: state 1 for host 2 192.0.2.102
adding 2 hosts from table dns:53
adding 2 hosts from table dns:53
relay_launch: running relay dns
relay_launch: running relay dns
adding 2 hosts from table dns:53
relay_launch: running relay dns

I make a DNS query from a client, say to google.com or my site or
whatever, and get:

lost child: pid 779 terminated; signal 11
hce exiting, pid 61465
pfe exiting, pid 93428
ca exiting, pid 1166
ca exiting, pid 11360
ca exiting, pid 57827
lost child: pid 38872 terminated; signal 11
lost child: pid 57998 terminated; signal 11
parent terminating, pid 76339

Am I abusing this program? Or is this a real crash?

Thanks,
==ml


-- 
Michael W. Lucas    Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
On Fri, Jan 27, 2017 at 09:53:25PM +, Bob Beck wrote:
>On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas
>  Or a misconfiguration. ? show configs


Configs follow.

# cat /etc/httpd.conf
include "/etc/sites/www3.conf"
include "/etc/sites/www4.conf"

www3.conf:

server "www3.mwlucas.org" {
   listen on * port 80
   block return 302 "https://$SERVER_NAME$REQUEST_URI"
}


server "www3.mwlucas.org" {
alias tarpit.mwlucas.org
listen on * tls port 443
hsts
# TLS certificate and key files created with acme-client(1)
tls certificate "/etc/ssl/acme/www3/www3.fullchain.pem"
tls key "/etc/ssl/acme/www3/www3.key"
tls ocsp "/etc/ssl/acme/www3/www3.der"
tcp nodelay

   location "/.well-known/acme-challenge/*" {
   root "/acme"
   root strip 2
   }
}


www4:

server "www4.mwlucas.org" {
alias bill.mwlucas.org
alias auction.mwlucas.org
listen on * port 80

   location "/.well-known/acme-challenge/*" {
   root "/acme"
   root strip 2
   }


block return 301 "https://$DOCUMENT_URI"
}

server "www4.mwlucas.org" {
alias bill.mwlucas.org
alias auction.mwlucas.org
root "/www4"
listen on * tls port 443
hsts
# TLS certificate and key files created with acme-client(1)
tls certificate "/etc/ssl/acme/www4/www4.fullchain.pem"
tls key "/etc/ssl/acme/www4/www4.key"
#   tls ocsp "/etc/ssl/acme/www4/www4.der"
tcp nodelay
   location "/.well-known/acme-challenge/*" {
   root "/acme"
   root strip 2
   }

}




-- 
Michael W. Lucas    Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
On Fri, Jan 27, 2017 at 02:50:29PM -0500, Michael W. Lucas wrote:
> On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote:
> > That looks like a web server bug, it shouldn't return a staple
> > in that case.  What software are you using for that?
> 
> 
> 
> OpenBSD httpd, of course. amd64 snapshot downloaded yesterday from
> ftp3.usa.openbsd.org.

To be clear, that's a "How the hell could I forget to include that?"
facepalm, not anything about Stuart asking the question...

-- 
Michael W. Lucas    Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote:
> That looks like a web server bug, it shouldn't return a staple
> in that case.  What software are you using for that?



OpenBSD httpd, of course. amd64 snapshot downloaded yesterday from
ftp3.usa.openbsd.org.

==ml

-- 
Michael W. Lucas    Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
Hi,

Not sure if this is an expected part of OCSP or a bug.

I've configured two TLS sites on one host, one with OCSP stapling
(www3.mwlucas.org) and one without (www4.mwlucas.org). The OCSP site
works fine, but the non-OCSP site generates an err.

It *appears* that queries to the non-OCSP site return the OCSP site's
OCSP cert.

Following please find openssl queries on both. Feel free to check the
sites yourself, I'm FAR from a TLS guru.

# openssl s_client -connect www4.mwlucas.org:443 -status -servername www4.mwlucas.org
...
verify return:1
OCSP response:
==
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Jan 26 23:02:00 2017 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
  Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
  Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
Cert Status: good
This Update: Jan 26 23:00:00 2017 GMT
Next Update: Feb  2 23:00:00 2017 GMT

Signature Algorithm: sha256WithRSAEncryption


# openssl s_client -connect www3.mwlucas.org:443 -status -servername www3.mwlucas.org
CONNECTED(0003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www3.mwlucas.org
verify return:1
OCSP response:
==
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Jan 26 23:02:00 2017 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
  Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
  Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
Cert Status: good
This Update: Jan 26 23:00:00 2017 GMT
Next Update: Feb  2 23:00:00 2017 GMT

Signature Algorithm: sha256WithRSAEncryption
==
...

==ml


-- 
Michael W. Lucas    Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/
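
The check described in the post above (does the stapled OCSP response belong to the certificate the server presented?) can be scripted. This is an added example, not part of the original message or of OpenBSD; the function names are hypothetical, the sample text is constructed from the fields shown in the post, and the second serial in the usage is a constructed placeholder.

```python
import re
from datetime import datetime, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample in the layout `openssl s_client -status` prints,
# trimmed to the fields the check needs. The serial is the one in the post.
SAMPLE_STATUS = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Jan 26 23:02:00 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
    Cert Status: good
    This Update: Jan 26 23:00:00 2017 GMT
    Next Update: Feb  2 23:00:00 2017 GMT
"""


def parse_openssl_time(text):
    """Parse a timestamp such as 'Feb  2 23:00:00 2017 GMT' into UTC."""
    mon, day, hms, year, _tz = text.split()
    h, m, s = (int(x) for x in hms.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), h, m, s,
                    tzinfo=timezone.utc)


def parse_staple(status_text):
    """Return the fields of the stapled response, or None if there is none."""
    if "OCSP Response Status: successful" not in status_text:
        return None
    fields = {}
    for key in ("Serial Number", "Cert Status", "This Update", "Next Update"):
        m = re.search(r"^\s*" + re.escape(key) + r":\s*(.+?)\s*$",
                      status_text, re.M)
        if m is None:
            return None
        fields[key] = m.group(1)
    return fields


def check_staple(status_text, cert_serial_line, now):
    """Compare a staple with the output of `openssl x509 -noout -serial`.

    Returns 'no-staple', 'wrong-certificate', 'status-<x>', 'stale' or 'ok'.
    """
    staple = parse_staple(status_text)
    if staple is None:
        return "no-staple"
    # x509 prints 'serial=HEX'; compare case-insensitively, ignoring
    # leading zeros.
    cert_serial = cert_serial_line.strip().split("=", 1)[-1].upper().lstrip("0")
    if staple["Serial Number"].upper().lstrip("0") != cert_serial:
        return "wrong-certificate"
    if staple["Cert Status"] != "good":
        return "status-" + staple["Cert Status"]
    start = parse_openssl_time(staple["This Update"])
    end = parse_openssl_time(staple["Next Update"])
    return "ok" if start <= now < end else "stale"


if __name__ == "__main__":
    now = parse_openssl_time("Jan 27 12:00:00 2017 GMT")
    # Placeholder serial standing in for the second site's certificate.
    print(check_staple(SAMPLE_STATUS, "serial=03C0FFEE00000000000000000000000000AA", now))
```

Run against both sites, a result of wrong-certificate for the site without a "tls ocsp" line is the symptom the post reports.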



tls_config_parse_protocols vs httpd in snapshot

2017-01-05 Thread Michael W. Lucas

Hi,

Something doesn't seem right between httpd.conf and
tls_config_parse_protocols. Running today's snapshot, but was first
attempted in the 15 Dec snapshot.

httpd.conf(5) says to get TLS protocols from
tls_config_parse_protocols(3). That page says:

 The tls_config_parse_protocols() function parses a protocol string and
 returns the corresponding value via the protocols argument.  This value
 can then be passed to the tls_config_set_protocols() function.  The
 protocol string is a comma or colon separated list of keywords. 

Comma or colon delimited. Seems fine.

My httpd.conf is this:

server "www3.mwlucas.org" {
listen on * port 80
block return 302 "https://$SERVER_NAME$REQUEST_URI"
}

server "www3.mwlucas.org" {
alias tarpit.mwlucas.org
listen on * tls port 443
hsts
# TLS certificate and key files created with acme-client(1)
tls certificate "/etc/ssl/acme/fullchain.pem"
tls key "/etc/ssl/acme/private/privkey.pem"
tls ocsp "/etc/ssl/acme/ocsp.der"
tls protocols tlsv1.0,tlsv1.1

   location "/.well-known/acme-challenge/*" {
   root "/acme"
   root strip 2
   }
}


The man page says I can use a comma instead of a colon, so I change it
like so.

tls protocols tlsv1.0,tlsv1.1

This gives me

# httpd -n
/etc/httpd.conf:16: syntax error

Looks like something doesn't match.

The man page also says:

 If a value has a negative prefix (in the form
 of a leading exclamation mark) then it is removed from the list of
 available protocols, rather than being added to it.

I read this as the following should work.

tls protocols all:!tlsv1.0

Instead, I get:

httpd -n
/etc/httpd.conf:16: invalid tls protocols

==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
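
What the two man page passages quoted in the post above describe, written out as a small model. This is an added example, not libtls or httpd code and not part of the original message; the function names are hypothetical and the keyword table (three protocol versions plus "all") is an assumption of the model.

```python
import re

# Assumption of this model: these keywords only. libtls defines the real list.
VERSIONS = ("tlsv1.0", "tlsv1.1", "tlsv1.2")
GROUPS = {"all": set(VERSIONS)}

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996.
DEPRECATED = {"tlsv1.0", "tlsv1.1"}


def parse_protocols(protostr):
    """Apply the documented rule: keywords separated by ',' or ':',
    processed left to right; a leading '!' removes instead of adds."""
    enabled = set()
    for raw in re.split(r"[,:]", protostr):
        token = raw.strip().lower()
        negate = token.startswith("!")
        if negate:
            token = token[1:]
        if token in GROUPS:
            selected = GROUPS[token]
        elif token in VERSIONS:
            selected = {token}
        else:
            raise ValueError(f"unknown protocol keyword: {raw!r}")
        enabled = enabled - selected if negate else enabled | selected
    return sorted(enabled)


def deprecated_enabled(protostr):
    """Protocols the string leaves enabled that a reviewer should flag."""
    return sorted(set(parse_protocols(protostr)) & DEPRECATED)


if __name__ == "__main__":
    for s in ("tlsv1.0,tlsv1.1", "all:!tlsv1.0", "!tlsv1.0:all"):
        print(s, "->", parse_protocols(s), "flag:", deprecated_enabled(s))
```

Because tokens are applied in order, "!tlsv1.0:all" in this model ends with tlsv1.0 enabled again, so a negation belongs after the group it subtracts from.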



Re: Do you need/prefer the non-DUID option in the installer?

2015-03-15 Thread Michael W. Lucas
On Sun, Mar 15, 2015 at 01:06:37PM -0600, Theo de Raadt wrote:
> Look, if people keep being unspecific on how DUIDs interfere with
> their usage patterns, then the non-DUID configuration mode is going
> to go away.
>
> WHY must be use the non-DUID option in the installer??!?!?!

As someone who recently had several OpenBSD boxes in production, in a
variety of roles:

I can't imagine why DUIDs wouldn't work.

We defaulted to DUIDs the moment they became available. They worked
fine. Even for the Linux guys.

If someone has a particular dislike of DUIDs, they can easily change
them back. Anyone who has a whole bunch of OpenBSD boxes probably
uses a post-install script, and a couple lines of
sed/awk/perl/whatever will make them happy.

If you have one OpenBSD box, and you just don't like DUIDs, again,
it's really easy to revert.

==ml

PS: Yes, I still have OpenBSD hosts. But I'm no longer a pro sysadmin,
so I can't claim to be running a server farm or anything like that.

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/



Re: 27 Mar 2014 amd64 snapshot

2014-04-01 Thread Michael W. Lucas
On Fri, Mar 28, 2014 at 07:07:42PM +, Stuart Henderson wrote:
> On 2014/03/28 13:53, Michael W. Lucas wrote:
> >
> > Yep. Lots of users going through proxy.
> >
> > Ran tcpdump on the proxy. The only packets that arrived from the
> > OpenBSD host were my pings. It appeared that the installer wasn't even
> > trying to reach the proxy.
> >
> > Note appeared that, there could be something else going on.
> >
> > Earlier upgrades were over FTP, but tried http this time.
>
> I would try ^Z'ing to isolate the script. Make sure network is up, then
> try ftp -d -o- http://proxyhost:3128/ and see if you get packets (obviously
> won't get a good page, expect a 400 or similar error, but enough to see
> if it can reach it). Then try http_proxy=http://proxyhost:3128/ ftp -d
> -o- http://ftp3.usa.openbsd.org/, etc. Basically try a few things to see
> if you can isolate exactly what's working and what's failing.

Thanks for the suggestion.

Trying the 31 March snapshot now, because it's there.

Once again, the installer doesn't send any packets to the proxy. I ^Z
out to a shell, then did:

# ftp -d -o- http://proxy:8080

Packets arrived at the proxy, and ftp showed an error.

I set http_proxy in the shell and do:

# cd /mnt/tmp
# ftp http://ftp3.usa.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd

Packet sniffing on the network shows that the host is trying to reach
ftp3.usa directly, without using the proxy.

I booted back into the January snapshot and ran the same command:

# env | grep -i http
FTP_PROXY=http://concrete.lodden.com:8080
ftp_proxy=http://concrete.lodden.com:8080
HTTP_PROXY=http://concrete.lodden.com:8080
http_proxy=http://concrete.lodden.com:8080
ftp http://ftp3.usa.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd
Trying 139.171.199.21...
Requesting http://ftp3.usa.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd (via 
http://concrete.lodden.com)
100% |**|  8810 KB00:06
9021473 bytes received in 6.32 seconds (1.36 MB/s)

(Yes, OpenBSD doesn't need HTTP_PROXY or FTP_PROXY, but I copy my
.cshrc everywhere.)

So, to my eyes, it appears that ftp on the new snapshot installer
isn't respecting http_proxy.

==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/



Re: 27 Mar 2014 amd64 snapshot

2014-04-01 Thread Michael W. Lucas
On Tue, Apr 01, 2014 at 11:34:35AM -0600, Theo de Raadt wrote:
> > So, to my eyes, it appears that ftp on the new snapshot installer
> > isn't respecting http_proxy.
>
> The ftp program has not changed in any way.

And as nobody else has reported problems by now, it's clearly
something weird that only triggers in my environment. I have tried
specifying proxy as hostname and as IP in the upgrade script. The host
doesn't try to contact the proxy at all.

I'll poke at it some more, see if I can identify the edge case I'm
hitting.

Thanks,
==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/



27 Mar 2014 amd64 snapshot

2014-03-28 Thread Michael W. Lucas
Hi,

Trying to upgrade to $SUBJECT. Have done so on this same host many
times before.

Boot bsd.rd. Type U, enter x 5.

Select http. Enter proxy server -- proxy is necessary.

Type in ftp3.usa.openbsd.org, take default path

Wait...

ftp: connect: Operation timed out


Escape to command prompt. Can ping proxy by hostname.

Host currently running: 

OpenBSD gepetto.lodden.com 5.5 GENERIC#224 amd64

# ls -la /bsd
-rw-r--r--  1 root  wheel  11259291 Jan 17 11:18 /bsd

tcpdump on proxy shows no packets arriving from host during install
process.

Proxy error?

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code ILUVMICHAEL gets you 30% off & helps me.



Re: 27 Mar 2014 amd64 snapshot

2014-03-28 Thread Michael W. Lucas

Yep. Lots of users going through proxy.

Ran tcpdump on the proxy. The only packets that arrived from the
OpenBSD host were my pings. It appeared that the installer wasn't even
trying to reach the proxy.

Note appeared that, there could be something else going on.

Earlier upgrades were over FTP, but tried http this time.

On Fri, Mar 28, 2014 at 11:28:50AM -0600, Bob Beck wrote:
> Does your proxy do http?
>
> no ftp protocol in new installers - we're killing it with fire.
>
> On Fri, Mar 28, 2014 at 9:30 AM, Michael W. Lucas
> mwlu...@michaelwlucas.com wrote:
> > Hi,
> >
> > Trying to upgrade to $SUBJECT. Have done so on this same host many
> > times before.
> >
> > Boot bsd.rd. Type U, enter x 5.
> >
> > Select http. Enter proxy server -- proxy is necessary.
> >
> > Type in ftp3.usa.openbsd.org, take default path
> >
> > Wait...
> >
> > ftp: connect: Operation timed out
> >
> >
> > Escape to command prompt. Can ping proxy by hostname.
> >
> > Host currently running:
> >
> > OpenBSD gepetto.lodden.com 5.5 GENERIC#224 amd64
> >
> > # ls -la /bsd
> > -rw-r--r--  1 root  wheel  11259291 Jan 17 11:18 /bsd
> >
> > tcpdump on proxy shows no packets arriving from host during install
> > process.
> >
> > Proxy error?
> >
> > --
> > Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor
> > http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> > Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
> > coupon code ILUVMICHAEL gets you 30% off & helps me.
>

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code ILUVMICHAEL gets you 30% off & helps me.



Re: Do you want to do any manual network configuration?

2012-04-19 Thread Michael W. Lucas
On Thu, Apr 19, 2012 at 07:59:06PM +0200, Henning Brauer wrote:
> * Loganaden Velvindron logana...@gmail.com [2012-04-19 15:48]:
> > Now Michael will need to write the third edition :-)
>
> you'll have to buy the 2nd edition to know whether the question is in
> the install chapter or not (hah! I apparently DO have some very
> limited marketing skills! doesn't make _me_ money tho :))


I've inspired making the installer even more lean. *sniff* I'm so
proud.

I definitely want to do a 1st-copy auction of AO2e, like we did for
the FreeBSD book. I'm confident that OpenBSD fans can run it up over
the $600 the FF got. Perhaps Theo will use part of the proceeds to buy
Henning a beer.

Shutting up now.

==ml

-- 
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlu...@blackhelicopters.org, Twitter @mwlauthor



Re: Making time_t deal with the coming epoch

2012-04-01 Thread Michael W. Lucas
/syslog.h
  #include sys/systm.h
 +#include sys/time.h
  #include sys/timetc.h
  #include sys/malloc.h
  #include dev/rndvar.h
 @@ -381,6 +382,14 @@ tc_windup(void)
   i = 2;
   for (; i  0; i--)
   ntp_update_second(th-th_adjustment, bt.sec);
 +
 + if (emulatemayanprophecy) {
 + struct timeval tv;
 +
 + bintime2timeval(bt, tv);
 + if (tv.tv_sec = END_13BAKTUN)
 + return;
 + }
  
   /* Update the UTC timestamps used by the get*() functions. */
   /* XXX shouldn't do this here.  Should force non-`get' versions. */
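
Review bot: the early return in the added "if (emulatemayanprophecy)" block of tc_windup() leaves the function before the UTC timestamp update that follows it, so once the condition holds the timestamps used by the get*() functions are never refreshed again; if stopping the clock is the intent, say so in a comment above the block. Neither emulatemayanprophecy nor END_13BAKTUN is declared in the visible hunks, so the patch should show where they are defined and how the knob is set. As displayed, "tv.tv_sec = END_13BAKTUN" reads as an assignment rather than a comparison; confirm the operator before this goes in.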

-- 
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlu...@blackhelicopters.org, Twitter @mwlauthor