Happy 25th Birthday OpenBSD!

2020-10-18 Thread Bob Beck
Yeah, it's just a number. But it's been a pretty wild ride. Thanks everyone for 25 years. -Bob

Re: [PATCH netcat] Only force fd's to -1 once

2020-09-27 Thread Bob Beck
On Sun, Sep 27, 2020 at 02:46:39PM +1000, Duncan Roe wrote: > The motivation for this is to make debug logs less confusing. What is this fixing and what behavior are you changing? > > All changed lines have previously demonstrated the problem. > > Signed-off-by: Duncan Roe > --- >

Re: agentx and clang static analyzer

2020-09-15 Thread Bob Beck
On Tue, Sep 15, 2020 at 11:08:04AM +0200, Martijn van Duren wrote: > There are 3 things that actually look like valid complaints when running > clang's static analyzer. > > 1) A dead store in agentx_recv. > 2) sizeof(ipaddress) instead of sizeof(*ipaddress). Since this is ipv4, >this is only a

Re: acme-client: improve account creation error message

2020-09-14 Thread Bob Beck
But what if I like json and I am already set up to be a hipster and feed all the untrusted inputs through jq.. (ok beck@) On Mon, Sep 14, 2020 at 03:37:25PM +0200, Florian Obser wrote: > not helpful: > $ doas acme-client $(hostname) > acme-client:

Re: dt: add static vfs probes

2020-09-14 Thread Bob Beck
ok beck@ On Mon, Sep 14, 2020 at 12:45:55PM +0200, Jasper Lievisse Adriaanse wrote: > Hi, > > Whilst analyzing the cleaner I added tracepoints called 'cleaner' and > 'bufcache_take' to > track its behaviour. > > For the sake of symmetry I've added one in bufcache_release() too and moved >

Re: rpki-client cleanup includes

2020-09-12 Thread Bob Beck
ok beck@ On Sat, Sep 12, 2020 at 05:42:39PM +0200, Claudio Jeker wrote: > extern.h uses stuff from openssl/x509.h so put that include in there > and remove all the various other openssl includes in other files that > actually don't need x509 functions. > > -- > :wq Claudio > > Index: as.c >

Re: tmpfs bug in reclaim

2020-07-14 Thread Bob Beck
In the spirit of be careful what sticks to you, this has ok beck@ On Mon, Jul 13, 2020 at 11:56:18AM +0200, Gerhard Roth wrote: > tmpfs_reclaim() has to make sure that the VFS cache has no more > locks held for the vnode. Else vclean() could panic because v_holdcnt > is non-zero. > > I know

Re: Stuck in Needbuf state, trying to understand (6.7)

2020-07-14 Thread Bob Beck
On Mon, Jun 29, 2020 at 03:56:43PM -0400, sven falempin wrote: > On Mon, Jun 29, 2020 at 12:58 PM sven falempin > wrote: > > It works in the original problematic setup. > > Will it go to base ? > Yes. revision 1.201 date: 2020/07/14 06:02:50; author: beck; state: Exp; lines: +9 -3;

Re: Stuck in Needbuf state, trying to understand (6.7)

2020-06-29 Thread Bob Beck
> Awesome, thanks! > > I will test that, ASAP, > do not hesitate to slay dragon, > i heard the bathing in the blood pool is good for the skin > > Little concern, I did the test without the MFS and ran into issues , > anyway i get back to you (or list ?) when i have test report with patched >

Re: Stuck in Needbuf state, trying to understand (6.7)

2020-06-29 Thread Bob Beck
On Sun, Jun 28, 2020 at 12:18:06PM -0400, sven falempin wrote: > On Sun, Jun 28, 2020 at 2:40 AM Bryan Linton wrote: > > > On 2020-06-27 19:29:31, Bob Beck wrote: > > > > > > No. > > > > > > I know *exactly* what needbuf is but to attempt to d

Re: Stuck in Needbuf state, trying to understand (6.7)

2020-06-27 Thread Bob Beck
No. I know *exactly* what needbuf is but to attempt to diagnose what your problem is we need exact details. especially: 1) The configuration of your system including all the details of the filesystems you have mounted, all options used, etc. 2) The script you are using to generate the

Re: drop addtrust from cert.pem?

2020-06-02 Thread Bob Beck
On Mon, Jun 01, 2020 at 06:04:17PM +0100, Stuart Henderson wrote: > OK to drop the expired AddTrust cert from cert.pem? yes, thanks. > > I checked against the firefox set, there are no new/removed certs that > work with libressl there. There are now two with GENERALIZEDTIME notAfter > dates

Re: drop addtrust from cert.pem?

2020-06-02 Thread Bob Beck
On Mon, Jun 01, 2020 at 07:17:28PM +0200, Theo Buehler wrote: > On Mon, Jun 01, 2020 at 06:04:17PM +0100, Stuart Henderson wrote: > > OK to drop the expired AddTrust cert from cert.pem? > > Thanks for taking care of this (and for checking the firefox set). I see > no reason to keep it. > > ok >

Re: smtpd: make smarthost to use SNI when relaying

2020-05-31 Thread Bob Beck
looks good to me ok beck@ On Sun, May 31, 2020 at 03:38:00PM +0200, Sebastien Marie wrote: > Hi, > > updated diff after millert@ and beck@ remarks: > - use union to collapse in_addr + in6_addr > - doesn't allocate buffer and directly use s->relay->domain->name > > Thanks. > -- > Sebastien

Re: smtpd: make smarthost to use SNI when relaying

2020-05-30 Thread Bob Beck
On Sat, May 30, 2020 at 05:40:43PM +0200, Sebastien Marie wrote: > Hi, > > I am looking to make smtpd to set SNI (SSL_set_tlsext_host_name) when > connecting > to smarthost when relaying mail. > > After digging a bit in libtls (to steal the right code) and smtpd (to see > where > to put the

Re: official ports vs DEBUG_PACKAGES

2020-05-29 Thread Bob Beck
> (iirc python does something strange) Inconcievable!

Re: official ports vs DEBUG_PACKAGES

2020-05-29 Thread Bob Beck
On Fri, May 29, 2020 at 06:14:44PM +0200, Marc Espie wrote: > In a trace: > > > > > #3 0x15e48c95459e in WebVfx::shutdown () > > > > at /usr/obj/ports/webvfx-1.2.0/webvfx-1.2.0/webvfx/webvfx.cpp:193 > > Now, this is NOT the default location for WRKOBJDIR, but we are shipping > packages

Re: nsd 4.3.1

2020-05-08 Thread Bob Beck
> On May 8, 2020, at 03:00, Stuart Henderson wrote: > > On 2020/05/08 06:58, Florian Obser wrote: >> I'm running this for about 2 weeks or so. >> Tests, OKs? > > Just off to look at a radio link in a church tower that I suspect a pigeon > may have knocked out of alignment, This is

Recent 'ftplist' changes visible in the installer

2020-04-28 Thread Bob Beck
So, as some of you know the installer hits ftp.openbsd.org during the install process to query a CGI to provide you with a list of nearby mirrors and some other useful things. I've recently made some changes to modernize and improve this after the retirement of the GEO:IP

Re: suggest to run rpki-client hourly

2020-04-13 Thread Bob Beck
On Mon, Apr 13, 2020 at 09:23:23PM -0600, Todd C. Miller wrote: > On Mon, 13 Apr 2020 20:27:30 -0600, Bob Beck wrote: > > > In my heart's desire I'd love for "R" to be chosen for each line once at > > start > > up. (so in > > the above example the things

Re: suggest to run rpki-client hourly

2020-04-13 Thread Bob Beck
ally think this is only useful for hours and minutes On Mon, Apr 13, 2020 at 12:54:34PM -0600, Todd C. Miller wrote: > On Mon, 13 Apr 2020 10:00:52 -0600, Bob Beck wrote: > > > +1000. a new random time chosen at cron start. > > > > We see this all the time, and it wo

Re: suggest to run rpki-client hourly

2020-04-13 Thread Bob Beck
On Mon, Apr 13, 2020 at 09:56:52AM -0600, Todd C. Miller wrote: > On Mon, 13 Apr 2020 09:37:14 -0600, "Theo de Raadt" wrote: > > > While I understand what RANDOM is trying to do, I am not a fan. I've > > thought often of an improvement, where the minute marker in a crontab > > file could be a

Re: fts and unveil issue

2019-02-03 Thread Bob Beck
yes you are seeing the limitation of 6.4 unveil as mentioned at the bottom of the man page. this should be fixed in current On Sun, Feb 3, 2019 at 03:29 Kristaps Dzonsons wrote: > When I unveil(2), fts doesn't behave well. But only in a subtle way. > Enclosed is a demonstration. I found

Re: unveil spamlogd

2018-10-24 Thread Bob Beck
ok beck@ as well On Wed, Oct 24, 2018 at 06:13 Todd C. Miller wrote: > On Wed, 24 Oct 2018 08:05:11 +0100, Ricardo Mestre wrote: > > > The only file that spamlogd needs to access after calling pledge is > > PATH_SPAMD_DB, so unveil it with O_RDWR permissions. > > Looks good. OK millert@ > > -

Re: Reuse VM ids.

2018-10-08 Thread Bob Beck
works here and I like it. but probably for after unlock On Sun, Oct 7, 2018 at 22:11 Mischa Peters wrote: > No idea if the code works yet. > Hopefully I can try later. But love the idea. > > Mischa > > > On 8 Oct 2018, at 04:31, Ori Bernstein wrote: > > > > Keep a list of known vms, and reuse

Re: openssl s_time: different tally marks for different TLS versions

2018-09-15 Thread Bob Beck
I'm generally opposed to breaking stdout compatibility with the "openssl" command tools because we have no clue what shell scripts and other applications this will break. with a *very good reason* I think it's ok, but this (I think this looks better) isn't one of them. the "openssl" command is

Nuke PLEDGE_STAT for further pledge/unveil disentanglement.

2018-08-05 Thread Bob Beck
So this gets rid of unveil's PLEDGE_STAT. Instead we use UNVEIL_INSPECT which is set by the stat and access operations that are needed for realpath() type traversals that effectively call stat/access for each component of a pathname before doing a final operation on the end. The intended

Re: unveil: incomplete unveil_flagmatch semantic

2018-08-04 Thread Bob Beck
> Some examples that will need consideration for unveil(2): > - mount(2) > - unmount(2) > - quotactl(2) > - chroot(2) > - getfh(2) > - acct(2) > - coredump() > - loadfirmware() - I think ifconfig(1) could make the kernel loading a > firmware for some network card > > so having ni_unveil

Re: unveil: incomplete unveil_flagmatch semantic

2018-08-04 Thread Bob Beck
> On Sat, Aug 04, 2018 at 10:40:11AM -0600, Bob Beck wrote: > > On Fri, Aug 03, 2018 at 06:31:00AM +0200, Sebastien Marie wrote: > > > On Thu, Aug 02, 2018 at 03:42:03PM +0200, Sebastien Marie wrote: > > > > On Mon, Jul 30, 2018 at 07:55:35AM -0600, Bob Beck wr

Re: unveil: incomplete unveil_flagmatch semantic

2018-08-04 Thread Bob Beck
> > + nd.ni_unveil = 0; /* XXX No flags == allow it */ > > see my comment about ni_unveil != 0. > > as you still have check on (ni_pledge & PLEDGE_STAT), it should be still > ok. > It doesn't actually do this yet.. this comment was a reminder for me and should have had allow it? for my

Re: unveil: incomplete unveil_flagmatch semantic

2018-08-04 Thread Bob Beck
On Fri, Aug 03, 2018 at 06:31:00AM +0200, Sebastien Marie wrote: > On Thu, Aug 02, 2018 at 03:42:03PM +0200, Sebastien Marie wrote: > > On Mon, Jul 30, 2018 at 07:55:35AM -0600, Bob Beck wrote: > > > yeah the latter will be the way to go > > > > > >

Re: unveil: incomplete unveil_flagmatch semantic

2018-07-30 Thread Bob Beck
yeah the latter will be the way to go On Mon, Jul 30, 2018 at 06:02 Sebastien Marie wrote: > Hi, > > I think unveil_flagmatch() isn't complete and/or has not the right > semantic. > > A bit of internals for starting (I will speak about ni_pledge, people > that know what it is and how it works

Re: unveil: incorrect type flags on unvname_new()

2018-07-16 Thread Bob Beck
ok beck@ On Mon, Jul 16, 2018 at 15:53 Sebastien Marie wrote: > Hi, > > While reviewing unveil(2) code, I found an incorrect type on > unvname_new() function: flags argument should be uint64_t. > > It is called by unveil_add_name() which uses uint64_t for flags, and > store the value in struct

Re: const qualifiers for EVP_*

2018-05-12 Thread Bob Beck
ok On Sat, May 12, 2018 at 13:14 Theo Buehler wrote: > Here's another straightforward batch. As usual, it's been tested in a > bulk by sthen and there was no fallout. > > Index: lib/libcrypto/asn1/ameth_lib.c >

Re: Anyone can suggest a BitCoin processor to the OpenBSD Foundation? BitPay has become terrible

2018-03-28 Thread Bob Beck
So, related to this topic, apparently BitPay has now fixed us up again. I have put the button back on the web site, if anyone wants to try a bitcoin donation it is supposed to be possible again

Anyone can suggest a BitCoin processor to the OpenBSD Foundation? BitPay has become terrible

2018-02-16 Thread Bob Beck
So, as some of you may know, the OpenBSD Foundation has accepted BitCoin donations for some time via BitPay.com BitPay was convenient for us since they will sell the BTC donations immediately, and convert to Canadian Dollars. We then periodically get bank transfers of the balance, and this works

Re: libressl: crash in DES_fcrypt

2017-12-13 Thread Bob Beck
why AA? why not just choose two random ascii salt chars at that point? or since this is effectively a failure case encrypt a random ascii salt and random string? using AA will produce a usable result based on the original string. encrypting a random string with a random salt means the failure

Re: iked, don't return NULL in print_host

2017-11-28 Thread Bob Beck
ok beck@ On Wed, Nov 29, 2017 at 02:17:21AM +0100, Claudio Jeker wrote: > On Wed, Nov 29, 2017 at 01:59:06AM +0100, Claudio Jeker wrote: > > Seen in my log file: > > Nov 28 17:47:22 dramaqueen iked: vfprintf %s NULL in "%s: %s %s from %s to > > %s ms gid %u, %ld bytes%s" > > > > and > > > > Nov

Official OpenBSD 6.2 CD set up for auction on Ebay

2017-11-18 Thread Bob Beck
So, the only 6.2 set to be produced is up for auction, featuring hand-drawn artwork by Theo. Artisanally Made in Canada! All proceeds of the sale to fund OpenBSD development. Go have a look at http://www.ebay.ca/itm/Official-OpenBSD-6-2-CD-Set/253265944606

Re: [patch] ocspcheck: nextUpdate is optional according to RFC 6960

2017-09-06 Thread Bob Beck
effectively providing a limitless OCSP staple is kind of stupid - you may as well simply *not staple* On Wed, Sep 6, 2017 at 8:23 AM, Bob Beck <b...@obtuse.com> wrote: > I'm not super inclined to make this "flexible" unless we see this used in > the wild, which I

Re: [patch] ocspcheck: nextUpdate is optional according to RFC 6960

2017-09-06 Thread Bob Beck
I'm not super inclined to make this "flexible" unless we see this used in the wild, which I have not. We are more restrictive than OpenSSL in many areas. On Wed, Sep 6, 2017 at 1:31 AM, Andreas Bartelt <o...@bartula.de> wrote: > On 09/06/17 04:40, Bob Beck wrote: > &g

Re: [patch] ocspcheck: nextUpdate is optional according to RFC 6960

2017-09-05 Thread Bob Beck
Andreas where are you seeing this as being a real issue - who is shipping out OCSP responses without a next update field? On Sat, Sep 2, 2017 at 11:28 AM, Andreas Bartelt wrote: > ocspcheck effectively treats a missing nextUpdate like an error, i.e., it > always provides a

Re: [PATCH 0/2] SMALL_TIME_T follow-ups (was Re: [PATCH] allow notAfter after 2038 with 32-bit time_t)

2017-08-26 Thread Bob Beck
> > With the new define (SMALL_TIME_T) enabled, a 32-bit time_t build > using "openssl s_client -connect" can successfully connect to a server > and verify its certificate chain when one or more notAfter dates after > 2038 are present. > > However, using "nc -c" fails to connect to the

Re: [PATCH] allow notAfter after 2038 with 32-bit time_t

2017-08-13 Thread Bob Beck
https://github.com/openbsd/src/commit/b943944faeecf3a978bf3f57df1b35335ffecbec On Tue, Jul 11, 2017 at 4:23 AM, Stuart Henderson wrote: > On 2017/07/11 01:55, Kyle J. McKay wrote: > > 2) 32-bit systems are going to be around for many years still; 32-bit ARM > > platforms

Re: [PATCH] allow notAfter after 2038 with 32-bit time_t

2017-07-05 Thread Bob Beck
On Thu, May 18, 2017 at 7:31 AM, Kyle J. McKay wrote: > RFC 5280 section 4.1.2.5 states: > > To indicate that a certificate has no well-defined expiration date, > the notAfter SHOULD be assigned the GeneralizedTime value of > 1231235959Z. > > True enough. >

Re: Better handling of short reads

2017-06-14 Thread Bob Beck
> As you all might have gathered by now Amit has jumped the gun > but was wrong to do so. His setup is not affected by this change. > That was expected so please don't get distracted by this as I'm > still looking forward to replies to the original set of changes. > beck@? > > > diff --git

Re: Better handling of short reads

2017-06-14 Thread Bob Beck
- ok mike, I'm looking at it.. Allow me a short while to beat my head against a wall for a bit to get it into readahead mode... On Wed, Jun 14, 2017 at 3:56 AM, Mike Belopuhov wrote: > On Thu, Jun 08, 2017 at 11:55 +0200, Mike Belopuhov wrote: > > On Wed, Jun 07, 2017 at

Re: ocspcheck size_t printing

2017-05-08 Thread Bob Beck
You are correct. Patch committed. Thanks! -Bob On Mon, May 08, 2017 at 08:20:57PM +0200, Jonas 'Sortie' Termansen wrote: > Hi, > > When upgrading to libressl-2.5.4 I noticed a couple -Wformat errors due > to this code assuming size_t is of type long when it was actually int on > this 32-bit

Official OpenBSD 6.1 CD !

2017-05-03 Thread Bob Beck
So. There *Is* an official OpenBSD 6.1 CD Just One. If you are interested, please bid on ebay : http://www.ebay.com/itm/The-only-Official-OpenBSD-6-1-CD-set-to-be-made-For-auction-for-the-project-/252910718452?hash=item3ae2a74df4:g:SJQAAOSwrhBZBqkd (It's a pretty cool little CD set!)

Re: explicit_bzero after readpassphrase

2017-05-01 Thread Bob Beck
On Mon, May 01, 2017 at 04:07:27PM -0600, Theo de Raadt wrote: > > Let me stop here and ask if the pattern is: "always explicit_bzero > a password field once it is used"? It might make sense, but some > of these are heading straight to exit immediately. Is it too much > to do it then, or is the

Re: patch: mv(1): Add -p flag to preserve time stamps for moved directories

2017-04-11 Thread Bob Beck
> Note that I have noatime on this FS. Then turn that off, or understand that things will not behave as you expect them to with it on.

Re: httpd/libtls: TLS client certificate revocation checking

2017-04-01 Thread Bob Beck
There will be some libtls api additions post 6.1 to get the peer cert in PEM format. In the meantime, testing snaps prior to 6.1 should be the priority, not a talkathon. On Sat, Apr 1, 2017 at 10:49 Joerg Sonnenberger wrote: > On Sat, Apr 01, 2017 at 07:53:05PM +1030, Jack Burton

Re: regarding OpenSSL License change

2017-03-23 Thread Bob Beck
On Thu, Mar 23, 2017 at 17:48 Bob Beck <b...@obtuse.com> wrote: > Honestly, anyone who gets one of these should say no > > what would you all think if people quietly took derived works of software > licensed under one license and took silence as assent to relicense

Re: regarding OpenSSL License change

2017-03-23 Thread Bob Beck
Honestly, anyone who gets one of these should say no. What would you all think if people quietly took derived works of software licensed under one license and took silence as assent to relicense? Does this mean that with an unanswered email I can now release my relicensed-as-ISC version of gcc?

Re: tlsv1 alert decrypt error

2017-03-06 Thread Bob Beck
And as joel mentioned, a fix is already arriving for this - there was a bug in SSLv2 compatible handshake initiation, and Paypal still has it enabled... (yeeuch) On Mon, Mar 6, 2017 at 3:48 PM, Bob Beck <b...@obtuse.com> wrote: > > Move it to tech@ from misc.. not libress

Re: tlsv1 alert decrypt error

2017-03-06 Thread Bob Beck
Move it to tech@ from misc.. not libressl.. libressl is not special ;) On Mon, Mar 6, 2017 at 3:21 PM, Kirill Miazine wrote: > Moving to libressl@ from misc@, as it's a LibreSSL issue. > > * Joel Sing [2017-03-05 23:01]: > > On Thursday 02 March 2017 13:28:08 Kirill Miazine

Re: Scheduler ping-pong with preempt()

2017-02-06 Thread Bob Beck
Go for it mpi.. move forward. ok beck@ On Mon, Feb 6, 2017 at 7:48 AM, Martin Pieuchot wrote: > On 24/01/17(Tue) 13:35, Martin Pieuchot wrote: > > Userland threads are preempt()'d when hogging a CPU or when processing > > an AST. Currently when such a thread is preempted the

Re: Password corruption in adduser

2017-02-05 Thread Bob Beck
ok beck@ On Sun, Feb 5, 2017 at 22:53 Theo Buehler wrote: > On Sun, Feb 05, 2017 at 09:47:35PM -0800, Philip Guenther wrote: > > On Sun, 5 Feb 2017, John McGuigan wrote: > > > I've noticed something strange in adduser -- when attempting to add a > > > user completely through

Re: netcat: IPv6 address support for proxy

2017-02-04 Thread Bob Beck
ok beck@ On Sun, Feb 05, 2017 at 12:27:19AM +0100, Jeremie Courreges-Anglas wrote: > > The colons used in IPv6 addresses conflict with the proxy port > specification. Do the right thing for -x ::1:8080, [::1] and > [::1]:8080. > > ok? > > > Index: netcat.c >

Re: Update for US Holidays.

2017-02-04 Thread Bob Beck
On Sat, Feb 04, 2017 at 01:52:14PM -0700, Bob Beck wrote: > > Presented without further comment. > > ok? > Or maybe this is more appropriate: Index: calendar.history === RCS file: /cvs/src/usr.bin/cal

Re: Update for US Holidays.

2017-02-04 Thread Bob Beck
On Sat, Feb 04, 2017 at 12:59:53PM -0800, Philip Guenther wrote: > On Sat, Feb 4, 2017 at 12:52 PM, Bob Beck <b...@obtuse.com> wrote: > > > > Presented without further comment. > > > > ok? > > NACK. Obsolete 32bit time_t OSes can track their own

Update for US Holidays.

2017-02-04 Thread Bob Beck
Presented without further comment. ok? Index: calendar.usholiday === RCS file: /cvs/src/usr.bin/calendar/calendars/calendar.usholiday,v retrieving revision 1.9 diff -u -p -u -p -r1.9 calendar.usholiday --- calendar.usholiday 19

Re: specify curves via ecdhe statement in httpd.conf

2017-02-04 Thread Bob Beck
try connecting with openbsd nc rather than s_client On Sat, Feb 4, 2017 at 09:13 Bob Beck <b...@obtuse.com> wrote: > > On Sat, Feb 4, 2017 at 07:51 Andreas Bartelt <o...@bartula.de> wrote: > > On 02/04/17 05:26, Joel Sing wrote: > > On Wednesday 01 February 2017

OpenBSD errata, Jan 31, 2017

2017-02-01 Thread Bob Beck
An issue has been identified whereby httpd(8) could be subject to a denial of service attack. Repeated crafted requests could be made from a client using file-range requests, making the server consume excessive amounts of memory. This issue has been fixed in current. For 5.9 and 6.0 the following

err with multiple TLS sites but one OCSP?

2017-01-28 Thread Bob Beck
Sooo.. Pretty sure mlucas has uncovered a problem with the ocsp interface. Basically I didn't attach it to the keypair, (yes Joel, I think you told me so) so it only works with the master keypair.. OK, but the problem is that it also returns the staple for other keypairs which is wrong.

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
On Fri, Jan 27, 2017 at 15:23 Stuart Henderson <s...@spacehopper.org> wrote: > On 2017/01/27 22:09, Bob Beck wrote: > > > I think you have more issues than ocsp. if that's the same host you can't > > > have two different tls certs on the same ip. and you h

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
27, 2017 at 09:53:25PM +0000, Bob Beck wrote: > > >On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas > > > Or a misconfiguration. show configs > > > > > > Configs follow. > > > > # cat /etc/httpd.conf > > include "/etc/sites/www3.conf&q

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas wrote: > On Fri, Jan 27, 2017 at 02:50:29PM -0500, Michael W. Lucas wrote: > > > On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote: > > > > That looks like a web server bug, it shouldn't return a staple >

Re: Allow install from https server w/ self signed cert

2017-01-07 Thread Bob Beck
On Sat, Jan 07, 2017 at 03:52:04PM -0700, Theo de Raadt wrote: > > What workarounds would be reasonable and appropriate? and does it > > make sense for OpenBSD to support such scenarios out-of-the-box to > > promote wider adoption of better software? > > If you want buy the

Re: Allow install from https server w/ self signed cert

2017-01-07 Thread Bob Beck
On Sat, Jan 07, 2017 at 05:42:24PM -0500, Jacob L. Leifman wrote: > Most of the time I agree with this particular attitude and it is indeed > appropriate for the OP case. However, there are some major networks such as > various governments (or for example .mil) that do not participate in > the

Re: Allow install from https server w/ self signed cert

2017-01-07 Thread Bob Beck
On Fri, Jan 06, 2017 at 10:48:37AM -0500, RD Thrush wrote: > On 01/06/17 06:28, Stuart Henderson wrote: > > Related to this (and particularly thinking about autoinstalls), > > would it make sense to allow explicit protocols in the hostname? > > > > some.host -> https with http fallback > >

Re: acme-client use configuration file [1 of 5]

2017-01-02 Thread Bob Beck
No objection in principle.. although since some of us depend on this we might either need warning and/or a small period of overlap where the old stuff works and then we can move to the new stuff without things blowing up. On Sun, Jan 1, 2017 at 1:59 PM, Sebastian Benoit wrote:

Re: libtls syslogd pledge abort

2016-12-29 Thread Bob Beck
> Or do not call tls_configure_ssl_verify() if verification is turned > off. This makes sense to me. > > Index: lib/libtls/tls_client.c > === > RCS file: /data/mirror/openbsd/cvs/src/lib/libtls/tls_client.c,v > retrieving

Re: httpd(8)/proc.c: use less fds on startup

2016-10-07 Thread Bob Beck
This is now working on www.openbsd.org. I upgraded my 6.0 system to current today off the latest snap and httpd would not start, same problem. This diff lets current httpd start again. ok beck@ On Tue, Oct 04, 2016 at 11:54:37PM +0200, Rafael Zalamena wrote: > On Tue, Oct 04, 2016 at

Re: rebound quantum entanglement

2016-09-14 Thread Bob Beck
BTW I'm not picking on you.. my DNS setup blew up this week for local resolution and I've been dealing with the fallout - so the topic is relatively near and dear to my heart. On Wed, Sep 14, 2016 at 10:07 PM, Bob Beck <b...@obtuse.com> wrote: > > Yep. and now you need to solve

Re: rebound quantum entanglement

2016-09-14 Thread Bob Beck
y then nothing changes at *all* when it's not there. On Wed, Sep 14, 2016 at 8:39 PM, Ted Unangst <t...@tedunangst.com> wrote: > Ted Unangst wrote: > > Bob Beck wrote: > > > how is rebound going to handle a change in resolv.conf? that's still a > > > problem h

Re: rebound quantum entanglement

2016-09-14 Thread Bob Beck
into rebound to make it useful and then look at libc which might need slightly more cleverness than just adding localhost unconditionally. On Wednesday, 14 September 2016, Ted Unangst <t...@tedunangst.com> wrote: > Bob Beck wrote: > > how is rebound going to handle a change in resolv.co

Re: rebound quantum entanglement

2016-09-14 Thread Bob Beck
how is rebound going to handle a change in resolv.conf? that's still a problem here On Wednesday, 14 September 2016, Ted Unangst wrote: > So the plan is for rebound to be the 'system' resolver, with libc talking > to > rebound and rebound talking to the cloud. The main

Re: reduce double caching in mfs

2016-09-09 Thread Bob Beck
I really dislike "CHEAP". and it almost seems like these should actually be NOCACHE.. why the heck can't they be? On Thu, Sep 8, 2016 at 7:49 PM, Ted Unangst wrote: > Currently, the bufcache doesn't know that mfs is backed by memory. All i/o > to > mfs ends up being

Re: [PATCH] Callback-based interface to libtls

2016-09-05 Thread Bob Beck
I am in agreement in principle, but please coordinate with bcook@ and/or jsing@ who were possibly doing some related adjustments. On Mon, Sep 5, 2016 at 4:44 AM, Ted Unangst <t...@tedunangst.com> wrote: > Bob Beck wrote: > > > > > > Agreed, I was also a bit unclear

Re: hexdump(1): strlen + calloc + snprintf == asprintf

2016-09-04 Thread Bob Beck
ok beck@ On Sun, Sep 4, 2016 at 9:54 AM, Theo Buehler wrote: > use the libc interface instead of rolling it by hand. > > Index: parse.c > === > RCS file: /var/cvs/src/usr.bin/hexdump/parse.c,v > retrieving

Re: [PATCH] Callback-based interface to libtls

2016-09-04 Thread Bob Beck
On Sun, Sep 04, 2016 at 05:26:24AM -0500, Brent Cook wrote: > On Sun, Sep 04, 2016 at 05:57:54AM -0400, Ted Unangst wrote: > > Brent Cook wrote: > > > @@ -246,14 +252,18 @@ An already existing socket can be upgrad > > > .Fn tls_connect_socket . > > > Alternatively, a secure connection can be

Re: [PATCH] Callback-based interface to libtls

2016-09-04 Thread Bob Beck
On Sun, Sep 04, 2016 at 05:57:54AM -0400, Ted Unangst wrote: > Brent Cook wrote: > > @@ -246,14 +252,18 @@ An already existing socket can be upgrad > > .Fn tls_connect_socket . > > Alternatively, a secure connection can be established over a pair of > > existing > > file descriptors by

Re: minor diff for faq15.html

2016-09-03 Thread Bob Beck
committed. thanks Rob On Sat, Sep 03, 2016 at 02:30:17PM -0400, Rob Pierce wrote: > There is only one result mentioned: ready-to-install binary packages. > > Rob > > Index: faq15.html > === > RCS file: /cvs/www/faq/faq15.html,v >

Re: remove ntfs write code

2016-08-31 Thread Bob Beck
Yes, ok beck@ to be shortly followed by the ntfs code - don't we have a fuse version of this? On Wed, Aug 31, 2016 at 3:34 PM, Martin Natano wrote: > mount_ntfs forces the mount point to be MNT_RDONLY, so the write parts > in ntfs are never used. OK to remove? > > natano >

Re: relayd TLS ticket and session support across processes

2016-08-30 Thread Bob Beck
Quite Frankly, we're happy to support what's needed in relayd, But first relayd needs to actually convert to use libtls instead of bare knuckles shit Until then we're just making the problem worse. IMO, we should convert relayd to use libtls - (add what we need to libtls to support it) before

Re: cwm(1): Enable numpad Enter on menus

2016-08-27 Thread Bob Beck
I have no objections.. If I hear none by monday I can commit it for you On Sat, Aug 27, 2016 at 11:53:14PM -0300, Henrique N. Lengler wrote: > > Hi, > > > > This is a tiny patch to enable the use of numpad Enter key on cwm menus. > > > > Regards, > > > > Henrique N. Lengler > > No intention

Re: Enable Camellia ciphers with SHA-2 family HMAC

2016-08-25 Thread Bob Beck
On Thursday, 25 August 2016, Ted Unangst wrote: > Andreas Bartelt wrote: > > On 08/25/16 15:58, Brent Cook wrote: > > > No objection here. Anyone else? > > > > > > > in general, I personally would only add further cryptographic primitives > > to a TLS configuration in case

Add libtls functionality for OCSP, and OCSP stapling support - take 2

2016-08-22 Thread Bob Beck
On Tue, Jul 05, 2016 at 09:11:37PM -0600, Bob Beck wrote: > Ok, so this work was done by Marko Kreen, all as the result of a very long > discussion in: > > https://github.com/libressl-portable/openbsd/pull/47 > > In a nutshell, I threw down a glove that libtls could have funct

Re: fuse cache shenanigans

2016-08-15 Thread Bob Beck
Yeah, ok in that context, sure.. since this is userspace shit the caching if any should probably happen there. On Mon, Aug 15, 2016 at 2:20 PM, Ted Unangst <t...@tedunangst.com> wrote: > Bob Beck wrote: > > Note - NFS has similar behaviour ;) > > > > at leas

Re: fuse cache shenanigans

2016-08-15 Thread Bob Beck
Note - NFS has similar behaviour ;) at least within a directory. - so this isn't that "unusual" for non-local. I'm wondering if this isn't a bit premature. Have you looked for other side effects of this removal? On Mon, Aug 15, 2016 at 1:52 PM, Ted Unangst wrote: > Martin

Re: [Bug 64] Any user can trigger a panic in mmap with an overlapping mapping

2016-08-01 Thread Bob Beck
And just to confirm tim, we're sorting out the nature of a minimal patch for a possible errata, and we'll need to get the errata signed. I don't anticipate this will be more than a day or two if you can wait that long. On Mon, Aug 1, 2016 at 1:09 PM, Mark Kettenis

Re: [Bug 64] Any user can trigger a panic in mmap with an overlapping mapping

2016-08-01 Thread Bob Beck
Hi Tim, Yes, a fix is being discussed ATM.. we'll let you know shortly I believe. On Mon, Aug 1, 2016 at 12:38 PM, Jesse Hertz wrote: > Hi All, > > Is a fix for this in the works? We’d like to be able to point to a fix > before posting to oss-sec :) > > Best, > -jh

Re: nc getaddrinfo cleanup

2016-08-01 Thread Bob Beck
look ok to me.. go for it On Fri, Jul 29, 2016 at 6:00 PM, Alexander Hall wrote: > Use the style from the man page examples for getaddrinfo, which makes a > bit more sense. > > No functional change intended, and prior to the do/while => for > transition, no .o files were

Re: libtls: ALPN support

2016-07-28 Thread Bob Beck
Adds no new files, and I've seen it before.. ok beck@ - get it in and we'll sort it out in tree if anything further is needed. On Wed, Jul 27, 2016 at 10:59 AM, Joel Sing wrote: > The following diff adds ALPN support to libtls via: > > tls_config_set_alpn() - set the ALPN

Re: tcpbench(4) support for AF_UNIX

2016-07-20 Thread Bob Beck
On Wednesday, 20 July 2016, Bob Beck <b...@obtuse.com> wrote: > > > On Wednesday, 20 July 2016, Henning Brauer <hb-openbsdt...@ml.bsws.de> wrote: > >> * Sebastian Benoit <be...@openbsd.org&g

Re: tcpbench(4) support for AF_UNIX

2016-07-20 Thread Bob Beck
On Wednesday, 20 July 2016, Henning Brauer wrote: > * Sebastian Benoit > [2016-07-20 21:42]: > > Claudio Jeker(cje...@diehard.n-r-g.com ) on 2016.07.20 > 19:08:51 +0200: > > > On Wed, Jul 20, 2016 at 04:09:48PM +0200,

Re: [PATCH] Callback-based interface to libtls

2016-07-17 Thread Bob Beck
Excellent. I'm currently travelling but I think you will be hearing from Joel. Aside from any minor changes I will say I basically like your diff, we may need to wait for after OpenBSD 6.0 to put it in (few weeks) as we are close to release and api changes now can hurt ports but thank you very

Re: initialize variables patch for bn_nist.c

2016-07-14 Thread Bob Beck
I'm ok with this. On Thu, Jul 14, 2016 at 4:57 AM, Kinichiro Inoguchi < kinichiro.inogu...@gmail.com> wrote: > Hi, > > When I build LibreSSL portable on HP-UX 11.3 with HP C/aC++ compiler, > this warning is detected. > > ... > "bn/bn_nist.c", line 611: warning #2549-D: variable "buf" is used

Re: Add libtls functionality for OCSP, and OCSP stapling support

2016-07-08 Thread Bob Beck
One thing I am considering here (and for y'all to know, this is a major API addition and won't go in until after the soon upcoming openbsd release cycle happens) is that the way we have done this in the past with libtls is to just - do the thing in the handshake and keep the data hidden in the
