Andreas Thulin | 1 Sep 15:14 2015

How to create "paranoid" cipher list in httpd.conf

Hi misc readers!

This is my first attempt to ask for help using misc <at> openbsd.org, so please
bear with me if I'm making mistakes. Also, apologies if I'm asking about
something recently discussed.

I want to limit the number of tls ciphers in httpd.conf so that only
strong (>128 bit) ciphers with Forward Secrecy capabilities (ECDHE) are
accepted. I'm also only using TLSv1.2.

My current httpd.conf contains a line saying

tls ciphers "STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH"

which renders out "Configuration OK" with '# /usr/sbin/httpd -n'.
Also, when testing that string using

# openssl ciphers -v 'STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH'

I get a nice, acceptable list of the ciphers. However, when running a
server test
(https://www.ssllabs.com/ssltest/analyze.html?d=andreasthulin.se),
there's a much longer list of ciphers, including both non-FS and medium
strength ciphers.

I'm thinking that either

   1. my assumption that my httpd.conf is all dandy is wrong (highly
   probable),
   2. SSL Labs is lying to me (improbable), or

Quartz | 1 Sep 04:38 2015

pf vs mp

Quick question: I need to make a decision between a faster single core 
and a slower multicore. The faq currently states that pf gets no 
improvement from mp. Is this still correct/current information? 
Presumably it would see no benefit from hyperthreading either, right?

For an OpenBSD machine acting as a gateway/firewall/router with a 
handful of related tasks (pf, dhcp server, etc) would mp yield anything?

Gabriel Kuri | 1 Sep 02:04 2015

Multiple Instances of NSD

In migrating from bind to nsd, I currently have split views in bind and
need to run multiple instances of nsd to accomplish the same thing. What's
the best way to start multiple instances of nsd? I tried copying
/etc/rc.d/nsd to /etc/rc.d/nsd-internal and in the rc script I changed
daemon_flags to "-c /var/nsd/etc/nsd-internal.conf" to reflect the new
config name, but it doesn't work: that instance of nsd doesn't start,
there are no errors in /var/log/daemon, and I have no idea why it's not
starting. I also updated nsd-internal.conf to use a different port,
different PID file and DB name, so they wouldn't conflict with the primary
instance of nsd, but no luck.

Anyone else running multiple instances of nsd, if so, what did you do to
get it to work?

sven falempin | 31 Aug 22:04 2015

Dmesg

"eeprom" at iic0 addr 0x50 not configured: huh?

"Intel Bay Trail TXE" rev 0x0e at pci0 dev 26 function 0 not configured:
what?

OpenBSD 5.8 (GENERIC) #254: Fri Aug 14 04:59:16 EDT 2015
real mem = 4152320000 (3959MB)
avail mem = 4022620160 (3836MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xe9570 (14 entries)
bios0: vendor American Megatrends Inc. version "BAR3NA01" date 08/11/2015
bios0: NF533 NF533
acpi0 at bios0Entering acpi matching devices!!!: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG LPIT HPET SSDT SSDT SSDT UEFI
acpi0: wakeup devices XHC1(S4) EHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4)
BRCM(S0) BRC3(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.45 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0

Atanas Vladimirov | 31 Aug 20:35 2015

ddb.html typo

Index: ddb.html
===================================================================
RCS file: /home/vlado/cvsync/cvsroot/www/ddb.html,v
retrieving revision 1.3
diff -u -p -r1.3 ddb.html
--- ddb.html	30 Aug 2015 17:32:13 -0000	1.3
+++ ddb.html	31 Aug 2015 07:50:13 -0000
 <at>  <at>  -16,7 +16,7  <at>  <at> 

 <h3><font color="#0000e0">Minimum information for kernel problems</font></h3>

-Familiarize yourself with <a href="reports.html">the general bug reporting 
procedures</a>
+Familiarize yourself with <a href="report.html">the general bug reporting 
procedures</a>
  first. All of that will apply.

 When reporting a kernel panic or crash, please remember:
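Review bot: as posted, the changed lines of this hunk have been wrapped by the mail client (both the `-` and the `+` line break before `procedures</a>`, and the continuation lines carry no diff prefix), so patch(1) will not apply it verbatim; resend it unwrapped or as an attachment. The change itself is a one-word fix of the link target from reports.html to report.html, so it would help to say in the message that report.html is the page that actually exists in www/.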

Sent with AquaMail for Android
http://www.aqua-mail.com

Craig Skinner | 31 Aug 11:52 2015

[DIFF] user & group delete named in upgrade57.html

Hi there,

BIND is binned.

--- upgrade57.html	Mon Aug 31 10:44:41 2015
+++ upgrade57-del-named.html	Mon Aug 31 10:46:46 2015
 <at>  <at>  -495,6 +495,8  <at>  <at>  rm -r /var/tmp
 ln -s /tmp /var/tmp

 groupdel _lkm
+userdel named
+groupdel named
 userdel smmsp
 groupdel smmsp
 </b></pre></blockquote>
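Review bot: the order of the two added lines is the right one, `userdel named` before `groupdel named`, so the group is no longer a user's primary group when groupdel runs. Since the message body only says "BIND is binned.", a sentence in the upgrade notes stating that these lines remove the account and group left behind by the base-system BIND would tell readers who still run a separately installed BIND under that account to skip them.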

Adam Jeanguenat | 31 Aug 15:54 2015

doas(1) and $PATH inheritance...

I'm not sure where I'm going wrong here, but I've been giving doas(1)
a whirl and ran into something that's left me a bit puzzled.

I have some scripts in ~/bin, and my user account has PATH set
as desired. I can run things out of that dir as expected without
invoking doas, but attempting to prefix the command with doas in the
same manner I previously did with sudo doesn't seem to work.

Without doas:

   $ ls -lA ~/bin
   total 8
   -rwxr-xr-x  1 avj  avj  22 Aug 26 11:31 testes
   $ cat ~/bin/testes
   #!/bin/sh
   echo testes, testes, 123
   $ echo $PATH
   /home/avj/bin:/bin:/sbin:/usr/bin:/usr/sbin
   $ which testes
   /home/avj/bin/testes
   $ testes
   testes, testes, 123

With doas:

   $ cat /etc/doas.conf
   permit nopass keepenv { PATH PS1 SSH_AUTH_SOCK } :wheel
   $ id
   uid=1001(avj) gid=1001(avj) groups=1001(avj), 0(wheel)
   $ doas which testes

Patrick | 30 Aug 23:29 2015

Re: OpenBSD on Fiber

Kind regards,

*Patrick Koreneef*

T: +316-40951631
E: patrick <at> natpnk.nl

On 30 August 2015 at 23:28, Patrick <patrick <at> natpnk.nl> wrote:

> "So upgrade right now."
> I am currently running 5.8
>
> "What does "download a test bin" mean, exactly?"
> A 1000mb.bin with zeros to test the download speed for a DC
>
> "Meaning what, exactly?"
> After removing OpenBSD and installing FreeBSD the speeds were normal for my
> internet connection
>
> "What problem?"
> I would like to know what can cause this network speed lag
>
> What I mean with the hardware version is the hardware version in ESXi.
>
> PS: I am a system engineer in daily life.
>
>
>
> Kind regards,
>

Patrick | 30 Aug 20:08 2015

OpenBSD on Fiber

Hello,

I have a fiber internet connection with 500Mbs download and 500Mbs upload.
I installed a long time ago a firewall with OpenBSD 5.5 with routing and
PF. But after a speedtest the line is stuck at around 200Mbs. Even when I
download a test bin the speed is around 17Mbs. After this experience I had
FreeBSD installed, which is doing fine with my fiber network. I have tested 5.6
and 5.7 and even 5.8 for testing any improvements in the network speed.
Does anybody know what can cause this problem? Below I have my specs posted:

*Hardware / OS*
HP DL380 G6
vSphere ESXI 6 (Updated to last patches)

*VM*
Virtual Machine 11 (Also tried 8)
Type: Other 32Bit / Other 64Bit And FreeBSD 64bit same results
1 CPU & 1 core
4GB

*What I have tried (This all had no results)*
Upgrade the virtual machine hardware.
Forward the network cards from pci slots to the VM
Different ethernet adapters, VMXNET3 is still the best which is getting the
highest speeds.
Add system tweaks in sysctl.conf & disabling PF
Use other versions of OpenBSD 32Bit / 64Bit.

Best Regards,


Alessandro DE LAURENZIS | 30 Aug 13:12 2015

disklabel(8) "disk" and "label" fields

Dear misc@ readers,

This is the output of disklabel(8) for a USB key with 2 partitions (one
FAT32 and one OpenBSD):

[....................snip....................]
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: USB 2.0 FD      
duid: 55c000a328c876de
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 487
total sectors: 7831552
boundstart: 5242880
boundend: 7340032
drivedata: 0 

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:          2097152          5242880  4.2BSD   2048 16384    1 
  c:          7831552                0  unused                   
  i:          4194304               64   MSDOS                   
[....................snip....................]

Just curious: how to change "disk" (SCSI disk) and "label" (USB 2.0 FD)

textodroit | 30 Aug 04:36 2015

TEXTODROIT SERVICES

Textodroit Services always at the service of the community /
Textodroit Services always helping the community: textodroit <at> gmail.com
Can't see this message? *Open in a browser*

If you think you received this email by mistake or wish to unsubscribe,
*click here*

