Re: when does a server need to use SSL_CTX_set_client_CA_list()?

2020-03-16 Thread Alexander Leidinger
Quoting Rick Macklem (from Sun, 15 Mar 2020 23:27:58 +):


> As such, it still seems to be a bit of a mystery to me, but it
> seems that putting all the certificates in a CAfile and not using
> a CApath directory is the simpler way to go.


If you have multiple CAs in the file, the code needs to search for one
which matches. If you use the path, the code just needs to list the
directory and check the filename which matches the id of the CA-cert.
On a recent -current system where you've never run "certctl
rehash", have a look into /etc/ssl/certs, then run "certctl rehash",
and then check /etc/ssl/certs again to see what I mean.


For a program which communicates with a lot of different systems which
use different CAs (mailserver, browser), the path makes sense. For a
NFS server I wouldn't configure all the Mozilla-accepted CAs. As such
a CAfile may be enough, but having the possibility for both allows the
user to choose which way he wants to configure his system (e.g. maybe
he has just one CA in a directory, but for consistency reasons he
prefers to specify the path to be able to use one way to configure
things).


You can do it either way, technically it doesn't matter. It makes
sense to have both possibilities (that would be my preference, to give
the user the choice which way he wants to handle it). Having only the
file-way would not be stupid (as you can see with wpa and unbound,
which are used in a similar way in this regard as one would use
NFS). Only the path-way would be less favorable in my opinion.


> I haven't yet decided whether or not I'll specify a command option
> for setting CApath. Sendmail does. wpa and unbound don't?


Sendmail needs to use more than one CA if it wants to validate  
connections from anyone, and it wants to do it in a performant way.  
WIFI and DNS typically only need one CA.


Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF


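The hashed-directory lookup Alexander describes above (what "certctl rehash" builds under /etc/ssl/certs) can be reproduced with a small portable script. This is an added example, not code from the thread or from certctl itself: it assumes the openssl command-line tool is installed and builds a CApath directory from a PEM bundle, naming each file <subject_hash>.<n> the way OpenSSL's hash_dir lookup expects.

```shell
#!/bin/sh
# Added example (not certctl): turn a CAfile bundle into an OpenSSL CApath
# directory. The hash_dir lookup never scans a bundle; it hashes the subject
# name of the issuer it is looking for and opens <hash>.<n> directly, which is
# why a rehashed directory is a set of 8-hex-digit file names.
set -eu

# rehash_capath BUNDLE DIR: split BUNDLE (concatenated PEM certificates) into
# DIR/<subject_hash>.<n>. Re-running on a populated DIR is idempotent, and
# certificates whose subjects hash to the same value get the next free suffix.
rehash_capath() {
    bundle=$1; dir=$2
    mkdir -p "$dir"
    tmp=$(mktemp -d)
    # One file per BEGIN/END CERTIFICATE block; text outside blocks is dropped.
    awk -v out="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "/cert." n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    for c in "$tmp"/cert.*.pem; do
        [ -e "$c" ] || continue
        # Same value X509_NAME_hash() yields, so CApath lookups find the file.
        h=$(openssl x509 -noout -subject_hash -in "$c")
        i=0
        while [ -e "$dir/$h.$i" ]; do
            # Identical certificate already stored: nothing to do.
            if [ "$(cksum < "$c")" = "$(cksum < "$dir/$h.$i")" ]; then
                i=-1; break
            fi
            i=$((i + 1))
        done
        if [ "$i" -ge 0 ]; then cp "$c" "$dir/$h.$i"; fi
    done
    rm -rf "$tmp"
}

# capath_count DIR: how many hashed certificate files DIR holds.
capath_count() {
    ls "$1" | grep -c '^[0-9a-f]\{8\}\.[0-9][0-9]*$' || true
}

# capath_has_subject DIR CERT: succeeds if CERT's subject hash is present in
# DIR, i.e. an issuer-name lookup for this CA would find a file to open.
capath_has_subject() {
    h=$(openssl x509 -noout -subject_hash -in "$2")
    [ -e "$1/$h.0" ]
}
```

After running it, "openssl verify -CApath DIR" resolves issuers from the directory by filename only, which is the performance difference Alexander points to.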


Re: when does a server need to use SSL_CTX_set_client_CA_list()?

2020-03-16 Thread Rick Macklem
Alexander Leidinger wrote:
>Quoting Rick Macklem (from Sun, 15 Mar 2020 23:27:58 +):
>
>> As such, it still seems to be a bit of a mystery to me, but it
>> seems that putting all the certificates in a CAfile and not using
>> a CApath directory is the simpler way to go.
>
>If you have multiple CAs in the file, the code needs to search for one
>which matches. If you use the path, the code just needs to list the
>directory and check the filename which matches the id of the CA-cert.
>On a recent -current system where you've never run "certctl
>rehash", have a look into /etc/ssl/certs, then run "certctl rehash",
>and then check /etc/ssl/certs again to see what I mean.
>
>For a program which communicates with a lot of different systems which
>use different CAs (mailserver, browser), the path makes sense. For a
>NFS server I wouldn't configure all the Mozilla-accepted CAs. As such
>a CAfile may be enough, but having the possibility for both allows the
>user to choose which way he wants to configure his system (e.g. maybe
>he has just one CA in a directory, but for consistency reasons he
>prefers to specify the path to be able to use one way to configure
>things).
>
>You can do it either way, technically it doesn't matter. It makes
>sense to have both possibilities (that would be my preference, to give
>the user the choice which way he wants to handle it). Having only the
>file-way would not be stupid (as you can see with wpa and unbound,
>which are used in a similar way in this regard as one would use
>NFS). Only the path-way would be less favorable in my opinion.
Well, I can easily provide command line options for both CAfile and CApath.
The part that confuses me is that only CAfile gets used for:
SSL_CTX_set_client_CA_list(SSL_load_CA_names(CAfile))
in the examples I've found, so the CA list that goes to the client doesn't seem
to get set for the CApath case?
As such, there does seem to be a technical difference between using CAfile and
CApath.

And Garrett seems to indicate SSL_CTX_set_client_CA_list() should always be
done.

Note that NFS will often (not always, that's a decision for the NFS admin) want
certificates from clients (something that a web server doesn't normally do).

For now, I'll just provide both command line arguments, but note in the man
page that SSL_CTX_set_client_CA_list() is only done for CAfile.

Thanks for your comments, rick

>> I haven't yet decided whether or not I'll specify a command option
>> for setting CApath. Sendmail does. wpa and unbound don't?
>
> Sendmail needs to use more than one CA if it wants to validate
> connections from anyone, and it wants to do it in a performant way.
> WIFI and DNS typically only need one CA.
>
> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF


___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: Build failed compiling ittnotify_static.pico

2020-03-16 Thread Mark Millard


On 2020-Mar-13, at 16:01, Mark Millard  wrote:

> Bob Willcox bob at immure.com wrote on
> Fri Mar 13 21:08:16 UTC 2020 :
> 
>> My 13.0-current system (just updated about 2 hours ago) is failing with this
>> error when trying to do a 'make makeworld'
>> 
>> --- ittnotify_static.pico ---
>> cc -target x86_64-unknown-freebsd13.0 
>> --sysroot=/usr/obj/usr/src/amd64.amd64/tmp 
>> -B/usr/obj/usr/src/amd64.amd64/tmp/usr/bin -fpic -DPIC  -O2 -pipe   
>> -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS 
>> -I/usr/src/lib/libomp -I/usr/src/contrib/llvm-project/openmp/runtime/src 
>> -I/usr/src/contrib/llvm-project/openmp/runtime/src/thirdparty/ittnotify 
>> -ffunction-sections -fdata-sections -g -MD  -MF.depend.ittnotify_static.pico 
>> -MTittnotify_static.pico -std=gnu99 -Wno-format-zero-length 
>> -fstack-protector-strong -Wno-atomic-alignment -Wsystem-headers -Werror 
>> -Wno-pointer-sign -Wno-empty-body -Wno-string-plus-int 
>> -Wno-unused-const-variable -Wno-tautological-compare -Wno-unused-value 
>> -Wno-parentheses-equality -Wno-unused-function -Wno-enum-conversion 
>> -Wno-unused-local-typedef -Wno-address-of-packed-member -Wno-switch 
>> -Wno-switch-enum -Wno-knr-promoted-parameter -Wno-parentheses  
>> -Qunused-arguments-c 
>> /usr/src/contrib/llvm-project/openmp/runtime/src/thirdparty/ittnotify/ittnotify_static.c
>>  -o ittnotify_static.pico
>> cc: error: no such file or directory: 
>> '/usr/src/contrib/llvm-project/openmp/runtime/src/thirdparty/ittnotify/ittnotify_static.c'
>> cc: error: no input files
>> *** [ittnotify_static.pico] Error code 1
>> 
>> 
>> Anyone else seeing this? Any suggestions for a fix?
> 
> 
> The problem introduced in head -r358851 was supposed
> to be fixed by head -r358907:
> 
> QUOTE
> 
> Dimitry Andric dim at FreeBSD.org 
> Thu Mar 12 11:39:07 UTC 2020
> Author: dim
> Date: Thu Mar 12 11:39:04 2020
> New Revision: 358907
> URL: 
> https://svnweb.freebsd.org/changeset/base/358907
> 
> 
> Log:
>  Allow -DNO_CLEAN build across r358851.
> 
>  The openmp 10.0.0 import renamed one .c file to .cpp, and this is
>  something our dependency system does not handle correctly.  Add another
>  ad-hoc cleanup to get rid of the stale dependency.
> 
>  PR:  244251
>  MFC after:   6 weeks
>  X-MFC-With:  358851
> 
> Modified:
>  head/Makefile.inc1
> 
> Modified: head/Makefile.inc1
> ==
> --- head/Makefile.inc1Thu Mar 12 06:45:08 2020(r358906)
> +++ head/Makefile.inc1Thu Mar 12 11:39:04 2020(r358907)
> @@ -924,6 +924,15 @@ _sanity_check: .PHONY .MAKE
> _cleanobj_fast_depend_hack: .PHONY
> # Syscall stubs rewritten in C and obsolete MD assembly implementations
> # Date  SVN Rev  Syscalls/Changes
> +# 20200310  r358851  rename of openmp's ittnotify_static.c to .cpp
> +.for f in ittnotify_static
> + @if [ -e "${OBJTOP}/lib/libomp/.depend.${f}.pico" ] && \
> + egrep -qw '${f}\.c' ${OBJTOP}/lib/libomp/.depend.${f}.pico; then \
> + echo "Removing stale dependencies for ${f}"; \
> + rm -f ${OBJTOP}/lib/libomp/.depend.${f}.* \
> +${LIBCOMPAT:D${LIBCOMPAT_OBJTOP}/lib/libomp/.depend.${f}.*}; 
> \
> + fi
> +.endfor
> # 20191009  r353340  removal of opensolaris_atomic.S (also r353381)
> .if ${MACHINE} != i386
> .for f in opensolaris_atomic
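Review bot: the cleanup only inspects ${OBJTOP}/lib/libomp/.depend.${f}.pico (and its ${LIBCOMPAT_OBJTOP} twin), so stale .depend.ittnotify_static.* files in other object trees, such as the nxb/*/lib/libomp cross-build areas Mark reports below, are left in place and keep referencing the renamed ittnotify_static.c. It also only fires when the .pico depend file is stale; a stale .depend.${f}.o or .depend.${f}.po from a static or profiled build would not trigger the rm even though the rm itself globs over .depend.${f}.*. Consider looping over every lib/libomp directory under ${OBJTOP} (including ${OBJTOP}/nxb/*/lib/libomp) and testing the whole .depend.${f}.* glob rather than the .pico file alone.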
> 
> END QUOTE
> 
> I've not upgraded to an llvm10 based vintage yet. I found
> the above while looking into whether updating looked reasonable.
> So I've no direct evidence of whether the change served its
> purpose or not.
> 
> But it does suggest that removing any stale files
> from the build area that have names matching:
> 
> .depend.ittnotify_static.*
> 
> is supposed to be sufficient to get rid of old
> ittnotify_static.c file references for the following
> build attempts.
> 
> It looks like two separate lib/libomp/ areas may have
> such files.
> 

Another kind of path that I've run into the issue with is:

/usr/obj/usr/src/amd64.amd64/nxb/*/lib/libomp/.depend.ittnotify_static.pico

where * was sometimes arm.armv7 and sometimes arm64.aarch64 in
my context.

I simply deleted such files and retried the builds.

===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)



what 3rd party boot mgr is required to boot multiple freebsd versions?

2020-03-16 Thread Chris

I'm attempting to boot multiple versions of FreeBSD.
I started with an install of older 11 with a (u)efi
boot partition installed. I then grabbed a current 11
usbstick, and installed that, which stated it needed to
install a (u)efi boot partition. I let it do it. But the
new (additional) install doesn't show up at boot, although
my UEFI BIOS sees it.
I guess there are just too many uefi bios versions,
and too many changes in the FreeBSD uefi boot code
to expect consistent results over the long haul.
Should I just convert the 1st efi (GPT) boot partition
to a PMBR, and delete the second efi partition? Or is
there a recommended boot manager I can use to boot multiple
versions of FreeBSD? Windows?

Thank you!

--Chris




Re: what 3rd party boot mgr is required to boot multiple freebsd versions?

2020-03-16 Thread Karl Denninger
On 3/16/2020 17:23, Chris wrote:
> I'm attempting to boot multiple versions of FreeBSD.
> I started with an install of older 11 with a (u)efi
> boot partition installed. I then grabbed a current 11
> usbstick, and installed that, which stated it needed to
> install a (u)efi boot partition. I let it do it. But the
> new (additional) install doesn't show up at boot, although
> my UEFI BIOS sees it.
> I guess there are just too many uefi bios versions,
> and too many changes in the FreeBSD uefi boot code
> to expect consistent results over the long haul.
> Should I just convert the 1st efi (GPT) boot partition
> to a PMBR, and delete the second efi partition? Or is
> there a recommended boot manager I can use to boot multiple
> versions of FreeBSD? Windows?
>
> Thank you!
>
> --Chris
>
Refind perhaps?


-- 
Karl Denninger
k...@denninger.net 
/The Market Ticker/
/[S/MIME encrypted email preferred]/




Re: what 3rd party boot mgr is required to boot multiple freebsd versions?

2020-03-16 Thread Andrey Fesenko
On Tue, Mar 17, 2020 at 1:24 AM Chris  wrote:
>
> I'm attempting to boot multiple versions of FreeBSD.
> I started with an install of older 11 with a (u)efi
> boot partition installed. I then grabbed a current 11
> usbstick, and installed that, which stated it needed to
> install a (u)efi boot partition. I let it do it. But the
> new (additional) install doesn't show up at boot, although
> my UEFI BIOS sees it.
> I guess there are just too many uefi bios versions,
> and too many changes in the FreeBSD uefi boot code
> to expect consistent results over the long haul.
> Should I just convert the 1st efi (GPT) boot partition
> to a PMBR, and delete the second efi partition? Or is
> there a recommended boot manager I can use to boot multiple
> versions of FreeBSD? Windows?
>

Upgrade the system and use
https://www.freebsd.org/cgi/man.cgi?query=efibootmgr&sektion=8&manpath=freebsd-release-ports
;)


Re: what 3rd party boot mgr is required to boot multiple freebsd versions?

2020-03-16 Thread Chris

On Mon, 16 Mar 2020 17:24:24 -0500 Karl Denninger k...@denninger.net said


> On 3/16/2020 17:23, Chris wrote:
> > I'm attempting to boot multiple versions of FreeBSD.
> > I started with an install of older 11 with a (u)efi
> > boot partition installed. I then grabbed a current 11
> > usbstick, and installed that, which stated it needed to
> > install a (u)efi boot partition. I let it do it. But the
> > new (additional) install doesn't show up at boot, although
> > my UEFI BIOS sees it.
> > I guess there are just too many uefi bios versions,
> > and too many changes in the FreeBSD uefi boot code
> > to expect consistent results over the long haul.
> > Should I just convert the 1st efi (GPT) boot partition
> > to a PMBR, and delete the second efi partition? Or is
> > there a recommended boot manager I can use to boot multiple
> > versions of FreeBSD? Windows?
> >
> > Thank you!
> >
> > --Chris
> >
> Refind perhaps?

Thanks for the reply, Karl! :)
I've used that before for FreeBSD/MacOS combos. I'll look at it again.

For the record, I'm *only* using FreeBSD in this situation. I
only mentioned Windows above, for the use of its boot manager.

Thanks again!

--Chris








link_elf_obj: symbol bcmp undefined

2020-03-16 Thread John D Groenveld
# uname -U
1300084
# pkg info | grep virtualbox
virtualbox-ose-additions-5.2.34_2 VirtualBox additions for FreeBSD guests
# kldload vboxvfs
kldload: an error occurred while loading module vboxvfs. Please check dmesg(8) for more details.
# dmesg | tail -2
link_elf_obj: symbol bcmp undefined
linker_load_file: /boot/modules/vboxvfs.ko - unsupported file type

Unsure if this is a compiler/linker or kernel bug.
John
groenv...@acm.org


Re: what 3rd party boot mgr is required to boot multiple freebsd versions?

2020-03-16 Thread Karl Denninger

On 3/16/2020 17:33, Chris wrote:
> On Mon, 16 Mar 2020 17:24:24 -0500 Karl Denninger k...@denninger.net said
>
>> On 3/16/2020 17:23, Chris wrote:
>> > I'm attempting to boot multiple versions of FreeBSD.
>> > I started with an install of older 11 with a (u)efi
>> > boot partition installed. I then grabbed a current 11
>> > usbstick, and installed that, which stated it needed to
>> > install a (u)efi boot partition. I let it do it. But the
>> > new (additional) install doesn't show up at boot, although
>> > my UEFI BIOS sees it.
>> > I guess there are just too many uefi bios versions,
>> > and too many changes in the FreeBSD uefi boot code
>> > to expect consistent results over the long haul.
>> > Should I just convert the 1st efi (GPT) boot partition
>> > to a PMBR, and delete the second efi partition? Or is
>> > there a recommended boot manager I can use to boot multiple
>> > versions of FreeBSD? Windows?
>> >
>> > Thank you!
>> >
>> > --Chris
>> >
>> Refind perhaps?
> Thanks for the reply, Karl! :)
> I've used that before for FreeBSD/MacOS combos. I'll look at it again.
>
> For the record, I'm *only* using FreeBSD in this situation. I
> only mentioned Windows above, for the use of its boot manager.
>
> Thanks again!
>
Refind will find all the bootable EFI "elements" in the EFI partition
and menu them.  The question then becomes whether multiple efi loaders
can be told to each use a *different* partition to load the kernel from
(and thus the loader file, which in turn can tell it where the root
filesystem is.)

Reading through the man page it appears they may not be.  You could of
course interrupt it and manually select that, but I suspect that's not
what you want to have to do.

I use refind on a dual-boot (win10/FreeBSD) system but not with multiple
independent FreeBSD versions.

-- 
Karl Denninger
k...@denninger.net 
/The Market Ticker/
/[S/MIME encrypted email preferred]/

