Re: Fund raising

2015-03-26 Thread Eric Furman
I'm not going to give you any shit. I think you are well intentioned.
However the number of people who would pay for such a thing is
so small that it is not worth the time and effort to create it.
One of the worst side effects of Linux and the FSF is that now
there are millions of pricks who think *EVERYTHING* should
be free. This attitude screws projects like OpenBSD.
What is so much "trouble and bother" about buying a CD?
I have bought CD releases. Most of them, in fact.
Not once was it any "trouble" or "bother".
If you don't want the CD just give it away.

On Thu, Mar 26, 2015, at 01:40 AM, worik wrote:
> I got a lot of shit on this list for suggesting that the OpenBSD project
> sell documentation collections (that are freely available elsewhere) as
> a method of raising funds for the project as CD rom sales dry up.
> 
> A lot of shit on list and especially off list (one clown made up a gmail
> address especially to tell me to fuck off.  Way too much time some
> people have)
> 
> Today I spent $US5 on an ebook containing tutorials for software  I am
> considering using.  By exercising my mouse I could have got it for free.
> 
> I did not.
> 
> So I am bringing this up again.  I do not want CDROMs.  I have been to
> the trouble of paying for one and insisting they do not post it, but it
> was a lot of bother.
> 
> I would pay for a collection of release notes for each new release.
> 
> I support this project and I would like to support Theo directly - as CD
> sales do.
> 
> So once again (at the risk of infuriating idle clowns) I respectfully
> suggest that the project consider such a release beside and as well as
> CDROMs.
> 
> I do realise that I am proposing a "good idea for some one else to do".
>  I cannot lead such a task as I am a OpenBSD newbie.
> 
> W
> 
> PS For those who might care I bought "Backbone Tutorials" by Thomas
> Davis.  https://leanpub.com/backbonetutorials
> 
> -- 
> Why is the legal status of chardonnay different to that of cannabis?
>worik.stan...@gmail.com 021-1680650, (03) 4821804
>   Aotearoa (New Zealand)
>  I voted for love



Re: httpd tls - what am i missing?

2015-03-26 Thread mxb
> On 25 mar 2015, at 23:44, Theodore Wynnychenko  wrote:
>
> Thank you for the suggestion.  I was not aware of "pound."

I’d rather go for relayd. Which is out of the box. No need to install “yet
another port and make sure it is up2date”.

//mxb



Re: Fund raising

2015-03-26 Thread Theo de Raadt
>I got a lot of shit on this list for suggesting that the OpenBSD project
>sell documentation collections (that are freely available elsewhere) as
>a method of raising funds for the project as CD rom sales dry up.
>
>A lot of shit on list and especially off list (one clown made up a gmail
>address especially to tell me to fuck off.  Way too much time some
>people have)
>
>Today I spent $US5 on an ebook containing tutorials for software  I am
>considering using.  By exercising my mouse I could have got it for free.
>
>I did not.
>
>So I am bringing this up again.  I do not want CDROMs.  I have been to
>the trouble of paying for one and insisting they do not post it, but it
>was a lot of bother.
>
>I would pay for a collection of release notes for each new release.
>
>I support this project and I would like to support Theo directly - as CD
>sales do.
>
>So once again (at the risk of infuriating idle clowns) I respectfully
>suggest that the project consider such a release beside and as well as
>CDROMs.
>
>I do realise that I am proposing a "good idea for some one else to do".
> I cannot lead such a task as I am a OpenBSD newbie.
>
>W
>
>PS For those who might care I bought "Backbone Tutorials" by Thomas
>Davis.  https://leanpub.com/backbonetutorials

The release CDs contain documentation in a file called X.Y/*/manXY.tgz,
where X.X and XX are the release numbers.

So you can already buy the documentation, in a way which has been a
historical success for OpenBSD. (As opposed to your idea, which has no
track record anywhere).



Getting errors during security(8) maintenance

2015-03-26 Thread Denis Lapshin
Some time ago I started getting errors after the nightly Security run:

What can the problem be?

Running security(8):

Checking root sh paths, umask values:
/etc/profile /root/.profile
The root path includes .
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 356.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 356.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 369.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 369.
Use of uninitialized value $home in -d at /usr/libexec/security line 386.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.

Thank you.

Denis



Dell R630 with PERC H730

2015-03-26 Thread Or Elimelech
Hello Misc

I am trying to install OpenBSD 5.6 on the above machine.

1. While using Lifecycle controller and deploy OS I get weird disk layout with
MSDos partition which cannot be removed.
2. While trying to init the raid myself through the raid controller and init
the raid 1 I see  in the disks while trying to install

Has anyone encountered this issue?

Thanks




Re: Dell R630 with PERC H730

2015-03-26 Thread Hrvoje Popovski
On 26.3.2015. 11:40, Or Elimelech wrote:
> Hello Misc
> 
> I am trying to install OpenBSD 5.6 on the above machine.
> 
> 1. While using Lifecycle controller and deploy OS I get weird disk layout with
> MSDos partition which cannot be removed.
> 2. While trying to init the raid myself through the raid controller and init
> the raid 1 I see  in the disks while trying to install
> 
> Has anyone encountered this issue?
> 
> Thanks
> 
> 


Hi,

wait for 5.7 or install current ...



Re: relayd crashes often

2015-03-26 Thread Felipe Scarel
On Thu, Mar 26, 2015 at 12:37 AM, Yonas Yanfa  wrote:
> On 15-03-24 03:26 AM, Claudio Jeker wrote:
>> On Mon, Mar 23, 2015 at 11:54:41PM -0400, Yonas Yanfa wrote:
>>> Hi,
>>>
>>> I'm running relayd/OpenBSD 5.6-stable on a KVM virtual machine. relayd
>>> always crashes within a few hours of restarting it, but works properly
>>> before that.
>>
>> I guess you are talking about reloading relayd (as in relayctl reload)...
>>
>
> Killing all relayd processes and then running relayd.
>
>
>>> When relayd stops working, sometimes the relayd process is up but
>>> `relayctl
>>> show summary` says that /var/run/relayd.sock doesn't exist. Other times
>>> none
>>> of the relayd processes are running.
>>>
>>
>> I hit similar issues and came up with the following diff against -current.
>> It may apply to 5.6 but did not test that at all. I'm not 100% sure about
>> the ca.c change since OpenSSL is a black box.
>>
>
> Thanks for the patches.
>
> Before I try to apply the patches, I think the issue might be caused by
> having too many CLOSE_WAIT connections. I seem to have 2,236 CLOSE_WAIT
> connections:
>
>
> $ netstat -n|grep CLOSE_WAIT|wc -l
> 2236
>
> And relayd seems to have 501 active connections:
>
> relay www, session 1806 (501 active), 0, xxx.xxx.xxx.xxx -> :0, hard timeout
>
>
> How can I get relayd to close these connections?
>
>
> Cheers,
> Yonas
>

I can confirm this has also been observed on my end, using relayd as a
forward ssl-inspecting proxy on amd64 hardware. Runs without issue for
a few hours, next time I look all the (ca|hfe|pfe) processes are gone,
only relays and the parent process remains. Killing all of them and
restarting the daemon "solves" the problem.



Re: make build errors on me (perl does not install properly)

2015-03-26 Thread Gregory Edigarov
OK, so if somebody is interested: h2ph is expecting files on its
command line, not something else. (That was an issue with a unix
socket that sneaked into /usr/include as the result of maybe a
power loss issue I had.) The system builds OK now.


the proposed patch, to eliminate the possibility of such problems in the 
future:


Index: Makefile.bsd-wrapper
===
RCS file: /cvs/src/gnu/usr.bin/perl/Makefile.bsd-wrapper,v
retrieving revision 1.99
diff -u -p -u -r1.99 Makefile.bsd-wrapper
--- Makefile.bsd-wrapper26 Nov 2014 18:27:21 -  1.99
+++ Makefile.bsd-wrapper26 Mar 2015 10:59:24 -
@@ -107,7 +107,7 @@ install: install.lib install.perl manins
-mkdir -p 
${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_ARCH}-openbsd

(cd ${DESTDIR}/usr/include; ${H2PH} \
-d 
${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_ARCH}-openbsd \

-   `find . -name '*.h'`; \
+   `find . -type f -name '*.h'`; \
pax -rw `find . -type l \! -name '*.h' | sed 's/^..//'` \
${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_ARCH}-openbsd)
-chmod -R a+rX ${DESTDIR}/usr/libdata/perl5
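
Review bot: the `-type f` added to the h2ph `find` also drops symbolic links named `*.h`, and the `pax` line that follows only copies links that are not named `*.h` (`find . -type l \! -name '*.h'`), so a header that is a symlink would now be picked up by neither command. If the goal is only to keep sockets, FIFOs and directories away from h2ph, `\( -type f -o -type l \) -name '*.h'` does that without changing what happens to linked headers. The backtick expansion is also still unquoted, so a name containing whitespace under /usr/include would be split into separate arguments.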




On 03/18/2015 02:02 PM, Gregory Edigarov wrote:

On 03/18/2015 12:04 PM, Gregory Edigarov wrote:

On 03/17/2015 08:44 PM, patrick keshishian wrote:

On 3/17/15, Gregory Edigarov  wrote:

On 03/16/2015 10:21 PM, Stuart Henderson wrote:

On 2015-03-16, Gregory Edigarov  wrote:

Hello,

I know I am re-asking the same question again, but what are the 
possible

reasons of such behaviour?
Obviously the system builds ok, but perl doesn't install correctly.
I need my system to be correctly built from sources because i am 
going
to make some experimental changes. (I am starting from the most 
fresh

binary snapshot available).

# env make clean obj build
[skip many correct lines]

I don't know if it's implicated in this problem, but don't run the
multiple targets on one line like that, run them separately or do
"make clean && make obj && make build".

Also check you don't have any bogus files in your checkout ("cvs
up -Pd -I \! -I obj -I CVS") and it's a good idea to clean /usr/obj
if you're having problems.

Hi, Stuart.

I've tried your advice.
did
# cvs up -Pd -I \! -I obj -I CVS

Just a WAG, do you possible have a (or a few) file(s) with
a sticky Tag? If you are working off head of the CVS tree
use a -APd to clear out any possible Tags.

--patrick
hmmm, no. It was a clean checkout from a server. so I don't think 
that's a case.

well, I've tried cvs up -APd - still the same result.



# rm -rf  /usr/obj/*
# env make clean && env make obj && env make build

and it again errors on me:

./tls.h -> ./tls.ph
./siphash.h -> ./siphash.ph
*** Error 1 in gnu/usr.bin/perl (Makefile.bsd-wrapper:112 'install')
*** Error 1 in gnu/usr.bin (:48 'realinstall')
*** Error 1 in gnu (:48 'realinstall')
*** Error 1 in . (:48 'realinstall')
*** Error 1 in /usr/src (Makefile:82 'build')
# make clean && make obj && make build

what could be the reason?
--
With best regards,
Gregory Edigarov




Re: Dell R630 with PERC H730

2015-03-26 Thread Or Elimelech
Will this solve the problem for sure?

Is it a known issue?

> On Mar 26, 2015, at 12:56 PM, Hrvoje Popovski  wrote:
> 
> On 26.3.2015. 11:40, Or Elimelech wrote:
>> Hello Misc
>> 
>> I am trying to install OpenBSD 5.6 on the above machine.
>> 
>> 1. While using Lifecycle controller and deploy OS I get weird disk layout 
>> with
>> MSDos partition which cannot be removed.
>> 2. While trying to init the raid myself through the raid controller and init
>> the raid 1 I see  in the disks while trying to install
>> 
>> Has anyone encountered this issue?
>> 
>> Thanks
>> 
>> 
> 
> 
> Hi,
> 
> wait for 5.7 or install current ...



Re: Getting errors during security(8) maintenance

2015-03-26 Thread Nick Holland
On 03/26/15 04:32, Denis Lapshin wrote:
> Some time ago I started getting errors after the nightly Security run:
> 
> What can the problem be?
> 
> Running security(8):
> 
> Checking root sh paths, umask values:
> /etc/profile /root/.profile
> The root path includes .

This would not be a bad thing to fix.

> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 356.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 356.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 369.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 369.
> Use of uninitialized value $home in -d at /usr/libexec/security line 386.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 406.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 406.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 406.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 406.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 406.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 406.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 406.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 406.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 406.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 406.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 434.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 434.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 434.
> Use of uninitialized value $home in concatenation (.) or string at 
> /usr/libexec/security line 434.

Stunning lack of information, but sounds like you botched an upgrade
somewhere.

Nick.



Re: Fund raising

2015-03-26 Thread Nick Holland
On 03/26/15 01:40, worik wrote:
...
> Today I spent $US5 on an ebook containing tutorials for software  I am
> considering using.  By exercising my mouse I could have got it for free.
> 
> I did not.
> 
> So I am bringing this up again.  I do not want CDROMs.  I have been to
> the trouble of paying for one and insisting they do not post it, but it
> was a lot of bother.
> 
> I would pay for a collection of release notes for each new release.
> 
> I support this project and I would like to support Theo directly - as CD
> sales do.
> 
> So once again (at the risk of infuriating idle clowns) I respectfully
> suggest that the project consider such a release beside and as well as
> CDROMs.
...

There's a major problem in the world...most people don't understand very
basic economics of running a business.

You are looking at it as $5 for something that costs nothing to
distribute -- so infinite profit margin ($5/$0), how can you go wrong?

Well...  composing such a document takes time.  Let's use the FAQ as an
example.  Well, it's rather short for a book, and realistically, if you
were to be expected to pay MONEY for it, it would have to be pretty
substantially reworked for better quality, better organization.  But
let's pretend that people would spend $5 for a neatened up version of
the FAQ in ebook format.

So, I quit my day job, and spend a month or so rewriting things.  No
major new content, just reorganizing and reworking what is there.
Understand that I love the OpenBSD project, a LOT of my income goes into
OpenBSD related expenses, and I'm glad and honored to do that, but I
really can't just quit getting income for a month without a huge hit to
the bank account.  So I'm going to need some pay.  It doesn't need to
meet my current job's income, but it would be nice if it were close AND
covers lots of taxes and costs that my employer pays.  Not only
that...when I'm done, I'll need to go get another job, as I suspect my
employer will fill my current position, so I'll have to find a job
elsewhere.  So, better add another month of pay to my costs.

Now, divide that cost by $5...can we sell that many copies of something
that can be got for free?  I doubt it.  And that's just to BREAK EVEN,
as if NOTHING ever happened.  To actually make it worth while, we would
have to sell many times that number of copies.

Oh, but wait! not done yet.  Now, we need a way to process $5 payments
fast and efficient enough so that the majority of the $5 actually goes
to the project, not to the time spent processing things.  And when
something goes wrong, customers will expect that someone answer the
phone or at least e-mail in a timely manner.

And every release, we need to do it all over again.

Realistically, the money that we get for this e-document is really just
an act of charity anyway.  Why not just give the project the money, and
not make us jump through hoops that cost lots of money and provide no
benefit to anyone?

Besides, the artwork and stickers in the CD sets are great.  Really.
I've been buying CDs since 2.6, and I look forward to getting every
single one.  And this is from someone who works with the project and
pays the same price everyone else does (and historically, usually got it
AFTER many of you guys are bragging about getting yours).

Nick.



Re: Dell R630 with PERC H730

2015-03-26 Thread Hrvoje Popovski
On 26.3.2015. 12:40, Or Elimelech wrote:
> Is this for sure will solve the problem?
> 
> Is it a known issue?

well, dell r630 is really new hardware and there were a few issues with
h330 and h730 at the beginning of 2015

you could try current just to see will you be able to install openbsd on
it...



Re: Dell R630 with PERC H730

2015-03-26 Thread Or Elimelech
Thanks mate, current works like a charm.


> On Mar 26, 2015, at 2:23 PM, Hrvoje Popovski  wrote:
> 
> On 26.3.2015. 12:40, Or Elimelech wrote:
>> Is this for sure will solve the problem?
>> 
>> Is it a known issue?
> 
> well, dell r630 is really new hardware and there was few issues with
> h330 and h730 at the beginning of 2015
> 
> you could try current just to see will you be able to install openbsd on
> it...



httpd cgi (5.6-stable)

2015-03-26 Thread Alexei Malinin
Hello.

I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on default 
/var/www but without success:

# cat /var/www/logs/httpd-access.log 
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:30:24 +0300] "GET / HTTP/1.1" 
200 376 "" "Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) Gecko/20100101 
Firefox/22.0"
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:30:24 +0300] "GET 
/favicon.ico HTTP/1.1" 404 0 "" "Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) 
Gecko/20100101 Firefox/22.0"
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:30:24 +0300] "GET 
/favicon.ico HTTP/1.1" 404 0 "" "Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) 
Gecko/20100101 Firefox/22.0"
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:30:27 +0300] "GET 
/cgi-bin/bgplg HTTP/1.1" 500 0 "" "Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) 
Gecko/20100101 Firefox/22.0"
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:31:22 +0300] "GET / HTTP/1.1" 
200 376 "" "Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) Gecko/20100101 
Firefox/22.0"
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:31:24 +0300] "GET 
/cgi-bin/bgplg HTTP/1.1" 500 0 "" "Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) 
Gecko/20100101 Firefox/22.0"
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:31:26 +0300] "GET 
/cgi-bin/bgplg HTTP/1.1" 500 0 "" "Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) 
Gecko/20100101 Firefox/22.0"


Please tell me what I'm doing wrong?


My environment:

# cat /etc/httpd.conf
#
# Macros
#
listen_address="10.0.0.1"

#
# Global Options
#
prefork 3
chroot "/var/www"

#
# Servers
#

# The HTTPS server
server "stats.example.com" {
log {   \
access "httpd-access.log"   \
error "httpd-errors.log"\
style combined  \
no syslog   \
}
listen on $listen_address port 80
location "/cgi-bin/*" {
fastcgi
root "/"
directory { \
no auto index   \
no index\
}
}
location "/*" {
root "/htdocs/bgplg"
directory { \
no auto index   \
index index.html\
}
}
}


# ps -axwwu | egrep "^USER|httpd" | fgrep -v grep
USER   PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED   TIME COMMAND
www  27370  0.0  0.0  1012  1716 ??  I  3:29PM0:00.02 httpd: logger 
(httpd)
www  18968  0.0  0.0   884  1620 ??  I  3:29PM0:00.01 httpd: server 
(httpd)
root  6872  0.0  0.0  1116  1892 ??  Is 3:29PM0:00.03 httpd: parent 
(httpd)
www   8008  0.0  0.0   884  1632 ??  I  3:29PM0:00.02 httpd: server 
(httpd)
www  22607  0.0  0.0   984  1832 ??  I  3:29PM0:00.02 httpd: server 
(httpd)


# cd /var/www
# # ls -laR .
total 1
drwxr-xr-x   9 root  daemon  512 Mar 23 14:08 .
drwxr-xr-x  29 root  wheel   512 Mar 26 15:26 ..
drwxr-xr-x   2 root  daemon  512 Aug  8  2014 bin
drwx-----T   2 www   daemon  512 Aug  8  2014 cache
drwxr-xr-x   2 root  daemon  512 Aug  8  2014 cgi-bin
drwxr-xr-x   2 root  daemon  512 Mar 13 18:21 conf
drwxr-xr-x   3 root  daemon  512 Jan 16 15:27 htdocs
drwxr-x---   2 root  www 512 Mar 13 16:29 logs
drwxr-xr-x   2 root  daemon  512 Aug  8  2014 run

./bin:
total 2
drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
----------  1 root  bin 259280 Aug  8  2014 bgpctl
----------  1 root  bin 210128 Aug  8  2014 ping
----------  1 root  bin 238800 Aug  8  2014 ping6
----------  1 root  bin 197840 Aug  8  2014 traceroute
----------  1 root  bin 197840 Aug  8  2014 traceroute6

./cache:
total 1
drwx-----T  2 www   daemon  512 Aug  8  2014 .
drwxr-xr-x  9 root  daemon  512 Mar 23 14:08 ..

./cgi-bin:
total 1
drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
----------  1 root  bin 144592 Aug  8  2014 bgplg

./conf:
total 1
drwxr-xr-x  2 root  daemon  512 Mar 13 18:21 .
drwxr-xr-x  9 root  daemon  512 Mar 23 14:08 ..
-rw-r--r--  1 root  wheel88 Aug  8  2014 bgplg.css
-rw-r--r--  1 root  wheel13 Aug  8  2014 bgplg.foot
-rw-r--r--  1 root  wheel   194 Aug  8  2014 bgplg.head

./htdocs:
total 1
drwxr-xr-x  3 root  daemon  512 Jan 16 15:27 .
drwxr-xr-x  9 root  daemon  512 Mar 23 14:08 ..
-r--r--r--  1 root  bin 537 Aug  8  2014 50x.html
drwxr-xr-x  2 root  wheel   512 Jan 16 15:27 bgplg

./htdocs/bgplg:
total 1
drwxr-xr-x  2 root  wheel 512 Jan 16 15:27 .
drwxr-xr-x  3 root  daemon512 Jan 16 15:27 ..
-rw-r--r--  1 root  wheel 376 Aug  8  2014 index.html
-rw-r--r--  1 root  wheel   75238 Aug  8  2014 openbgpd.gif

./logs:
total 1
drwxr-x---  2 root  www  512 Mar 13 16:29 .
drwxr-xr-x  9 root  daemon   512 Mar 23 14

Re: httpd tls - what am i missing?

2015-03-26 Thread Raf Czlonka
On Wed, Mar 25, 2015 at 05:40:11PM GMT, Theodore Wynnychenko wrote:

Hi Theodore,

> So, I checked the certificate:
> openssl x509 -text -noout -in /etc/ssl/server.crt
> 
> and I get:
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha256WithRSAEncryption
> 
> 
> All seems fine.

It may seem fine to you but most likely it isn't.

> I took the server.key and server.crt files to an older machine
> (actually, the one I am trying to replace) that is running 4.9 (I
> think) and apache.  Put the "new" certificate and key in the proper
> places, and was able to open an https connection to that machine, and
> was able to confirm that the new certificate was the one being
> presented and works.

That's probably where the problem lies - the key and/or the certificate.

I've just tested your configuration with a new key and cert and it works
absolutely fine.

Have you run any tests using 's_client'?

Regards,

Raf



Re: Getting errors during security(8) maintenance

2015-03-26 Thread Ingo Schwarze
Hi Andrew (or any other developer),

OK to commit the following fix?

Note that chomping after splitting is important because split
drops trailing empty fields.


Hi Denis,

Denis Lapshin wrote on Thu, Mar 26, 2015 at 11:33:16AM +0300:

> Some time ago I started getting errors after the nightly Security run:
> What can the problem be?

Your file /etc/passwd contains two incomplete entries.
Never edit it by hand.  Always use vipw(8) to change
user account information.

Please apply the following patch to the file /usr/libexec/security,
run "sh /etc/daily" (both as root) and report back whether the
error messages you get then make more sense to you.

After that, to repair the damage, run vipw(8), do some trivial
change - like adding a letter to the full name field of some entry
- and try to save and exit vipw(8).  If it works, great (and if you
want, revert the trivial change, using vipw(8) again).  If it denies
saving, your master.passwd(5) file is corrupt, too.  In that case,
choose "re-edit" and fix whatever problems it reports.

Btw., Nick is right that in general, you should note in problem reports
which version of OpenBSD you are running; it's mere luck that it doesn't
matter in the case at hand.

Yours,
  Ingo

> Use of uninitialized value $home in concatenation (.) or string
> at /usr/libexec/security line 356.


Index: security
===
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.32
diff -u -p -r1.32 security
--- security4 Dec 2014 00:07:21 -   1.32
+++ security26 Mar 2015 14:23:53 -
@@ -336,7 +336,16 @@ sub find_homes {
nag !(open my $fh, '<', $filename),
"open: $filename: $!"
and return [];
-   my $homes = [ map [ @{[split /:/]}[0,2,5] ], <$fh> ];
+   my $homes = [];
+   while (<$fh>) {
+   my $entry = [ @{[split /:/]}[0,2,5] ];
+   chomp;
+   nag !defined $entry->[2],
+   "Incomplete line \"$_\" in $filename."
+   and next;
+   chomp $entry->[2];
+   push @$homes, $entry;
+   }
close $fh;
return $homes;
 }
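
Review bot: the order `split`, then `chomp;`, then `chomp $entry->[2]` in the new loop is easy to break in a later cleanup, because nothing in the code says that the trailing newline is what keeps `split` from dropping empty trailing fields. Either add a one-line comment to that effect above the `split`, or chomp first and call `split /:/, $_, -1`, which keeps trailing empty fields explicitly and makes the second `chomp $entry->[2]` unnecessary. Separately, the nag text prints the whole line via `\"$_\"`; the login name and `$.` would identify the entry just as well.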

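The incomplete entries described in the message above can be located before the nightly run with a field check. This is an added example, not part of the thread and not code from security(8). The function names and the sample file are constructed, and it assumes the 7-field passwd(5) layout (name:password:uid:gid:gecos:home_dir:shell).

```shell
#!/bin/sh
# Added example: find passwd(5) lines that leave the home directory field
# undefined or empty, the condition behind the "uninitialized value $home"
# warnings. Assumes the 7-field passwd(5) layout, not master.passwd.
# YP compat entries ("+...") are not special-cased.

check_passwd_fields() {
    # $1: path to a passwd(5)-format file
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Report line number and login name only, never the whole line.
    awk -F: '
        function name() { return ($1 == "" ? "?" : $1) }
        NF != 7 {
            printf "line %d (%s): %d fields, expected 7\n", NR, name(), NF
            bad = 1; next
        }
        $6 == "" {
            printf "line %d (%s): empty home directory\n", NR, name()
            bad = 1; next
        }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf "line %d (%s): non-numeric uid or gid\n", NR, name()
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: two truncated entries and one with an empty home field.
write_sample() {
    cat > "$1" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
alice:*:1000:1000:Alice
bob:*:1001
carol:*:1002:1002:Carol::/bin/ksh
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_passwd_fields "$sample" || echo "repair the entries listed above with vipw(8)"
rm -f "$sample"
```

Run it against a copy of /etc/passwd; the function exits non-zero when any line is reported.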


Re: httpd cgi (5.6-stable)

2015-03-26 Thread Carlin Bingham
On Fri, 27 Mar 2015, at 01:50 AM, Alexei Malinin wrote:
> Hello.
> 
> I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on
> default /var/www but without success:
> 
> [...]
> 
> 
> Please tell me what I'm doing wrong?
> 
> [...]
>
> ./cgi-bin:
> total 1
> drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
> drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
> ----------  1 root  bin 144592 Aug  8  2014 bgplg
   

Check the man page for bgplg(8); you need to set the permissions to make
it executable.

--
Carlin

> 
> [...]
> 
> 
> --
> Alexei Malinin



Re: httpd cgi (5.6-stable)

2015-03-26 Thread Carlin Bingham
On Fri, 27 Mar 2015, at 05:41 AM, Alexei Malinin wrote:
> On 03/26/15 18:33, Carlin Bingham wrote:
> > On Fri, 27 Mar 2015, at 01:50 AM, Alexei Malinin wrote:
> >> Hello.
> >>
> >> I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on
> >> default /var/www but without success:
> >>
> >> [...]
> >>
> >>
> >> Please tell me what I'm doing wrong?
> >>
> >> [...]
> >>
> >> ./cgi-bin:
> >> total 1
> >> drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
> >> drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
> >> ----------  1 root  bin 144592 Aug  8  2014 bgplg
> >
> >
> > Check the man page for bgplg(8); you need to set the permissions to make
> > it executable.
> 
> I set the permissions to 0555 - result was the same as before.
> 
> 

Have you started slowcgi(8)?


-- 
Carlin



Re: httpd cgi (5.6-stable)

2015-03-26 Thread Alexei Malinin
On 03/26/15 18:33, Carlin Bingham wrote:
> On Fri, 27 Mar 2015, at 01:50 AM, Alexei Malinin wrote:
>> Hello.
>>
>> I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on
>> default /var/www but without success:
>>
>> [...]
>>
>>
>> Please tell me what I'm doing wrong?
>>
>> [...]
>>
>> ./cgi-bin:
>> total 1
>> drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
>> drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
>> ----------  1 root  bin 144592 Aug  8  2014 bgplg
>
>
> Check the man page for bgplg(8); you need to set the permissions to make
> it executable.

I set the permissions to 0555 - result was the same as before.


--
Alexei



Re: SNMP and PID file

2015-03-26 Thread Alex Naumov
# /etc/rc.d/snmpd restart
httpd2 (pid 29518) already running

# uname -a
OpenBSD name 5.2 GENERIC#278 i386

# ps aux | grep snmpd
root 23284  0.0  0.1   556   980 ??  IsWed04PM0:00.00
snmpd: parent (snmpd)
_snmpd   28300  0.0  0.1   676  1380 ??  I Wed04PM0:00.55
snmpd: snmp engine (snmpd)
root 23789  0.0  0.0   592 4 p0  R+ 6:06PM0:00.00 grep
snmpd (ksh)

# ls -la /var/run/
total 192
drwxr-xr-x   3 root  wheel512 Mar 25 16:59 .
drwxr-xr-x  25 root  wheel512 Mar 29  2014 ..
-rw-r--r--   1 root  wheel  6 Nov 13 08:17 cron.pid
-rw-r--r--   1 root  wheel  49152 Nov 13 08:17 dev.db
-rw-r--r--   1 root  wheel   9124 Nov 13 08:17 dmesg.boot
-rw-r--r--   1 root  wheel  5 Nov 13 08:17 inetd.pid
-r--r--r--   1 root  wheel  12460 Nov 13 08:17 ld.so.hints
drwxr-xr-x   2 root  wheel512 Nov 13 08:17 rc.d
-rw-------   1 root  wheel 70 Nov 13 08:17 sendmail.pid
srw-rw----   1 root  wheel  0 Mar 25 16:59 snmpd.sock
-rw-r--r--   1 root  wheel  5 Nov 13 08:17 sshd.pid
-rw-r--r--   1 root  wheel  6 Nov 13 08:17 syslog.pid
-rw-rw-r--   1 root  utmp7200 Mar 26 18:04 utmp



Please look at the first command's output. It looks like a bug or
something like this.
Of course I can find a pid and then kill this process, but...


On Wed, Mar 25, 2015 at 6:09 PM, Joshua Smith  wrote:
> /etc/rc.d/snmpd restart always worked
>
> for me to restart snmpd.
> On Wed, Mar 25, 2015 at 06:02:30PM +0100, Alex Naumov wrote:
>> Hello,
>>
>> I just want to ask about snmpd(8). As I can see, snmpd don't create
>> pid file in /var/run directory.
>> Is it correct?
>> How to reboot this daemon? There is just sock-file.
>>
>> Thank you,
>> Alex
>
> --
> Joshua Smith
>
> Montani Semper Liberi



L2TP using Npppd and IPsec

2015-03-26 Thread Predrag Punosevac
Hi Misc,

I need to provide secure access to a web application running on my
servers to a handful of typical desktop users. I am thinking of requiring
them to have an L2TP/IPSec VPN tunnel before they can browse my
application. HTTPS is not good enough due to the nature of the
application.

Why L2TP? I am not a Windows user but it seems that it should be trivial
to set up the client side

https://www.hideipvpn.com/2010/03/howto-windows-7-ipsecl2tp-vpn-setup-tutorial/
and avoid customer service requests. On the other hand, I am reading the man
pages for npppd and ipsec on 5.7 and Giovanni's slides from two years
ago

http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd

for the talk he gave at BSDCan IIRC. I don't need to use RADIUS just a
local authentication database. It is in the base and it seems very easy
to configure. 

Is anybody running a similar setup in production? Any caveats? Any other
advice before I take the plunge?

Predrag

P.S. I have quite a bit experience with OpenVPN server on OpenBSD but  
in my experience getting credentials to a Windows client is pain because
a typical user knows only to double click and I don't know now to
properly make Windows packages. 



Re: httpd cgi (5.6-stable) - solved

2015-03-26 Thread Alexei Malinin
On 03/26/15 19:55, Carlin Bingham wrote:
> On Fri, 27 Mar 2015, at 05:41 AM, Alexei Malinin wrote:
>> On 03/26/15 18:33, Carlin Bingham wrote:
>>> On Fri, 27 Mar 2015, at 01:50 AM, Alexei Malinin wrote:
>>>> Hello.
>>>>
>>>> I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on
>>>> default /var/www but without success:
>>>>
>>>> [...]
>>>>
>>>>
>>>> Please tell me what I'm doing wrong?
>>>>
>>>> [...]
>>>>
>>>> ./cgi-bin:
>>>> total 1
>>>> drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
>>>> drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
>>>> --  1 root  bin 144592 Aug  8  2014 bgplg
>>>
>>>
>>> Check the man page for bgplg(8); you need to set the permissions to make
>>> it executable.
>> I set the permissions to 0555 - result was the same as before.
> Have you started slowcgi(8)?

Thank you! Starting slowcgi resolved the problem.


PS. Patches for httpd(8) & httpd.conf(5):

--- httpd.conf.5.orig   Wed Jan 28 21:17:23 2015
+++ httpd.conf.5Thu Mar 26 20:09:03 2015
@@ -397,7 +397,8 @@
 include "/etc/nginx/mime.types"
 .Ed
 .Sh SEE ALSO
-.Xr httpd 8
+.Xr httpd 8 ,
+.Xr slowcgi 8
 .Sh AUTHORS
 .An -nosplit
 The
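Review bot: The only place this adds slowcgi(8) to httpd.conf.5 is the SEE ALSO list (`.Xr slowcgi 8` after `.Xr httpd 8 ,`), which a reader debugging a dead CGI script is unlikely to reach first. Consider also pointing to slowcgi(8) from the text that describes the fastcgi option, so the requirement to have it running is stated where the option is configured. The comma placement and section ordering of the two .Xr lines are fine as they stand.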
--- httpd.8.origWed Jan 28 21:17:23 2015
+++ httpd.8 Thu Mar 26 20:08:52 2015
@@ -81,7 +81,8 @@
 Default error log file.
 .El
 .Sh SEE ALSO
-.Xr httpd.conf 5
+.Xr httpd.conf 5 ,
+.Xr slowcgi 8
 .Sh HISTORY
 The
 .Nm
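Review bot: The file headers here (`--- httpd.8.orig` / `+++ httpd.8`) carry no directory and no Index: line, so whoever applies this has to know where in the tree to run patch(1). Generating the diff from the top of the source checkout would let both hunks apply without guessing. The SEE ALSO change itself keeps the section 5 entry before the section 8 entry, which is the expected order.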


--
Alexei



Re: SNMP and PID file

2015-03-26 Thread Joshua Smith
You are running a pretty old (> 2 years old) version of OpenBSD.
Perhaps it is a bug that has been fixed in a later release?


On Thu, Mar 26, 2015 at 06:11:37PM +0100, Alex Naumov wrote:
> # /etc/rc.d/snmpd restart
> httpd2 (pid 29518) already running
> 
> # uname -a
> OpenBSD name 5.2 GENERIC#278 i386
> 
> # ps aux | grep snmpd
> root 23284  0.0  0.1   556   980 ??  IsWed04PM0:00.00
> snmpd: parent (snmpd)
> _snmpd   28300  0.0  0.1   676  1380 ??  I Wed04PM0:00.55
> snmpd: snmp engine (snmpd)
> root 23789  0.0  0.0   592 4 p0  R+ 6:06PM0:00.00 grep
> snmpd (ksh)
> 
> # ls -la /var/run/
> total 192
> drwxr-xr-x   3 root  wheel512 Mar 25 16:59 .
> drwxr-xr-x  25 root  wheel512 Mar 29  2014 ..
> -rw-r--r--   1 root  wheel  6 Nov 13 08:17 cron.pid
> -rw-r--r--   1 root  wheel  49152 Nov 13 08:17 dev.db
> -rw-r--r--   1 root  wheel   9124 Nov 13 08:17 dmesg.boot
> -rw-r--r--   1 root  wheel  5 Nov 13 08:17 inetd.pid
> -r--r--r--   1 root  wheel  12460 Nov 13 08:17 ld.so.hints
> drwxr-xr-x   2 root  wheel512 Nov 13 08:17 rc.d
> -rw---   1 root  wheel 70 Nov 13 08:17 sendmail.pid
> srw-rw   1 root  wheel  0 Mar 25 16:59 snmpd.sock
> -rw-r--r--   1 root  wheel  5 Nov 13 08:17 sshd.pid
> -rw-r--r--   1 root  wheel  6 Nov 13 08:17 syslog.pid
> -rw-rw-r--   1 root  utmp7200 Mar 26 18:04 utmp
> 
> 
> 
> Please look at first command's output. It looks like a bug or
> something like this.
> Of course I can find a pid and than kill this process, but...
> 
> 
> On Wed, Mar 25, 2015 at 6:09 PM, Joshua Smith  wrote:
> > /etc/rc.d/snmpd restart always worked
> >
> > for me to restart snmpd.
> > On Wed, Mar 25, 2015 at 06:02:30PM +0100, Alex Naumov wrote:
> >> Hello,
> >>
> >> I just want to ask about snmpd(8). As I can see, snmpd don't create
> >> pid file in /var/run directory.
> >> Is it correct?
> >> How to reboot this daemon? There is just sock-file.
> >>
> >> Thank you,
> >> Alex
> >
> > --
> > Joshua Smith
> >
> > Montani Semper Liberi

-- 
Joshua Smith

Montani Semper Liberi



Change routes with multipath?

2015-03-26 Thread rizz2pro .
Hello everyone,

I hope I posted this in the right area, I don't usually join mailing lists
so I am still a bit of a noob.

Anyways, hoping someone could help me out. I am coming up empty on my
searches figuring this out.

If I have 2 default gateways configured with priorities, how would I modify
the priorities using "route change"? I would prefer not to have to delete
the route and re-add them.

$ sudo route add -mpath default 64.4.4.4 -priority 1
$ sudo route add -mpath default 129.2.2.2 -priority 15
$ sudo netstat -rn | grep default
~
# default   64.4.4.4   UGS3 3308 - 1 em0
# default129.2.2.2   UGS00 -15 em1

If I try to change priorities:

$ sudo route change -mpath default 129.2.2.2 -priority 1
~
# route: writing to routing socket: No such process
# change net default: gateway 129.2.2.2: not in table

Any hints as to how I can change priority on a default multipath route? I
would appreciate it greatly.

Thanks for reading.



Re: httpd tls - what am i missing?

2015-03-26 Thread Kevin Chadwick
On Thu, 26 Mar 2015 08:30:23 +0100
mxb wrote:

> >
> > Thank you for the suggestion.  I was not aware of "pound."  
> 
> I’d rather go for relayd. Which is out of the box. No need to install “yet
> another port and make sure it is up2date”.

httpd is based on relayd code which would reduce the scope of the test
(a cluestick).

>> When I try "https://10.0.128.67/index.html" - I get a nice message from
>> firefox asking me to accept a problem certificate (this was expected,
>> the certificate is the "correct" one), and when I do accept the
>> certificate, I get the index page.

>> So, I am not sure what is wrong, but it appears httpd is not responding
>> to https requests, even with the "listen on tls" line in the
>> configuration file.

>> Is there anything for me to look at/consider in trying to correct this?

I don't understand what you are saying by '"correct" one' but to me this
suggests you have issues even with pound and perhaps I would try
another browser or firefox on another client and try another
certificate perhaps from another CA or install a newer snapshot or
re-install a release before wondering if there is an issue with httpd
or libressl whilst monitoring the list to see if anyone else has an
issue?

Thankfully re-install on OpenBSD is super quick but you do have to
follow www.openbsd.org/current.html for snapshots and I think
www.openbsd.org/plus.html for release upgrades (4.5 -> 4.6 etc.)



Set PKG_PATH using Time Zone?

2015-03-26 Thread L.R. D.S.
It is really boring to write the package repository every time we install.
Why not set the repository using the Time Zone as a reference?
For example, if you set Japan as your zone, then run
export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/$(uname -r)/packages/$(uname -m)/



Re: httpd cgi (5.6-stable) - solved

2015-03-26 Thread Jason McIntyre
On Thu, Mar 26, 2015 at 08:12:27PM +0300, Alexei Malinin wrote:
> 
> PS. Patches for httpd(8) & httpd.conf(5):
> 

committed, thanks.
jmc

> --- httpd.conf.5.orig   Wed Jan 28 21:17:23 2015
> +++ httpd.conf.5Thu Mar 26 20:09:03 2015
> @@ -397,7 +397,8 @@
>  include "/etc/nginx/mime.types"
>  .Ed
>  .Sh SEE ALSO
> -.Xr httpd 8
> +.Xr httpd 8 ,
> +.Xr slowcgi 8
>  .Sh AUTHORS
>  .An -nosplit
>  The
> --- httpd.8.origWed Jan 28 21:17:23 2015
> +++ httpd.8 Thu Mar 26 20:08:52 2015
> @@ -81,7 +81,8 @@
>  Default error log file.
>  .El
>  .Sh SEE ALSO
> -.Xr httpd.conf 5
> +.Xr httpd.conf 5 ,
> +.Xr slowcgi 8
>  .Sh HISTORY
>  The
>  .Nm
> 
> 
> --
> Alexei



Re: Set PKG_PATH using Time Zone?

2015-03-26 Thread Joshua Smith
On Thu, Mar 26, 2015 at 06:55:50PM +, L.R. D.S. wrote:
> It is really boring to write the package repository every time we install.
> Why not set the repository using the Time Zone as a reference?
> For example, if you set Japan as your zone, then run
> export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/$(uname -r)/packages/$(uname -m)/

What about regions which contain multiple mirrors?

-- 
Joshua Smith

Montani Semper Liberi



Re: Set PKG_PATH using Time Zone?

2015-03-26 Thread Felipe Scarel
Routing from certain countries can also be funny sometimes (for
example, I'm pretty sure users in Peru would get better speeds
downloading from US servers rather than from Brazil, despite the
geographical proximity).

On Thu, Mar 26, 2015 at 4:18 PM, Joshua Smith  wrote:
> On Thu, Mar 26, 2015 at 06:55:50PM +, L.R. D.S. wrote:
>> It is really boring to write the package repository every time we install.
>> Why not set the repository using the Time Zone as a reference?
>> For example, if you set Japan as your zone, then run
>> export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/$(uname -r)/packages/$(uname -m)/
>
> What about regions which contain multiple mirrors?
>
> --
> Joshua Smith
>
> Montani Semper Liberi



Re: SNMP and PID file

2015-03-26 Thread Alex Naumov
It will be interesting to find information about this bug, if it's really a bug.
I can't update this system... but it will be interesting to figure out
why it happens ;)

On Thu, Mar 26, 2015 at 7:04 PM, Joshua Smith  wrote:
> You are running a pretty old (> 2 years old) version of OpenBSD.
> Perhaps it is a bug that has been fixed in a later release?
>
>
> On Thu, Mar 26, 2015 at 06:11:37PM +0100, Alex Naumov wrote:
>> # /etc/rc.d/snmpd restart
>> httpd2 (pid 29518) already running
>>
>> # uname -a
>> OpenBSD name 5.2 GENERIC#278 i386
>>
>> # ps aux | grep snmpd
>> root 23284  0.0  0.1   556   980 ??  IsWed04PM0:00.00
>> snmpd: parent (snmpd)
>> _snmpd   28300  0.0  0.1   676  1380 ??  I Wed04PM0:00.55
>> snmpd: snmp engine (snmpd)
>> root 23789  0.0  0.0   592 4 p0  R+ 6:06PM0:00.00 grep
>> snmpd (ksh)
>>
>> # ls -la /var/run/
>> total 192
>> drwxr-xr-x   3 root  wheel512 Mar 25 16:59 .
>> drwxr-xr-x  25 root  wheel512 Mar 29  2014 ..
>> -rw-r--r--   1 root  wheel  6 Nov 13 08:17 cron.pid
>> -rw-r--r--   1 root  wheel  49152 Nov 13 08:17 dev.db
>> -rw-r--r--   1 root  wheel   9124 Nov 13 08:17 dmesg.boot
>> -rw-r--r--   1 root  wheel  5 Nov 13 08:17 inetd.pid
>> -r--r--r--   1 root  wheel  12460 Nov 13 08:17 ld.so.hints
>> drwxr-xr-x   2 root  wheel512 Nov 13 08:17 rc.d
>> -rw---   1 root  wheel 70 Nov 13 08:17 sendmail.pid
>> srw-rw   1 root  wheel  0 Mar 25 16:59 snmpd.sock
>> -rw-r--r--   1 root  wheel  5 Nov 13 08:17 sshd.pid
>> -rw-r--r--   1 root  wheel  6 Nov 13 08:17 syslog.pid
>> -rw-rw-r--   1 root  utmp7200 Mar 26 18:04 utmp
>>
>>
>>
>> Please look at first command's output. It looks like a bug or
>> something like this.
>> Of course I can find a pid and than kill this process, but...
>>
>>
>> On Wed, Mar 25, 2015 at 6:09 PM, Joshua Smith  wrote:
>> > /etc/rc.d/snmpd restart always worked
>> >
>> > for me to restart snmpd.
>> > On Wed, Mar 25, 2015 at 06:02:30PM +0100, Alex Naumov wrote:
>> >> Hello,
>> >>
>> >> I just want to ask about snmpd(8). As I can see, snmpd don't create
>> >> pid file in /var/run directory.
>> >> Is it correct?
>> >> How to reboot this daemon? There is just sock-file.
>> >>
>> >> Thank you,
>> >> Alex
>> >
>> > --
>> > Joshua Smith
>> >
>> > Montani Semper Liberi
>
> --
> Joshua Smith
>
> Montani Semper Liberi



Re: Getting errors during security(8) maintenance

2015-03-26 Thread Andrew Fresh
On Thu, Mar 26, 2015 at 03:42:07PM +0100, Ingo Schwarze wrote:
> Hi Andrew (or any other developer),
> 
> OK to commit the following fix?
> 
> Note that chomping after splitting is important because split
> drops trailing empty fields.

A blank home_dir is valid?  I will defer to others on that but seems
surprising to me.

Although I haven't had time to apply the patch and try it, the
implementation looks sane given that above is as expected.

OK afresh1@ 


> Index: security
> ===
> RCS file: /cvs/src/libexec/security/security,v
> retrieving revision 1.32
> diff -u -p -r1.32 security
> --- security  4 Dec 2014 00:07:21 -   1.32
> +++ security  26 Mar 2015 14:23:53 -
> @@ -336,7 +336,16 @@ sub find_homes {
>   nag !(open my $fh, '<', $filename),
>   "open: $filename: $!"
>   and return [];
> - my $homes = [ map [ @{[split /:/]}[0,2,5] ], <$fh> ];
> + my $homes = [];
> + while (<$fh>) {
> + my $entry = [ @{[split /:/]}[0,2,5] ];
> + chomp;
> + nag !defined $entry->[2],
> + "Incomplete line \"$_\" in $filename."
> + and next;
> + chomp $entry->[2];
> + push @$homes, $entry;
> + }
>   close $fh;
>   return $homes;
>  }
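Review bot: The correctness of this loop depends on `split /:/` running before `chomp`, but nothing in the code says so; the explanation exists only in the mail text above the patch. A one-line comment beside the split would stop a later cleanup from moving the chomp up and dropping trailing empty fields again. Alternatively, chomp first and call `split /:/, $_, -1`, which keeps trailing empty fields and makes the second `chomp $entry->[2]` unnecessary.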

-- 
andrew - http://afresh1.com

Unix is very simple,
but it takes a genius to understand the simplicity.
  -- Dennis Ritchie



Leap seconds

2015-03-26 Thread
As you know, the leap second issue will occur on 29th June. I saw
articles on some Linux distro's web page. It looks like there is a bug in
the Linux kernel and it was affected in 2012.

I would like to ask, is there anything which I should do on my OpenBSD 5.6?

Sorry for my English



Re: Set PKG_PATH using Time Zone?

2015-03-26 Thread Dale Lindskog
On Thu, 26 Mar 2015, L.R. D.S. wrote:

> It is really boring to write the package repository every time we install.
> Why not set the repository using the Time Zone as a reference?
> For example, if you set Japan as your zone, then run
> export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/$(uname -r)/packages/$(uname -m)/

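#!/usr/bin/perl -w
use strict;

# Release and architecture, as used in the package path.
chomp( my( $uname_r, $uname_m ) = ( `uname -r`, `uname -m` ) );
# Zone name = last two path components of the /etc/localtime symlink target.
chomp( my $zone = join( '/', ( split('/', `ls -l /etc/localtime`) )[-2,-1] ) );

my %mirror = (
  "Canada/Mountain" => "ftp://ftp.openbsd.org/pub/OpenBSD",
  # okay, I'm bored now... hopefully "L.R. D.S." will help
);

# A zone with no entry would otherwise print a path with no mirror in front.
defined $mirror{$zone} or die "no mirror listed for zone $zone\n";
print "$mirror{$zone}/$uname_r/packages/$uname_m/";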



Re: Getting errors during security(8) maintenance

2015-03-26 Thread Ingo Schwarze
Hi Andrew,

Andrew Fresh wrote on Thu, Mar 26, 2015 at 01:12:39PM -0700:
> On Thu, Mar 26, 2015 at 03:42:07PM +0100, Ingo Schwarze wrote:

>> Hi Andrew (or any other developer),
>> 
>> OK to commit the following fix?
>> 
>> Note that chomping after splitting is important because split
>> drops trailing empty fields.

> A blank home_dir is valid?

Certainly not in general, but it does occur in the "+:*:0:0:::"
YP entry.

> I will defer to others on that but seems surprising to me.

In case we want security(8) to catch that, the right function
to do so would be check_passwd(), not find_homes().
But I would consider that a separate matter.

> Although I haven't had time to apply the patch and try it, the
> implementation looks sane given that above is as expected.
> 
> OK afresh1@ 

Thanks for checking!
  Ingo

>> Index: security
>> ===
>> RCS file: /cvs/src/libexec/security/security,v
>> retrieving revision 1.32
>> diff -u -p -r1.32 security
>> --- security 4 Dec 2014 00:07:21 -   1.32
>> +++ security 26 Mar 2015 14:23:53 -
>> @@ -336,7 +336,16 @@ sub find_homes {
>>  nag !(open my $fh, '<', $filename),
>>  "open: $filename: $!"
>>  and return [];
>> -my $homes = [ map [ @{[split /:/]}[0,2,5] ], <$fh> ];
>> +my $homes = [];
>> +while (<$fh>) {
>> +my $entry = [ @{[split /:/]}[0,2,5] ];
>> +chomp;
>> +nag !defined $entry->[2],
>> +"Incomplete line \"$_\" in $filename."
>> +and next;
>> +chomp $entry->[2];
>> +push @$homes, $entry;
>> +}
>>  close $fh;
>>  return $homes;
>>  }
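Review bot: `nag !defined $entry->[2]` rejects only a missing home field, so an entry whose home is the empty string (the "+:*:0:0:::" case named above) is still pushed onto @$homes. Callers of find_homes are not part of this hunk; it is worth confirming that none of them appends a file name to the home value without checking it first, since an empty home would turn that into a path directly under /. If skipping such entries here is not wanted, a short comment saying that empty homes are passed through deliberately would help.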



Re: httpd tls - what am i missing?

2015-03-26 Thread Theodore Wynnychenko

Quoting Kevin Chadwick :

> On Thu, 26 Mar 2015 08:30:23 +0100
> mxb wrote:
>
>> >
>> > Thank you for the suggestion.  I was not aware of "pound."
>>
>> I’d rather go for relayd. Which is out of the box. No need to install “yet
>> another port and make sure it is up2date”.
>
> httpd is based on relayd code which would reduce the scope of the test
> (a cluestick).
>
>>> When I try "https://10.0.128.67/index.html" - I get a nice message from
>>> firefox asking me to accept a problem certificate (this was expected,
>>> the certificate is the "correct" one), and when I do accept the
>>> certificate, I get the index page.
>
>>> So, I am not sure what is wrong, but it appears httpd is not responding
>>> to https requests, even with the "listen on tls" line in the
>>> configuration file.
>
>>> Is there anything for me to look at/consider in trying to correct this?
>
> I don't understand what you are saying by '"correct" one' but to me this
> suggests you have issues even with pound and perhaps I would try
> another browser or firefox on another client and try another
> certificate perhaps from another CA or install a newer snapshot or
> re-install a release before wondering if there is an issue with httpd
> or libressl whilst monitoring the list to see if anyone else has an
> issue?
>
> Thankfully re-install on OpenBSD is super quick but you do have to
> follow www.openbsd.org/current.html for snapshots and I think
> www.openbsd.org/plus.html for release upgrades (4.5 -> 4.6 etc.)
>

Hello:
I am sorry, I have been unable to try some of the suggestions today as
of yet.  I am a bit busy at work, and probably won't be able to look
at this until tomorrow.
However, I wanted to clarify my comment.
When I said "correct" one in regards to the certificate working with
https and pound, my comment was intended only to imply that any
"issues" were purposefully induced ones.

As I said, the new machine with the httpd issue is going to replace
another machine.  To make my life easy going forward, I installed a
certificate for the machine as it will be in the future, not as it is
now.
So, when firefox connects with https to the machine, it is connecting
to 10.0.128.67, but gets a certificate back saying 10.0.128.100; and
warns me of the inconsistency.  This is a completely expected issue,
and I do verify that the "10.0.128.100" certificate is being presented
from the "10.0.128.67" machine.

There was NO other problem using pound.  With pound, as well as a
https connection to the "old" machine with the "new" certificate, the
browser opens the https connection with no problems.  Also, as I noted
yesterday, the browser's hanging behavior stops the second after I kill
the httpd process.

I have also tried to connect with IE from a windows machine, and get
the same results (http is ok, https hangs).

I missed the "-d -v" flags for httpd (I feel a bit stupid, it's right
there in the man page), and was going to fire up httpd and see what
happens when the secure connection is initiated.  Hopefully, tomorrow.

Thanks
Ted



Re: Change routes with multipath?

2015-03-26 Thread Martin Pieuchot
On 26/03/15(Thu) 14:07, rizz2pro . wrote:
> Hello everyone,
> 
> I hope I posted this in the right area, I don't usually join mailing lists
> so I am still a bit of a noob.
> 
> Anyways, hoping someone could help me out. I am coming up empty on my
> searches figuring this out.
> 
> If I have 2 default gateways configured with priorities, how would I modify
> the priorities using "route change"? I would prefer not to have to delete
> the route and re-add them.
> 
> $ sudo route add -mpath default 64.4.4.4 -priority 1
> $ sudo route add -mpath default 129.2.2.2 -priority 15
> $ sudo netstat -rn | grep default
> ~
> # default   64.4.4.4   UGS3 3308 - 1 em0
> # default129.2.2.2   UGS00 -15 em1
> 
> If I try to change priorities:
> 
> $ sudo route change -mpath default 129.2.2.2 -priority 1
> ~
> # route: writing to routing socket: No such process
> # change net default: gateway 129.2.2.2: not in table
> 
> Any hints as to how I can change priority on a default multipath route? I
> would appreciate it greatly.

Does it work with "-priority 2"?  The number "1" is special and reserved
for routes representing local (your own) addresses.  I just realized
that this is not (and should be) documented.



Re: Fund raising

2015-03-26 Thread jungle Boogie
On 26 March 2015 at 05:20, Nick Holland  wrote:
> Realistically, the money that we get for this e-document is really just
> an act of charity anyway.  Why not just give the project the money, and
> not make us jump through hoops that cost lots of money and provide no
> benefit to anyone?
>

Yes, donate on release day. I plan to do that in May and then in
November. I'll probably donate again for the use of openntpd, openssh,
libressl and all the other small wonderful projects everyone forgets
about.

> Besides, the artwork and stickers in the CD sets are great.  Really.
> I've been buying CDs since 2.6, and I look forward to getting every
> single one.  And this is from someone who works with the project and
> pays the same price everyone else does (and historically, usually got it
> AFTER many of you guys are bragging about getting yours).

The artwork and songs are great! I've annoyed my family by playing
almost all the songs on more than one occasion. I can't say I'll buy
the CD set but I ordered the 5.7 poster the moment I found out it was
available. I'll get the 5.7, if it's made.

I'm actually wearing an openbsd shirt now with an openssh poster
behind me on the wall.

What's the URL to the legacy store? I want to see what remains in
their inventory.

-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si



Re: httpd tls - what am i missing?

2015-03-26 Thread Ruslanas Gžibovskis
Also I would try something like tcpdump while connecting to a new machine
with https.

On Thu, 26 Mar 2015 23:55 Theodore Wynnychenko  wrote:

> Quoting Kevin Chadwick :
>
> > On Thu, 26 Mar 2015 08:30:23 +0100
> > mxb wrote:
> >
> >> >
> >> > Thank you for the suggestion.  I was not aware of "pound."
> >>
> >> I’d rather go for relayd. Which is out of the box. No need to install “yet
> >> another port and make sure it is up2date”.
> >
> > httpd is based on relayd code which would reduce the scope of the test
> > (a cluestick).
> >
> >>> When I try "https://10.0.128.67/index.html" - I get a nice message from
> >>> firefox asking me to accept a problem certificate (this was expected,
> >>> the certificate is the "correct" one), and when I do accept the
> >>> certificate, I get the index page.
> >
> >>> So, I am not sure what is wrong, but it appears httpd is not responding
> >>> to https requests, even with the "listen on tls" line in the
> >>> configuration file.
> >
> >>> Is there anything for me to look at/consider in trying to correct this?
> >
> > I don't understand what you are saying by '"correct" one' but to me this
> > suggests you have issues even with pound and perhaps I would try
> > another browser or firefox on another client and try another
> > certificate perhaps from another CA or install a newer snapshot or
> > re-install a release before wondering if there is an issue with httpd
> > or libressl whilst monitoring the list to see if anyone else has an
> > issue?
> >
> > Thankfully re-install on OpenBSD is super quick but you do have to
> > follow www.openbsd.org/current.html for snapshots and I think
> > www.openbsd.org/plus.html for release upgrades (4.5 -> 4.6 etc.)
> >
> >
>
> Hello:
> I am sorry, I have been unable to try some of the suggestions today as
> of yet.  I am a bit busy at work, and probably won't be able to look
> at this until tomorrow.
> However, I wanted to clarify my comment.
> When I said "correct" one in regards to the certificate working with
> https and pound, my comment was intended only to imply that any
> "issues" were purposefully induced ones.
>
> As I said, the new machine with the httpd issue is going to replace
> another machine.  To make my life easy going forward, I installed a
> certificate for the machine as it will be in the future, not as it is
> now.
> So, when firefox connects with https to the machine, it is connecting
> to 10.0.128.67, but gets a certificate back saying 10.0.128.100; and
> warns me of the inconsistency.  This is a completely expected issue,
> and I do verify that the "10.0.128.100" certificate is being presented
> from the "10.0.128.67" machine.
>
> There was NO other problem using pound.  With pound, as well as a
> https connection to the "old" machine with the "new" certificate, the
> browser opens the https connection with no problems.  Also, as I noted
> yesterday, the browser's hanging behavior stops the second after I kill
> the httpd process.
>
> I have also tried to connect with IE from a windows machine, and get
> the same results (http is ok, https hangs).
>
> I missed the "-d -v" flags for httpd (I feel a bit stupid, it's right
> there in the man page), and was going to fire up httpd and see what
> happens when the secure connection is initiated.  Hopefully, tomorrow.
>
> Thanks
> Ted



Re: Set PKG_PATH using Time Zone?

2015-03-26 Thread Sean Kamath
On Mar 26, 2015, at 1:39 PM, Dale Lindskog  wrote:

> On Thu, 26 Mar 2015, L.R. D.S. wrote:
> 
>> It is really boring to write the package repository every time we install.
>> Why not set the repository using the Time Zone as a reference?
>> For example, if you set Japan as your zone, then run
>> export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/$(uname -r)/packages/$(uname -m)/
> 
> #!/usr/bin/perl -w
> use strict;
> 
> chomp( my( $uname_r, $uname_m ) = ( `uname -r`, `uname -m` ) );
> chomp( my $zone = join( '/', ( split('/', `ls -l /etc/localtime`) )[-2,-1] ) );
> 
> my %mirror = (
>  "Canada/Mountain" => "ftp://ftp.openbsd.org/pub/OpenBSD",
>  # okay, I'm bored now... hopefully "L.R. D.S." will help
> );
> 
> print "$mirror{$zone}/$uname_r/packages/$uname_m/";
> 

Why not go whole hog and traceroute -I  and see which is faster? :-P

BTW: ftp5.usa.openbsd.org seems to not be responding on HTTP, so I dropped them 
a note.  But then I found sonic has a mirror, that, though geographically 
further, is about 1/2 a ms faster (and two fewer hops).  So, it's not just 
going to other countries where this happens.

Sean



Gource

2015-03-26 Thread R0me0 ***
http://www.echothrust.com/blogs/monitoring-pf-logs-gource



Re: httpd tls - what am i missing?

2015-03-26 Thread Edgar Pettijohn III
Are the certificate and key PEM encoded?



Re: relayd crashes often

2015-03-26 Thread Yonas Yanfa

On 15-03-26 07:26 AM, Felipe Scarel wrote:

On Thu, Mar 26, 2015 at 12:37 AM, Yonas Yanfa  wrote:

On 15-03-24 03:26 AM, Claudio Jeker wrote:

On Mon, Mar 23, 2015 at 11:54:41PM -0400, Yonas Yanfa wrote:

Hi,

I'm running relayd/OpenBSD 5.6-stable on a KVM virtual machine. relayd
always crashes within a few hours of restarting it, but works properly
before that.


I guess you are talking about reloading relayd (as in relayctl reload)...



Killing all relayd processes and then running relayd.



When relayd stops working, sometimes the relayd process is up but
`relayctl
show summary` says that /var/run/relayd.sock doesn't exist. Other times
none
of the relayd processes are running.



I hit similar issues and came up with the following diff against -current.
It may apply to 5.6 but did not test that at all. I'm not 100% sure about
the ca.c change since OpenSSL is a black box.



Thanks for the patches.

Before I try to apply the patches, I think the issue might be caused by
having too many CLOSE_WAIT connections. I seem to have 2,236 CLOSE_WAIT
connections:


$ netstat -n|grep CLOSE_WAIT|wc -l
 2236

And relayd seems to have 501 active connections:

relay www, session 1806 (501 active), 0, xxx.xxx.xxx.xxx -> :0, hard timeout


How can I get relayd to close these connections?


Cheers,
Yonas



I can confirm this has also been observed on my end, using relayd as a
forward ssl-inspecting proxy on amd64 hardware. Runs without issue for
a few hours, next time I look all the (ca|hfe|pfe) processes are gone,
only relays and the parent process remains. Killing all of them and
restarting the daemon "solves" the problem.




From what I understand, relayd is supposed to send an ACK packet when
the connection is in the CLOSE_WAIT state. There must be a bug in relayd
that prevents this from happening.


If this happened, the connection would be in LAST_ACK instead of
CLOSE_WAIT. The connection could also be closed on receiving the
following ACK.



Yonas
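
The `netstat -n | grep CLOSE_WAIT | wc -l` count quoted in this message gives one total; the sketch below, an added example that is not from the thread or from relayd, breaks the same output down by TCP state and by local endpoint so the listener that is collecting CLOSE_WAIT sockets stands out. The function names, the limit value and the sample connection table are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example: summarise `netstat -n` output by TCP state and list the
# local endpoints that hold many CLOSE_WAIT sockets. A socket stays in
# CLOSE_WAIT after the peer has sent its FIN and until the local process
# closes its end, so a growing count points at the process that owns it.

# tcp_state_summary: stdin = netstat -n output, stdout = "STATE COUNT" lines.
tcp_state_summary() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# close_wait_over LIMIT: stdin = netstat -n output, stdout = "LOCAL COUNT"
# for every local address.port holding more than LIMIT CLOSE_WAIT sockets.
close_wait_over() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $6 == "CLOSE_WAIT" { n[$4]++ }
        END { for (a in n) if (n[a] > limit) print a, n[a] }' | sort
}

# Constructed sample in BSD netstat layout (address.port), using
# documentation address ranges only.
sample_netstat() {
    cat <<'EOF'
Active Internet connections
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.443         198.51.100.7.51234     CLOSE_WAIT
tcp          0      0  192.0.2.10.443         198.51.100.8.40022     CLOSE_WAIT
tcp          0      0  192.0.2.10.443         198.51.100.9.40100     ESTABLISHED
tcp          0      0  192.0.2.10.80          198.51.100.7.51300     CLOSE_WAIT
tcp          0      0  192.0.2.10.22          203.0.113.5.60000      ESTABLISHED
tcp          0      0  192.0.2.10.80          198.51.100.12.33000    TIME_WAIT
udp          0      0  192.0.2.10.123         *.*
EOF
}

sample_netstat | tcp_state_summary
sample_netstat | close_wait_over 1
```

On a live system the same functions read from `netstat -n` directly, for example `netstat -n | close_wait_over 100`.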



Re: Getting errors during security(8) maintenance

2015-03-26 Thread Denis Lapshin

I forgot to say, this happens on OpenBSD 5.4.

No changes had been made to the system before this. No upgrade etc.

Please ask for more information if it helps.

What do I have to check to fix this?

Thanks

Denis

On 26.03.2015 14:40, Nick Holland wrote:

On 03/26/15 04:32, Denis Lapshin wrote:

Some time ago I started getting errors after the nightly security run:

What can the problem be?

Running security(8):

Checking root sh paths, umask values:
/etc/profile /root/.profile
The root path includes .

This would not be a bad thing to fix.


Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 356.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 356.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 369.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 369.
Use of uninitialized value $home in -d at /usr/libexec/security line 386.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.

Stunning lack of information, but sounds like you botched an upgrade
somewhere.

Nick.



--
Denis Lapshin
mailto: den...@mindall.org
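
The fix discussed elsewhere in this thread depends on whether the passwd(5)-format line is split on ":" before or after its newline is removed. The following is an added example, not code from security(8): it emulates in awk the Perl rule that split without a LIMIT drops trailing empty fields, and reports for constructed lines whether field index 5 (the home directory) comes out defined under each ordering. The function names and sample entries are made up here, and every input line is assumed to end in a newline.

```shell
#!/bin/sh
# home_field_by_order: stdin = passwd(5)-format lines.
# For each line, report whether field index 5 (home_dir) is defined when
#   split-first : the line is split on ":" with the newline still attached
#   chomp-first : the newline is stripped, then the line is split
# awk keeps trailing empty fields, so the Perl behaviour is reproduced by
# trimming them by hand for the chomp-first case.
home_field_by_order() {
    awk -F: '
    {
        # chomp-first: trailing empty fields vanish before indexing.
        kept = NF
        while (kept > 0 && $kept == "") kept--
        chomp_first = (kept >= 6) ? "defined" : "undef"

        # split-first: the last field still ends in "\n", so it is never
        # empty and every field survives.
        split_first = (NF >= 6) ? "defined" : "undef"

        printf "%d %s split-first=%s chomp-first=%s\n", NR, $1, split_first, chomp_first
    }'
}

# Constructed sample entries (not taken from any real system).
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
+:*:0:0:::
+
broken:*:1001:1001:No home field
EOF
}

sample_passwd | home_field_by_order
```

Line 3, the YP entry, is the only one where the two orderings disagree; lines 4 and 5 have no home field under either ordering.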



Re: httpd tls - what am i missing?

2015-03-26 Thread Theodore Wynnychenko
> On Thu, 26 Mar 2015 08:30:23 +0100
> mxb wrote:
>
>> >
>> > Thank you for the suggestion.  I was not aware of "pound."
>>
>> I’d rather go for relayd. Which is out of the box. No need to install “yet
>> another port and make sure it is up2date”.
>
> httpd is based on relayd code which would reduce the scope of the test
> (a cluestick).
>
>>> When I try "https://10.0.128.67/index.html" - I get a nice message from
>>> firefox asking me to accept a problem certificate (this was expected,
>>> the certificate is the "correct" one), and when I do accept the
>>> certificate, I get the index page.
>
>>> So, I am not sure what is wrong, but it appears httpd is not responding
>>> to https requests, even with the "listen on tls" line in the
>>> configuration file.
>
>>> Is there anything for me to look at/consider in trying to correct this?
>
> I don't understand what you are saying by '"correct" one' but to me this
> suggests you have issues even with pound and perhaps I would try
> another browser or firefox on another client and try another
> certificate perhaps from another CA or install a newer snapshot or
> re-install a release before wondering if there is an issue with httpd
> or libressl whilst monitoring the list to see if anyone else has an
> issue?
>
> Thankfully re-install on OpenBSD is super quick but you do have to
> follow www.openbsd.org/current.html for snapshots and I think
> www.openbsd.org/plus.html for release upgrades (4.5 -> 4.6 etc.)
>
>

Hello:

I started httpd as:  httpd -d -v -v -v -v -v -v -v
And I see:

startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_tls_load_keypair: using certificate /etc/ssl/server.crt
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
server_launch: running server default
server_launch: running server default
server_launch: running server default

but, if I try to connect using https, there is no output on the terminal 
indicating that httpd is doing anything at all.
Ctrl-c to kill the server gives:

^C
logger exiting, pid 28447
server exiting, pid 23445
server exiting, pid 20653
server exiting, pid 12690
parent terminating, pid 29581


So, it seems that httpd does, in fact, see the cert and key, but does nothing 
with them.
(the cert is PEM encoded)

So, I also tried:

openssl s_server -accept 443 -www -cert /etc/ssl/server.crt -key 
/etc/ssl/private/server.key

and then connected to the machine with a browser.

This connection works without an issue.

The output to the browser from openssl s_server is:


s_server -accept 443 -www -cert /etc/ssl/server.crt -key 
/etc/ssl/private/server.key 
Secure Renegotiation IS supported
Ciphers supported in s_server binary
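
The message above reports that httpd loads its key pair yet logs nothing when a browser connects over https. As an added example (not code from this thread or from the OpenBSD project), the probe below separates "nothing bound to the port" from "something answers but does not speak TLS" from "the handshake completes"; `probe_tls` and `start_plain_listener` are hypothetical names, and the local listener is a constructed stand-in for a daemon serving plain HTTP.

```python
import socket
import ssl
import threading

def probe_tls(host, port, timeout=3.0):
    """Return (state, detail) describing what answers on host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "nothing is listening on this address and port")
    except socket.timeout:
        return ("filtered", "no reply to the TCP connect (dropped or host down)")
    except OSError as exc:
        return ("error", str(exc))
    # Verification is off on purpose: the only question is whether the
    # listener speaks TLS, and the certificate in the thread is self-signed.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw) as tls:
            return ("tls-ok", tls.version())
    except socket.timeout:
        return ("no-handshake", "TCP accepted, but no TLS reply arrived")
    except (ssl.SSLError, ConnectionError) as exc:
        return ("not-tls", str(exc))
    finally:
        raw.close()  # no-op if wrap_socket already took over the descriptor

def start_plain_listener():
    """Constructed stand-in for a daemon serving plain HTTP; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        conn.recv(4096)  # swallow the ClientHello
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Plain-text listener: the probe reports that the port is not speaking TLS.
    print(probe_tls("127.0.0.1", start_plain_listener()))
```

A "refused" result on the TLS port while the plain port answers points at the listen configuration rather than at the certificate or key.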

Re: Fund raising

2015-03-26 Thread Theo de Raadt
>I'm actually wearing an openbsd shirt now with an openssh poster
>behind me on the wall.
>
>What's the URL to the legacy store? I want to see what remains in
>their inventory.

Note:

Recent difficulties have resulted in zero (Z E R O) of the proceeds
from Austin's shop going towards OpenBSD.  And it may have been
happening for a while before that.

(history repeats itself)