Re: OpenIKED and Windows 10 Client
As I stated before, I did all the cert installing for the local machine store. I will try to create some more certs with different "names" just to see if this makes a difference. I might be wrong what the real FQDN is, or better, what Windows believes it should be :)

regards

Markus

On 12.04.2017 at 17:21, Bobby Johnson wrote:
> If you're doing pure certificate auth, not eap I think you need both
> certs. They do need to be installed under the local computer account.
> Install the CA cert in the trusted root CA store, put the machine cert in
> the personal store. I also think it may be necessary to put the full
> asn1_dn of the server and client certs in the src_id and dst_id lines of
> the iked config.
>
> On Wed, Apr 12, 2017 at 6:45 AM, Stuart Henderson wrote:
>> On 2017-04-12, Markus Rosjat wrote:
>>> On 12.04.2017 at 11:49, Martijn van Duren wrote:
>>>> On 04/12/17 11:42, Stuart Henderson wrote:
>>>>> On 2017-04-11, Markus Rosjat wrote:
>>>>>> I think the problem is with the Windows side because it tells me
>>>>>> there is no certificate to be found. I added the certificate to
>>>>>> local machine store -> own certificates (at least in the German UI
>>>>>> there is no personal folder)
>>>>>
>>>>> I think you're adding this cert to the wrong one of the many cert
>>>>> stores on Windows. It worked for me in trusted CAs, though there may
>>>>> be a better option that also works.
>>>>
>>>> One thing that also bit me was that I had to put them in the
>>>> system-wide store and not in the personal store.
>>>
>>> well I put the CA certs in the trusted CA folder and the cert for the
>>> machine in "Eigene Zertifikate" in the local machine store
>>>
>>> it seems to be a problem on the Windows side though
>>
>> You only want the CA certificate, not the machine certificate.

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this e-mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: Free firmware for AR9285
On Wed, Apr 12, 2017 at 06:14:36PM -0400, thinkpad-e535-user wrote:
> I'm wondering why does Atheros AR9285 need binary firmware on OpenBSD?
> According to this wikipedia article [1] it works on Linux and FreeBSD
> with some free firmware. Is that in theory possible for OpenBSD to use
> it too?
>
> [1] https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers
>

I would like this, too.

Please send a working diff to ports@ which makes the sysutils/firmware/athn compile this source code into a package for fw_update(1). Unfortunately this firmware cannot be included in the base system because the source contains GPL components.

I have already looked at this firmware code a bit. Using this firmware would be great. It seems there even is a possibility of getting a serial console on the USB device which would be awesome for debugging.

I suspect our driver will require some changes to work with this firmware (e.g. some command codes seem to have changed in the open version vs the version we currently use). I will take a stab at the driver parts if somebody else deals with the firmware package. Deal?
Re: OpenIKED and Windows 10 Client
just to be clear, I don't need to install the client cert on the OpenBSD machine?

And since this is eating up my time I might switch back to ikev1 and isakmpd. At least there I know I get it done

regards

markus

On 13.04.2017 at 10:13, Markus Rosjat wrote:
> As I stated before, I did all the cert installing for the local machine
> store. I will try to create some more certs with different "names" just to
> see if this makes a difference. I might be wrong what the real FQDN is, or
> better, what Windows believes it should be :)
Re: Free firmware for AR9285
On Thu, Apr 13, 2017 at 11:08:56AM +0200, Stefan Sperling wrote:
> On Wed, Apr 12, 2017 at 06:14:36PM -0400, thinkpad-e535-user wrote:
> > I'm wondering why does Atheros AR9285 need binary firmware on OpenBSD?
> > According to this wikipedia article [1] it works on Linux and FreeBSD
> > with some free firmware. Is that in theory possible for OpenBSD to use
> > it too?
> >
> > [1] https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers
> >
>
> I would like this, too.
>
> Please send a working diff to ports@ which makes the sysutils/firmware/athn
> compile this source code into a package for fw_update(1).
> Unfortunately this firmware cannot be included in the base system because
> the source contains GPL components.
>
> I have already looked at this firmware code a bit. Using this firmware
> would be great. It seems there even is a possibility of getting a serial
> console on the USB device which would be awesome for debugging.
>
> I suspect our driver will require some changes to work with this
> firmware (e.g. some command codes seem to have changed in the open
> version vs the version we currently use). I will take a stab at the
> driver parts if somebody else deals with the firmware package. Deal?

And in case this wasn't clear, note that athn firmware is needed for USB devices only! The PCI devices supported by our athn(4) driver do not require firmware.

Direct URL to firmware code: https://github.com/qca/open-ath9k-htc-firmware
Re: Free firmware for AR9285
> And in case this wasn't clear, note that athn firmware is needed for USB
> devices only! The PCI devices supported by our athn(4) driver do not
> require firmware.

Ah, yes, the athn(4) man page states it pretty clearly. I'm sorry.
Re: OpenBSD as a non-routing access point
On 2017-04-12, Jordon wrote:
> When one buys a linksys/netgear/whatever “Wireless Access Point”, it is
> often intended to be a full Internet gateway (router, NAT, DHCP, etc) that
> also does wifi.

Those tend to get called "router" or "wireless gateway" or similar, AP usually denotes something which only bridges.

> I am guessing that OpenBSD does not forward broadcasts over a
> bridged connection.

Nope.. IPv4 relies on broadcasts for ARP, those are required.
Re: OpenBSD as a non-routing access point
On 2017-04-12, trondd wrote:
>
> I have this problem as well. DHCP requests go out over the bridge to the
> main interface. The response comes back to the main interface but never
> goes to the bridge.
>
> I'm trying to use vmm VMs on a bridge. I've tried set skip on {bridge
> tap}, and pass quick on {egress bridge tap} proto {tcp udp} from any to
> any port {67 68}
> Also disabling pf altogether.

Bridging vmm to wired or wifi?

Bridging to wifi requires hostap (or WDS, or L2 NAT, neither of which we support).
Re: DHCP over bridge(4) was: OpenBSD as a non-routing access point
On Thu, April 13, 2017 9:00 am, Stuart Henderson wrote:
> On 2017-04-12, trondd wrote:
>>
>> I have this problem as well. DHCP requests go out over the bridge to
>> the main interface. The response comes back to the main interface but never
>> goes to the bridge.
>>
>> I'm trying to use vmm VMs on a bridge. I've tried set skip on {bridge
>> tap}, and pass quick on {egress bridge tap} proto {tcp udp} from any to
>> any port {67 68}
>> Also disabling pf altogether.
>
> Bridging vmm to wired or wifi?
>
> Bridging to wifi requires hostap (or WDS, or L2 NAT, neither of which we
> support).
>

Wired. An em NIC and tap and bridge set up by vmm.
upgrading on vultr.com: make sure to select the bsd.mp set
Upgrading a couple of virtual machines hosted at vultr.com from 6.0 to 6.1 just now, we were a bit surprised that after the upgrade the system booted the 6.0 bsd kernel, and of course during startup pfctl gave an error message that I correctly assumed came from kernel/userland mismatch.

The fix was actually quite simple: the installer does not select the bsd.mp kernel automatically, but do select it. Then it will get installed and the system will boot the correct mp kernel.

I'm sure we can supply more detail if needed.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: upgrading on vultr.com: make sure to select the bsd.mp set
On Thu, Apr 13, 2017 at 04:32:25PM +0200, Peter N. M. Hansteen wrote:
> Upgrading a couple of virtual machines hosted at vultr.com from 6.0 to
> 6.1 just now, we were a bit surprised that after the upgrade the system
> booted the 6.0 bsd kernel, and of course during startup pfctl gave an
> error message that I correctly assumed came from kernel/userland mismatch.
>
> The fix was actually quite simple: the installer does not select the
> bsd.mp kernel automatically, but do select it. Then it will get
> installed and the system will boot the correct mp kernel.
>
> I'm sure we can supply more detail if needed.
>
> - Peter

Linux KVM host? IIRC I have seen the same and it depends how you define CPU for a VM, i.e. sockets/cores.

j.
Re: DHCP over bridge(4) was: OpenBSD as a non-routing access point
Works for me.

bridge0: tap0 tap1 em0 vether0

Important: em0 (link to LAN) must not be configured with an IP address. If you need an address for your host, use vether0.
Re: OpenIKED and Windows 10 Client
Just the CA and server cert need to be installed on the OpenBSD side.

On Thu, Apr 13, 2017 at 3:10 AM, Markus Rosjat wrote:
> just to be clear, I don't need to install the client cert on the OpenBSD
> machine?
>
> And since this is eating up my time I might switch back to ikev1 and
> isakmpd. At least there I know I get it done
>
> regards
>
> markus
Re: upgrading on vultr.com: make sure to select the bsd.mp set
On 2017-04-13, Peter N. M. Hansteen wrote:
> Upgrading a couple of virtual machines hosted at vultr.com from 6.0 to
> 6.1 just now, we were a bit surprised that after the upgrade the system
> booted the 6.0 bsd kernel, and of course during startup pfctl gave an
> error message that I correctly assumed came from kernel/userland mismatch.
>
> The fix was actually quite simple: the installer does not select the
> bsd.mp kernel automatically, but do select it. Then it will get
> installed and the system will boot the correct mp kernel.
>
> I'm sure we can supply more detail if needed.
>
> - Peter
>

dmesg from the install kernel would be handy. If you're lucky you might still have it sitting in the dmesg buffer after a reboot.
OpenBSD 6.1/httpd SNI and acme-client
Hi,

Sorry for spam, but I just wanted to share a pointer on how I have set up httpd/SNI in OpenBSD 6.1 to work with HTTPS redirect and acme-client. I used the following httpd.conf which works well:

Regards,
Leighton

# $OpenBSD: httpd.conf,v 1.14 2015/02/04 08:39:35 florian Exp $

server "example.com" {
	listen on * port 80
	listen on :: port 80
	alias secure.example.com
	alias www.example.com
	log { access "example.com-access.log", error "example.com-error.log" }
	location "/.well-known/acme-challenge/*" {
		root "/htdocs/example.com/acme"
		root strip 2
	}
	location "/*" {
		block return 301 "https://$SERVER_NAME$REQUEST_URI"
	}
}

server "example.com" {
	listen on * tls port 443
	listen on :: tls port 443
	alias secure.example.com
	alias www.example.com
	log { access "example.com-sslaccess.log", error "example.com-sslerror.log" }
	tls certificate "/etc/ssl/example.com.fullchain.pem"
	tls key "/etc/ssl/private/example.com.key.pem"
	directory { index "index.php" }
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
	root "/htdocs/example.com/"
}
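As an added sanity check (not part of Leighton's post and not an httpd tool), the following Python script reads a constructed copy of the httpd.conf layout above and flags the slips that are easy to make when the port-80 and TLS server blocks are maintained by hand: a malformed alias (a comma in place of a dot, which is kept in the sample on purpose), aliases that differ between the two blocks, and a port-80 server without the `root strip 2` acme-challenge location or the redirect to https. Function names and the trimmed config are my own.

```python
import re
ACME = "/.well-known/acme-challenge/*"
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}", re.I)
# Constructed, trimmed copy of the httpd.conf from the post; the alias typo is kept on purpose.
HTTPD_CONF = """
server "example.com" {
    listen on * port 80
    alias secure.example,com
    alias www.example.com
    location "/.well-known/acme-challenge/*" {
        root strip 2
    }
    location "/*" {
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }
}
server "example.com" {
    listen on * tls port 443
    alias secure.example.com
    alias www.example.com
    tls certificate "/etc/ssl/example.com.fullchain.pem"
    tls key "/etc/ssl/private/example.com.key.pem"
}
"""
def parse_servers(conf):
    """Read the httpd.conf subset above: one dict per server block (name, tls, aliases, location lines)."""
    servers, cur, loc = [], None, None
    for line in filter(None, map(str.strip, conf.splitlines())):
        if m := re.match(r'^server\s+"([^"]+)"\s*\{$', line):
            cur = {"name": m.group(1), "tls": False, "aliases": [], "locations": {}}
            servers.append(cur)
        elif m := re.match(r'^location\s+"([^"]+)"\s*\{$', line):
            loc = cur["locations"].setdefault(m.group(1), [])
        elif line == "}":
            loc = None                 # end of a location (or of the server block)
        elif loc is not None:
            loc.append(line)           # directive inside a location
        elif line.startswith("listen on") and " tls " in line:
            cur["tls"] = True
        elif line.startswith("alias "):
            cur["aliases"].append(line.split(None, 1)[1])
    return servers
def check(conf):
    """Return the problems found; empty means port-80 and tls blocks agree and the acme/redirect split is there."""
    problems, servers = [], parse_servers(conf)
    for s in servers:
        for host in [s["name"]] + s["aliases"]:
            if not HOST_RE.fullmatch(host):
                problems.append(f'server "{s["name"]}": bad hostname {host!r}')
        if s["tls"]:
            twin = next((p for p in servers if not p["tls"] and p["name"] == s["name"]), None)
            if twin and set(twin["aliases"]) != set(s["aliases"]):
                problems.append(f'server "{s["name"]}": aliases differ between port 80 and tls')
        else:
            if "root strip 2" not in s["locations"].get(ACME, []):
                problems.append(f'server "{s["name"]}": acme-challenge location lacks "root strip 2"')
            if not any(d.startswith("block return 30") for d in s["locations"].get("/*", [])):
                problems.append(f'server "{s["name"]}": no redirect to https in location "/*"')
    return problems
```

Run against the sample it reports the bad alias and the resulting alias mismatch; with the comma corrected it returns an empty list.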
Re: Adding default IPv6 route fails on 6.1
Hi Sterling,

On 04/12/17 01:20, Sterling Archer wrote:
> Hello everyone.
>
> After upgrading to 6.1 about an hour ago, I noticed that I didn't have an
> IPv6 connection anymore.
>
> I use dhcpcd over a pppoe session, which worked fine in 6.0-stable.

I'd love to see your dhcpcd.conf.

Regards
Harri
6.1: dnsmasq unresponsive?
Hi folks,

is it just me, or is the new dnsmasq unresponsive?

    dig @127.0.0.1 heise.de A +short

gets stuck. Moving back to the old dnsmasq provided for 6.0 there is no such problem.

dnsmasq.conf:

    server=8.8.4.4

Every helpful comment is highly appreciated

Harri
xenodm and .kshrc
Hi

I used to start X using startx and when opening a terminal my .kshrc would get run, but now I have switched to xenodm, my .kshrc is not being executed.

my .profile has "export ENV=$HOME/.kshrc"

what am I missing?

Cheers
Adam
Re: xenodm and .kshrc
On Fri, Apr 14, 2017 at 11:45:05AM +0800, Adam Steen wrote:
> Hi
>
> I used to start X using startx and when opening terminal my .kshrc
> would get run,
>
> but now i have switched to xenodm, my .kshrc is not being executed.
>
> my .profile has "export ENV=$HOME/.kshrc"
>
> what i am i missing?

Assuming that you use xterm: does your .Xdefaults contain

    XTerm*loginShell: true

I removed the following somewhat outdated section from the FAQ because by default it does:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/faq/faq8.html?rev=1.308&content-type=text/html#ksh

See also this post:

https://marc.info/?l=openbsd-misc&m=142829426523976&w=2

and the other posts in that thread.
Re: xenodm and .kshrc
Thanks Theo

    If you start X with xdm, then you need to either A) manually set ENV (or source your entire .profile) from your .xsession that xdm invokes

from https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/faq/faq8.html?rev=1.308&content-type=text/html#ksh did the trick

On Fri, Apr 14, 2017 at 1:01 PM, Theo Buehler wrote:
> On Fri, Apr 14, 2017 at 11:45:05AM +0800, Adam Steen wrote:
>> Hi
>>
>> I used to start X using startx and when opening terminal my .kshrc
>> would get run,
>>
>> but now i have switched to xenodm, my .kshrc is not being executed.
>>
>> my .profile has "export ENV=$HOME/.kshrc"
>>
>> what i am i missing?
>
> Assuming that you use xterm: does your .Xdefaults contain
>
> XTerm*loginShell: true
>
> I removed the following somewhat outdated section from the FAQ because
> by default it does:
>
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/faq/faq8.html?rev=1.308&content-type=text/html#ksh
>
> See also this post:
>
> https://marc.info/?l=openbsd-misc&m=142829426523976&w=2
>
> and the other posts in that thread.