Re: ftp.openbsd.org: tlsv1 alert protocol version

2023-10-28 Thread Rudolf Leitgeb
Could be IPv6 related, because with IPv4 it works: rudolf@variable-7400:~$ curl --verbose https://ftp.openbsd.org/pub/OpenBSD/patches/7.4/common/001_xserver.patch.sig * Trying 199.185.178.81:443... * Connected to ftp.openbsd.org (199.185.178.81) port 443 (#0) * ALPN: offers h2,http/1.1 * TLSv1.3

Re: Understanding -current as 7.4 is released

2023-10-06 Thread Rudolf Leitgeb
On Fri, 2023-10-06 at 11:06 -0600, Theo de Raadt wrote: > Other operating systems do not have a vast number of people using > daily snapshots in the way our users do, so it is only our users who > have this experience. Your expectation is that people using snapshots, because they are part of

Re: Require host-name from DHCP clients

2023-09-27 Thread Rudolf Leitgeb
On Wed, 2023-09-27 at 06:48 +, Tris wrote: > > --- Original Message --- > On Wednesday, September 27th, 2023 at 8:42 AM, Florian Obser > wrote: > > > > On 2023-09-27 01:01 +02, Joel Carnat j...@carnat.net wrote: > > > > > Hi, > > > > > > Because of Apple Private Address feature, m

Re: undocumented command switches -OR- fix documentation fully

2023-09-25 Thread Rudolf Leitgeb
re > talking to, the mailing list archive readers of a social club for > knitting for the elderly?  That is correct too.  Time will and does > demonstrate it perfectly. > > On 9/25/23, Rudolf Leitgeb wrote: > > Are you trying to teach the OpenBSD devs how to write good > >

Re: undocumented command switches -OR- fix documentation fully

2023-09-25 Thread Rudolf Leitgeb
aws,_guidelines_and_principles > > Thanks for the discussion and support, I've said my points and think > we're in accord and agreement on all details referenced. > > On 9/25/23, Rudolf Leitgeb wrote: > > If you document a switch, you are basically required to keep

Re: undocumented command switches -OR- fix documentation fully

2023-09-25 Thread Rudolf Leitgeb
If you document a switch, you are basically required to keep that functionality around forever. Given that the OpenBSD devs don't like these --options all that much, I don't see that happening. Submitting a patch won't change that. IMHO there's nothing wrong if software can do more than its docu

Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-25 Thread Rudolf Leitgeb
Either this, or the TLS 1.3 code was always buggy, but now it was actually used per default. Question: is there a similar commit in your DNS server? Do you use this DNS server with anything like TLS? On Sun, 2023-09-24 at 21:31 +0200, Tobias Fiebig wrote: > > > But yes, getting a specific commit

Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-24 Thread Rudolf Leitgeb
nd may allow me to see whether mysql is > pushed into similar codepaths on affected systems (and not on > unaffected ones), likely giving a better hint as to where the issue > is. > > With best regards, > Tobias > > On Sun, 2023-09-24 at 12:53 +0200, Rudolf Leitgeb wrote: >

Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-24 Thread Rudolf Leitgeb
Do the affected programs use the same libraries? On Sun, 2023-09-24 at 09:32 +0200, Tobias Fiebig wrote: > After upgrading to 7.3 and nginx-1.24.0, I started to see heavy > memory > leakage over time. I initially attributed this to nginx, and solved > the > issue by ignoring it/throwing a bit more

Re: Checking OpenBSD host type

2023-09-19 Thread Rudolf Leitgeb
See this response for the same command on my EdgeRouter: edgy# sysctl hw hw.machine=octeon hw.model=Cavium OCTEON (rev 0.2) @ 1000 MHz hw.ncpu=4 hw.byteorder=4321 hw.pagesize=16384 hw.disknames=sd0:3b7d06c5b561182c hw.diskcount=1 hw.cpuspeed=

Re: desire for journaled filesystem

2023-09-08 Thread Rudolf Leitgeb
If push comes to shove, then the journaling file system may lose more data, but it will be consistent. FFS will have written as much as possible, sometimes without association with an inode, that's when people encounter full lost+found directories. Neither file system will correctly record the mos

Re: desire for journaled filesystem

2023-09-05 Thread Rudolf Leitgeb
On Tue, 2023-09-05 at 14:16 -0400, John Holland wrote: > So this gave me the list of the files with what they seem to be in > groups. I think a lot of them are browser cache, jpegs, pngs... I > looked > at some of the gzipped ones and they were web pages and css files. > > There are some that do

Re: Possible off-by-one bug in usr.sbin/rad/engine.c

2023-01-01 Thread Rudolf Leitgeb
Coming from a C/C++ background, I would assume that a range from 200 to 600 comprises numbers that start at 200 and reach as far as 599. This would be in sync with all STL functions for iterating through collections or for extracting ranges. As long as you need two random numbers to craft second

Re: news from my hacked box

2020-04-10 Thread Rudolf Leitgeb
> Yes could be, he has a "social engineering" approach to people. He places > people and > himself on the same level of machines. Then he searches vulnerability on > persons. > He makes extensive use of corruption to take advantage on his personal war. > From this > point of view also a vpn prov

Re: secure MTA

2020-04-09 Thread Rudolf Leitgeb
> Conversely, if everything was easily hackable then we probably wouldn't use > computers, at all. Being hacked is a risk everybody is ready to accept, some knowingly, some unknowingly. There may be people here, who have never done business with any of these entities listed here, but they are ce

Re: secure MTA (was: news from ...)

2020-04-09 Thread Rudolf Leitgeb
On Wed, 2020-04-08 at 13:55 -0400, Allan Streib wrote: > My (default) smtpd.conf says: > > listen on lo0 > > So how might that be remotely exploitable? I can disable all network connections on an unpatched Windows 95 laptop - oh, this would make it so secure ... Hint: a server, which provid

Re: news from my hacked box

2020-04-08 Thread Rudolf Leitgeb
> Yes exactly, I know who the attacker is and he has really great resources > and power. > Most probably he is responsible for the death of a guy in my country. > Many people have preconceived ideas about security and about the attackers. > Many people think that a hacker is pushed by money or

Re: news from my hacked box

2020-04-08 Thread Rudolf Leitgeb
> OpenSMTPD does not listen to the internet, by default and even if you do set > it > to, it only affected certain configurations. A server, which does not listen to the outside is pretty useless, don't you think? I did not bring up opensmtp, because it is particularly bad, quite to the contrary:

Re: news from my hacked box

2020-04-08 Thread Rudolf Leitgeb
> True if you consider physical attacks and for most hardware, otherwise mostly > false. Anything can be hacked is also one of my biggest annoyances as a mantra > from "infosec", that gets more money than it deserves in comparison to real > security, like OpenBSD works on. We know from Snowden, th

Re: news from my hacked box

2020-04-07 Thread Rudolf Leitgeb
> I understand you perfectly but there are some points I want to highlight: > Then there is a huge number of hacked sites and hacked desktops out there. > Many people > didn't know that their pc or phone is not under their control anymore. > The new frontier of hacking is espionage. None want be disco

Re: How to hide my server's IP?

2020-02-09 Thread Rudolf Leitgeb
On Mon, 2020-02-03 at 13:23 +0100, Janne Johansson wrote: > And refine the risk strategies, since the above conversation seem to be > centered around the concept of a hacker that > > 1. Someone successfully attacks your site over the internet, using your > outward facing IP A.A.A.A > 2. Manages to

Re: build error on octeon, 6.6

2019-11-11 Thread Rudolf Leitgeb
Somewhere in his error output it says: Target: mips64-unknown-openbsd6.6 This would not work with octeon AFAIK. Maybe this is the reason the build fails ? It would at least make sense regarding the "unable to execute command" message. On Fri, 2019-11-08 at 14:50 +0100, Janne Johansson wrote: >

Re: Errors when I try to configure multiple DNS search suffixes in dhcpd.conf

2019-09-24 Thread Rudolf Leitgeb
ports one domain name here. Oh well. Cheers, Rudi On Tue, 2019-09-24 at 08:32 +, Carlos Lopez wrote: > > Regards, > C. L. Martinez > > On 24/09/2019 10:22, Rudolf Leitgeb wrote: > > Could this be a case of missing semicolon at the end ? > > > > Thanks Rudol

Re: Errors when I try to configure multiple DNS search suffixes in dhcpd.conf

2019-09-24 Thread Rudolf Leitgeb
Could this be a case of missing semicolon at the end ? On Tue, 2019-09-24 at 08:11 +, Carlos Lopez wrote: > Hi all, > > When I try to configure multiple search DNS suffixes in dhcpd.conf, I > am receiving the following error: > > /etc/dhcpd.conf line 21: > option domain-search "custom.

Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Rudolf Leitgeb
> Second, low hanging fruit. Contrary to what some hysterical reports may claim, and some violations of rules aside, NSA is mostly after bad guys, some of which know quite well what they are doing. These bad guys will not necessarily be kind enough to present NSA with unpatched Windows desktops.

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-06 Thread Rudolf Leitgeb
NSA would be foolish to go through all the effort it takes to place a back door into OpenBSD. I find it funny how people focus on potential back doors in software and completely ignore that all this software is executed on micro processors that are made by a select handful of US companies. We also

Re: how to use cpu affinity from user space

2013-01-22 Thread Rudolf Leitgeb
> under such load the server is experiencing somewhat "general network > delays", network connections become slow (both incoming and outgoing), > sometimes even 5 sec on 1G network. It sounds unlikely that CPU congestion is responsible for 5 s network delays unless your hardware is significantly under

Re: OpenBSD - UEFI Secure Boot

2012-07-09 Thread Rudolf Leitgeb
> Well, are you sure "UEFI disable button" will turn off ALL of UEFI > functions? > With that virtualization, both hardware bugs and attacks against > hypervisors are real world cases. So don't be naive. > > Trust me, I'll try hard to avoid virtualization and Fedora@UEFI on my > firewalls, no ma

Re: Ways to handle DNS amplification attacks with OpenBSD

2012-06-10 Thread Rudolf Leitgeb
On Sunday, 10.06.2012, 00:37 + Stuart Henderson wrote: > On 2012-06-09, Kostas Zorbadelos wrote: > > I am interested to hear possible solutions in other layers as well. > > http://fanf.livejournal.com/122111.html seems a nice approach... This seems to work nicely if the attacker spoof

Re: Ways to handle DNS amplification attacks with OpenBSD

2012-06-09 Thread Rudolf Leitgeb
On Saturday, 09.06.2012, 19:17 +0300 Kostas Zorbadelos wrote: > What do you mean identify and filter based on TTL? In our case the > attacker used a specific query for a single domain. I mean the TTL field from the IP header of these packets. While the attacker's packets spoof the sender addr

Re: Ways to handle DNS amplification attacks with OpenBSD

2012-06-09 Thread Rudolf Leitgeb
On Saturday, 09.06.2012, 14:11 +0300 Kostas Zorbadelos wrote: > The situation is similar but not the same as the one described here: > > https://isc.sans.edu/diary.html?storyid=13261 > > We used IPtables and the string module to match a specific signature of > the problematic queries and it

Re: Trusting the Installation

2012-03-05 Thread Rudolf Leitgeb
On Monday, 5 March 2012, 13:30:14 Henning Brauer wrote: > you completely missed the point of my remark. > > most "secure encryption devices" on the market run linux. their > "security" is snake oil. you don't wanna know what I have seen (and I > can't talk about it in most cases)... This mailin

Re: Trusting the Installation

2012-03-05 Thread Rudolf Leitgeb
On Monday, 5 March 2012, 12:36:56 Henning Brauer wrote: > * Rudolf Leitgeb [2012-03-05 12:01]: > > That's the reason why companies which make secure encryption devices would > > never trust any CPU/OS combo. Depending on paranoia they offer you either > > an FPGA base

Re: Trusting the Installation

2012-03-05 Thread Rudolf Leitgeb
On Monday, 5 March 2012, 10:12:02 Илья Шипицин wrote: > P.S. I'm not a paranoic, but I respect people to be paranoic if they want > to. You can be paranoid about the sources and binaries all you want, but you still don't know the CPU which executes all that code. Even if Intel/AMD wo

Re: How to deal with DDoS ?

2012-02-22 Thread Rudolf Leitgeb
On Wednesday, 22 February 2012, 08:36:49 Jan Stary wrote: > > $ sysctl net.inet.udp.{recvspace,sendspace} > > net.inet.udp.recvspace=131072 > > net.inet.udp.sendspace=131072 > > I don't think it's gonna help with handling a DDOS, anyway. Especially not in this particular case. He drops UDP anywa

Re: Automatic "fsck -y" at Boot

2011-12-19 Thread Rudolf Leitgeb
On Monday, 19 December 2011, 13:52:40 Henning Brauer wrote: > gotta compromise for crippled systems. solvable with a little shell > script run from cron and rc.shutdown. Wait: your solution would be to periodically remount some volume read/write, merge the changes and then drop back to ro ? You

Re: Automatic "fsck -y" at Boot

2011-12-19 Thread Rudolf Leitgeb
On Friday, 16 December 2011, 21:49:18 Henning Brauer wrote: > in these cases - where "runs" is the top priority and manual > intervention is hard - you most probably want to run with ro / and an > mfs or three. This is one nice approach but doesn't cover features like user changeable settings

Re: Automatic "fsck -y" at Boot

2011-12-16 Thread Rudolf Leitgeb
On Friday, 16 December 2011, 10:26:27 Henning Brauer wrote: > there is no solution but a proper remote console access, i. e. cereal. > it is completely beyond me why some people accept anything else. > yes yes, some/many providers don't offer any. so pick one that does. > you don't buy condoms

Re: Narcicism?

2011-12-02 Thread Rudolf Leitgeb
On Friday, 02.12.2011, 17:40 +0100 Anonymous Remailer (austria) wrote: > Fuck you man! Who needs a new computer? Blades rule! ;-) The idea of OpenBSD, as far as I have understood this, is that you rule the computer and not that you are ruled by a computer, much less a blade :-P

Re: Narcicism?

2011-12-02 Thread Rudolf Leitgeb
On Friday, 2 December 2011, 06:13:42 Richard Thornton wrote: > I came to openbsd only recently trying to find a modern OS which will run on > my old sun blade 100. I wanted to use a linux but the only current linux > for sparc64 is debian 6.03 and it seems incompatible with the rage xl video >

Re: microsoft and UEFI boot

2011-09-26 Thread Rudolf Leitgeb
On Monday, 26.09.2011, 11:09 +0200 Paolo Aglialoro wrote: > Actually I'm way more optimistic about OEM motherboard manufacturers rather > than PC companies. > The weak spot will in fact be laptops and other portable equipment, as these > are all proprietary design. > > Considering that laptop

Re: OPenBSD 4.9 i386, Asus EEE 701, no network

2011-07-25 Thread Rudolf Leitgeb
On Monday, 25.07.2011, 13:00 +0100 Owain Ainsworth wrote: > > Did you up the interface? > > ifconfig lii0 up Thanks a lot, Owain, that was the problem. Network fully operational now! Cheers, Rudi

Re: OPenBSD 4.9 i386, Asus EEE 701, no network

2011-07-24 Thread Rudolf Leitgeb
> Rudi, post a complete dmesg, always. There can be interactions that might > not be obvious, so always post the complete dmesg. Here it comes, included in the body and as an attachment. Cheers, Rudi OpenBSD 4.9 (GENERIC) #671: Wed Mar 2 07:09:00 MST 2011 dera...@i386.openbsd.org:/usr/src

OPenBSD 4.9 i386, Asus EEE 701, no network

2011-07-24 Thread Rudolf Leitgeb
Hi folks, I wanted to give OpenBSD a new try and installed it on my Asus EEEPC 701. Install went well, but for some reason the network interface lii0 reports "no carrier". Since I have no network in the OpenBSD computer, please forgive me for not going through the regular sendbug routine but post