Let's Encrypt ACMEv1 end-of-life
As I understand it, acme-client currently only supports ACMEv1. Let's Encrypt recently announced they're going to begin progressively deprecating that protocol starting this November:

https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

Given that, are there any plans to add ACMEv2 support to acme-client before then?

Thanks,
Diogo Pinela

Re: OpenBSD runs only in RAM from a USB Flash Drive
>FFS isn't a journaling filesystem so any 'wear', even on primitive
>flash storage, won't be enough to worry about.

I disagree, depending on a few variables. If you can't get a better device then be prepared to replace the storage or count writes and create new files, keeping the old. KARL and randomness development depends on writing and shouldn't be disabled. There is a lot of misinformation about flash out there from fairly respectable people too. Maybe because phones are also in the close our eyes and hope brigade.

Re: Debug Tool for golang
On 5/31/19 5:28 PM, Ted Unangst wrote:
> Kevin Chadwick wrote:
>> Does anyone debug golang on OpenBSD and can advise on llvm/gcc or provide any
>> other insight?
>
> I just use log.
>

Yep, not missing a trick then and apparently the old recommendation, Thanks all.

https://blog.golang.org/debugging-go-code-status-report

"When it comes to debugging, nothing beats a few strategic print statements to inspect variables or a well-placed panic to obtain a stack trace. However, sometimes you’re missing either the patience or the source code, and in those cases a good debugger can be invaluable. That's why over the past few releases we have been improving the support in Go’s gc linker (6l, 8l) for GDB, the GNU debugger."

Re: Debug Tool for golang
Kevin Chadwick wrote:
> Does anyone debug golang on OpenBSD and can advise on llvm/gcc or provide any
> other insight?

I just use log.

Re: Lenovo w/ AMD Ryzen CPU
On Wed, May 29, 2019 at 10:52:53AM +1000, Jonathan Gray wrote:
> On Tue, May 28, 2019 at 09:58:58AM -0700, Chris Cappuccio wrote:
> > David Anthony [d...@silentsystems.org] wrote:
> > > All,
> > >
> > > The Lenovo release of T*95 series laptops with AMD Ryzen CPU appears
> > > imminent.
> > >
> > > Would these be poor choices for OpenBSD? Are there any anticipated
> > > "gotchas" that I should be aware of? Any thoughts would be greatly
> > > appreciated.
> > >
> >
> > Chances are it will work very well.
>
> I disagree.
>
> >
> > First, less flaws were identified with AMD's implementation of speculative
> > execution. That means that there are less mitigations to slow down the
> > system.
> > Whether there are unidentified flaws, that's another issue..
> >
> > Second, the amdgpu driver was just imported to OpenBSD 6.5-current. That
> > means you'll have graphics support. Combined with the recent improvements
> > to xhci and wi-fi driver improvements (well, mostly intel), support for
> > modern laptops has never been better.
>
> There is no support for newer Intel wireless like the 9260 the T495 has.
>
> The version of amdgpu in the tree does not include support for
> picasso APUs (Ryzen 3xxx) https://en.wikichip.org/wiki/amd/cores/picasso
> or whatever raven2 works out to be.
>
> It is also not enabled by default just yet.
>
> If anyone wants to have a Ryzen thinkpad work in the short term the
> current A series A285/A485 and similar generation E series require less
> work. Suspend/resume doesn't work right on them currently.
> They mostly ship with RTL8822BE wireless which there is no support for
> but this can be replaced with an Intel 8265 which is in the bios
> whitelist and is supported by iwm(4).
>

The E495s I ordered have the Picasso APU and the Intel 9260 wifi. I was just running 6.5-release. When I get a minute this afternoon, I will try the latest snapshot and see if I can get video working. I'll send the dmesg to dm...@openbsd.org.

Re: OpenBSD runs only in RAM from a USB Flash Drive
Hi,

From: sove...@vivaldi.net
Subject: OpenBSD runs only in RAM from a USB Flash Drive
Date: Thu, 30 May 2019 17:40:11 -0700
Message-ID: <24f3d709e54642fefb33ae3afab7b...@vivaldi.net>

> In order to minimize wear on the USB Flash memory, is there a way to
> command OpenBSD to always run in RAM, and at shutdown to either save
> or not save the session to the USB Flash Drive.

Try FuguIta - http://fuguita.org/

This is the live system based on OpenBSD. It has several boot modes. FuguIta mounts USB flash memory with read only. Or it places the entire file tree on TMPFS memory file system. Also, you can save your session and can retrieve at next boot time. It may be similar to Puppy's concept.

Regards,
Yoshihiro KAWAMATA

Re: mirroring firmware.openbsd.org
On 2019-05-30, Lyndon Nerenberg wrote:
> Our firewalls can't connect to firmware.openbsd.org (by design).
> Is there a way to mirror the contents of firmware.openbsd.org? It
> would be nice if these files were available in the usual OpenBSD
> mirrors, since we already mirror those and could just point fw_update
> at our internal mirror host. But something like an rsync- or ftp-able
> firmware.openbsd.org source would be just fine.
>
> --lyndon
>

$ lftp http://firmware.openbsd.org/
cd ok, cwd=/
lftp firmware.openbsd.org:/> ls
drwxr-xr-x -- firmware
lftp firmware.openbsd.org:/> cd firmware
lftp firmware.openbsd.org:/firmware> ls
drwxr-xr-x -- ..
drwxr-xr-x -- 4.9
drwxr-xr-x -- 5.0
drwxr-xr-x -- 5.1
drwxr-xr-x -- 5.2
drwxr-xr-x -- 5.3
drwxr-xr-x -- 5.4
drwxr-xr-x -- 5.5
drwxr-xr-x -- 5.6
drwxr-xr-x -- 5.7
drwxr-xr-x -- 5.8
drwxr-xr-x -- 5.9
drwxr-xr-x -- 6.0
drwxr-xr-x -- 6.1
drwxr-xr-x -- 6.2
drwxr-xr-x -- 6.3
drwxr-xr-x -- 6.4
drwxr-xr-x -- 6.5
drwxr-xr-x -- snapshots
lftp firmware.openbsd.org:/firmware> mirror 6.5
New: 25 files, 0 symlinks
33068315 bytes transferred in 14 seconds (2.28 MiB/s)
lftp firmware.openbsd.org:/firmware> exit

Or if you prefer command line:

$ lftp -e 'mirror 6.5; exit' http://firmware.openbsd.org/firmware/
cd ok, cwd=/firmware
New: 25 files, 0 symlinks
33068315 bytes transferred in 13 seconds (2.46 MiB/s)

exFAT devices not detected
I tested this before, even I have some hotplugd script to mount these devices, but since some days ago exFAT formatted devices are not detected and won't even appear on dmesg. Has anyone seen this behaviour too?

Thanks.

--
Oriol Demaria
2FFED630C16E4FF8

Re: relayd - "forward with tls to" and "forward to" in one relay
> On 31 May 2019, at 12:15, Kamil Andrusz wrote:
>
> Hello Misc!
>
> I’m trying to get relayd working in the following scenario:
> - relayd listens on external IP port 443 with tls
> - based on the path relay to one of two hosts:
>   o webhost listening on 443 with tls
>   o bwhost listening on 4567 just http
>
> Everything works fine for the webhost. For bwhost I get:
> $ curl https://testhost.net/bwhost/index.php
> curl: (52) Empty reply from server
>
> Is it possible to get this working? Am I missing something obvious?
>
> My relayd config is simple:
> ext_if="10.0.0.1"
> table { 192.168.3.1 }
> table { 192.168.3.2 }
>
> http protocol https {
>     match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>     match request header append "X-Forwarded-By" \
>         value "$SERVER_ADDR:$SERVER_PORT"
>     match request header set "Connection" value "close"
>
>     pass request path "/*" forward to
>     pass request path "/bwhost/*" forward to
> }
>
> relay https {
>     listen on $ext_if port 443 tls
>     protocol "https"
>     forward to port 4567
>     forward with tls to port 443
> }
>
> Thanks for help!
>

Silly to reply to my own mail, BUT. I "fixed" it.

After a bit of debugging it turned out, that even though for there’s just "forward to", relayd is using TLS to connect to it. So I worked around this by using the following solution. It works, even though it shouldn’t be necessary, I think.

So, I added additional protocol section, where I pass all the traffic and a relay section just for that one host.

relay https {
    listen on $ext_if port 443 tls
    protocol "https"
    forward to port 8443
    forward with tls to port 443
}

http protocol bwhostfilter {
    pass forward to
}

relay bwhostfilter {
    listen on 127.0.0.1 port 8443 tls
    protocol bwhostfilter
    forward to port 4567
}

Any hints on how broken this idea is are welcome :)

I’m beginning to wonder, might this be a bug in relayd?

Kamil

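A lint for the situation described in this message, as an added example that is not part of the original post or of relayd: it lists relay blocks that combine `forward with tls to` with a plain `forward to`, and keeps those whose plain target port is not a TLS listener in the same file, which is the case that produced the empty reply reported above. The table names `<webhost>`, `<bwhost>` and `<loopback>` and all function names are assumptions; ports are matched without regard to address.

```python
import re

# Constructed input: the relay blocks from the message above. The page lost the
# table names, so <webhost>, <bwhost> and <loopback> are assumed placeholders.
ORIGINAL = """
relay https {
    listen on $ext_if port 443 tls
    protocol "https"
    forward to <bwhost> port 4567
    forward with tls to <webhost> port 443
}
"""
WORKAROUND = """
relay https {
    listen on $ext_if port 443 tls
    protocol "https"
    forward to <loopback> port 8443
    forward with tls to <webhost> port 443
}
relay bwhostfilter {
    listen on 127.0.0.1 port 8443 tls
    protocol bwhostfilter
    forward to <bwhost> port 4567
}
"""

RELAY = re.compile(r'^[ \t]*relay\s+"?([\w-]+)"?\s*\{(.*?)^[ \t]*\}', re.M | re.S)
FORWARD = re.compile(r'^[ \t]*forward\s+(with\s+tls\s+)?to\s+(.*?)[ \t]*$', re.M)
LISTEN_TLS = re.compile(r'^[ \t]*listen\s+on\s+\S+\s+port\s+(\d+)\s+tls\b', re.M)

def mixed_forward_relays(conf):
    """Map relay name -> plain 'forward to' targets, for relays that also
    contain a 'forward with tls to' line."""
    found = {}
    for name, body in RELAY.findall(conf):
        plain, tls = [], []
        for with_tls, target in FORWARD.findall(body):
            (tls if with_tls else plain).append(target)
        if plain and tls:
            found[name] = plain
    return found

def plaintext_backends_at_risk(conf):
    """Of those plain targets, keep the ones whose port is not served by a
    'listen ... tls' line in this file (port-only match: a simplification)."""
    tls_ports = set(LISTEN_TLS.findall(conf))
    risky = {}
    for name, targets in mixed_forward_relays(conf).items():
        bad = [t for t in targets if t.split()[-1] not in tls_ports]
        if bad:
            risky[name] = bad
    return risky
```

On the first configuration the lint reports the port 4567 backend; on the workaround it reports nothing, because the plain forward now lands on the loopback relay that listens with tls.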
Re: Debug Tool for golang
On Fri, May 31, 2019 at 01:11:41PM +0100, Kevin Chadwick wrote:
> It seems delve which is suggested by golang.org due to optimised binary
> support expects a Linux /proc and Linux threads (FreeBSD delve github
> issue tracker). So I guess without delve then building unoptimised
> binaries would be required which is possibly to be expected when
> debugging. I'm not sure that should make delve the preferred tool, if it
> is platform centric!
>
> Does anyone debug golang on OpenBSD and can advise on llvm/gcc or provide any
> other insight?

I use Go on OpenBSD a lot, and I have always done my serious debugging using Printf or logging. I would like to use delve as well, and have considered getting it to work on OpenBSD.

https://github.com/go-delve/delve/pull/1480

It looks like there is current work getting it supported in FreeBSD. Would that be a better starting point for OpenBSD? I'm pretty noob at C, but I have recently been learning it pretty seriously. (for whatever that's worth)

I guess I'm not adding much except that Go on OpenBSD is great, and I have never been stuck by not having delve.

thanks,
Paul

Re: OpenBSD runs only in RAM from a USB Flash Drive
FFS isn't a journaling filesystem so any 'wear', even on primitive flash storage, won't be enough to worry about.

--
Patrick Harper
paia...@fastmail.com

On Fri, 31 May 2019, at 03:41, sove...@vivaldi.net wrote:
> 30 May, 2019
>
> Greetings OpenBSD aficionados,
>
> As a newbie to OpenBSD, I am delighted to have the chance to interact
> with the OpenBSD Mailing Lists community.
> Since I am about to install OpenBSD 6.5 (amd64) on a USB Flash Drive for
> the first time, I was wondering if anyone has a solution to the
> following conundrum.
>
> In order to minimize wear on the USB Flash memory, is there a way to
> command OpenBSD to always run in RAM, and at shutdown to either save or
> not save the session to the USB Flash Drive.
>
> For instance, Precise Puppy Linux 5.7.1 has a package called Puppy Event
> Manager. Since Precise Puppy is programmed to run in RAM, you can select
> the 'Save Session' tab and enter the span of minutes for everything in
> RAM to be saved to the Precise Puppy SaveFile.
>
> Best of all, you can enter 0 minutes to only do a save at shutdown.
> Perfect for minimizing wear on a USB Flash Drive.
>
> Please accept my apologies if this issue has already been solved. My
> search so far in sites like https://marc.info has come up empty.
>
> I thank you for your support.
>
> Best regards,
> Hugh

relayd - "forward with tls to" and "forward to" in one relay
Hello Misc!

I’m trying to get relayd working in the following scenario:
- relayd listens on external IP port 443 with tls
- based on the path relay to one of two hosts:
  o webhost listening on 443 with tls
  o bwhost listening on 4567 just http

Everything works fine for the webhost. For bwhost I get:
$ curl https://testhost.net/bwhost/index.php
curl: (52) Empty reply from server

Is it possible to get this working? Am I missing something obvious?

My relayd config is simple:
ext_if="10.0.0.1"
table { 192.168.3.1 }
table { 192.168.3.2 }

http protocol https {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"

    pass request path "/*" forward to
    pass request path "/bwhost/*" forward to
}

relay https {
    listen on $ext_if port 443 tls
    protocol "https"
    forward to port 4567
    forward with tls to port 443
}

Thanks for help!

Kamil

--
It's just a matter of opinion.

Debug Tool for golang
It seems delve which is suggested by golang.org due to optimised binary support expects a Linux /proc and Linux threads (FreeBSD delve github issue tracker). So I guess without delve then building unoptimised binaries would be required which is possibly to be expected when debugging. I'm not sure that should make delve the preferred tool, if it is platform centric! Does anyone debug golang on OpenBSD and can advise on llvm/gcc or provide any other insight? Thanks
Re: bgpd acting up, dropping connected/static network statements
On 24/05/2019 12.25, open...@kene.nu wrote: Hello, I finally got to testing this and the bug seems to be fixed. What is the recommended way of implementing this fix into a critical production environment? Should we wait for a syspatch (will one be made available for this bug)? It is possible to deploy it via hacks in automation tools but it would be nice to know if there was an "official" way of doing it or plans for one. On Linux distros you can have additional repos that override the official packages if the ones in there are newer and trusted. Is it possible to have multiple repos like that? Also not sure how it would work to update base since packages in there are not really distributed via the normal repo. Since everything is signed I don't see how we could do it in a nice way. Unless there is support to add additional trusted keys. /T
Re: OpenBSD runs only in RAM from a USB Flash Drive
On May 30 17:40:11, sove...@vivaldi.net wrote:
> As a newbie to OpenBSD, I am delighted to have the chance to interact with
> the OpenBSD Mailing Lists community.
> Since I am about to install OpenBSD 6.5 (amd64) on a USB Flash Drive for the
> first time, I was wondering if anyone has a solution to the following
> conundrum.

Why? If this is your first OpenBSD installation, keep it simple: install on a spare computer. Do you need to have a portable installation that you can carry around?

> In order to minimize wear on the USB Flash memory, is there a way to command
> OpenBSD to always run in RAM, and at shutdown to either save or not save the
> session to the USB Flash Drive.

Don't. A USB flash is a disk, just like any other disk. Install on it like you would on any other disk.

> For instance, Precise Puppy Linux 5.7.1 has a package called Puppy Event
> Manager. Since Precise Puppy is programmed to run in RAM, you can select the
> 'Save Session' tab and enter the span of minutes for everything in RAM to be
> saved to the Precise Puppy SaveFile.
> Best of all, you can enter 0 minutes to only do a save at shutdown. Perfect
> for minimizing wear on a USB Flash Drive.

What 'wear'? What heavy IO are you going to be doing on your usb flash installation? If you plan to do heavy io, using USB flash is a mistake in the first place.

Jan