Re: Dissing Misks

2020-12-22 Thread Allan Streib
Duncan Patton a Campbell  writes:

> fdisk seems unwilling to allow more than 2T in the partition:

Look at the b command for disklabel(8) to set the OpenBSD disk
boundaries.

Allan
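The numbers in the fdisk and disklabel output quoted above follow from the 32-bit LBA fields of an MBR partition entry. The Python below is an added example, not code from this thread or from OpenBSD: it reproduces those numbers under two assumptions of mine (fdisk keeps only whole 255/63 cylinders below the 32-bit limit, and disklabel aligns a new partition's size down to 64 sectors) and flags disks whose OpenBSD boundaries need to be set past what the MBR can describe, which is what the b command in disklabel(8) mentioned above is for.

```python
MBR_LBA_MAX = 2**32 - 1   # highest sector an MBR entry's 32-bit start/size fields can hold
HEADS, SPT = 255, 63      # geometry fdisk printed in the thread: 267349/255/63


def mbr_geometry(total_sectors, heads=HEADS, spt=SPT):
    """Whole cylinders fdisk can describe below the 32-bit limit and the sectors they cover.

    Assumption (mine): fdisk floors the usable sector count to whole cylinders."""
    sectors_per_cyl = heads * spt
    usable = min(total_sectors, MBR_LBA_MAX)
    cylinders = usable // sectors_per_cyl
    return cylinders, cylinders * sectors_per_cyl


def openbsd_area(total_sectors, start=64):
    """(start, end, size) that disklabel inherits from the MBR slice fdisk wrote."""
    _, end = mbr_geometry(total_sectors)
    return start, end, end - start


def largest_partition(area_size, align=64):
    """Assumption (mine): disklabel aligns a new partition's size down to 64 sectors."""
    return area_size - area_size % align


def clipped_report(total_sectors, sector_size=512):
    """Summarise how much of a disk an MBR-based layout can reach."""
    cylinders, mbr_sectors = mbr_geometry(total_sectors)
    start, end, size = openbsd_area(total_sectors)
    return {
        "disk_sectors": total_sectors,
        "disk_tb": round(total_sectors * sector_size / 1e12, 3),
        "mbr_cylinders": cylinders,
        "mbr_sectors": mbr_sectors,
        "area": (start, end, size),
        "largest_partition": largest_partition(size),
        # sectors beyond the MBR slice as fdisk wrote it
        "unreachable_sectors": total_sectors - mbr_sectors,
        # only disks above 2^32 sectors need the disklabel boundaries moved
        # past the MBR slice (the b command in disklabel(8))
        "needs_boundary_fix": total_sectors > MBR_LBA_MAX,
    }


if __name__ == "__main__":
    # the 4TB disk from the thread: 7814037168 sectors of 512 bytes
    for key, value in clipped_report(7814037168).items():
        print("%-20s %s" % (key, value))
```

Run against the thread's disk this yields 267349 cylinders, an OpenBSD area of 64-4294961685 (size 4294961621) and a largest aligned partition of 4294961600 sectors, exactly what the quoted disklabel session shows; roughly 3.5 billion sectors of the disk sit beyond the MBR slice until the boundaries are moved.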



Re: Dissing Misks

2020-12-22 Thread Duncan Patton a Campbell

On Tue, 22 Dec 2020 19:06:48 -0700
Duncan Patton a Campbell  wrote:

> 
> On Tue, 22 Dec 2020 18:21:30 -0700
> "Todd C. Miller"  wrote:
> 
> > On Tue, 22 Dec 2020 17:30:08 -0700, Duncan Patton a Campbell wrote:
> > 
> > > I've added two identical 4TB disks to my system to set up a dual RAID.  
> > >
> > > When I boot, they come up as 
> > >
> > > sd2 at scsibus1 targ 2 lun 0:  naa.50014ee2681995d6
> > > sd2: 3815447MB, 512 bytes/sector, 7814037168 sectors
> > >
> > > and 
> > >
> > > wd0 at pciide1 channel 0 drive 0: 
> > > wd0: 16-sector PIO, LBA48, 3815447MB, 7814037168 sectors
> > >
> > > One of these things is not like the other, and I've not located 
> > > how this distinction is made at boot time.  
> > 
> > You should check your BIOS settings and make sure all the SATA
> > channels are configured to use AHCI and not legacy ATA.
> > 
> >  - todd
> > 
> 
> YES!  That would be the problem.  It's not done on a per-channel 
> basis but there's another obscure setting at the bottom of a page
> that sets it for all ...
> 
> Thanks,
> 
> Dhu
> 

meh.  Still craziness.  I have two 4TB disks I want to put into a RAID1 
(I want a BG partition for imaging other disks).  Neither fdisk nor
disklabel will create/recognize a part > 4294961600 (sect512)

This is the disklabel dialogue:
sd2> a a
offset: [64] 
size: [4294961621] 7814037100
FS type: [4.2BSD] 
sd2*> p
OpenBSD area: 64-4294961685; size: 4294961621; free: 21
#                size           offset  fstype [fsize bsize   cpg]
  a:       4294961600               64  4.2BSD   8192 65536     1 
  c:       7814037168                0  unused

fdisk seems unwilling to allow more than 2T in the partition:

atlas:/root/cde/Disks# fdisk sd2
Disk: sd2       geometry: 267349/255/63 [4294961685 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused  
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused  
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused  
*3: A6      0   1   2 - 267348 254  63 [          64:  4294961621 ] OpenBSD 

Any pointers or ideas appreciated.

Thanks,

Dhu

-- 
I am Canadian. That is neither French nor English.  
 It is a kind of savage: ne obliviscaris, vix ea nostra voco ;-) 



Re: Dissing Misks

2020-12-22 Thread Duncan Patton a Campbell

On Tue, 22 Dec 2020 18:21:30 -0700
"Todd C. Miller"  wrote:

> On Tue, 22 Dec 2020 17:30:08 -0700, Duncan Patton a Campbell wrote:
> 
> > I've added two identical 4TB disks to my system to set up a dual RAID.  
> >
> > When I boot, they come up as 
> >
> > sd2 at scsibus1 targ 2 lun 0:  naa.50014ee2681995d6
> > sd2: 3815447MB, 512 bytes/sector, 7814037168 sectors
> >
> > and 
> >
> > wd0 at pciide1 channel 0 drive 0: 
> > wd0: 16-sector PIO, LBA48, 3815447MB, 7814037168 sectors
> >
> > One of these things is not like the other, and I've not located 
> > how this distinction is made at boot time.  
> 
> You should check your BIOS settings and make sure all the SATA
> channels are configured to use AHCI and not legacy ATA.
> 
>  - todd
> 

YES!  That would be the problem.  It's not done on a per-channel 
basis but there's another obscure setting at the bottom of a page
that sets it for all ...

Thanks,

Dhu



-- 
I am Canadian. That is neither French nor English.  
 It is a kind of savage: ne obliviscaris, vix ea nostra voco ;-) 



Re: 6.8 openldap and SSL/TLS problem after upgrade

2020-12-22 Thread Stuart Henderson
On 2020-12-22, Kapetanakis Giannis  wrote:
> Hi,
>
> After upgrading to 6.8-release I can no longer connect to my ldap server with 
> openldap and SSL/TLS.
> I'm using a self signed root CA to sign LDAP server's certificate.
>
> /etc/openldap/ldap.conf has:
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT demand
>
> # /usr/local/bin/ldapsearch -d9 -x (openldap client)
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (unable to get local issuer certificate).
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Even setting TLS_CACERT does not fix it, only making 
> TLS_REQCERT never
>
> TLS_CACERTDIR has pem certificates and links with them with hashes
>
> ktrace does not show any reads on TLS_CACERTDIR
>
> bbbf0019.0@ -> My_ROOT_CA.asc
> My_ROOT_CA.asc@ -> My_ROOT_CA.pem
>
> Apparently this also breaks freeradius which seems logical.
>
> Thanks,
>
> G
>
>

There were big changes in certificate validation in libressl a little
before 6.8 and various problems have been found with them. I added a
workaround for one issue in a -stable packages update to openldap,
some are fixed in libressl in -current, and workarounds for some
ports have been made by changing them to use openssl instead of
libressl.

Your best option is probably to run -current and report back if
there are still problems and then hopefully 6.9 will be better.




Re: Dissing Misks

2020-12-22 Thread Todd C. Miller
On Tue, 22 Dec 2020 17:30:08 -0700, Duncan Patton a Campbell wrote:

> I've added two identical 4TB disks to my system to set up a dual RAID.  
>
> When I boot, they come up as 
>
> sd2 at scsibus1 targ 2 lun 0:  naa.50014ee2681995d6
> sd2: 3815447MB, 512 bytes/sector, 7814037168 sectors
>
> and 
>
> wd0 at pciide1 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA48, 3815447MB, 7814037168 sectors
>
> One of these things is not like the other, and I've not located 
> how this distinction is made at boot time.  

You should check your BIOS settings and make sure all the SATA
channels are configured to use AHCI and not legacy ATA.

 - todd



Re: Dissing Misks

2020-12-22 Thread Duncan Patton a Campbell


Also, is it the case that no more than ONE raid array is supported at a time?

Thanks, 

Dhu


On Tue, 22 Dec 2020 17:30:08 -0700
Duncan Patton a Campbell  wrote:
> 
> 
> Howdy all?  This is a question about disks under OBSD.
> 
> I've added two identical 4TB disks to my system to set up a dual RAID.  
> 
> When I boot, they come up as 
> 
> sd2 at scsibus1 targ 2 lun 0:  naa.50014ee2681995d6
> sd2: 3815447MB, 512 bytes/sector, 7814037168 sectors
> 
> and 
> 
> wd0 at pciide1 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA48, 3815447MB, 7814037168 sectors
> 
> One of these things is not like the other, and I've not located 
> how this distinction is made at boot time.  
> 
> FWIW I've attached my dmesg.  Any ideas would be appreciated.
> 
> Thanks,
> 
> Dhu
> 


-- 
I am Canadian. That is neither French nor English.  
 It is a kind of savage: ne obliviscaris, vix ea nostra voco ;-) 



Dissing Misks

2020-12-22 Thread Duncan Patton a Campbell


Howdy all?  This is a question about disks under OBSD.

I've added two identical 4TB disks to my system to set up a dual RAID.  

When I boot, they come up as 

sd2 at scsibus1 targ 2 lun 0:  naa.50014ee2681995d6
sd2: 3815447MB, 512 bytes/sector, 7814037168 sectors

and 

wd0 at pciide1 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 3815447MB, 7814037168 sectors

One of these things is not like the other, and I've not located 
how this distinction is made at boot time.  

FWIW I've attached my dmesg.  Any ideas would be appreciated.

Thanks,

Dhu

-- 
I am Canadian. That is neither French nor English.  
 It is a kind of savage: ne obliviscaris, vix ea nostra voco ;-) 




An ode to OpenBSD

2020-12-22 Thread Jordan Geoghegan
This isn't actually an ode, as I can't rhyme things good, but I just 
wanted to thank the OpenBSD folks for their fantastic engineering.


I had a major power outage and network disruption at my hosting provider 
yesterday, and all but one of my relayd load balancers was knocked out, 
as well as much of my httpd cluster.


Even while Zabbix was blowing up my phone with alerts, thanks to the 
magic of CARP+pfsync+relayd, all my services remained available, and a 
disaster was largely turned into a non-event.


Thank you for creating the greatest software project of all time.

Regards,

Jordan



Re: Enhancing Privacy in 2020 attached screenshot

2020-12-22 Thread Michael Hekeler
On 22.12.20 00:18, pipus wrote:
> (...)
> Interesting 28 public and private emails protecting Stuart and his parts  
> 2 really nice private emails on the product itself :)

Well, in fact the project sounds indeed to me in the beginning.

But reading this thread I must realize that you tried hard to create very bad
conditions for that project by stumbling through this list, insulting
people and lecturing me in a top-down approach about what I have
supposedly been "waiting for ages" and such.

I am very happy that you are not in MY marketing team 
(and I mean *really* happy).

I can only speak for myself, but the project you announced before is no
longer on my list (I don't know, but this project has had a negative
connotation since I read this thread).
Chapeau!



Re: 6.8 openldap and SSL/TLS problem after upgrade

2020-12-22 Thread Kapetanakis Giannis

I'm replying in misc@ since it affects other people as well.

For freeradius (freeradius-2.2.10p1) and ldap communication I had to 
also set

require_cert = "allow"

It didn't respect the setting in /etc/openldap/ldap.conf.
Maybe it's now linked against the local ldap library and not openldap's?

G

On 22/12/2020 16:59, Kostya Berger wrote:
Wow, I seem to have the same problem with Freeradius. Fails to connect 
with the same error: unable to get local issuer certificate. And that 
with certificates that work FINE with exactly the same version of 
Freeradius in FreeBSD.

And yes, no additional setting seems to help this.

With kindest regards,
Kostya Berger



On Tuesday, 22 December 2020, 17:52:48 GMT+3, Kapetanakis Giannis wrote:



Hi,

After upgrading to 6.8-release I can no longer connect to my ldap 
server with openldap and SSL/TLS.

I'm using a self signed root CA to sign LDAP server's certificate.

/etc/openldap/ldap.conf has:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand

# /usr/local/bin/ldapsearch -d9 -x (openldap client)
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate

TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (unable to get local issuer certificate).

ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Even setting TLS_CACERT does not fix it, only making
TLS_REQCERT never

TLS_CACERTDIR has pem certificates and links with them with hashes

ktrace does not show any reads on TLS_CACERTDIR

bbbf0019.0@ -> My_ROOT_CA.asc
My_ROOT_CA.asc@ -> My_ROOT_CA.pem

Apparently this also breaks freeradius which seems logical.

Thanks,

G
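Two things in this thread are worth being able to check mechanically: what the err: 20 line in an ldapsearch -d9 trace actually means, and whether the two workarounds that made things "work" (TLS_REQCERT never in ldap.conf, require_cert = "allow" in the freeradius ldap module) are still in place after the libressl fix lands. The Python below is an added example, not code from this thread, OpenLDAP or FreeRADIUS: it classifies the verification failure in the quoted trace and audits constructed config snippets for settings that disable server certificate verification. The err code table is the X509_V_ERR_* numbering from OpenSSL/LibreSSL x509_vfy.h; the config snippets are mine.

```python
import re

# Sample trace: the lines quoted in this thread from ldapsearch -d9, with the
# wrapped lines joined. Nothing here was captured from a live system.
TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (unable to get local issuer certificate).
"""

# X509_V_ERR_* codes (OpenSSL/LibreSSL x509_vfy.h) seen most often in client traces.
VERIFY_ERRORS = {
    2: "unable to get issuer certificate (server sent an incomplete chain)",
    9: "certificate not yet valid (check the client clock)",
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain (root CA missing from trust store)",
    20: "unable to get local issuer certificate (issuer not found in trust store)",
    21: "unable to verify the first certificate (no chain sent)",
    62: "hostname mismatch",
}

VERIFY_RE = re.compile(r"depth: (\d+), err: (\d+), subject: ([^,]+), issuer: (\S+)")


def parse_trace(text):
    """Extract (depth, err, subject, issuer) from each verification line."""
    out = []
    for line in text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return out


def diagnose(text):
    """One-line reading of the first verification failure in a trace."""
    failures = parse_trace(text)
    if not failures:
        return "no verification error in trace"
    depth, err, subject, issuer = failures[0]
    what = VERIFY_ERRORS.get(err, "X509 verify error %d" % err)
    where = "leaf" if depth == 0 else "chain depth %d" % depth
    return "%s at %s (subject %s, issuer %s)" % (what, where, subject, issuer)


# Constructed config snippets: the two workarounds named in this thread beside
# settings that keep server authentication on.
LDAP_CONF_WORKAROUND = "TLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT never\n"
LDAP_CONF_HARDENED = "TLS_CACERT /etc/openldap/cacerts/My_ROOT_CA.pem\nTLS_REQCERT demand\n"
RADIUS_LDAP_WORKAROUND = 'tls {\n\trequire_cert = "allow"\n}\n'
RADIUS_LDAP_HARDENED = 'tls {\n\trequire_cert = "demand"\n}\n'

UNSAFE = ("never", "allow")   # both proceed with a server the client could not verify


def audit_tls_settings(ldap_conf, radius_ldap):
    """Return findings for settings that silently disable server verification."""
    findings = []
    m = re.search(r"^\s*TLS_REQCERT\s+(\S+)", ldap_conf, re.M)
    if m and m.group(1).lower() in UNSAFE:
        findings.append("ldap.conf: TLS_REQCERT %s disables server certificate checks" % m.group(1))
    m = re.search(r'require_cert\s*=\s*"?(\w+)"?', radius_ldap)
    if m and m.group(1).lower() in UNSAFE:
        findings.append("freeradius ldap module: require_cert = %s accepts unverified servers" % m.group(1))
    return findings


if __name__ == "__main__":
    print(diagnose(TRACE))
    for finding in audit_tls_settings(LDAP_CONF_WORKAROUND, RADIUS_LDAP_WORKAROUND):
        print("finding:", finding)
```

The trace reads as an issuer lookup failing at depth 1, i.e. the root CA not being found in the store, which matches the ktrace observation that TLS_CACERTDIR was never read; with the libressl-side cause fixed as Stuart describes, the audit is there to catch a TLS_REQCERT never or require_cert = "allow" that was left behind, since either one lets the client bind to an unauthenticated server.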





Re: OSPF and CARP interfaces

2020-12-22 Thread openbsd
Hello,

The fix recommended by Remi works great. Can we have this as an official
patch?

Why I am not using it as Claudio recommends is that vlan20 in my case also
is a transit vlan like vlan21 so it cannot be a passive interface. From the
docs I understand that having carp listed as an interface will force it
into passive mode. I should have mentioned this in my original email, sorry
about that.

All in all, the current snapshot seems to do what the documentation says in terms
of "depend on". The stable 6.8 does not, so a patch is warranted, I think.

On Tue, Dec 22, 2020 at 3:50 PM Claudio Jeker wrote:

> On Tue, Dec 22, 2020 at 02:04:27PM +0100, open...@kene.nu wrote:
> > Hello,
> > I am seeing what I deem to be unexpected behavior with ospfd and depending
> > on carp interfaces.
> > Running 6.8 with latest patches applied on all three routers.
> >
> > # uname -a
> > OpenBSD extfw1.lab.kambi.com 6.8 GENERIC.MP#2 amd64
> >
> > My setup is as following;
> > Two openbsd boxes (FW1 and FW2) acting as a firewall pair sharing carp
> > interfaces.
> > Single openbsd box (R1) that in this instance acts as a client trying to
> > reach servers that are reachable via the FWs.
> > VLan20 (actually carp20) is my nexthop (BGP wise) to reach any networks
> > behind the FW pair.
> > VLan21 is the link network between all the three boxes. The FWs share a
> > carp21 interface.
> >
> > My FW ospfd.conf (same on all three boxes apart from the "depend on" which
> > is absent from R1):
> > router-id 
> >
> > area 0.0.0.0 {
> >         interface lo1
> >         interface vlan20 {
> >                 depend on carp20
> >         }
> >         interface vlan21 {
> >                 depend on carp21
> >         }
> > }
>
> I would change the config to just use
>
> area 0.0.0.0 {
>         interface lo1
>         interface carp20
>         interface vlan21
> }
>
> This way the network on vlan20/carp20 will be announced depending on the
> carp state with the backup system announcing the same route with a high
> metric. There is no need to use "depend on" for such a simple case.
>
> For vlan21 I would not do that since there you want reachability in any
> case especially if you announce BGP networks on the firewalls with the
> carp21 address (instead of the default vlan21 one).
>
> > Carp20:
> > root@FW1:~ # ifconfig carp20 | grep inet
> > inet 172.30.9.21 netmask 0xfff0 broadcast 172.30.9.31
> >
> > Now to the strange part. I see that the selected route in R1 points to FW1
> > even though carp20/21 on FW1 is in state BACKUP. No matter what I do, apart
> > from setting static metrics, ospfd on R1 always selects FW1 as nexthop.
> > root@FW1:~ # ifconfig vlan21 | grep inet
> > inet 172.30.9.34 netmask 0xfff0 broadcast 172.30.9.47
> > root@FW1:~ # ifconfig carp20 | grep carp:
> > carp: BACKUP carpdev vlan20 vhid 1 advbase 1 advskew 10
> > root@FW1:~ # ifconfig carp21 | grep carp:
> > carp: BACKUP carpdev vlan21 vhid 1 advbase 1 advskew 10
> >
> > root@FW2:~ # ifconfig vlan21 | grep inet
> > inet 172.30.9.35 netmask 0xfff0 broadcast 172.30.9.47
> > root@FW2:~ # ifconfig carp20 | grep carp:
> > carp: MASTER carpdev vlan20 vhid 1 advbase 1 advskew 100
> > root@FW2:~ # ifconfig carp21 | grep carp:
> > carp: MASTER carpdev vlan21 vhid 1 advbase 1 advskew 100
> >
> > root@R1:~ # ospfctl sh
> > Neighbor ID     Pri State        DeadTime Address         Iface  Uptime
> > 172.30.9.4      1   FULL/OTHER   00:00:38 172.30.9.35     vlan21 00:21:33
> > 172.30.9.3      1   FULL/BCKUP   00:00:38 172.30.9.34     vlan21 00:22:14
> >
> > root@R1:~ # ospfctl sh fib | grep 172.30.9.16/2
> > *O   32 172.30.9.16/28   172.30.9.34
> > *O   32 172.30.9.16/28   172.30.9.35
> >
> > root@R1:~ # ospfctl sh rib | grep 172.30.9.16/2
> > 172.30.9.16/28   172.30.9.34   Intra-Area   Network   20   00:30:33
> > 172.30.9.16/28   172.30.9.35   Intra-Area   Network   20   00:29:56
> >
> > root@R1:~ # route -n get 172.30.9.21
> >    route to: 172.30.9.21
> > destination: 172.30.9.16
> >        mask: 255.255.255.240
> >     gateway: 172.30.9.34
> >   interface: vlan21
> >  if address: 172.30.9.37
> >    priority: 32 (ospf)
> >       flags: 
> >      use       mtu    expire
> >       11         0         0
> >
> > As seen above R1 selects 172.30.9.34 as the nexthop based on ospf which is
> > wrong. It should be 172.30.9.35 as FW2 is carp master for carp20/21. What I
> > in the end want to achieve is that the router with carp20/21 MASTER should
> > be the preferred carp20 nexthop. An assumption can be made that carp20/21
> > will always have the same FW as master in my case.
>
> --
> :wq Claudio
>


6.8 openldap and SSL/TLS problem after upgrade

2020-12-22 Thread Kapetanakis Giannis
Hi,

After upgrading to 6.8-release I can no longer connect to my ldap server with 
openldap and SSL/TLS.
I'm using a self signed root CA to sign LDAP server's certificate.

/etc/openldap/ldap.conf has:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand

# /usr/local/bin/ldapsearch -d9 -x (openldap client)
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Even setting TLS_CACERT does not fix it, only making 
TLS_REQCERT never

TLS_CACERTDIR has pem certificates and links with them with hashes

ktrace does not show any reads on TLS_CACERTDIR

bbbf0019.0@ -> My_ROOT_CA.asc
My_ROOT_CA.asc@ -> My_ROOT_CA.pem

Apparently this also breaks freeradius which seems logical.

Thanks,

G



Re: OSPF and CARP interfaces

2020-12-22 Thread Claudio Jeker
On Tue, Dec 22, 2020 at 02:04:27PM +0100, open...@kene.nu wrote:
> Hello,
> I am seeing what I deem to be unexpected behavior with ospfd and depending
> on carp interfaces.
> Running 6.8 with latest patches applied on all three routers.
> 
> # uname -a
> OpenBSD extfw1.lab.kambi.com 6.8 GENERIC.MP#2 amd64
> 
> My setup is as following;
> Two openbsd boxes (FW1 and FW2) acting as a firewall pair sharing carp
> interfaces.
> Single openbsd box (R1) that in this instance acts as a client trying to
> reach servers that are reachable via the FWs.
> VLan20 (actually carp20) is my nexthop (BGP wise) to reach any networks
> behind the FW pair.
> VLan21 is the link network between all the three boxes. The FWs share a
> carp21 interface.
> 
> My FW ospfd.conf (same on all three boxes apart from the "depend on" which
> is absent from R1):
> router-id 
> 
> area 0.0.0.0 {
>         interface lo1
>         interface vlan20 {
>                 depend on carp20
>         }
>         interface vlan21 {
>                 depend on carp21
>         }
> }

I would change the config to just use

area 0.0.0.0 {
        interface lo1
        interface carp20
        interface vlan21
}

This way the network on vlan20/carp20 will be announced depending on the
carp state with the backup system announcing the same route with a high
metric. There is no need to use "depend on" for such a simple case.

For vlan21 I would not do that since there you want reachability in any
case especially if you announce BGP networks on the firewalls with the
carp21 address (instead of the default vlan21 one).
 
> Carp20:
> root@FW1:~ # ifconfig carp20 | grep inet
> inet 172.30.9.21 netmask 0xfff0 broadcast 172.30.9.31
> 
> Now to the strange part. I see that the selected route in R1 points to FW1
> even though carp20/21 on FW1 is in state BACKUP. No matter what I do, apart
> from setting static metrics, ospfd on R1 always selects FW1 as nexthop.
> root@FW1:~ # ifconfig vlan21 | grep inet
> inet 172.30.9.34 netmask 0xfff0 broadcast 172.30.9.47
> root@FW1:~ # ifconfig carp20 | grep carp:
> carp: BACKUP carpdev vlan20 vhid 1 advbase 1 advskew 10
> root@FW1:~ # ifconfig carp21 | grep carp:
> carp: BACKUP carpdev vlan21 vhid 1 advbase 1 advskew 10
> 
> root@FW2:~ # ifconfig vlan21 | grep inet
> inet 172.30.9.35 netmask 0xfff0 broadcast 172.30.9.47
> root@FW2:~ # ifconfig carp20 | grep carp:
> carp: MASTER carpdev vlan20 vhid 1 advbase 1 advskew 100
> root@FW2:~ # ifconfig carp21 | grep carp:
> carp: MASTER carpdev vlan21 vhid 1 advbase 1 advskew 100
> 
> root@R1:~ # ospfctl sh
> Neighbor ID     Pri State        DeadTime Address         Iface  Uptime
> 172.30.9.4      1   FULL/OTHER   00:00:38 172.30.9.35     vlan21 00:21:33
> 172.30.9.3      1   FULL/BCKUP   00:00:38 172.30.9.34     vlan21 00:22:14
> 
> root@R1:~ # ospfctl sh fib | grep 172.30.9.16/2
> *O   32 172.30.9.16/28   172.30.9.34
> *O   32 172.30.9.16/28   172.30.9.35
> 
> root@R1:~ # ospfctl sh rib | grep 172.30.9.16/2
> 172.30.9.16/28   172.30.9.34   Intra-Area   Network   20   00:30:33
> 172.30.9.16/28   172.30.9.35   Intra-Area   Network   20   00:29:56
> 
> root@R1:~ # route -n get 172.30.9.21
>    route to: 172.30.9.21
> destination: 172.30.9.16
>        mask: 255.255.255.240
>     gateway: 172.30.9.34
>   interface: vlan21
>  if address: 172.30.9.37
>    priority: 32 (ospf)
>       flags: 
>      use       mtu    expire
>       11         0         0
> 
> As seen above R1 selects 172.30.9.34 as the nexthop based on ospf which is
> wrong. It should be 172.30.9.35 as FW2 is carp master for carp20/21. What I
> in the end want to achieve is that the router with carp20/21 MASTER should
> be the preferred carp20 nexthop. An assumption can be made that carp20/21
> will always have the same FW as master in my case.

-- 
:wq Claudio
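To make the point above concrete, here is an added Python model (not ospfd code and not from this thread) of how R1 ends up choosing its next hop for the vlan20 network in three cases: "depend on" demoting the backup firewall as intended, "depend on" not demoting it (which reproduces the equal cost 20 for both firewalls in the quoted RIB and the two FIB entries), and the "interface carp20" form suggested here. Assumptions of mine: the cost of a network is the advertising router's interface cost (ospfd's default 10), R1 adds its own vlan21 cost, and a demoted or backup interface advertises the maximum cost 65535 (how I read ospfd.conf(5) for "depend on"; the reply above says only "a high metric").

```python
MAX_COST = 65535       # assumed demoted/backup cost; the thread only says "high metric"
DEFAULT_COST = 10      # ospfd's default interface metric


def fw_announcement(carp_state, mode, depend_working=True, cost=DEFAULT_COST):
    """Cost one firewall advertises for the vlan20/carp20 network."""
    if mode == "depend":      # interface vlan20 { depend on carp20 }
        demoted = depend_working and carp_state == "BACKUP"
        return MAX_COST if demoted else cost
    if mode == "carp":        # interface carp20, as suggested in the reply
        return cost if carp_state == "MASTER" else MAX_COST
    raise ValueError("unknown mode %r" % mode)


def r1_nexthops(fws, mode, depend_working=True, link_cost=DEFAULT_COST):
    """Next hops R1 installs (every equal-cost one, as the quoted FIB shows) and their cost."""
    totals = {addr: link_cost + fw_announcement(state, mode, depend_working)
              for addr, state in fws.items()}
    best = min(totals.values())
    return sorted(a for a, c in totals.items() if c == best), best


# Constructed from the ifconfig output quoted in the thread: vlan21 address -> carp state.
FIREWALLS = {"172.30.9.34": "BACKUP", "172.30.9.35": "MASTER"}   # FW1, FW2


def scenarios(fws=FIREWALLS):
    """The three configurations discussed, evaluated from R1's point of view."""
    return {
        "depend on, working":      r1_nexthops(fws, "depend"),
        "depend on, not demoting": r1_nexthops(fws, "depend", depend_working=False),
        "interface carp20":        r1_nexthops(fws, "carp"),
    }


if __name__ == "__main__":
    for name, (hops, cost) in scenarios().items():
        print("%-26s cost %5d via %s" % (name, cost, ", ".join(hops)))
```

Only the middle case yields two next hops at cost 20, which is what the thread's ospfctl output shows on 6.8; in both working configurations R1 prefers the carp MASTER, and swapping the states in FIREWALLS moves the preferred next hop with it.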



Re: OSPF and CARP interfaces

2020-12-22 Thread Remi Locherer
On Tue, Dec 22, 2020 at 02:04:27PM +0100, open...@kene.nu wrote:
> Hello,
> I am seeing what I deem to be unexpected behavior with ospfd and depending
> on carp interfaces.
> Running 6.8 with latest patches applied on all three routers.
> 
> # uname -a
> OpenBSD extfw1.lab.kambi.com 6.8 GENERIC.MP#2 amd64
> 
> My setup is as following;
> Two openbsd boxes (FW1 and FW2) acting as a firewall pair sharing carp
> interfaces.
> Single openbsd box (R1) that in this instance acts as a client trying to
> reach servers that are reachable via the FWs.
> VLan20 (actually carp20) is my nexthop (BGP wise) to reach any networks
> behind the FW pair.
> VLan21 is the link network between all the three boxes. The FWs share a
> carp21 interface.
> 
> My FW ospfd.conf (same on all three boxes apart from the "depend on" which
> is absent from R1):
> router-id 
> 
> area 0.0.0.0 {
>         interface lo1
>         interface vlan20 {
>                 depend on carp20
>         }
>         interface vlan21 {
>                 depend on carp21
>         }
> }
> 
> Carp20:
> root@FW1:~ # ifconfig carp20 | grep inet
> inet 172.30.9.21 netmask 0xfff0 broadcast 172.30.9.31
> 
> Now to the strange part. I see that the selected route in R1 points to FW1
> even though carp20/21 on FW1 is in state BACKUP. No matter what I do, apart
> from setting static metrics, ospfd on R1 always selects FW1 as nexthop.
> root@FW1:~ # ifconfig vlan21 | grep inet
> inet 172.30.9.34 netmask 0xfff0 broadcast 172.30.9.47
> root@FW1:~ # ifconfig carp20 | grep carp:
> carp: BACKUP carpdev vlan20 vhid 1 advbase 1 advskew 10
> root@FW1:~ # ifconfig carp21 | grep carp:
> carp: BACKUP carpdev vlan21 vhid 1 advbase 1 advskew 10
> 
> root@FW2:~ # ifconfig vlan21 | grep inet
> inet 172.30.9.35 netmask 0xfff0 broadcast 172.30.9.47
> root@FW2:~ # ifconfig carp20 | grep carp:
> carp: MASTER carpdev vlan20 vhid 1 advbase 1 advskew 100
> root@FW2:~ # ifconfig carp21 | grep carp:
> carp: MASTER carpdev vlan21 vhid 1 advbase 1 advskew 100
> 
> root@R1:~ # ospfctl sh
> Neighbor ID     Pri State        DeadTime Address         Iface  Uptime
> 172.30.9.4      1   FULL/OTHER   00:00:38 172.30.9.35     vlan21 00:21:33
> 172.30.9.3      1   FULL/BCKUP   00:00:38 172.30.9.34     vlan21 00:22:14
> 
> root@R1:~ # ospfctl sh fib | grep 172.30.9.16/2
> *O   32 172.30.9.16/28   172.30.9.34
> *O   32 172.30.9.16/28   172.30.9.35
> 
> root@R1:~ # ospfctl sh rib | grep 172.30.9.16/2
> 172.30.9.16/28   172.30.9.34   Intra-Area   Network   20   00:30:33
> 172.30.9.16/28   172.30.9.35   Intra-Area   Network   20   00:29:56
> 
> root@R1:~ # route -n get 172.30.9.21
>    route to: 172.30.9.21
> destination: 172.30.9.16
>        mask: 255.255.255.240
>     gateway: 172.30.9.34
>   interface: vlan21
>  if address: 172.30.9.37
>    priority: 32 (ospf)
>       flags: 
>      use       mtu    expire
>       11         0         0
> 
> As seen above R1 selects 172.30.9.34 as the nexthop based on ospf which is
> wrong. It should be 172.30.9.35 as FW2 is carp master for carp20/21. What I
> in the end want to achieve is that the router with carp20/21 MASTER should
> be the preferred carp20 nexthop. An assumption can be made that carp20/21
> will always have the same FW as master in my case.

Can you test if it works as expected with current?

I think you are affected by a bug fixed by dlg with this commit:
https://marc.info/?l=openbsd-cvs&m=160427701605657&w=2



OSPF and CARP interfaces

2020-12-22 Thread openbsd
Hello,
I am seeing what I deem to be unexpected behavior with ospfd and depending
on carp interfaces.
Running 6.8 with latest patches applied on all three routers.

# uname -a
OpenBSD extfw1.lab.kambi.com 6.8 GENERIC.MP#2 amd64

My setup is as following;
Two openbsd boxes (FW1 and FW2) acting as a firewall pair sharing carp
interfaces.
Single openbsd box (R1) that in this instance acts as a client trying to
reach servers that are reachable via the FWs.
VLan20 (actually carp20) is my nexthop (BGP wise) to reach any networks
behind the FW pair.
VLan21 is the link network between all the three boxes. The FWs share a
carp21 interface.

My FW ospfd.conf (same on all three boxes apart from the "depend on" which
is absent from R1):
router-id 

area 0.0.0.0 {
        interface lo1
        interface vlan20 {
                depend on carp20
        }
        interface vlan21 {
                depend on carp21
        }
}

Carp20:
root@FW1:~ # ifconfig carp20 | grep inet
inet 172.30.9.21 netmask 0xfff0 broadcast 172.30.9.31

Now to the strange part. I see that the selected route in R1 points to FW1
even though carp20/21 on FW1 is in state BACKUP. No matter what I do, apart
from setting static metrics, ospfd on R1 always selects FW1 as nexthop.
root@FW1:~ # ifconfig vlan21 | grep inet
inet 172.30.9.34 netmask 0xfff0 broadcast 172.30.9.47
root@FW1:~ # ifconfig carp20 | grep carp:
carp: BACKUP carpdev vlan20 vhid 1 advbase 1 advskew 10
root@FW1:~ # ifconfig carp21 | grep carp:
carp: BACKUP carpdev vlan21 vhid 1 advbase 1 advskew 10

root@FW2:~ # ifconfig vlan21 | grep inet
inet 172.30.9.35 netmask 0xfff0 broadcast 172.30.9.47
root@FW2:~ # ifconfig carp20 | grep carp:
carp: MASTER carpdev vlan20 vhid 1 advbase 1 advskew 100
root@FW2:~ # ifconfig carp21 | grep carp:
carp: MASTER carpdev vlan21 vhid 1 advbase 1 advskew 100

root@R1:~ # ospfctl sh
Neighbor ID     Pri State        DeadTime Address         Iface  Uptime
172.30.9.4      1   FULL/OTHER   00:00:38 172.30.9.35     vlan21 00:21:33
172.30.9.3      1   FULL/BCKUP   00:00:38 172.30.9.34     vlan21 00:22:14

root@R1:~ # ospfctl sh fib | grep 172.30.9.16/2
*O   32 172.30.9.16/28   172.30.9.34
*O   32 172.30.9.16/28   172.30.9.35

root@R1:~ # ospfctl sh rib | grep 172.30.9.16/2
172.30.9.16/28   172.30.9.34   Intra-Area   Network   20   00:30:33
172.30.9.16/28   172.30.9.35   Intra-Area   Network   20   00:29:56

root@R1:~ # route -n get 172.30.9.21
   route to: 172.30.9.21
destination: 172.30.9.16
       mask: 255.255.255.240
    gateway: 172.30.9.34
  interface: vlan21
 if address: 172.30.9.37
   priority: 32 (ospf)
      flags: 
     use       mtu    expire
      11         0         0

As seen above R1 selects 172.30.9.34 as the nexthop based on ospf which is
wrong. It should be 172.30.9.35 as FW2 is carp master for carp20/21. What I
in the end want to achieve is that the router with carp20/21 MASTER should
be the preferred carp20 nexthop. An assumption can be made that carp20/21
will always have the same FW as master in my case.


Re: Enhancing Privacy in 2020 attached screenshot

2020-12-22 Thread Stuart Longland
On 22/12/20 10:18 am, pipus wrote:
> First rule Dunning-Kruger club is to … [ snip telegraphic diarrhoea ]
> 
> Interesting 28 public and private emails protecting Stuart  … [ snip 
> telegraphic diarrhoea ]

Seriously, grow up.  It is said that empty vessels make the most sound,
and you've made more than enough noise.

> Australia is nearing a totalitarian state, … [ snip more telegraphic 
> diarrhoea ]

… and?  Unless you live here, that's our problem to deal with and not
yours.  I look around at other places that are world-wide accepted as
totalitarian states, and this one really doesn't seem that totalitarian
in comparison.

In any case, such discussions are irrelevant here.  There's a file,
/dev/null, that you might want to send this diatribe to.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Wireguard - VPN up after reboot

2020-12-22 Thread Salvatore Cuzzilla
Hi Everyone,

I'm happily using 'Wireguard' to setup few VPNs.
I store the required configuration within /etc/hostname.wg0 & I start up the 
tunnel with 'doas sh /etc/netstart wg0'.

Everything is working like expected. 
However, upon system reload the connectivity is lost.
The wg0 interface comes up but the tunnel stays in a sort of 'waiting'
state.

The only way I figured out to bring it up is either re-launching 'doas sh 
/etc/netstart wg0' or pinging the tunnel default gateway.

Is there any decent/clean way to avoid manual intervention?

---
:wq,
Salvatore.



Re: OpenBSD Monitor Sleep No Response

2020-12-22 Thread telsh

Hi Ben,
I do have the same issue and though I was able to find neither a root 
cause nor even some helpful logs, this is the workaround that doesn't 
bother me too much:
The power save features are all turned off, the monitor does not blank 
or turn off at all, and as soon as I want to lock the screen, I pull the 
power plug of the monitor after locking it.


When I want to continue to work, I press CTRL and enter the password, 
then plug the power of the monitor back in. And then I'm back at the 
desktop...


Sounds a bit complicated, but as written, I am not even sure where the 
issue happens and I suspect the monitor behaving badly as I did not have 
that kind of issue in the past.


Hope this helps and kind regards,
telsh

On 21.12.20 03:26, ben wrote:

Hello, misc;

I've been having an issue with my OpenBSD install, specifically when the system
turns off the monitor after a period of no use. After the monitor goes blank I
can't start using the machine again and must restart; that is, after a keypress
and mouse movement the system does not show anything on the monitor. I suspect
something is wrong due to hardware. I've checked the logs, nothing seems to be
off. I've turned off apmd so as not to interfere with power management and still no
response after the monitor goes to sleep.

Here's a list of the hardware:

  - AMD Ryzen 5 3400G Processor
  - Asus Prime B550M-A/CSM Motherboard
  - Radeon RX 580 POLARIS10 GPU

Has anyone else experienced any issues like this? Is there still no support
for polaris GPUs? Thank you in advance.


Ben Raskin