ikectl ca and subjectAltName for IKEv2 VPNs
Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The subjectAltName can be the same as the CN; it just has to be present.

Questions about this:

1. Does the 'ikectl ca certificate create' command support creation of X.509 certs with a subjectAltName defined in addition to the CN? If so, what's the syntax?

2. Can a separate standalone CA just create the certs with the necessary SAN fields? Is it as easy as just dropping the root cert, the client certs, and keys in these respective directories?

/etc/iked/ca
/etc/iked/certs
/etc/iked/private

If not, what else is needed?

Thanks!
dn

* https://discussions.apple.com/thread/250760557
Re: GCC only on OpenBSD adds -L/usr/lib as prefix, why? Re: OpenBSD: Failing to link custom libpng to custom libz, any thoughts how fix?
On Wednesday, 3 March 2021 19:20, Marc Espie wrote:

> On Wed, Mar 03, 2021 at 06:10:22PM +, Bob wrote:
>
> > Does that -L/usr/lib really need to be in the leading position???
>
> I have zero idea how to do that purely in specs. Have fun tinkering.
>
> This is probably something we'll adopt but low priority.

Hi Marc,

Thank you a lot for confirming. I am talking to Jonathan at the GCC mailing list, and hope to have figured out soon how to have the -L/usr/lib moved from the beginning to the end through a change to the spec file. Will share outcome here.

Ref. https://gcc.gnu.org/pipermail/gcc/2021-March/234927.html

> > - Where is GCC's default specs file say for AMD64/i386?
>
> somewhere under /usr/lib/gcc-lib or /usr/local/lib/gcc-lib
>
> you can get gcc to spew it out with -dumpspecs.
>
> > - Using what environment variable or GCC command line argument do
> > I specify an alternative one?
>
> Oh come on, just read the man page and /spec :)
>
> -specs=file is fairly prominent.
Re: GCC only on OpenBSD adds -L/usr/lib as prefix, why? Re: OpenBSD: Failing to link custom libpng to custom libz, any thoughts how fix?
On Wednesday, 3 March 2021 16:21, Marc Espie wrote:

> Do you have some actual reason to use gcc for that project instead of
> clang ?...
...
> But again: why gcc ?

Hi Marc,

Thank you very much for responding.

I am in a special code project that is centered around unique GCC features and I can absolutely not move to clang now without enduring great pains. I hope that clang will have some tweaks so that I can move to it, however expectably it will take clang 2-3 years to do that. Indeed my situation is slightly uncommon.

> it's been a long time since I've last looked at gcc, we've moved to clang
> a few years ago for the most part. gcc is mostly there for the legacy
> architectures that do not have clang support.
>
> Oh, I remember now, it's because of ld.lld, the linker from clang.
> see, that one does not link with /usr/lib by default, which tends to break
> everything.

Thank you very much for clarifying why OpenBSD GCC adds a -L/usr/lib to LD that GCC on other platforms does not have.

Here is an immediate follow-up question:

Does that -L/usr/lib really need to be in the leading position???

I'm asking myself if adding it in the leading position was even deliberate. Also was it maybe just a convenient choice due to some technicality of spec file syntax, such.

What I see clang do both on OpenBSD and other platforms, and GCC do on other platforms, is that they do add -L/usr/lib to LD, but they do it in the trailing position.

Would doing so be fine for the purpose you just described, also?

If it would be fine, what about actually moving OpenBSD's GCC (bundled & port) to do that?

For completeness, here is example output of clang on OpenBSD:

$ echo "int main(){}">t.c; clang -c -o t.o t.c ; clang -o t t.o -LMYDIRTEST -Wl,-v --verbose
OpenBSD clang version 8.0.1 (tags/RELEASE_801/final) (based on LLVM 8.0.1)
Target: amd64-unknown-openbsd6.7
Thread model: posix
InstalledDir: /usr/bin
 "/usr/bin/ld" -e __start --eh-frame-hdr -Bdynamic -dynamic-linker /usr/libexec/ld.so -o t /usr/bin/../lib/crt0.o /usr/bin/../lib/crtbegin.o -LMYDIRTEST -L/usr/bin/../lib -L/usr/lib t.o -v -lcompiler_rt -lc -lcompiler_rt /usr/bin/../lib/crtend.o
LLD 8.0.1 (compatible with GNU linkers)

As you see, clang adds -L/usr/lib too (in the form "-L/usr/bin/../lib"), however does so in trailing position.

Here is what GCC on Debian does:

$ gcc -v
[..]
gcc version 8.3.0 (Debian 8.3.0-6)
$ echo "int main(){}">t.c; gcc -c -o t.o t.c ; gcc -o t t.o -LMYDIRTEST -Wl,-v
collect2 version 8.3.0
/usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/8/liblto_plugin.so -plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper -plugin-opt=-fresolution=/tmp/ccd7waom.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id --eh-frame-hdr -m elf_x86_64 --hash-style=gnu -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -o t /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/8/crtbeginS.o -LMYDIRTEST -L/usr/lib/gcc/x86_64-linux-gnu/8 -L/usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/8/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/8/../../.. t.o -v -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/8/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crtn.o
GNU ld (GNU Binutils for Debian) 2.31.1

As you see it does just the same as clang: it adds -L/usr/lib, however in trailing position.

> Note that you don't have to recompile gcc to change that: the specs file
> is where the magic happens, and hey, you can specify a new one on the command
> line, so you just need to copy and change.

Brilliant, also thanks for pointing out. To navigate this question,

* Where is GCC's default specs file say for AMD64/i386?

* Using what environment variable or GCC command line argument do I specify an alternative one?

> as far as -L goes you've got a lot of choices, between linking directly to
> the .so, linking with --nostdlib and putting back the pieces manually.

I agree there are alternatives however they come with great pains:

* Switching GCC/LD argument from "-lz" to "libz.so" indeed works, however it's very difficult to do this in other people's code, projects generally are hardwired to the "-lz" form, e.g. Boost.

* -nostdlib does many things and skipping the -L/usr/lib is only one of them. It appears an unnecessarily strong measure for what I want to achieve. If I used it, I'd need to figure out a set of additional arguments to counter all effects -nostdlib has, that I don't want.

Thus in summary altering my local GCC spec file (or if this feedback makes all
Re: GCC only on OpenBSD adds -L/usr/lib as prefix, why? Re: OpenBSD: Failing to link custom libpng to custom libz, any thoughts how fix?
On Wed, Mar 03, 2021 at 06:10:22PM +, Bob wrote:

> Does that -L/usr/lib really need to be in the leading position???

I have zero idea how to do that purely in specs. Have fun tinkering.

This is probably something we'll adopt but low priority.

> * Where is GCC's default specs file say for AMD64/i386?

somewhere under /usr/lib/gcc-lib or /usr/local/lib/gcc-lib

you can get gcc to spew it out with -dumpspecs.

> * Using what environment variable or GCC command line argument do
>   I specify an alternative one?

Oh come on, just read the man page and /spec :)

-specs=file is fairly prominent.
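The effect of -L position discussed in this thread, as an added example (not code from any poster, GCC or OpenBSD): a simplified model of the linker's library search in which the first -L directory holding lib<name>.so or lib<name>.a wins. The two `ld` command lines and the directory names in `demo()` are constructed, and versioned OpenBSD library names (libz.so.X.Y) are deliberately ignored.

```python
import os
import shlex
import tempfile


def search_dirs(ld_cmdline):
    """Return the -L directories of a linker command line, in search order."""
    args = shlex.split(ld_cmdline)
    dirs = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "-L" and i + 1 < len(args):      # "-L dir" form
            dirs.append(args[i + 1])
            i += 2
            continue
        if arg.startswith("-L") and len(arg) > 2:  # "-Ldir" form
            dirs.append(arg[2:])
        i += 1
    return dirs


def resolve(ld_cmdline, name):
    """Simplified model (assumption): first -L dir with lib<name>.so/.a wins."""
    for d in search_dirs(ld_cmdline):
        for suffix in (".so", ".a"):
            path = os.path.join(d, "lib" + name + suffix)
            if os.path.isfile(path):
                return path
    return None


def demo():
    """Build two constructed lib dirs and resolve -lz for both -L orderings."""
    with tempfile.TemporaryDirectory() as root:
        system = os.path.join(root, "usr_lib")     # stands in for /usr/lib
        custom = os.path.join(root, "custom_lib")  # stands in for a custom zlib prefix
        for d in (system, custom):
            os.makedirs(d)
            open(os.path.join(d, "libz.so"), "w").close()
        sys_l = "-L" + shlex.quote(system)
        cus_l = "-L" + shlex.quote(custom)
        leading = f"ld -o t {sys_l} {cus_l} t.o -lz"   # system dir first
        trailing = f"ld -o t {cus_l} {sys_l} t.o -lz"  # system dir last
        pick = lambda cmd: os.path.basename(os.path.dirname(resolve(cmd, "z")))
        return pick(leading), pick(trailing)


if __name__ == "__main__":
    print(demo())
```

With the system directory in leading position the custom libz is never reached; in trailing position it is found first.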
Re: 6.8 with gnome boots to xterm after upgrade
Hi Sivan,

I think you need to provide more details on your problem if you want some help at least a log from X and what is in your .xsession file. You also mentioned errors but don't say what they are. Did you upgrade the packages each time you upgraded the system?

Regards
Ed Gray

On Wed, 3 Mar 2021, 5:12 pm Sivan !, wrote:

> After sysupgrade -s, during which there were two or more automatic
> reboots, freebsd, upgraded to 6.9 booted after asking password for ssh key,
> and started with xvterm console. Startx attempted to switch to gui, but
> returned errors.
>
> Please advise.
>
> Thank you
Re: 6.8 with gnome boots to xterm after upgrade
On Wed, Mar 3, 2021, 22:38 Sivan ! wrote:

> After sysupgrade -s, during which there were two or more automatic
> reboots, freebsd,
>

OpenBSD. Sorry

> upgraded to 6.9 booted after asking password for ssh key, and started with
> xvterm console. Startx attempted to switch to gui, but returned errors.
>
> Please advise.
>
> Thank you
Re: Window Manager performance impact on applications
Hi Mihai,

What do you mean by slow moving? Are window operations like moving the window, maximizing, iconify slow or is Firefox slow performing?

If it's Firefox, I have not had any issues on 6.8 but perhaps check the pkg-readme file if you haven't already for Cwm and Firefox.

I don't know any security reason not to run fvwm 2 although it's older than others. Maybe worth confirming if this is just an issue with the last snapshot and providing more details.

Different window managers can certainly provide better general performance especially with low memory or older hardware but I'm not aware of any technical reasons why Firefox should be significantly faster with one rather than another. You'd still be using gtk either way I imagine.

Regards
Ed Gray

On Wed, 3 Mar 2021, 3:48 pm Mihai Popescu, wrote:

> Hello,
>
> Technically speaking, is it possible for a window manager to have a
> performance impact on running applications in the GUI area?
>
> Real case: I had to run firefox very fast on a fresh snapshot install, so I
> used the default fvwm instead of cwm. The graphical response is instant,
> much much better than cwm. I tried twm, firefox was slow moving too. The
> configuration for firefox is the same on all WM.
> Is it possible, or is it my imagination?
>
> If that's the case, is it advisable to run fvwm from base? Is it too old
> and should be avoided?
>
> Thank you/
6.8 with gnome boots to xterm after upgrade
After sysupgrade -s, during which there were two or more automatic reboots, freebsd, upgraded to 6.9 booted after asking password for ssh key, and started with xvterm console. Startx attempted to switch to gui, but returned errors.

Please advise.

Thank you
Window Manager performance impact on applications
Hello,

Technically speaking, is it possible for a window manager to have a performance impact on running applications in the GUI area?

Real case: I had to run firefox very fast on a fresh snapshot install, so I used the default fvwm instead of cwm. The graphical response is instant, much much better than cwm. I tried twm, firefox was slow moving too. The configuration for firefox is the same on all WM.
Is it possible, or is it my imagination?

If that's the case, is it advisable to run fvwm from base? Is it too old and should be avoided?

Thank you/
Re: GCC only on OpenBSD adds -L/usr/lib as prefix, why? Re: OpenBSD: Failing to link custom libpng to custom libz, any thoughts how fix?
Do you have some actual reason to use gcc for that project instead of clang ?...

as far as -L goes you've got a lot of choices, between linking directly to the .so, linking with --nostdlib and putting back the pieces manually.

it's been a long time since I've last looked at gcc, we've moved to clang a few years ago for the most part. gcc is mostly there for the legacy architectures that do not have clang support.

Oh, I remember now, it's because of ld.lld, the linker from clang. see, that one does not link with /usr/lib by default, which tends to break everything.

Note that you don't have to recompile gcc to change that: the specs file is where the magic happens, and hey, you can specify a new one on the command line, so you just need to copy and change.

But again: why gcc ?