ikectl ca certificate create fails due to invalid subjectAltName

2017-08-15 Thread Andrei-Marius Radu
Hello,

I'm running the latest snapshot and I've found that I cannot create
certificates with ikectl. It fails due to the fact that the request
contains an invalid subjectAltName of only 'IP:' or 'DNS:'. In turn this
is due to the fact that in the OpenSSL config file the variable names
are 'IP:$ENV::CERTIP' and 'DNS:$ENV::CERTFQDN' but in ikeca.c they
appear as only '$ENV::CERTIP' and '$ENV::CERTFQDN'.

I don't know exactly the last working version but I think that this
issue was introduced in rev 1.41 .

With the patch below creating certificates works again. If the correct
string is built in ca_request() (prefixed with 'IP:' or 'DNS:') then it
must not be deallocated at the return of ca_request(). So I thought it's
better to change ca_setenv() to make sure that any strings it puts in
ca_env will not be deallocated too soon. But I didn't want to leave any
allocations not freed so this is the reason for also changing
ca_crlenv(). Any memory leak is irrelevant since ikectl exits
immediately but in the interest of correctness ca_crlenv() should be
called if any ca_setenv() is present in the code path. If this is not
the best way to handle this situation please let me know and I can try
to redo the patch in a different manner.

Best regards,
Andrei.

IKECTL tests with the latest snapshot version:
==
root@server1 ~ $ sysctl kern.version
kern.version=OpenBSD 6.1-current (GENERIC.MP) #4: Mon Aug 14 18:51:58 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

root@server1 ~ $ ls -lsah /usr/sbin/ikectl
104 -r-xr-xr-x  1 root  bin  50.3K Aug 15 03:42 /usr/sbin/ikectl

root@server1 ~ $ ikectl ca test-vpn create
CA passphrase:
Retype CA passphrase:
Generating RSA private key, 2048 bit long modulus
.+++
.+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Lower Saxony]:
Locality Name (eg, city) [Hanover]:
Organization Name (eg, company) [OpenBSD]:
Organizational Unit Name (eg, section) [iked]:
Common Name (eg, fully qualified host name) [VPN CA]:
Email Address [r...@openbsd.org]:
Signature ok
subject=/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN CA/emailAddress=r...@openbsd.org
Getting Private key
Using configuration from /etc/ssl/test-vpn/ca-revoke-ssl.cnf

root@server1 ~ $ ikectl ca test-vpn certificate 10.1.2.3 create
Generating RSA private key, 2048 bit long modulus
..+++
.+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Lower Saxony]:
Locality Name (eg, city) [Hanover]:
Organization Name (eg, company) [OpenBSD]:
Organizational Unit Name (eg, section) [iked]:
Common Name (eg, fully qualified host name) [10.1.2.3]:
Email Address [r...@openbsd.org]:
Using configuration from /etc/ssl/test-vpn/10.1.2.3-ssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName   :PRINTABLE:'DE'
stateOrProvinceName   :ASN.1 12:'Lower Saxony'
localityName  :ASN.1 12:'Hanover'
organizationName  :ASN.1 12:'OpenBSD'
organizationalUnitName:ASN.1 12:'iked'
commonName:ASN.1 12:'10.1.2.3'
emailAddress  :IA5STRING:'r...@openbsd.org'
ERROR: adding extensions in section x509v3_IPAddr
13531723566432:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
13531723566432:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
13531723566432:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=IP:

root@server1 ~ $ ikectl ca test-vpn certificate test-client.test-vpn.net create
Generating RSA private key, 2048 bit long modulus
.+++
+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few 
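
An added pre-flight check for the failure this report shows (example code, not ikectl's or OpenBSD's): it expands OpenSSL-style $ENV:: references the way the generated config would and rejects a subjectAltName whose value is empty, the case openssl reports as "invalid null value". The function names expand_env, validate_san, san_error and san_for are my own, and modelling an unset variable as the empty string is an assumption made to reproduce the bare "IP:" seen above.

```python
import ipaddress
import re

# RFC 1123 host label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def expand_env(template, env):
    """Expand OpenSSL-style $ENV::NAME references from the mapping. Assumption for this
    demo: an unset name becomes "", so 'IP:$ENV::CERTIP' collapses to the bare 'IP:'."""
    return re.sub(r"\$ENV::(\w+)", lambda m: env.get(m.group(1), ""), template)

def validate_san(san):
    """Parse 'IP:10.1.2.3,DNS:host.example' into (type, value) pairs, raising ValueError
    for what openssl rejects: missing prefix, empty value, bad address, bad DNS name."""
    entries = []
    for raw in san.split(","):
        item = raw.strip()
        if ":" not in item:
            raise ValueError(f"missing type prefix in {item!r}")
        kind, _, val = item.partition(":")  # split at the first colon only, so IPv6 survives
        kind, val = kind.strip().upper(), val.strip()
        if not val:
            raise ValueError(f"invalid null value for {kind}:")  # the failure in this report
        if kind == "IP":
            ipaddress.ip_address(val)  # ValueError on anything that is not an address
        elif kind == "DNS":
            labels = val.rstrip(".").split(".")
            if len(val) > 253 or not all(_LABEL.match(lab) for lab in labels):
                raise ValueError(f"invalid DNS name {val!r}")
        else:
            raise ValueError(f"unsupported SAN type {kind!r}")
        entries.append((kind, val))
    return entries

def san_error(san):
    """Return the validation error for a SAN string, or None when it is acceptable."""
    try:
        validate_san(san)
        return None
    except ValueError as exc:
        return str(exc)

def san_for(name):
    """The entry ikectl intends for a certificate name: 'IP:' for an address, else 'DNS:'."""
    try:
        ipaddress.ip_address(name)
        return f"IP:{name}"
    except ValueError:
        return f"DNS:{name}"
```

Calling san_error(expand_env("IP:$ENV::CERTIP", {})) reproduces the "invalid null value" condition without invoking openssl, which makes it usable as a guard before the request is generated.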

Re: bsd.rd not bringing up all vlans during upgrade

2017-08-15 Thread Johan Huldtgren
For the archives I can confirm that this has been fixed, presumably
by this commit

http://marc.info/?l=openbsd-cvs=150217645202029=2

thanks,

.jh

On 2017/07/28 23:38, Johan Huldtgren wrote:
> hello,
> 
> I have a host which has multiple vlan(4) configured. When I go to upgrade
> with the latest bsd.rd (and several prior) after I enter which mirror to
> fetch the sources from it simply hangs and nothing happens. If I ctrl-c
> out and do an 'ifconfig' only one vlan (not the one I need to reach out)
> will appear. It looks like this:
> 
> Welcome to the OpenBSD/amd64 6.1 installation program.
> (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? u
> At any prompt except password prompts you can escape to a shell by
> typing '!'. Default answers are shown in []'s and are selected by
> pressing RETURN.  You can exit this program at any time by pressing
> Control-C, but this can leave your system in an inconsistent state.
> 
> Terminal type? [vt220]
> Available disks are: sd0.
> Which disk is the root disk? ('?' for details) [sd0]
> Checking root filesystem (fsck -fp /dev/sd0a)...OK.
> Mounting root filesystem (mount -o ro /dev/sd0a /mnt)...OK.
> Force checking of clean non-root filesystems? [no]
> fsck -p 6fb9381c12ea5fc1.i...OK.
> fsck -p 6fb9381c12ea5fc1.f...OK.
> fsck -p 6fb9381c12ea5fc1.g...OK.
> fsck -p 6fb9381c12ea5fc1.h...OK.
> fsck -p 6fb9381c12ea5fc1.e...OK.
> /dev/sd0a (6fb9381c12ea5fc1.a) on /mnt type ffs (rw, local)
> /dev/sd0i (6fb9381c12ea5fc1.i) on /mnt/home type ffs (rw, local, nodev, nosuid)
> /dev/sd0f (6fb9381c12ea5fc1.f) on /mnt/usr type ffs (rw, local, nodev)
> /dev/sd0g (6fb9381c12ea5fc1.g) on /mnt/usr/X11R6 type ffs (rw, local, nodev)
> /dev/sd0h (6fb9381c12ea5fc1.h) on /mnt/usr/local type ffs (rw, local, nodev)
> /dev/sd0e (6fb9381c12ea5fc1.e) on /mnt/var type ffs (rw, local, nodev, nosuid)
> 
> Let's upgrade the sets!
> Location of sets? (disk http or 'done') [http]
> HTTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]
> HTTP Server? (hostname, list#, 'done' or '?') [ftp.openbsd.org] ftp4.usa.openbsd.org
> Server directory? [pub/OpenBSD/snapshots/amd64]
> ^C
> 
> 
> # ifconfig
> lo0: flags=8049 mtu 32768
> llprio 3
> groups: lo
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> inet 127.0.0.1 netmask 0xff00
> em0: flags=8843 mtu 1500
> lladdr 00:00:24:d1:ad:60
> llprio 3
> groups: egress
> media: Ethernet autoselect (1000baseT full-duplex,master)
> status: active
> inet 172.16.0.3 netmask 0xff00 broadcast 172.16.0.255
> em1: flags=8843 mtu 1500
> lladdr 00:00:24:d1:ad:61
> llprio 3
> media: Ethernet autoselect (1000baseT full-duplex,master)
> status: active
> em2: flags=8843 mtu 1500
> lladdr 00:00:24:d1:ad:62
> llprio 3
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> em3: flags=8843 mtu 1500
> lladdr 00:00:24:d1:ad:63
> llprio 3
> media: Ethernet autoselect (1000baseT full-duplex,master)
> status: active
> vlan666: flags=8843 mtu 1500
> lladdr 00:00:24:d1:ad:63
> llprio 3
> encap: vnetid 666 parent em3
> groups: vlan
> media: Ethernet autoselect (1000baseT full-duplex,master)
> status: active
> inet 10.66.66.3 netmask 0xff00 broadcast 10.66.66.255
> #
> 
> Rebooting, this is what an ifconfig normally looks like:
> 
> $ ifconfig
> lo0: flags=8049 mtu 32768
> index 6 priority 0 llprio 3
> groups: lo
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
> inet 127.0.0.1 netmask 0xff00
> em0: flags=8b43 mtu 1500
> lladdr 00:00:24:d1:ad:60
> index 1 priority 0 llprio 3
> groups: egress
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> inet 172.16.0.3 netmask 0xff00 broadcast 172.16.0.255
> em1: flags=8b43 mtu 1500
> lladdr 00:00:24:d1:ad:61
> index 2 priority 0 llprio 3
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> em2: flags=8b43 mtu 1500
> lladdr 00:00:24:d1:ad:62
> index 3 priority 0 llprio 3
> media: Ethernet autoselect (1000baseT full-duplex,master)
> status: active
> em3: flags=8b43 mtu 1500
> lladdr 00:00:24:d1:ad:63
> index 4 priority 0 llprio 3
> 

Re: fortune: Winston Churchill typo

2017-08-15 Thread Theo Buehler
On Tue, Aug 15, 2017 at 11:07:32AM -0500, Scott Cheloha wrote:
> Due to something like the Echo Effect this particular typo has been
> picked up from our collection by various online fortune/quote collections
> and spread from there.

Fixed, thanks
> 
> --
> Scott Cheloha
> 
> Index: games/fortune/datfiles/fortunes
> ===
> RCS file: /cvs/src/games/fortune/datfiles/fortunes,v
> retrieving revision 1.51
> diff -u -p -r1.51 fortunes
> --- games/fortune/datfiles/fortunes   13 Jul 2017 02:45:56 -  1.51
> +++ games/fortune/datfiles/fortunes   15 Aug 2017 16:02:53 -
> @@ -8464,7 +8464,7 @@ Lunatic Asylum, n.:
>  %
>  Lysistrata had a good idea.
>  %
> -"MacDonald has the gift on compressing the largest amount of words into
> +"MacDonald has the gift of compressing the largest amount of words into
>  the smallest amount of thoughts."
>   -- Winston Churchill
>  %
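Review bot: Nothing to change in this hunk: the only edit is the one-word fix from "on" to "of" in the first quoted line, the three context lines on either side are untouched, and the header matches revision 1.51 as retrieved, so it applies cleanly.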
> 



Re: Failing resume from hibernate (IntelDRM related?)

2017-08-15 Thread Theo de Raadt
>> after a discussion with semarie@ on #openbsd, the point here is that in
>> /etc/rc we have:
>> 
>> ln -fh /bsd /bsd.booted
>> 
>> so in order to be compatible with current KARL/hibernation/resume mechanism,
>> the booted kernel *must* be called "/bsd".

When people push enough buttons, they will eventually hit something
undocumented.

That may seem terribly sad, but it would be worse if the documentation
turned into a garbage pit.  I'd rather we remove options that people
misuse, than document the consequences of combining lots of choices.



fortune: Winston Churchill typo

2017-08-15 Thread Scott Cheloha
Due to something like the Echo Effect this particular typo has been
picked up from our collection by various online fortune/quote collections
and spread from there.

--
Scott Cheloha

Index: games/fortune/datfiles/fortunes
===
RCS file: /cvs/src/games/fortune/datfiles/fortunes,v
retrieving revision 1.51
diff -u -p -r1.51 fortunes
--- games/fortune/datfiles/fortunes 13 Jul 2017 02:45:56 -  1.51
+++ games/fortune/datfiles/fortunes 15 Aug 2017 16:02:53 -
@@ -8464,7 +8464,7 @@ Lunatic Asylum, n.:
 %
 Lysistrata had a good idea.
 %
-"MacDonald has the gift on compressing the largest amount of words into
+"MacDonald has the gift of compressing the largest amount of words into
 the smallest amount of thoughts."
-- Winston Churchill
 %
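Review bot: In this copy the context line `-- Winston Churchill` has lost the leading space that marks an unchanged line in unified-diff format, so patch(1) would read it as a removal and the hunk would not apply; that is the usual whitespace mangling by a mail client, so verify with `patch -C` (dry run) and apply from an unmangled copy of the diff.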



Re: Failing resume from hibernate (IntelDRM related?)

2017-08-15 Thread Alessandro DE LAURENZIS

Hi Mike,

On Tue 15/08/2017 08:16, Mike Larkin wrote:


Although this may be true, that's the default and IMO doesn't need to be
documented as such. But thanks nonetheless for clarifying this.


Maybe an addition in config(8), "-o" option?

--
Alessandro DE LAURENZIS
[mailto:jus...@atlantide.t28.net]
LinkedIn: http://it.linkedin.com/in/delaurenzis



Re: Failing resume from hibernate (IntelDRM related?)

2017-08-15 Thread Mike Larkin
On Tue, Aug 15, 2017 at 05:05:59PM +0200, Alessandro DE LAURENZIS wrote:
> Mike, all,
> 
> On Sat 12/08/2017 19:01, Alessandro DE LAURENZIS wrote:
> > Hello Mike,
> > 
> > > > root on sd0a (ff014e14e96d5c40.a) swap on sd0b dump on sd0b
> > > > WARNING: / was not properly unmounted
> > 
> > so: it tries to unpack a hibernated image, but then it is like the
> > previous hibernation didn't complete, since a fsck is forced.
> > 
> > But I was just reviewing this stuff, and can give some additional
> > information: the IntelDRM doesn't play any roles here; actually what I'm
> > observing is that an unmodified /bsd works flawlessly, instead the
> > hibernation "fails" after a modification with config(8); I just do the
> > following:
> > 
> > [snip]
> > sh> config -o /bsd.noulpt -e /bsd
> > OpenBSD 6.1-current (GENERIC.MP) #44: Thu Aug  3 12:12:07 MDT 2017
> >   dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >   Enter 'help' for information
> >   ukc> disable ulpt*
> >   299 ulpt* disabled
> >   ukc> quit
> > [snip]
> > 
> > and then rebooting with /bsd.noulpt and hibernating/resuming, I see the
> > problem.
> > 
> > Does that make any sense?
> 
> after a discussion with semarie@ on #openbsd, the point here is that in
> /etc/rc we have:
> 
> ln -fh /bsd /bsd.booted
> 
> so in order to be compatible with current KARL/hibernation/resume mechanism,
> the booted kernel *must* be called "/bsd".
> 

Although this may be true, that's the default and IMO doesn't need to be
documented as such. But thanks nonetheless for clarifying this.

-ml

> I think a mention in https://www.openbsd.org/faq/current.html could be
> beneficial to other users, too.
> 
> Thanks for your time (and sorry again for the poor report).
> 
> -- 
> Alessandro DE LAURENZIS
> [mailto:jus...@atlantide.t28.net]
> LinkedIn: http://it.linkedin.com/in/delaurenzis