Re: OT: True hardware UNIX terminal

2016-03-30 Thread Joseph Pumphrey
On Mar 30, 2016 4:29 PM, "Mihai Popescu"  wrote:
>
> I can see now why our keyboards are using Ctrl key, PgUp, PgDn, or why
> the serial port is so close programmed using terminal terminology.
>
> Thank you and please excuse me for the OT.
>

I still have IBM 122-key keyboards lying around from working in government
buildings and ripping out old terminals. Quite an education, as was this
thread!



Re: Syntax error in pf rules

2016-03-30 Thread Adam Smith
Hi there,

>--- jub...@fastmail.com wrote:
>
>From: Jubjub Jenkins 
>To: Adam Smith 
>Cc: misc@openbsd.org
>Subject: Re: Syntax error in pf rules
>Date: Wed, 30 Mar 2016 11:25:12 -0700
>
>
>The list owners are fascist anarchists and deem your "democracy" as
>bourgeois.

It's good to know that and that you're one of the fascists raving and 
demonstrating against poor Syrian refugees from war-torn Syria who are trying 
to find refuge in Europe.

People in the Linux community have warned me that there are far-right people 
with extremist views hiding within the OpenBSD community. I won't be surprised 
if you subscribe to the views of Greece's "Golden Dawn", Netherlands' "Partij 
voor de Vrijheid" and Germany's "Pegida" and 

Moreover your writing strongly indicates you're an Islamophobe as well.

In the meantime, please continue to be pro-fascist, anti-democratic and 
Islamophobic in whatever you do.
http://www.DCpages.com



Re: Syntax error in pf rules

2016-03-30 Thread Theo de Raadt
> I know. Do you have proof that I hadn't put in my minimum effort
> before jumping to conclusions?

Please stop picking fights with people.

The best approach is to leave the list.



Re: Syntax error in pf rules

2016-03-30 Thread Adam Smith
Are you the owner of misc@openbsd.org?

Who was trying to pick fights with me first? Have you investigated?

I feel sad for you and your OpenBSD project. Since its inception how much has 
the OpenBSD community grown? How much funds are there presently in your coffers?

In comparison FreeBSD has millions of fans and its foundation has received 
millions in donations from its members.

>--- dera...@cvs.openbsd.org wrote:
>
>From: Theo de Raadt 
>To: ken...@dcemail.com
>cc: "Raf Czlonka" , marko.cu...@mimar.rs, misc@openbsd.org
>Subject: Re: Syntax error in pf rules
>Date: Wed, 30 Mar 2016 20:39:57 -0600
>
>> I know. Do you have proof that I hadn't put in my minimum effort
>> before jumping to conclusions?
>>
>Please stop picking fights with people.
>
>The best approach is to leave the list.



Re: Syntax error in pf rules

2016-03-30 Thread Adam Smith
>--- rczlo...@gmail.com wrote:
>
>From: Raf Czlonka 
>To: Adam Smith 
>Cc: Marko Cupać , misc@openbsd.org
>Subject: Re: Syntax error in pf rules
>Date: Wed, 30 Mar 2016 20:10:37 +0100
>
>
>
>Well, OpenBSD mailing lists have their own netiquette[0] so it would
>be nice if one did one's homework before posting such basic questions.

Do you have proof that I hadn't done my homework before posting basic questions?

>Documentation (manual pages[1] and the FAQ[2]) is there for a reason
>and people work hard to write it all down and keep it up to date.

I couldn't find the answers to that particular question that I had asked in the 
manual pages and the FAQ.

>Minimum effort is a requirement.

I know. Do you have proof that I hadn't put in my minimum effort before jumping 
to conclusions?

Regards.

Adam



Re: OpenBSD misc

2016-03-30 Thread Adam Smith
Hi Jubjub Jenkins,

That's your name, isn't it? Or it's just a pseudonym behind which you hide all 
your hatred towards humanity?

If you're the person in charge of misc@openbsd.org, just ban me from posting to 
it.

Adam

>--- jub...@fastmail.com wrote:
>
>From: Jubjub Jenkins 
>To: ken...@dcemail.com
>Subject: OpenBSD misc
>Date: Wed, 30 Mar 2016 10:48:14 -0700
>
>Hi there, 
>
>Please stop posting to the OpenBSD-misc list. 
>
>Thank you, 
>
>JJ



Re: L2TP/IPSec via npppd won't work with Android 6.0.1

2016-03-30 Thread Sly Midnight
Thank you!

I will try this.

I have confirmed it wasn't due to last year's OpenBSD 5.7 to 5.8 upgrade
as I built a VM with 5.7 using same settings and get exactly the same
behavior.  This was triple confirmed by being able to connect with iOS
on an iPhone, Windows 10, Chromebook (with md5 hmacs only) and even a
tablet running an older version of Android.  Here is the link to the bug
if anyone is interested.  But I will try the workaround offered by Yasuoka.

In the meantime, I have confirmed there is a Google Android bug
reported (by many people) confirming this is actually an issue with
Android not OpenBSD (or the myriad other VPN routers listed in the bug
report).  Though I very much appreciate understanding the underlying
reason as like Mattieu said, tweaking ipsec.conf for 3 days yielded no
solution.

https://code.google.com/p/android/issues/detail?id=196939

Thanks again!

Sly


On 03/30/2016 02:18 AM, YASUOKA Masahiko wrote:
> On Tue, 29 Mar 2016 11:37:14 +0200
> Mattieu Baptiste  wrote:
>> On Tue, Mar 29, 2016 at 5:43 AM, Sly Midnight  wrote:
>>> I don't mean to bring up an old thread, but I was wondering if anyone
>>> else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
>>> (preferably the version on the Nexus line of devices) connecting to
>>> ipsec/l2tp.
>>>
>>> I had this working late last year some time and hadn't used it in a few
>>> months.  When I went to use it again a few days ago it didn't work at
>>> all.  After rebooting my phone and even trying it on my tablet that
>>> coincidentally runs the exact same version of stock Android 6.0.1, it
>>> too didn't work there.
>> I have the very same problem.
>> To me, It's caused by some Android updates. I saw this since 6.0, but
>> some security updates near 5.1.1 seems to trigger the same behavior.
>> I've tried to tweak ipsec.conf like you without luck. Unfortunately, I
>> did not have the time to dig further...
> My colleague and I also hit this issue.
>
> This issue is caused by Android, it sends ESP packets with wrong
> padding size when SHA2-256 is selected for HMAC.  It seems that
> Android is using an old ietf draft for SHA2-256, but OpenBSD is using
> RFC 4868.
>
> When the issue occurs,
>
>   XXX packets with bad payload size or padding received
>
> counter in "netstat -sp esp" will be incremented.
>
> We can force using MD5 or SHA for HMAC to workaround this issue.  To
> do this, put the text below to /etc/isakmpd/isakmpd.policy and remove
> "-K" from isakmpd_flags.
>
>   Authorizer: "POLICY"
>   Comment: This is test
>   Licensees: "passphrase:PASSPHRASE"
>   conditions: app_domain == "IPsec policy" && doi == "ipsec" && esp_present == "yes" && (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> "true";
>
> --yasuoka
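
The ICV-length mismatch described in the quoted explanation, as an added example that is not part of the original thread and is not OpenBSD or Android code. It assumes the old draft's behaviour is a 96-bit truncation of HMAC-SHA-256 (RFC 4868 specifies 128 bits), treats the ciphertext as opaque constructed bytes, and models a receiver that checks the payload length before verifying the ICV; all function and constant names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16     # AES-CBC block size in bytes; the IV is one block long
ESP_HDR = 8    # SPI (4 bytes) + sequence number (4 bytes)

# ICV (truncated HMAC) lengths in bytes.
ICV_SHA256_RFC4868 = 16   # HMAC-SHA-256-128
ICV_SHA256_DRAFT = 12     # assumption: the pre-RFC draft truncated to 96 bits
ICV_SHA1_96 = 12          # HMAC-SHA-1-96 (RFC 2404); assumed to be "hmac-sha"


def build_esp(spi, seq, ciphertext, key, digest, icv_len):
    """Sender: SPI | seq | IV | ciphertext, followed by the truncated HMAC."""
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be whole cipher blocks")
    iv = os.urandom(BLOCK)
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(key, body, digest).digest()[:icv_len]
    return body + icv


def receive_esp(packet, key, digest, icv_len):
    """Receiver model: payload length sanity check, then ICV verification."""
    payload_len = len(packet) - ESP_HDR - BLOCK - icv_len
    # A receiver expecting a longer ICV than was sent "steals" ciphertext
    # bytes for the ICV, so what is left is no longer a block multiple.
    if payload_len <= 0 or payload_len % BLOCK:
        return "bad payload size or padding"
    body, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(key, body, digest).digest()[:icv_len]
    if not hmac.compare_digest(icv, expected):
        return "authentication failed"
    return "ok"


def demo():
    key = bytes(range(32))     # constructed authentication key
    ciphertext = bytes(48)     # constructed: three opaque cipher blocks
    sha256, sha1 = hashlib.sha256, hashlib.sha1

    draft_pkt = build_esp(0x1000, 1, ciphertext, key, sha256, ICV_SHA256_DRAFT)
    rfc_pkt = build_esp(0x1000, 2, ciphertext, key, sha256, ICV_SHA256_RFC4868)
    sha1_pkt = build_esp(0x1000, 3, ciphertext, key, sha1, ICV_SHA1_96)
    tampered = bytearray(rfc_pkt)
    tampered[ESP_HDR + BLOCK] ^= 0x01      # flip one ciphertext bit

    return {
        # 96-bit sender, 128-bit receiver: rejected on length alone
        "draft_sender_rfc_receiver":
            receive_esp(draft_pkt, key, sha256, ICV_SHA256_RFC4868),
        # both ends on RFC 4868
        "rfc_both_sides":
            receive_esp(rfc_pkt, key, sha256, ICV_SHA256_RFC4868),
        # the workaround: an algorithm both ends truncate the same way
        "sha1_both_sides":
            receive_esp(sha1_pkt, key, sha1, ICV_SHA1_96),
        # a well-formed length with a modified payload fails the ICV instead
        "tampered":
            receive_esp(bytes(tampered), key, sha256, ICV_SHA256_RFC4868),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The first case is rejected before any HMAC is computed, which is why the symptom shows up as a size or padding counter rather than as an authentication failure.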



Re: OT: True hardware UNIX terminal

2016-03-30 Thread Adam Thompson

On 16-03-30 03:07 AM, Sean Kamath wrote:

> Still using a Wyse (50?) on my Ultrasparc 80.
>
> In college, we had these weird DEC PC’s that we used as VT100 compatible
> terminals.

That would either have been a DEC Rainbow, which was a 
hybrid-dual-processor 8088/Z80 machine that ran MS/DOS, CP/M *and* had a 
full-blown VT220 emulator in ROM, or a VT180 "Robin" which was basically 
a (Z80-based) VT102/VT103 with enough memory (i.e. 64k) to run CP/M off 
the attached floppy drives.


I had a Rainbow, which is in *many* ways an architecturally fascinating 
machine, during the late '80s/early '90s as my primary PC.  I also had a 
Northern Telecom Displayphone, and then later a DisplayPhone II, for 
those of you with a perverse bent for terminal history.


Of course, I'm also the author of at least five termcap(5)/terminfo(5) 
entries, some of which have not yet been superseded by better 
definitions in the ncurses master list... so naturally I had some really 
f*ing weird terminals at various points in my life.


I wish I could remember what the name was of the "portable" terminal I 
once had - off-white (of course), looked like a Buck Rogers spaceship 
(pointy cylinder) in profile, and the entire front two inches of it 
unsnapped to become the keyboard kind of like an Osborne...


-Adam



Re: OT: True hardware UNIX terminal

2016-03-30 Thread Mihai Popescu
Thank you all for the answers. I can say I got the idea of what a
terminal was back then.
Reading all your posts and searching again on web using the mentioned
keywords move away any if not all of my confusions about "terminals".
I can see now why our keyboards are using Ctrl key, PgUp, PgDn, or why
the serial port is so close programmed using terminal terminology.

Thank you and please excuse me for the OT.



Re: Mouse click problems with firefox and firefox-esr

2016-03-30 Thread Solène Rapenne

On 2016-03-30 20:23, Nick wrote:

> Hello,
>
> I have tried both firefox and firefox-esr in both OpenBSD 5.8 and 5.9
> and can say that there are issues with the mouse not picking up 10-15%
> of my clicks, sometimes having to click a good 3 times or more for it
> to actually work correctly! When I select and drag text, it can
> randomly un-select it as if I have let go of the mouse and clicked
> elsewhere.. Just all sorts of strangeness. I never have a problem with
> moving the mouse cursor though. To say it's a nuisance is a bit of an
> understatement as I am now having to use chromium - which I detest,
> being a keen avoider of any google pish.
>
> For extra info, I am using XFCE.
>
> Does anyone have this issue? What is going on?
>
> Thanks


Hello,

I can't reproduce this issue on my systems and I have never seen 
something of this kind.


Do you experience problems with both left and right clicks? Is it only
on links?

Can you try firefox in safe mode? How do you start xfce?

Instead of Chrome you can also use Xombrero while you figure out about 
your click problem.


Kind regards
Solène



Re: faq12.html

2016-03-30 Thread Rob Pierce
> From: "Nick Holland" 
> To: "misc" 
> Sent: Wednesday, March 30, 2016 12:14:23 PM
> Subject: Re: faq12.html

> On 03/30/16 08:49, Theo Buehler wrote:
> >> -The Zaurus has very little current available on its USB port, so many
> >> +The Zaurus has very little currently available on its USB port, so many

> > electrical current?

> both what is there and "electrical current" are/would be precisely
> correct, but "power" might be a more understood word.

> Nick.
I must admit that was a bit of helicopter editing on my part, so it caught me 
off guard. 

Changing "little" to "low" would solve any ambiguity. 

I am embarrassed to say that I studied electrical circuits way back when... 



Re: Syntax error in pf rules

2016-03-30 Thread Kapetanakis Giannis

On 30/03/16 17:05, Adam Smith wrote:

> Hi Marko
>
> In the rule below:
>
> vpnip="{72.201.193.25,84.211.50.249,77.90.247.88,118.157.115.10,218.147.117.236}"
>
>
> a. Must there be a space each before and after the = sign?
> b. Must there be a space after the opening curly bracket and before the first
> IP address?
> c. Must there be a space after the comma and before the next IP address?
> d. Must there be a space after the last IP address and before the closing curly
> bracket?
>
> Thanks in advance for your clarification.
>
> Regards.
>
> Adam




You can always test your config before applying it.
So, very easy to check it yourself.

pfctl -nf /etc/pf.conf

man pf

G



Re: faq12.html

2016-03-30 Thread Nick Holland

On 03/30/16 08:49, Theo Buehler wrote:

-The Zaurus has very little current available on its USB port, so many
+The Zaurus has very little currently available on its USB port, so many


  electrical current?


both what is there and "electrical current" are/would be precisely 
correct, but "power" might be a more understood word.


Nick.



Mouse click problems with firefox and firefox-esr

2016-03-30 Thread Nick
Hello,

I have tried both firefox and firefox-esr in both OpenBSD 5.8 and 5.9 and can 
say that there are issues with the mouse not picking up 10-15% of my clicks, 
sometimes having to click a good 3 times or more for it to actually work 
correctly! When I select and drag text, it can randomly un-select it as if I 
have let go of the mouse and clicked elsewhere.. Just all sorts of strangeness.
I never have a problem with moving the mouse cursor though. To say it's a 
nuisance is a bit of an understatement as I am now having to use chromium - 
which I detest, being a keen avoider of any google pish.

For extra info, I am using XFCE.

Does anyone have this issue? What is going on?

Thanks



Re: Supermicro X11SSL-F freezes probing USB 3

2016-03-30 Thread Sonic
On Tue, Mar 29, 2016 at 5:55 PM, Stuart Henderson  wrote:
> Make sure it's set to stop redirecting after boot in BIOS, then when
> you hit the boot-loader, you should be able to 'stty com0 ' and
> 'set tty com0'.

Ahha! Who would have thought... com0 was the ticket. Thanks much!

Chris



Re: Syntax error in pf rules

2016-03-30 Thread Raf Czlonka
On Wed, Mar 30, 2016 at 04:47:03PM BST, Adam Smith wrote:
> Hi Marko
> 
> Thank you for your detailed clarification. I really benefited from it.
> 
> >--- marko.cu...@mimar.rs wrote:
> >
> >From: Marko Cupać 
> >To: "Adam Smith" 
> >Cc: 
> >Subject: Re: Syntax error in pf rules
> >Date: Wed, 30 Mar 2016 16:53:38 +0200
> >
> >
> >
> >There. I hope by posting this I didn't turn openbsd's misc@ into
> >askubuntu :)
> 
> Does it matter if misc@openbsd.org is an askubuntu of sorts?
> 
> I hope the person(s) in charge of this mailing list believes in
> democracy and freedom of speech and expression, provided that
> questions asked in the list pertain to OpenBSD and how to use it.
> 
> If people here are offended because they find my questions to be
> noobish, elementary, etc...they are welcome to press the "Delete"
> key to trash it.

Hi Adam,

Well, OpenBSD mailing lists have their own netiquette[0] so it would
be nice if one did one's homework before posting such basic questions.

Documentation (manual pages[1] and the FAQ[2]) is there for a reason
and people work hard to write it all down and keep it up to date.

Minimum effort is a requirement.

> Just so you know when I graduated from high school back in the
> early 70s, the personal computer, the pager or beeper, mobile or
> cell phone, internet, smartphones, Microsoft Windows, Mac OS, Linux,
> OpenBSD weren't invented yet. And in those days computing or IT
> wasn't taught in the high school curriculum.

Being an "old-timer" is not excuse for being a bit lazy ;^)

> Regards.
> 
> Adam
> http://www.DCpages.com

Regards,

Raf

[0] http://www.openbsd.org/mail.html
[1] http://man.openbsd.org/
[2] http://www.openbsd.org/faq/



Re: Socklog on OpenBSD -current

2016-03-30 Thread Predrag Punosevac
On 3/29/16 5:42 PM, Stuart Henderson wrote:
> On 2016-03-29, Jeff Ross  wrote:
>> Greetings all!
>>
>> I've been away from OpenBSD for a while and for sure I've missed more
>> than a few things.  Just updated a firewall in anticipation of upgrading
>> my server but there are things that have changed.
>>
>> What has me puzzled now is the change to syslogd.  For literally years
>> I've run socklog from ports to replace the stock syslog with no problems
>> but now it simply doesn't work on 5.9 -current.
>>
>> My former installations of socklog all listen to /dev/log but when I
>> couldn't get anything to work listening there I switched to listening to
>> 0.0.0.0:514 but still no joy.
>>
>> If anyone out there is using socklog, or possibly any alternative to
>> syslog, I'd sure appreciate a clue by four to get socklog running again.
> OpenBSD's syslog functions now use sendsyslog(2) which doesn't use
> /dev/log sockets any more.
>
> Here is where syslogd was modified to do things this way:
> http://anoncvs.spacehopper.org/openbsd-src/commit/?id=c40e16771993e74275857863c928d7f9cffe3699
> - it's probably not all that complex to convert other logging daemons,
> but afaik nobody has yet felt the need to do this for any of the
> alternative log daemons in ports.
>
> If you don't want to write code and want to stick with socklog,
> the easiest way is probably a minimal syslogd(8) setup that
> forwards everything via UDP.
>
Hi Stuart,

Could you please clarify something to me? I am running a centralized
logging server using syslog-ng from the ports. The way I read your
e-mail is that I will no longer be able to log messages using syslog-ng
from the local host but the port will continue to work as expected.
Would I be able to run syslogd for the local host and syslog-ng for
remote hosts simultaneously? IIRC I saw people posting on misc who were
doing that in the past but I think when I played with it syslog-ng
didn't want to start until I turned off syslogd. How suitable is syslogd
from the base as a centralized logging server? I know that it supports
TCP and TLS now but does it play well with rsyslog or syslog-ng? I have
a bunch of Linux servers to log.

Thanks,
Predrag



Re: Syntax error in pf rules

2016-03-30 Thread Jubjub Jenkins
On Wed, Mar 30, 2016, at 08:47 AM, Adam Smith wrote:

> Does it matter if misc@openbsd.org is an askubuntu of sorts?
>

Yes, first off you have to understand that Ubuntu is geared towards the
retard market
that is why most of their userbase are referred to as "Ubuntards". As
such, askubuntu
is for people that don't want to learn or read manuals they simply just
want to be 
spoonfed answers from anonymous drones. Ubuntu's "dad" actually escaped
into
space to avoid all the 'tards asking questions about video cards and
such. There is
no askubuntu in space.

This mailing list is for users who actually try to figure things out on
their own so
they can provide useful information and help, not just "Oh Ah-dumb, you
forgot to do this!!!"  
 
> I hope the person(s) in charge of this mailing list believes in democracy
> and freedom of speech and expression, provided that questions asked in
> the list pertain to OpenBSD and how to use it.

The list owners are fascist anarchists and deem your "democracy" as
bourgeois.
 
> If people here are offended because they find my questions to be noobish,
> elementary, etc...they are welcome to press the "Delete" key to trash it. 

We are offended because you think you can just dump a bunch of silly
questions on
us in the hope that we'll just answer 'em for ya instead of you reading
the manuals 
or trying to figure it out on your own.

> Just so you know when I graduated from high school back in the early 70s,
> the personal computer, the pager or beeper, mobile or cell phone,
> internet, smartphones, Microsoft Windows, Mac OS, Linux, OpenBSD weren't
> invented yet. And in those days computing or IT wasn't taught in the high
> school curriculum.

No one cares, and this is not a good excuse for not trying. When I was
young there were
no computers so I had to program in raw electricity. I would keep the
stack inside a 
bag of potatoes (they were called starch beans then) and the heap on a
blackboard
but of course, no one cares about that here.

Yours in Christ, 

JJ



Re: Syntax error in pf rules

2016-03-30 Thread Adam Smith
Hi Marko

In the rule below:

vpnip="{72.201.193.25,84.211.50.249,77.90.247.88,118.157.115.10,218.147.117.236}"


a. Must there be a space each before and after the = sign?
b. Must there be a space after the opening curly bracket and before the first 
IP address?
c. Must there be a space after the comma and before the next IP address?
d. Must there be a space after the last IP address and before the closing curly 
bracket?

Thanks in advance for your clarification.

Regards.

Adam

>--- marko.cu...@mimar.rs wrote:
>
>From: Marko Cupać 
>To: misc@openbsd.org
>Cc: 
>Subject: Re: Syntax error in pf rules
>Date: Wed, 30 Mar 2016 10:02:40 +0200
>
>
>As a side note, commas in pf macros appear to be optional. I prefer not
>to have them - they don't make rules more readable while consuming
>character space.



Re: Rails and OpenSSL root certs

2016-03-30 Thread Murk Fletcher
Thank you so much!

Murk

On Wed, Mar 30, 2016 at 6:02 PM, joshua stein  wrote:

> On Wed, 30 Mar 2016 at 17:34:16 +0200, Murk Fletcher wrote:
> > Anybody here using http://rails-assets.org (to simplify JavaScript assets
> > in Rails) and know how to prevent the following error?
> >
> > Simply renaming "https" to "http" makes no difference.
> >
> > % bundle install
> > Fetching source index from https://rails-assets.tenex.tech/
> > Retrying source fetch due to error (2/3):
> > Bundler::Fetcher::CertificateFailureError Could not verify the SSL
> > certificate for https://rails-assets.tenex.tech/.
>
> It looks like that site is using Let's Encrypt, and LE's
> cross-signing root was added to /etc/ssl/cert.pem 9 months ago.
> You could just fetch an updated version and install it there, which
> Ruby is looking at.
>
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem?rev=1.11=text/plain



Re: Rails and OpenSSL root certs

2016-03-30 Thread joshua stein
On Wed, 30 Mar 2016 at 17:34:16 +0200, Murk Fletcher wrote:
> Anybody here using http://rails-assets.org (to simplify JavaScript assets
> in Rails) and know how to prevent the following error?
> 
> Simply renaming "https" to "http" makes no difference.
> 
> % bundle install
> Fetching source index from https://rails-assets.tenex.tech/
> Retrying source fetch due to error (2/3):
> Bundler::Fetcher::CertificateFailureError Could not verify the SSL
> certificate for https://rails-assets.tenex.tech/.

It looks like that site is using Let's Encrypt, and LE's
cross-signing root was added to /etc/ssl/cert.pem 9 months ago.
You could just fetch an updated version and install it there, which
Ruby is looking at.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem?rev=1.11=text/plain



Re: Socklog on OpenBSD -current

2016-03-30 Thread Jeff Ross

On 3/29/16 5:42 PM, Stuart Henderson wrote:

> On 2016-03-29, Jeff Ross  wrote:
>
>> Greetings all!
>>
>> I've been away from OpenBSD for a while and for sure I've missed more
>> than a few things.  Just updated a firewall in anticipation of upgrading
>> my server but there are things that have changed.
>>
>> What has me puzzled now is the change to syslogd.  For literally years
>> I've run socklog from ports to replace the stock syslog with no problems
>> but now it simply doesn't work on 5.9 -current.
>>
>> My former installations of socklog all listen to /dev/log but when I
>> couldn't get anything to work listening there I switched to listening to
>> 0.0.0.0:514 but still no joy.
>>
>> If anyone out there is using socklog, or possibly any alternative to
>> syslog, I'd sure appreciate a clue by four to get socklog running again.
>
> OpenBSD's syslog functions now use sendsyslog(2) which doesn't use
> /dev/log sockets any more.
>
> Here is where syslogd was modified to do things this way:
> http://anoncvs.spacehopper.org/openbsd-src/commit/?id=c40e16771993e74275857863c928d7f9cffe3699
> - it's probably not all that complex to convert other logging daemons,
> but afaik nobody has yet felt the need to do this for any of the
> alternative log daemons in ports.
>
> If you don't want to write code and want to stick with socklog,
> the easiest way is probably a minimal syslogd(8) setup that
> forwards everything via UDP.

Thank you, Stuart!  As always, you've been very helpful.  For now I'll 
stick to forwarding and play with the code as time permits.


Jeff



Re: Syntax error in pf rules

2016-03-30 Thread Adam Smith
Hi Marko

Thank you for your detailed clarification. I really benefited from it.

>--- marko.cu...@mimar.rs wrote:
>
>From: Marko Cupać 
>To: "Adam Smith" 
>Cc: 
>Subject: Re: Syntax error in pf rules
>Date: Wed, 30 Mar 2016 16:53:38 +0200
>
>
>
>There. I hope by posting this I didn't turn openbsd's misc@ into
>askubuntu :)

Does it matter if misc@openbsd.org is an askubuntu of sorts?

I hope the person(s) in charge of this mailing list believes in democracy and 
freedom of speech and expression, provided that questions asked in the list 
pertain to OpenBSD and how to use it.

If people here are offended because they find my questions to be noobish, 
elementary, etc...they are welcome to press the "Delete" key to trash it. 

Just so you know when I graduated from high school back in the early 70s, the 
personal computer, the pager or beeper, mobile or cell phone, internet, 
smartphones, Microsoft Windows, Mac OS, Linux, OpenBSD weren't invented yet. 
And in those days computing or IT wasn't taught in the high school curriculum.

Regards.

Adam



Rails and OpenSSL root certs

2016-03-30 Thread Murk Fletcher
Hi!

Anybody here using http://rails-assets.org (to simplify JavaScript assets
in Rails) and know how to prevent the following error?

Simply renaming "https" to "http" makes no difference.

% bundle install
Fetching source index from https://rails-assets.tenex.tech/
Retrying source fetch due to error (2/3):
Bundler::Fetcher::CertificateFailureError Could not verify the SSL
certificate for https://rails-assets.tenex.tech/.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for
verification. For information about OpenSSL certificates, see
bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources
and change 'https' to 'http'.
Retrying source fetch due to error (3/3):
Bundler::Fetcher::CertificateFailureError Could not verify the SSL
certificate for https://rails-assets.tenex.tech/.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for
verification. For information about OpenSSL certificates, see
bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources
and change 'https' to 'http'.
Could not verify the SSL certificate for https://rails-assets.tenex.tech/.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for
verification. For
information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect
without
using SSL, edit your Gemfile sources and change 'https' to 'http'.

In FreeBSD I can `pkg install ca_root_nss`, but what about OpenBSD?

Many thanks!

Murk



Re: Syntax error in pf rules

2016-03-30 Thread Marko Cupać
On Wed, 30 Mar 2016 07:05:56 -0700
"Adam Smith"  wrote:

> Hi Marko
>
> In the rule below:
>
>
> vpnip="{72.201.193.25,84.211.50.249,77.90.247.88,118.157.115.10,218.147.117.236}"
>
>
> a. Must there be a space each before and after the = sign?
> b. Must there be a space after the opening curly bracket and before
> the first IP address?
> c. Must there be a space after the comma and before the next IP address?
> d. Must there be a space after the last IP address and before the closing
> curly bracket?

Adam,

all those are easy to test, but as I still remember lack of confidence
back in time when I was setting it up for the first time, but also warm
atmosphere and helpfulness of misc@ list back in a day, here you go:

a. Spaces are not required before and after the = sign, but I usually do
   the alignment using spaces for the purpose of readability, such as:

   users      = "{ 192.0.2.1 192.0.2.2 192.0.2.3 }"
   developers = "{ 192.0.2.1 192.0.2.2 192.0.2.3 }"
   ldap       = "{ 389 636 3268 3269 }"

b. Spaces are not mandatory after the curly bracket and first ip
   address, but I prefer to have them for the purpose of readability,
   as in example above.

c. Spaces after commas, before next ip addresses are not mandatory.
   However, I prefer to ditch commas entirely, separating ip addresses
   only with spaces as in example above.

d. Not mandatory, but nice to have IMHO.

Finally, `pfctl -nf' is your friend for testing ruleset before
applying it. In case you typed something incorrectly, it will spill
syntax error along with bad line numbers. If you are comfortable with
vi, you can jump to offending line by typing `:' (eg.
`:55') in command (default) mode. If not, you can paste complete ruleset
into editor you are comfortable with, which has line numbering (my
favourite is xfce's mousepad) and double-check offending line. Once you
have zero output of `pfctl -nf', load the ruleset with `pfctl -f'.

There. I hope by posting this I didn't turn openbsd's misc@ into
askubuntu :)
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: faq12.html

2016-03-30 Thread Rob Pierce
> From: "Theo Buehler" 
> To: "misc" 
> Sent: Wednesday, March 30, 2016 8:50:20 AM
> Subject: Re: faq12.html

> > -The Zaurus has very little current available on its USB port, so many
> > +The Zaurus has very little currently available on its USB port, so many

> electrical current?

> > USB devices will not work if they are directly attached to it.
> > You will need to use a powered USB hub to run these devices.
Yes, my mistake. Sorry for the noise. 



Re: faq12.html

2016-03-30 Thread Donald Allen
On Wed, Mar 30, 2016 at 8:41 AM, Rob Pierce  wrote:
> For your consideration.

Looks to me like the original was talking about current, as in
amperes; as evidenced by the subsequent sentence about the need for a
powered USB hub to run devices that don't work when directly attached.
I don't think your change is correct.

>
> Index: faq12.html
> ===
> RCS file: /cvs/www/faq/faq12.html,v
> retrieving revision 1.125
> diff -u -p -r1.125 faq12.html
> --- faq12.html  29 Mar 2016 01:27:39 -  1.125
> +++ faq12.html  30 Mar 2016 12:30:48 -
> @@ -662,7 +662,7 @@ on SIMH page.
>
>  12.7.1 - USB devices aren't working properly
>
> -The Zaurus has very little current available on its USB port, so many
> +The Zaurus has very little currently available on its USB port, so many
>  USB devices will not work if they are directly attached to it.
>  You will need to use a powered USB hub to run these devices.



Re: faq12.html

2016-03-30 Thread Peter Hessler
In this case 'current' is referring to amperage.  The existing use is
correct.


On 2016 Mar 30 (Wed) at 08:41:41 -0400 (-0400), Rob Pierce wrote:
:For your consideration.
:
:Index: faq12.html
:===
:RCS file: /cvs/www/faq/faq12.html,v
:retrieving revision 1.125
:diff -u -p -r1.125 faq12.html
:--- faq12.html 29 Mar 2016 01:27:39 -  1.125
:+++ faq12.html 30 Mar 2016 12:30:48 -
:@@ -662,7 +662,7 @@ on SIMH page.
: 
: 12.7.1 - USB devices aren't working properly
: 
:-The Zaurus has very little current available on its USB port, so many
:+The Zaurus has very little currently available on its USB port, so many
: USB devices will not work if they are directly attached to it.
: You will need to use a powered USB hub to run these devices.
:

-- 
Fortune's Office Door Sign of the Week:

Incorrigible punster -- Do not incorrige.



Re: faq12.html

2016-03-30 Thread Theo Buehler
> -The Zaurus has very little current available on its USB port, so many
> +The Zaurus has very little currently available on its USB port, so many

 electrical current?

>  USB devices will not work if they are directly attached to it.
>  You will need to use a powered USB hub to run these devices.



Re: faq12.html

2016-03-30 Thread Theo de Raadt
-The Zaurus has very little current available on its USB port, so many
+The Zaurus has very little currently available on its USB port, so many

Actually it is current: Low amps.



Re: faq12.html

2016-03-30 Thread Kamil Cholewiński
On Wed, 30 Mar 2016, Rob Pierce  wrote:
> For your consideration.
>
> Index: faq12.html
> ===
> RCS file: /cvs/www/faq/faq12.html,v
> retrieving revision 1.125
> diff -u -p -r1.125 faq12.html
> --- faq12.html29 Mar 2016 01:27:39 -  1.125
> +++ faq12.html30 Mar 2016 12:30:48 -
> @@ -662,7 +662,7 @@ on SIMH page.
>  
>  12.7.1 - USB devices aren't working properly
>  
> -The Zaurus has very little current available on its USB port, so many
> +The Zaurus has very little currently available on its USB port, so many
>  USB devices will not work if they are directly attached to it.
>  You will need to use a powered USB hub to run these devices.

"current" as in electricity.



FAQ - part 6.2.2 notice about dhcp/rtsol and mygate

2016-03-30 Thread S V
Hello, I think it would be good to add the notice from the mygate man page to
the FAQ section about default gateway configuration.

Here is the diff:

Index: faq6.html
===
RCS file: /cvs/www/faq/faq6.html,v
retrieving revision 1.361
diff -u -p -r1.361 faq6.html
--- faq6.html   29 Mar 2016 01:27:39 -  1.361
+++ faq6.html   30 Mar 2016 12:20:17 -
@@ -291,6 +291,12 @@ You can't assume things like the resolve
 In other words, it had better be an IP address or something that is
 defined in the /etc/hosts file.

+
+/etc/mygate is processed after all interfaces have been
configured.  If
+any http://man.openbsd.org/?query=hostname.if;>hostname.if(5)
files contain "dhcp" directives, IPv4 entries in
+/etc/mygate will be ignored.  If they contain "rtsol" directives, IPv6
+entries will be ignored.
+
 6.2.3 - DNS Resolution

 DNS resolution is controlled by the file
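
Review bot: the added paragraph was line-wrapped in transit: "configured.  If" and "files contain "dhcp" directives, IPv4 entries in" sit on lines with neither a `+` nor a leading space, so the hunk is malformed against its `@@ -291,6 +291,12 @@` header and will not apply as mailed. Resend with wrapping disabled or as an attachment. The hostname.if(5) link on the "+any http://man.openbsd.org/?query=hostname.if;>" line also looks like broken markup and should be checked before commit.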



faq12.html

2016-03-30 Thread Rob Pierce
For your consideration.

Index: faq12.html
===
RCS file: /cvs/www/faq/faq12.html,v
retrieving revision 1.125
diff -u -p -r1.125 faq12.html
--- faq12.html  29 Mar 2016 01:27:39 -  1.125
+++ faq12.html  30 Mar 2016 12:30:48 -
@@ -662,7 +662,7 @@ on SIMH page.
 
 12.7.1 - USB devices aren't working properly
 
-The Zaurus has very little current available on its USB port, so many
+The Zaurus has very little currently available on its USB port, so many
 USB devices will not work if they are directly attached to it.
 You will need to use a powered USB hub to run these devices.
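
Review bot: the `+` line replaces the noun "current" with the adverb "currently", which leaves "very little" with nothing to quantify. The unchanged context ("You will need to use a powered USB hub") shows the sentence is about electrical current on the USB port, so the original line is correct. If the wording is felt to be ambiguous, "very little electrical current available" would remove the ambiguity without changing the meaning.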



Re: sasyncd fails to start on system boot

2016-03-30 Thread Bornkessel, Bernd
Applying the patch has solved the issue.

Thx a lot!

- Original Message -
> From: "Otto Moerbeek" 
> To: "Bornkessel, Bernd" 
> Cc: misc@openbsd.org
> Sent: Wednesday, March 30, 2016 7:58:48 AM
> Subject: Re: sasyncd fails to start on system boot

> On Wed, Mar 30, 2016 at 07:52:01AM +0200, Bornkessel, Bernd wrote:
> 
>> Thank you for your response.
>> Currently I'm running 5.8-stable.
> 
> The fix wasn't committed to -stable,
> 
> In 5.8-stable you could apply the fix below,
> 
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/sasyncd/carp.c.diff?r1=1.13=1.14=h
> 
> But 5.9 would be better. It is out since yesterday
> 
>   -Otto



Re: OT: True hardware UNIX terminal

2016-03-30 Thread Eric Huiban
Sent from my WIKO PULP 4G
On 30 March 2016 10:07, Sean Kamath wrote:
>
> Still using a Wyse (50?) on my Ultrasparc 80. 
>
> In college, we had these weird DEC PC’s that we used as VT100 compatible 
> terminals. 
>
> There were so many.  The VT100 was the prototype what XTerm emulated. 
>
> Sean 
>
> > On Mar 29, 2016, at 5:18 AM, Nick Holland wrote:
> > Some things to search for:
> > * DEC VT100  (a terminal that still influences the standards today)
> > * DEC VT52   (a terminal with an easier to understand command set) 
> > * ADM3A  (a terminal that was old when the DEC vt100 came out) 
> > * DECwriter  (printing terminal.  DECwriter II was a beautiful machine) 
> > * TI Silent 700 ("home oriented" printing terminal.  At the time, in the 
> > US, it was illegal to attach non-telephone company equipment to the 
> > telephone company's phone lines...) 
> > * ASCII  (the non-IBM standard character coding system) 
> > * EBCDIC (the IBM standard) 
> > * ASR33  (one of the earliest printing terminals.  And why we use 
> > "TTY" today in the Unix world!  If you wonder why unix commands are so 
> > short, imagine typing on this...) 
> > * Tektronix 4010 (In case you thought terminals were dull and graphics 
> > free...and I suspect a LOT of people who have been rolling their eyes at 
> > everything I've said up to now will have their eyes bug out a bit when 
> > they figure out how these things work) 
> > 
> > Anything more than that (and probably a lot less than that), probably 
> > best to ask me off list. :)  (and yes, I've glossed over and simplified 
> > a few things here) 
> > 
> > Nick. 
>

You may also have a look at the NCD 88k terminal, which was also a very common
terminal. Wikipedia has a small article about this at "X terminal".

Éric



Re: OT: True hardware UNIX terminal

2016-03-30 Thread Sean Kamath
Still using a Wyse (50?) on my Ultrasparc 80.

In college, we had these weird DEC PC’s that we used as VT100 compatible
terminals.

There were so many.  The VT100 was the prototype what XTerm emulated.

Sean

> On Mar 29, 2016, at 5:18 AM, Nick Holland wrote:
> Some things to search for:
> * DEC VT100  (a terminal that still influences the standards today)
> * DEC VT52   (a terminal with an easier to understand command set)
> * ADM3A  (a terminal that was old when the DEC vt100 came out)
> * DECwriter  (printing terminal.  DECwriter II was a beautiful machine)
> * TI Silent 700 ("home oriented" printing terminal.  At the time, in the
> US, it was illegal to attach non-telephone company equipment to the
> telephone company's phone lines...)
> * ASCII  (the non-IBM standard character coding system)
> * EBCDIC (the IBM standard)
> * ASR33  (one of the earliest printing terminals.  And why we use
> "TTY" today in the Unix world!  If you wonder why unix commands are so
> short, imagine typing on this...)
> * Tektronix 4010 (In case you thought terminals were dull and graphics
> free...and I suspect a LOT of people who have been rolling their eyes at
> everything I've said up to now will have their eyes bug out a bit when
> they figure out how these things work)
>
> Anything more than that (and probably a lot less than that), probably
> best to ask me off list. :)  (and yes, I've glossed over and simplified
> a few things here)
>
> Nick.



Re: Syntax error in pf rules

2016-03-30 Thread Marko Cupać
On Tue, 29 Mar 2016 08:45:11 -0700
"Adam Smith"  wrote:

> Hi guys
>
> I have a syntax error in my pf rules. I hope you can help me fix it.
>
> Thanks.
>
> Adam
>
>
>
> -snippet of my pf rules-
>
> #This is where I change or add different IP addresses of VPN gateways
>
> vpnip="77.90.247.88, 112.119.192.26, 85.95.253.145, 31.210.111.78,
> 66.85.14.205, 54.201.110.154"
>
>
>
> #Below is the rule that OpenBSD tells me there's a syntax error
>
> pass out quick on $wan proto tcp from any to $vpnip port 443 keep
> state
>
> -end of snippet-
> http://www.DCpages.com
>

As a side note, commas in pf macros appear to be optional. I prefer not
to have them - they don't make rules more readable while consuming
character space.
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: L2TP/IPSec via npppd won't work with Android 6.0.1

2016-03-30 Thread Mattieu Baptiste
On Wed, Mar 30, 2016 at 8:18 AM, YASUOKA Masahiko  wrote:
> On Tue, 29 Mar 2016 11:37:14 +0200
> Mattieu Baptiste  wrote:
>> On Tue, Mar 29, 2016 at 5:43 AM, Sly Midnight  wrote:
>>> I don't mean to bring up an old thread, but I was wondering if anyone
>>> else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
>>> (preferably the version on the Nexus line of devices) connecting to
>>> ipsec/l2tp.
>>>
>>> I had this working late last year some time and hadn't used it in a few
>>> months.  When I went to use it again a few days ago it didn't work at
>>> all.  After rebooting my phone and even trying it on my tablet that
>>> coincidentally runs the exact same version of stock Android 6.0.1, it
>>> too didn't work there.
>>
>> I have the very same problem.
>> To me, it's caused by some Android updates. I saw this since 6.0, but
>> some security updates near 5.1.1 seem to trigger the same behavior.
>> I've tried to tweak ipsec.conf like you without luck. Unfortunately, I
>> did not have the time to dig further...
>
> My colleague and I also hit this issue.

[...]

> We can force using MD5 or SHA for HMAC to work around this issue.  To
> do this, put the text below in /etc/isakmpd/isakmpd.policy and remove
> "-K" from isakmpd_flags.
>
>   Authorizer: "POLICY"
>   Comment: This is test
>   Licensees: "passphrase:PASSPHRASE"
>   conditions: app_domain == "IPsec policy" && doi == "ipsec" &&
>       esp_present == "yes" &&
>       (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> "true";

Thank you, it works flawlessly with that change.

-- 
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."



Re: L2TP/IPSec via npppd won't work with Android 6.0.1

2016-03-30 Thread YASUOKA Masahiko
On Tue, 29 Mar 2016 11:37:14 +0200
Mattieu Baptiste  wrote:
> On Tue, Mar 29, 2016 at 5:43 AM, Sly Midnight  wrote:
>> I don't mean to bring up an old thread, but I was wondering if anyone
>> else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
>> (preferably the version on the Nexus line of devices) connecting to
>> ipsec/l2tp.
>>
>> I had this working late last year some time and hadn't used it in a few
>> months.  When I went to use it again a few days ago it didn't work at
>> all.  After rebooting my phone and even trying it on my tablet that
>> coincidentally runs the exact same version of stock Android 6.0.1, it
>> too didn't work there.
> 
> I have the very same problem.
> To me, it's caused by some Android updates. I saw this since 6.0, but
> some security updates near 5.1.1 seem to trigger the same behavior.
> I've tried to tweak ipsec.conf like you without luck. Unfortunately, I
> did not have the time to dig further...

My colleague and I also hit this issue.

This issue is caused by Android, it sends ESP packets with wrong
padding size when SHA2-256 is selected for HMAC.  It seems that
Android is using an old ietf draft for SHA2-256, but OpenBSD is using
RFC 4868.

When the issue occurs,

  XXX packets with bad payload size or padding received

counter in "netstat -sp esp" will be incremented.

We can force using MD5 or SHA for HMAC to work around this issue.  To
do this, put the text below in /etc/isakmpd/isakmpd.policy and remove
"-K" from isakmpd_flags.

  Authorizer: "POLICY"
  Comment: This is test
  Licensees: "passphrase:PASSPHRASE"
  conditions: app_domain == "IPsec policy" && doi == "ipsec" &&
      esp_present == "yes" &&
      (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> "true";

--yasuoka
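
An added illustration (not from the message above or from OpenBSD's source) of how a sender and receiver that disagree on HMAC-SHA-256 truncation end up with a length error rather than an authentication failure. It assumes the older draft truncates the ICV to 96 bits while RFC 4868 uses 128 bits, a detail the message does not state; the key, SPI, IV and ciphertext are constructed, and `build_esp`/`receive_esp` are hypothetical names for a simplified model.

```python
import hashlib
import hmac
import struct

BLOCK = 16        # AES-CBC block size and IV size
ICV_DRAFT = 12    # assumed: 96-bit truncation in the older draft
ICV_RFC4868 = 16  # 128-bit truncation (HMAC-SHA-256-128)


def build_esp(key, spi, seq, ciphertext, icv_len):
    """Sender side: SPI | sequence | IV | ciphertext | truncated HMAC."""
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be whole cipher blocks")
    iv = bytes(BLOCK)  # constructed all-zero IV; real senders randomise it
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(key, body, hashlib.sha256).digest()[:icv_len]
    return body + icv


def receive_esp(key, packet, icv_len):
    """Receiver side: check payload length first, then the ICV."""
    payload_len = len(packet) - 8 - BLOCK - icv_len
    if payload_len <= 0 or payload_len % BLOCK:
        # With the wrong ICV length the payload is not whole blocks.
        return "bad payload size or padding"
    body, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:icv_len]
    if not hmac.compare_digest(icv, expected):
        return "authentication failed"
    return "ok"


KEY = bytes(range(32))   # constructed 256-bit key
CIPHERTEXT = bytes(48)   # constructed stand-in for three encrypted blocks


def demo():
    """Receiver expects RFC 4868; senders use each truncation in turn."""
    results = {}
    for name, icv_len in (("draft", ICV_DRAFT), ("rfc4868", ICV_RFC4868)):
        packet = build_esp(KEY, 0x1000, 1, CIPHERTEXT, icv_len)
        results[name] = receive_esp(KEY, packet, ICV_RFC4868)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the four-byte difference is detected at the length check, the symptom is a rising "bad payload size or padding" counter rather than authentication failures, which matches the `netstat -sp esp` observation in the message.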



Re: sasyncd fails to start on system boot

2016-03-30 Thread Otto Moerbeek
On Wed, Mar 30, 2016 at 07:52:01AM +0200, Bornkessel, Bernd wrote:

> Thank you for your response.
> Currently I'm running 5.8-stable.

The fix wasn't committed to -stable,

In 5.8-stable you could apply the fix below,

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/sasyncd/carp.c.diff?r1=1.13=1.14=h

But 5.9 would be better. It is out since yesterday

-Otto

> 
> - Original Message -
> > From: "Otto Moerbeek" 
> > To: "Bornkessel, Bernd" 
> > Cc: misc@openbsd.org
> > Sent: Wednesday, March 30, 2016 7:04:25 AM
> > Subject: Re: sasyncd fails to start on system boot
> 
> > On Tue, Mar 29, 2016 at 11:47:17PM +0200, Bornkessel, Bernd wrote:
> > 
> >> Hi,
> >> 
> >> I've got the problem that sasyncd fails to start on system boot. On the
> >> console screen I see:
> >> 
> >> 'starting early daemons: syslogd pflogd ntpd isakmpd sasyncd(failed)'
> > 
> > This sounds like a bug I fixed in 5.8. You are not telling which
> > version you are running, but your best bet is to upgrade to 5.9.
> > 
> > -Otto