Re: error creating ca cert for iked

2017-03-27 Thread Markus Rosjat

Hi Andrei,

okay I will take a look if I can find a diff to apply it, there is 
always a first time for it :) or I just try to upgrade to a latest 
snapshot.


regards

Markus

On 27.03.2017 at 21:02, Andrei-Marius Radu wrote:

Hi Markus,

I've sent a diff to bugs@ yesterday which fixes this issue for me.

Cheers,
Andrei.

On Mon, Mar 27, 2017, at 20:43, Markus Rosjat wrote:

hi there,

maybe I did it wrong but I got the following error:

$ doas ikectl ca ikectl.ca create
Generating RSA private key, 2048 bit long modulus
+++
+++
e is 65537 (0x10001)
error on line 27 of /etc/ssl/ikectl.ca/ca-ssl.cnf
34161266967200:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
error on line 27 of config file '/etc/ssl/ikectl.ca/ca-ext.cnf'
Using configuration from /etc/ssl/ikectl.ca/ca-revoke-ssl.cnf
error on line 27 of config file '/etc/ssl/ikectl.ca/ca-revoke-ssl.cnf'
5307585036640:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27

I'm running on current snapshot from 2017-03-25

this also overrides changes made in the cnf files

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT








Re: error creating ca cert for iked

2017-03-27 Thread Andrei-Marius Radu
Hi Markus,

I've sent a diff to bugs@ yesterday which fixes this issue for me.

Cheers,
Andrei.

On Mon, Mar 27, 2017, at 20:43, Markus Rosjat wrote:
> hi there,
>
> maybe I did it wrong but I got the following error:
>
> $ doas ikectl ca ikectl.ca create
> Generating RSA private key, 2048 bit long modulus
> +++
> +++
> e is 65537 (0x10001)
> error on line 27 of /etc/ssl/ikectl.ca/ca-ssl.cnf
> 34161266967200:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
> error on line 27 of config file '/etc/ssl/ikectl.ca/ca-ext.cnf'
> Using configuration from /etc/ssl/ikectl.ca/ca-revoke-ssl.cnf
> error on line 27 of config file '/etc/ssl/ikectl.ca/ca-revoke-ssl.cnf'
> 5307585036640:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
>
> I'm running on current snapshot from 2017-03-25
>
> this also overrides changes made in the cnf files
>
> regards
>



error creating ca cert for iked

2017-03-27 Thread Markus Rosjat

hi there,

maybe I did it wrong but I got the following error:

$ doas ikectl ca ikectl.ca create
Generating RSA private key, 2048 bit long modulus
+++
+++
e is 65537 (0x10001)
error on line 27 of /etc/ssl/ikectl.ca/ca-ssl.cnf
34161266967200:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
error on line 27 of config file '/etc/ssl/ikectl.ca/ca-ext.cnf'
Using configuration from /etc/ssl/ikectl.ca/ca-revoke-ssl.cnf
error on line 27 of config file '/etc/ssl/ikectl.ca/ca-revoke-ssl.cnf'
5307585036640:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27

I'm running on current snapshot from 2017-03-25

this also overrides changes made in the cnf files

regards

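A diagnostic sketch for the "variable has no value" error in the post above, added here as an example and not code from the thread or from ikectl: libcrypto reports this error when a `$name` reference in a config file cannot be expanded, and one such case is an `$ENV::NAME` reference to an environment variable that is not set. That line 27 of the generated files holds such a reference is an assumption; the sample config and the `DEMO_*` names are constructed.

```sh
#!/bin/sh
# Added example: find $ENV::NAME references in an OpenSSL/LibreSSL config
# file and flag the ones whose environment variable is not set.

# env_refs FILE: print "LINE NAME" for each $ENV::NAME or ${ENV::NAME}.
env_refs() {
	awk '{
		line = $0
		sub(/[ \t]*#.*/, "", line)            # drop comments
		while (match(line, /[$][{]?ENV::[A-Za-z0-9_]+/)) {
			ref = substr(line, RSTART, RLENGTH)
			sub(/^[$][{]?ENV::/, "", ref)     # keep only NAME
			print NR, ref
			line = substr(line, RSTART + RLENGTH)
		}
	}' "$1"
}

# unset_env_refs FILE: print one line per reference that cannot be expanded
# from the current environment (an empty but exported variable counts as set).
unset_env_refs() {
	env_refs "$1" | while read -r lineno name; do
		if ! printenv "$name" >/dev/null 2>&1; then
			printf '%s:%s: $ENV::%s is not set\n' "$1" "$lineno" "$name"
		fi
	done
}

# make_sample FILE: write a constructed config (not the file ikectl generates).
make_sample() {
	cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
# $ENV::IGNORED_IN_COMMENT
[ v3_ca ]
subjectAltName = IP:$ENV::DEMO_CERT_IP
nsComment = ${ENV::DEMO_COMMENT}
EOF
}

# Demo: one variable exported, one missing.
sample=$(mktemp)
make_sample "$sample"
DEMO_CERT_IP=192.0.2.1; export DEMO_CERT_IP
unset DEMO_COMMENT
unset_env_refs "$sample"    # reports line 6, DEMO_COMMENT
rm -f "$sample"
```

`env_refs /etc/ssl/ikectl.ca/ca-ssl.cnf` shows whether line 27 is an `$ENV::` reference at all; the set/unset verdict reflects the calling shell's environment, not that of the process that invoked openssl.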




Re: specifying rom file for vio(4) in VMM

2017-03-27 Thread Mike Larkin
On Mon, Mar 27, 2017 at 10:59:15AM -0400, Jiri B wrote:
> Is it possible to somehow make VMM to boot from vio with specified
> ROM file (eg. ipxe)?
> 
> j.
> 

Not yet, but loading option roms is possible in seabios, so a diff
to support that would be welcome. We could use that for sgabios too,
to do vga > serial redirection.



specifying rom file for vio(4) in VMM

2017-03-27 Thread Jiri B
Is it possible to somehow make VMM to boot from vio with specified
ROM file (eg. ipxe)?

j.



Kernel panic on Dell R210 with OpenBSD 6.0

2017-03-27 Thread Mathieu BLANC
Hello all,

I have a pair of firewalls running 6.0 (patched with openup in October, no patch
applied since then).

Since the upgrade, this pair has some problem with kernel
panics (4 times since the upgrade in October).

The last one was this morning. The two firewalls crashed at the same time with
these logs:

/bsd: panic: kernel diagnostic assertion "(sk->inp == NULL) || (sk->inp->inp_pf_sk == NULL)" failed: file "../../../../net/pf.c", line 6891
/bsd: Starting stack trace...
/bsd: panic() at panic+0x10b
/bsd: __assert() at __assert+0x25
/bsd: pf_state_key_unref() at pf_state_key_unref+0xc6
/bsd: pf_pkt_unlink_state_key() at pf_pkt_unlink_state_key+0x15
/bsd: m_free() at m_free+0xa0
/bsd: sbdroprecord() at sbdroprecord+0x61
/bsd: soreceive() at soreceive+0xb4f
/bsd: recvit() at recvit+0x139
/bsd: sys_recvfrom() at sys_recvfrom+0x9d
/bsd: syscall() at syscall+0x27b
/bsd: --- syscall (number 29) ---
/bsd: end of kernel
/bsd: end trace frame: 0x7f7dc870, count: 247
/bsd: 0x18ccb3b21ada:
/bsd: End of stack trace. 

I have another pair of firewalls with the same hardware (Dell R210) which is
running without problem.

After the crash this morning, I applied the last patches with openup. But after
reading the errata page, I'm not sure it will help... Or maybe this one could
be related:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/019_pf.patch.sig ?

Thank you very much!

--
Mathieu

OpenBSD 6.0 (GENERIC.MP) #2: Mon Oct 17 10:22:47 CEST 2016
    r...@stable-60-amd64.mtier.org:/binpatchng/work-binpatch60-amd64/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1047105536 (998MB)
avail mem = 1010954240 (964MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x3f79c000 (63 entries)
bios0: vendor Dell Inc. version "1.10.0" date 09/10/2013
bios0: Dell Inc. PowerEdge R210
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC SPCR HPET DM__ MCFG WD__ SLIC ERST HEST BERT EINJ TCPA SSDT
acpi0: wakeup devices PCI0(S5) USBA(S0) USBB(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU L3406 @ 2.27GHz, 2261.27 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 132MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Xeon(R) CPU L3406 @ 2.27GHz, 2260.99 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 2, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU L3406 @ 2.27GHz, 2260.99 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Xeon(R) CPU L3406 @ 2.27GHz, 2260.99 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 2, package 0
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (LYD0)
acpiprt2 at acpi0: bus -1 (LYD2)
acpiprt3 at acpi0: bus 1 (HVD0)
acpiprt4 at acpi0: bus -1 (HVD2)
acpiprt5 at acpi0: bus 5 (PEX0)
acpiprt6 at acpi0: bus -1 (PEX4)
acpiprt7 at acpi0: bus -1 (PEX5)
acpiprt8 at acpi0: bus 6 (COMP)
acpicpu0 at acpi0: C3(350@96 mwait.1@0x20), C1(1000@1 mwait.1)
acpicpu1 at acpi0: C3(350@96 mwait.1@0x20), C1(1000@1 mwait.1)
acpicpu2 at acpi0: C3(350@96 mwait.1@0x20), C1(1000@1 mwait.1)
acpicpu3 at acpi0: C3(350@96 mwait.1@0x20), C1(1000@1 mwait.1)
"PNP0C33" at acpi0 not configured
"ACPI000D" at acpi0 not configured
"PNP0501" at acpi0 not configured
"PNP0501" at acpi0 not configured
"IPI0001" at acpi0 not configured
"PNP0C14" at acpi0 not configured
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core Host" rev 0x18
ppb0 at pci0 dev 1 

Re: UEFI and Hyper-v

2017-03-27 Thread Markus Rosjat

Hi,

that's an answer I can go with, I just needed some kind of 
acknowledgement that it's not totally my fault :-)


regards

Markus

On 27.03.2017 at 10:53, Reyk Floeter wrote:

On Mon, Mar 27, 2017 at 10:46:00AM +0200, Reyk Floeter wrote:

btw. Is there any reason or benefit to use Gen 2?  AFAIK, it is only
for Windows for secure boot etc.  I think Gen 1 is fine for OpenBSD,
you even have the hvn(4) and the hyperv(4) drivers now.  Even the
latest machines in Azure are Gen 1-based.

On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
like the topic says I look for some feedback here. I try to set up a Gen 2



And you shouldn't get confused by the naming: "Gen 1" and "Gen 2"
implies that one is better than the other.  This doesn't seem to be
the case - they are just different in regards to legacy devices.

Gen 2 is a bit like HVPVM in Xen (or was it PVHVM?).

Gen 2 requires UEFI and PV drivers, while Gen 1 does not require them.
And we still miss a PV storage driver (aka. "hvs(4)") for Hyper-V, it
wouldn't support the disk.  OpenBSD requires Gen 1 and the pciide(4)
emulation on Hyper-V.

Reyk



On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:

Hi there,

like the topic says I look for some feedback here. I try to set up a Gen 2
Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI
Medium. Since the normal iso doesn't provide that I took the following
approach:

 1. I created a USB stick from installXX.fs
 2. verified that I could boot from the stick
 3. created a VHDX from the stick
 4. Attached it to a Gen 2 VM
 5. booted the VM and here I'm stuck for now
It starts to boot but instead of showing me all the nice dmesg
stuff I would expect it just went black.

but the rest of the way would look like this

 6. Install OpenBSD on another VHDX
 7. detach the first VHDX

So the question really is, do I miss a step or is it just not possible at
the moment to get it working with Gen 2 VMs? The secure boot feature of the
VM is disabled.

Regards





Re: UEFI and Hyper-v

2017-03-27 Thread Reyk Floeter
On Mon, Mar 27, 2017 at 10:46:00AM +0200, Reyk Floeter wrote:
> btw. Is there any reason or benefit to use Gen 2?  AFAIK, it is only
> for Windows for secure boot etc.  I think Gen 1 is fine for OpenBSD,
> you even have the hvn(4) and the hyperv(4) drivers now.  Even the
> latest machines in Azure are Gen 1-based.
> 
> On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> like the topic says I look for some feedback here. I try to set up a Gen 2
> 

And you shouldn't get confused by the naming: "Gen 1" and "Gen 2"
implies that one is better than the other.  This doesn't seem to be
the case - they are just different in regards to legacy devices.

Gen 2 is a bit like HVPVM in Xen (or was it PVHVM?).

Gen 2 requires UEFI and PV drivers, while Gen 1 does not require them.
And we still miss a PV storage driver (aka. "hvs(4)") for Hyper-V, it
wouldn't support the disk.  OpenBSD requires Gen 1 and the pciide(4)
emulation on Hyper-V.

Reyk

> 
> On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> > Hi there,
> > 
> > like the topic says I look for some feedback here. I try to set up a Gen 2
> > Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI
> > Medium. Since the normal iso doesn't provide that I took the following
> > approach:
> > 
> >  1. I created a USB stick from installXX.fs
> >  2. verified that I could boot from the stick
> >  3. created a VHDX from the stick
> >  4. Attached it to a Gen 2 VM
> >  5. booted the VM and here I'm stuck for now
> > It starts to boot but instead of showing me all the nice dmesg
> > stuff I would expect it just went black.
> > 
> > but the rest of the way would look like this
> > 
> >  6. Install OpenBSD on another VHDX
> >  7. detach the first VHDX
> > 
> > So the question really is, do I miss a step or is it just not possible at
> > the moment to get it working with Gen 2 VMs? The secure boot feature of the
> > VM is disabled.
> > 
> > Regards
> > 



Re: UEFI and Hyper-v

2017-03-27 Thread Reyk Floeter
Hi,

I tried it once with a custom ISO but didn't get any further than the
OpenBSD UEFI boot loader.  At this point, it couldn't find the disk so
I couldn't get to boot OpenBSD.  But this was in the early stages of
our UEFI support.

So we seem to miss some EFI drivers for Hyper-V Gen 2.  If you get to
the boot loader and it finds the disk, you still might not be able to
get display output if it doesn't use an efifb(4)-compatible display.

btw. Is there any reason or benefit to use Gen 2?  AFAIK, it is only
for Windows for secure boot etc.  I think Gen 1 is fine for OpenBSD,
you even have the hvn(4) and the hyperv(4) drivers now.  Even the
latest machines in Azure are Gen 1-based.

Reyk

On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> Hi there,
> 
> like the topic says I look for some feedback here. I try to set up a Gen 2
> Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI
> Medium. Since the normal iso doesn't provide that I took the following
> approach:
> 
>  1. I created a USB stick from installXX.fs
>  2. verified that I could boot from the stick
>  3. created a VHDX from the stick
>  4. Attached it to a Gen 2 VM
>  5. booted the VM and here I'm stuck for now
> It starts to boot but instead of showing me all the nice dmesg
> stuff I would expect it just went black.
> 
> but the rest of the way would look like this
> 
>  6. Install OpenBSD on another VHDX
>  7. detach the first VHDX
> 
> So the question really is, do I miss a step or is it just not possible at
> the moment to get it working with Gen 2 VMs? The secure boot feature of the
> VM is disabled.
> 
> Regards
> 



Re: Openup and stable

2017-03-27 Thread Andreas Thulin
Thanks - I do, too. My questions were more about whether _I_ can be
trusted. :-)
On Sat, 25 March 2017 at 21:07, Maurice McCarthy wrote:

> On Sat, Mar 25, 2017 at 11:53:35AM +0100 or thereabouts, ludovic coues
> wrote:
> > You might have missed the email from Antoine Jacoutot about syspatch,
> > on the first of December last year
> >
> > See http://man.openbsd.org/syspatch
> >
>
> The same Antoine Jacoutot also maintained openup. I believe several of the
> OpenBSD developers work for M:Tier. Therefore I think they can be trusted.



UEFI and Hyper-v

2017-03-27 Thread Markus Rosjat

Hi there,

like the topic says I look for some feedback here. I try to set up a Gen 
2 Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a 
UEFI Medium. Since the normal iso doesn't provide that I took the 
following approach:

 1. I created a USB stick from installXX.fs
 2. verified that I could boot from the stick
 3. created a VHDX from the stick
 4. Attached it to a Gen 2 VM
 5. booted the VM and here I'm stuck for now
It starts to boot but instead of showing me all the nice dmesg
stuff I would expect it just went black.

but the rest of the way would look like this

 6. Install OpenBSD on another VHDX
 7. detach the first VHDX

So the question really is, do I miss a step or is it just not possible 
at the moment to get it working with Gen 2 VMs? The secure boot feature 
of the VM is disabled.


Regards
