Re: error creating ca cert for iked
Hi Andrei,

okay I will take a look if I can find a diff to apply it, there is
always a first time for it :) or I just try to upgrade to a latest
snapshot.

regards

Markus

On 27.03.2017 at 21:02, Andrei-Marius Radu wrote:
> Hi Markus,
>
> I've sent a diff to bugs@ yesterday which fixes this issue for me.
>
> Cheers,
> Andrei.
>
> On Mon, Mar 27, 2017, at 20:43, Markus Rosjat wrote:
> > hi there,
> >
> > maybe I did it wrong but I got the following error:
> >
> > $ doas ikectl ca ikectl.ca create
> > Generating RSA private key, 2048 bit long modulus
> > +++
> > +++
> > e is 65537 (0x10001)
> > error on line 27 of /etc/ssl/ikectl.ca/ca-ssl.cnf
> > 34161266967200:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
> > error on line 27 of config file '/etc/ssl/ikectl.ca/ca-ext.cnf'
> > Using configuration from /etc/ssl/ikectl.ca/ca-revoke-ssl.cnf
> > error on line 27 of config file '/etc/ssl/ikectl.ca/ca-revoke-ssl.cnf'
> > 5307585036640:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
> >
> > I'm running on current snapshot from 2017-03-25
> >
> > this also overrides changes made in the cnf files
> >
> > regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you
print it, think about your responsibility and commitment to the
ENVIRONMENT
Re: error creating ca cert for iked
Hi Markus,

I've sent a diff to bugs@ yesterday which fixes this issue for me.

Cheers,
Andrei.

On Mon, Mar 27, 2017, at 20:43, Markus Rosjat wrote:
> hi there,
>
> maybe I did it wrong but I got the following error:
>
> $ doas ikectl ca ikectl.ca create
> Generating RSA private key, 2048 bit long modulus
> +++
> +++
> e is 65537 (0x10001)
> error on line 27 of /etc/ssl/ikectl.ca/ca-ssl.cnf
> 34161266967200:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
> error on line 27 of config file '/etc/ssl/ikectl.ca/ca-ext.cnf'
> Using configuration from /etc/ssl/ikectl.ca/ca-revoke-ssl.cnf
> error on line 27 of config file '/etc/ssl/ikectl.ca/ca-revoke-ssl.cnf'
> 5307585036640:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
>
> I'm running on current snapshot from 2017-03-25
>
> this also overrides changes made in the cnf files
>
> regards
error creating ca cert for iked
hi there,

maybe I did it wrong but I got the following error:

$ doas ikectl ca ikectl.ca create
Generating RSA private key, 2048 bit long modulus
+++
+++
e is 65537 (0x10001)
error on line 27 of /etc/ssl/ikectl.ca/ca-ssl.cnf
34161266967200:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
error on line 27 of config file '/etc/ssl/ikectl.ca/ca-ext.cnf'
Using configuration from /etc/ssl/ikectl.ca/ca-revoke-ssl.cnf
error on line 27 of config file '/etc/ssl/ikectl.ca/ca-revoke-ssl.cnf'
5307585036640:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27

I'm running on current snapshot from 2017-03-25

this also overrides changes made in the cnf files

regards
Re: specifying rom file for vio(4) in VMM
On Mon, Mar 27, 2017 at 10:59:15AM -0400, Jiri B wrote:
> Is it possible to somehow make VMM to boot from vio with specified
> ROM file (eg. ipxe)?
>
> j.
>

Not yet, but loading option roms is possible in seabios, so a diff to
support that would be welcome. We could use that for sgabios too, to
do vga > serial redirection.
specifying rom file for vio(4) in VMM
Is it possible to somehow make VMM to boot from vio with specified
ROM file (eg. ipxe)?

j.
Kernel panic on Dell R210 with OpenBSD 6.0
Hello all,

I have a pair of firewalls running 6.0 (patched with openup in
October, no patch applied since then).

Since the upgrade, this pair has some problem with kernel panics
(4 times since the upgrade in October). The last one was this morning.
The two firewalls crashed at the same time with these logs:

/bsd: panic: kernel diagnostic assertion "(sk->inp == NULL) || (sk->inp->inp_pf_sk == NULL)" failed: file "../../../../net/pf.c", line 6891
/bsd: Starting stack trace...
/bsd: panic() at panic+0x10b
/bsd: __assert() at __assert+0x25
/bsd: pf_state_key_unref() at pf_state_key_unref+0xc6
/bsd: pf_pkt_unlink_state_key() at pf_pkt_unlink_state_key+0x15
/bsd: m_free() at m_free+0xa0
/bsd: sbdroprecord() at sbdroprecord+0x61
/bsd: soreceive() at soreceive+0xb4f
/bsd: recvit() at recvit+0x139
/bsd: sys_recvfrom() at sys_recvfrom+0x9d
/bsd: syscall() at syscall+0x27b
/bsd: --- syscall (number 29) ---
/bsd: end of kernel
/bsd: end trace frame: 0x7f7dc870, count: 247
/bsd: 0x18ccb3b21ada:
/bsd: End of stack trace.

I have another pair of firewalls with the same hardware (Dell R210)
which is running without problem.

After the crash this morning, I applied the last patches with openup.
But after reading the errata page, I'm not sure it will help... Or
maybe this one could be related:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/019_pf.patch.sig ?

Thank you very much!

--
Mathieu
Re: UEFI and Hyper-v
Hi,

that's an answer I can go with, I just needed some kind of
acknowledgement that it's not totally my fault :-)

regards

Markus

On 27.03.2017 at 10:53, Reyk Floeter wrote:
> On Mon, Mar 27, 2017 at 10:46:00AM +0200, Reyk Floeter wrote:
> > btw. Is there any reason or benefit to use Gen 2? AFAIK, it is only
> > for Windows for secure boot etc. I think Gen 1 is fine for OpenBSD,
> > you even have the hvn(4) and the hyperv(4) drivers now. Even the
> > latest machines in Azure are Gen 1-based.
> >
> > On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> > like the topic says I look for some feedback here. I try to set up a Gen 2
> >
>
> And you shouldn't get confused by the naming: "Gen 1" and "Gen 2"
> implies that one is better than the other. This doesn't seem to be
> the case - they are just different in regards to legacy devices.
>
> Gen 2 is a bit like HVPVM in Xen (or was it PVHVM?). Gen 2 requires
> UEFI and PV drivers, while Gen 1 does not require them. And we still
> miss a PV storage driver (aka. "hvs(4)") for Hyper-V, it wouldn't
> support the disk.
>
> OpenBSD requires Gen 1 and the pciide(4) emulation on Hyper-V.
>
> Reyk
>
> >
> > On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> > > Hi there,
> > >
> > > like the topic says I look for some feedback here. I try to set up a Gen 2
> > > Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI
> > > Medium. Since the normal iso doesn't provide that I took the following
> > > approach:
> > >
> > > 1. I created a USB stick from installXX.fs
> > > 2. verified that I could boot from the stick
> > > 3. created a VHDX from the stick
> > > 4. Attached it to a Gen 2 VM
> > > 5. booted the VM and here I'm stuck for now
> > >    It starts to boot but instead of showing me all the nice dmesg
> > >    stuff I would expect it just went black.
> > >
> > > but the rest of the way would look like this
> > >
> > > 6. Install OpenBSD on another VHDX
> > > 7. detach the first VHDX
> > >
> > > So the question really is, do I miss a step or is it just not possible at
> > > the moment to get it working with Gen 2 VMs? The secure boot feature of the
> > > VM is disabled.
> > >
> > > Regards
Re: UEFI and Hyper-v
On Mon, Mar 27, 2017 at 10:46:00AM +0200, Reyk Floeter wrote:
> btw. Is there any reason or benefit to use Gen 2? AFAIK, it is only
> for Windows for secure boot etc. I think Gen 1 is fine for OpenBSD,
> you even have the hvn(4) and the hyperv(4) drivers now. Even the
> latest machines in Azure are Gen 1-based.
>
> On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> like the topic says I look for some feedback here. I try to set up a Gen 2
>

And you shouldn't get confused by the naming: "Gen 1" and "Gen 2"
implies that one is better than the other. This doesn't seem to be
the case - they are just different in regards to legacy devices.

Gen 2 is a bit like HVPVM in Xen (or was it PVHVM?). Gen 2 requires
UEFI and PV drivers, while Gen 1 does not require them. And we still
miss a PV storage driver (aka. "hvs(4)") for Hyper-V, it wouldn't
support the disk.

OpenBSD requires Gen 1 and the pciide(4) emulation on Hyper-V.

Reyk

>
> On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> > Hi there,
> >
> > like the topic says I look for some feedback here. I try to set up a Gen 2
> > Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI
> > Medium. Since the normal iso doesn't provide that I took the following
> > approach:
> >
> > 1. I created a USB stick from installXX.fs
> > 2. verified that I could boot from the stick
> > 3. created a VHDX from the stick
> > 4. Attached it to a Gen 2 VM
> > 5. booted the VM and here I'm stuck for now
> >    It starts to boot but instead of showing me all the nice dmesg
> >    stuff I would expect it just went black.
> >
> > but the rest of the way would look like this
> >
> > 6. Install OpenBSD on another VHDX
> > 7. detach the first VHDX
> >
> > So the question really is, do I miss a step or is it just not possible at
> > the moment to get it working with Gen 2 VMs? The secure boot feature of the
> > VM is disabled.
> >
> > Regards
Re: UEFI and Hyper-v
Hi,

I tried it once with a custom ISO but didn't get any further than the
OpenBSD UEFI boot loader. At this point, it couldn't find the disk so
I couldn't get to boot OpenBSD. But this was in the early stages of
our UEFI support.

So we seem to miss some EFI drivers for Hyper-V Gen 2. If you get to
the boot loader and it finds the disk, you still might not be able to
get display output if it doesn't use an efifb(4)-compatible display.

btw. Is there any reason or benefit to use Gen 2? AFAIK, it is only
for Windows for secure boot etc. I think Gen 1 is fine for OpenBSD,
you even have the hvn(4) and the hyperv(4) drivers now. Even the
latest machines in Azure are Gen 1-based.

Reyk

On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> Hi there,
>
> like the topic says I look for some feedback here. I try to set up a Gen 2
> Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI
> Medium. Since the normal iso doesn't provide that I took the following
> approach:
>
> 1. I created a USB stick from installXX.fs
> 2. verified that I could boot from the stick
> 3. created a VHDX from the stick
> 4. Attached it to a Gen 2 VM
> 5. booted the VM and here I'm stuck for now
>    It starts to boot but instead of showing me all the nice dmesg
>    stuff I would expect it just went black.
>
> but the rest of the way would look like this
>
> 6. Install OpenBSD on another VHDX
> 7. detach the first VHDX
>
> So the question really is, do I miss a step or is it just not possible at
> the moment to get it working with Gen 2 VMs? The secure boot feature of the
> VM is disabled.
>
> Regards
Re: Openup and stable
Thanks - I do, too. My questions were more about whether _I_ can be
trusted. :-)

On Sat, 25 March 2017 at 21:07, Maurice McCarthy wrote:
> On Sat, Mar 25, 2017 at 11:53:35AM +0100 or thereabouts, ludovic coues
> wrote:
> > You might have missed the email from Antoine Jacoutot about syspatch,
> > on the first of December last year
> >
> > See http://man.openbsd.org/syspatch
> >
>
> The same Antoine Jacoutot also maintained openup. I believe several of the
> OpenBSD developers work for M:Tier. Therefore I think they can be trusted.
UEFI and Hyper-v
Hi there,

like the topic says I look for some feedback here. I try to set up a Gen 2
Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI
Medium. Since the normal iso doesn't provide that I took the following
approach:

1. I created a USB stick from installXX.fs
2. verified that I could boot from the stick
3. created a VHDX from the stick
4. Attached it to a Gen 2 VM
5. booted the VM and here I'm stuck for now
   It starts to boot but instead of showing me all the nice dmesg
   stuff I would expect it just went black.

but the rest of the way would look like this

6. Install OpenBSD on another VHDX
7. detach the first VHDX

So the question really is, do I miss a step or is it just not possible at
the moment to get it working with Gen 2 VMs? The secure boot feature of the
VM is disabled.

Regards