Re: OpenBSD 6.0 "netstat -p proto" behavior
I did some tests for determining netstat issue.

1. I've just rebuilt the whole system on working machine with netstat problem. Now it's 6.0-stable amd64 MP kernel+world. The same output of "netstat -p tcp" as before... No TCP connections are listed. FYI, I have a lot of lan/wlan adapters installed on that machine: lo0, bge0, bge1, enc0, athn0 (usb wifi adapter with AR9280+AR7010 ICs), ppp0, tun0, pflog0

2. I've installed OpenBSD 6.0 amd64 MP from scratch (from official CD) onto virtual machine with emulated Intel Ethernet adapter - em0. All other adapters are the same: lo0, enc0, pflog0. "netstat -p tcp" shows all TCP connections as expected.

It looks like netstat functionality depends on lan/wlan adapter present. Can it be fixed?

Thanks.

On 25.01.2017 21:05, Kapfhammer, Stefan wrote:
> Works as expected with 6.0 stable on amd64 MP kernel.
>
> Kind regards / Regards
> -stefan kapfhammer
> Original message
> From: Denis Lapshin
> Sent: Wednesday, 25 January 2017 21:13
> To: misc@openbsd.org
> Subject: OpenBSD 6.0 "netstat -p proto" behavior
>
> On a regular basis I'm using # netstat -p proto command.
>
> On 5.4 it returns:
>
> # netstat -p tcp
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address Foreign Address(state)
> tcp 0 44 127.0.0.1. 192.168.1.37.25253
> ESTABLISHED
> tcp 0 0 127.0.0.1.9911 77.88.42.32.11.64385
> ESTABLISHED
> tcp 0 0 82.32.11.11.48279 208.242.56.59.443
> ESTABLISHED
> tcp 0 0 127.0.0.1.7110 *.*LISTEN
> ...
>
> On 6.0 it seems the "-p" option does not affect the output at all (the same data is provided by a plain # netstat call):
>
> # netstat -p tcp
> NameMtu Network Address Ipkts IerrsOpkts
> Oerrs Colls
> lo0 32768 196530 0 196530
> 0 0
> lo0 32768 ::1/128 ::1 196530 0 196530
> 0 0
> lo0 32768 fe80::%lo0/ fe80::1%lo0 196530 0 196530
> 0 0
> lo0 32768 127/8 127.0.0.1 196530 0 196530
> 0 0
> bge0150000:02:b6:42:ea:c070224 095117
> 0 0
> pflog0 331440 0 250
> 0 0
> ...
>
> What am I doing wrong?
>
> Thanks.
OpenBSD 6.0 "netstat -p proto" behavior
On a regular basis I'm using # netstat -p proto command.

On 5.4 it returns:

# netstat -p tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address(state)
tcp 0 44 127.0.0.1. 192.168.1.37.25253 ESTABLISHED
tcp 0 0 127.0.0.1.9911 77.88.42.32.11.64385 ESTABLISHED
tcp 0 0 82.32.11.11.48279 208.242.56.59.443 ESTABLISHED
tcp 0 0 127.0.0.1.7110 *.*LISTEN
...

On 6.0 it seems the "-p" option does not affect the output at all (the same data is provided by a plain # netstat call):

# netstat -p tcp
NameMtu Network Address Ipkts IerrsOpkts Oerrs Colls
lo0 32768 196530 0 196530 0 0
lo0 32768 ::1/128 ::1 196530 0 196530 0 0
lo0 32768 fe80::%lo0/ fe80::1%lo0 196530 0 196530 0 0
lo0 32768 127/8 127.0.0.1 196530 0 196530 0 0
bge0150000:02:b6:42:ea:c070224 095117 0 0
pflog0 331440 0 250 0 0
...

What am I doing wrong?

Thanks.
Can not read NTPd timedelta from NMEA device by sysctl hw.sensors.nmea0
Hi there!

There is a problem getting the time delta from an NMEA device with NMEA 0183, version 4.0 (V2.3 or V4.1 configurable).

# ldattach -s 9600 nmea /dev/cuaU2
# sysctl hw.sensors.nmea0
hw.sensors.nmea0.indicator0=Off (Signal), UNKNOWN

While connected to cuaU2 by a terminal program all the GPS data seems ready and useful. What could the problem be?

# cat ntpd.conf
sensor nmea0 correction 7 weight 6 refid GPS stratum 1
Re: jdk-1.7.0 and jdk-1.8.0 Abort trap (core dumped) GDB core trace provided
Now works great. Thanks. On 24.11.2016 11:40, David Coppa wrote: On Thu, Nov 24, 2016 at 9:32 AM, Denis Lapshin wrote: Hello All, There is a problem with starting jdk from packages on AMD64 platform. It doesn't matter what versions of jdk installed: jdk-1.7.0 or jdk-1.8.0. The same issue is present on both. # java Abort trap (core dumped) # gdb /usr/local/jdk-1.7.0/bin/java java.core GNU gdb 6.3 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-unknown-openbsd6.0"...(no debugging symbols found) Core was generated by `java'. Program terminated with signal 6, Aborted. Reading symbols from /usr/lib/libpthread.so.22.0...done. Loaded symbols for /usr/lib/libpthread.so.22.0 Loaded symbols for /usr/local/jdk-1.7.0/bin/java Reading symbols from /usr/lib/libz.so.5.0...done. Loaded symbols for /usr/lib/libz.so.5.0 Symbols already loaded for /usr/lib/libpthread.so.22.0 Reading symbols from /usr/lib/libc.so.88.0...done. Loaded symbols for /usr/lib/libc.so.88.0 Reading symbols from /usr/libexec/ld.so...done. Loaded symbols for /usr/libexec/ld.so Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so...done. Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so Reading symbols from /usr/lib/libstdc++.so.57.0...done. Loaded symbols for /usr/lib/libstdc++.so.57.0 Reading symbols from /usr/lib/libm.so.9.0...done. Loaded symbols for /usr/lib/libm.so.9.0 Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libverify.so...done. Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libverify.so Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libjava.so...done. 
Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libjava.so Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libzip.so...done. Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libzip.so #0 0x12b62e14c0ca in mprotect () at :2 2 : No such file or directory. in (gdb) where #0 0x12b62e14c0ca in mprotect () at :2 #1 0x12b65861b5c8 in os::pd_commit_memory () from Your '/usr/local' filesystem does not have the "wxallowed" mount option. Read the mount(8) manual page. Ciao! David -- Denis Lapshin mailto: den...@mindall.org
jdk-1.7.0 and jdk-1.8.0 Abort trap (core dumped) GDB core trace provided
Hello All, There is a problem with starting jdk from packages on AMD64 platform. It doesn't matter what versions of jdk installed: jdk-1.7.0 or jdk-1.8.0. The same issue is present on both. # java Abort trap (core dumped) # gdb /usr/local/jdk-1.7.0/bin/java java.core GNU gdb 6.3 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-unknown-openbsd6.0"...(no debugging symbols found) Core was generated by `java'. Program terminated with signal 6, Aborted. Reading symbols from /usr/lib/libpthread.so.22.0...done. Loaded symbols for /usr/lib/libpthread.so.22.0 Loaded symbols for /usr/local/jdk-1.7.0/bin/java Reading symbols from /usr/lib/libz.so.5.0...done. Loaded symbols for /usr/lib/libz.so.5.0 Symbols already loaded for /usr/lib/libpthread.so.22.0 Reading symbols from /usr/lib/libc.so.88.0...done. Loaded symbols for /usr/lib/libc.so.88.0 Reading symbols from /usr/libexec/ld.so...done. Loaded symbols for /usr/libexec/ld.so Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so...done. Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so Reading symbols from /usr/lib/libstdc++.so.57.0...done. Loaded symbols for /usr/lib/libstdc++.so.57.0 Reading symbols from /usr/lib/libm.so.9.0...done. Loaded symbols for /usr/lib/libm.so.9.0 Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libverify.so...done. Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libverify.so Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libjava.so...done. Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libjava.so Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libzip.so...done. 
Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libzip.so #0 0x12b62e14c0ca in mprotect () at :2 2 : No such file or directory. in (gdb) where #0 0x12b62e14c0ca in mprotect () at :2 #1 0x12b65861b5c8 in os::pd_commit_memory () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so #2 0x12b65861b5f0 in os::pd_commit_memory () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so #3 0x12b658619cf7 in os::commit_memory () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so #4 0x12b6587a3236 in VirtualSpace::expand_by () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so #5 0x12b6587a34d8 in VirtualSpace::initialize () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so #6 0x12b658366cab in CodeHeap::reserve () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so #7 0x12b658214726 in CodeCache::initialize () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so #8 0x12b6583829fa in init_globals () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so #9 0x12b658750afd in Threads::create_vm () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so #10 0x12b6583f04ce in JNI_CreateJavaVM () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so #11 0x12b397d0303c in JavaMain () from /usr/local/jdk-1.7.0/bin/java #12 0x12b643b6031e in _rthread_start (v=Variable "v" is not available. ) at /usr/src/lib/librthread/rthread.c:115 #13 0x12b62e141a2b in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:75 #14 0x in ?? () Current language: auto; currently asm (gdb) Please let me know what I can do to make it in working order. Thanks
Native C written i2pd port for OpenBSD
Hi there.

Looking for an OpenBSD port of PurpleI2P/i2pd C written project (non java version).

Github link: https://github.com/PurpleI2P/i2pd

Building it from scratch produces a lot of errors. Please suggest.

Denis
Adding more cuaUxx devices
Hi there!

Could someone give some advice on how to add more cuaUxx devices? Nowadays I have just cuaU0-9 ones, but need a bit more...

MAKEDEV returns:

# ./MAKEDEV cuaU10
cuaU10: unknown device

Thank you in advance.

Denis
Re: iked x509 negotiation problem with BlackBerry OS 10.3.1
Having patched ikev2_pld.c to accept empty certreq still have no connection from BlackBerry smartphone. Please give some ideas what can be wrong?

On 04.07.2015 11:24, Denis Lapshin wrote: Index: ikev2_pld.c === RCS file: /cvs/src/sbin/iked/ikev2_pld.c,v retrieving revision 1.50 diff -u -p -r1.50 ikev2_pld.c --- ikev2_pld.c26 Mar 2015 19:52:35 -1.50 +++ ikev2_pld.c3 Jul 2015 09:19:29 - 
@@ -916,7 +916,9 @@ ikev2_pld_certreq(struct iked *env, stru return (0); if (cert.cert_type == IKEV2_CERT_X509_CERT) { -if (!len || (len % SHA_DIGEST_LENGTH) != 0) { +if (!len) +return (0); +if ((len % SHA_DIGEST_LENGTH) != 0) { log_debug("%s: invalid certificate request", __func__); return (-1); } iked -dvv log is below: ... ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5 ikev2_pld_certreq: type X509_CERT signatures length 0 ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 36 ikev2_pld_cp: type REQUEST length 28 ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0 ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0 ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0 ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0 ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0 ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0 ikev2_pld_cp: APPLICATION_VERSION 0x0007 length 0 ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8 ikev2_pld_notify: protoid IKE spisize 0 type INITIAL_CONTACT ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8 ikev2_pld_notify: protoid IKE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8 ikev2_pld_notify: protoid IKE spisize 0 type NON_FIRST_FRAGMENTS_ALSO ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 92 ikev2_pld_sa: more 0 reserved 0 length 88 proposal #1 protoid ESP spisize 4 xforms 8 spi 0xf3268010 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 
type ENCR id 3DES ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id DES ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 sa_stateok: SA_INIT flags 0x00, require 0x00 ikev2_msg_auth: responder auth data length 357 ca_setauth: auth length 357 ikev2_sa_negotiate: score 7 config_free_proposals: free 0x203519780 sa_stateflags: 0x0c -> 0x0c auth,sa (required 0x0d cert,auth,sa) sa_stateok: EAP flags 0x0c, require 0x0d cert,auth,sa config_free_proposals: free 0x203519b80 ca_setauth: auth length 256 ikev2_getimsgdata: imsg 21 rspi 0xe58066731820 ispi 0x417f3816fccfc162 initiator 0 sa valid type 1 data length 256 ikev2_dispatch_cert: AUTH type 1 len 256 sa_stateflags: 0x0c -> 0x0c auth,sa (required 0x0d cert,auth,sa) sa_stateok: EAP flags 0x0c, require 0x0d cert,auth,sa
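Review bot: the added "if (!len) return (0);" at the top of the X509_CERT branch leaves ikev2_pld_certreq() before anything that follows the length check can run, so an empty request is accepted but nothing is done with it. The iked -dvv output posted with the patch is consistent with that: sa_stateflags stays at "auth,sa" while "cert,auth,sa" is required. Check whether the code after this test still has to run for a zero-length Certification Authority field, and if so skip only the per-hash work instead of returning here.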
Re: iked x509 negotiation problem with BlackBerry OS 10.3.1
Stuart, I've just added patch you've provided. The error about "cert request" disappeared but the connection freezes. The phone has been set to "Automatically determine algorithm". Does it affect or should I set the same algorithm on both ends? ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5 ikev2_pld_certreq: type X509_CERT signatures length 0 ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 36 ikev2_pld_cp: type REQUEST length 28 ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0 ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0 ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0 ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0 ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0 ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0 ikev2_pld_cp: APPLICATION_VERSION 0x0007 length 0 ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8 ikev2_pld_notify: protoid IKE spisize 0 type INITIAL_CONTACT ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8 ikev2_pld_notify: protoid IKE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8 ikev2_pld_notify: protoid IKE spisize 0 type NON_FIRST_FRAGMENTS_ALSO ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 92 ikev2_pld_sa: more 0 reserved 0 length 88 proposal #1 protoid ESP spisize 4 xforms 8 spi 0xf3268010 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id DES 
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 sa_stateok: SA_INIT flags 0x00, require 0x00 ikev2_msg_auth: responder auth data length 357 ca_setauth: auth length 357 ikev2_sa_negotiate: score 7 config_free_proposals: free 0x203519780 sa_stateflags: 0x0c -> 0x0c auth,sa (required 0x0d cert,auth,sa) sa_stateok: EAP flags 0x0c, require 0x0d cert,auth,sa config_free_proposals: free 0x203519b80 ca_setauth: auth length 256 ikev2_getimsgdata: imsg 21 rspi 0xe58066731820 ispi 0x417f3816fccfc162 initiator 0 sa valid type 1 data length 256 ikev2_dispatch_cert: AUTH type 1 len 256 sa_stateflags: 0x0c -> 0x0c auth,sa (required 0x0d cert,auth,sa) sa_stateok: EAP flags 0x0c, require 0x0d cert,auth,sa

- Denis

On 03.07.2015 21:54, Stuart Henderson wrote:
On 2015-07-03, Stuart Henderson wrote:
On 2015-07-02, Denis Lapshin wrote:
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_certreq: invalid certificate request
ikev2_resp_recv: failed to parse message

iked doesn't accept an empty certreq (which appears to be valid), this affects interop with Firebrick's implementation too.

On 2015/07/03 11:40, Denis Lapshin wrote:
Stuart, What can be done to accept an empty certreq (or fill certreq) on server's side and/or phone's side to obtain a connection?
You could try this diff, though I'm not sure whether it is correct, I don't have a suitable IKEv2 implementation to test against myself. Index: ikev2_pld.c === RCS file: /cvs/src/sbin/iked/ikev2_pld.c,v retrieving revision 1.50 diff -u -p -r1.50 ikev2_pld.c --- ikev2_pld.c 26 Mar 2015 19:52:35 - 1.50 +++ ikev2_pld.c 3 Jul 2015 09:19:29 - @@ -916,7 +916,9 @@ ikev2_pld_certreq(struct iked *env, stru return (0); if (cert.cert_type == IKEV2_CERT_X509_CERT) { - if (!len || (len % SHA_DIGEST_LENGTH) != 0) { + if (!len) + return (0); + if ((len % SHA_DIGEST_LENGTH) != 0) { log_debug("%s: invalid certificate request", __func__); return (-1); } -- Denis Lapshin mailto: den...@mindall.org
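Review bot: in the X509_CERT branch the new zero-length return is silent, while the remaining "(len % SHA_DIGEST_LENGTH) != 0" failure still logs "invalid certificate request". A log_debug on the "!len" path and a one-line comment saying why an empty request is accepted would keep the two outcomes distinguishable in -dvv output. The covering note says the diff was not tested against an IKEv2 peer, so it needs a run against an initiator that sends a length-5 CERTREQ before it goes further.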
iked "ikev2_pld_certreq: invalid certificate request"
Hi,

Can someone help in explaining last two rows of iked -dvv output in time of initiating VPN connection?

ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 272
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 240
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 240/240 padding 15
ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00 length 19
ikev2_pld_id: id FQDN/myserver.domain length 15
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_certreq: invalid certificate request
ikev2_resp_recv: failed to parse message

Denis
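The length check behind those last two log lines, as an added example (not part of the original post and not iked's own code): a CERTREQ of length 5 is the 4-byte generic payload header plus the 1-byte certificate encoding, which leaves a zero-length Certification Authority field. The function name, result codes, sample bytes and the accept_empty switch are assumptions made for illustration; accept_empty=0 mirrors a check that rejects the empty field, accept_empty=1 one that tolerates it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GENERIC_HDR_LEN   4   /* next payload, critical/reserved, 16-bit length */
#define SHA1_LEN          20  /* size of one CA public-key hash */
#define CERT_ENC_X509_SIG 4   /* RFC 7296: X.509 Certificate - Signature */

/* Hypothetical result codes for this example. */
enum {
	CERTREQ_OK        = 0,   /* accepted */
	CERTREQ_EMPTY     = 1,   /* accepted, no CA key hashes listed */
	CERTREQ_TRUNCATED = -1,  /* buffer shorter than the payload claims */
	CERTREQ_BAD_LEN   = -2,  /* declared length cannot hold the fixed fields */
	CERTREQ_BAD_CA    = -3   /* CA field is not a list of SHA-1 hashes */
};

struct certreq {
	uint8_t        encoding;  /* certificate encoding octet */
	const uint8_t *ca;        /* start of the Certification Authority field */
	size_t         ca_len;    /* its length in bytes */
	size_t         ca_count;  /* number of 20-byte hashes it holds */
};

/*
 * Parse one CERTREQ payload, generic header included.
 * accept_empty == 0: a zero-length CA field is an error.
 * accept_empty != 0: a zero-length CA field is reported as CERTREQ_EMPTY.
 */
int
parse_certreq(const uint8_t *buf, size_t buflen, int accept_empty,
    struct certreq *out)
{
	size_t plen;

	if (buflen < GENERIC_HDR_LEN + 1)
		return CERTREQ_TRUNCATED;

	/* Payload length is big-endian and counts the generic header. */
	plen = ((size_t)buf[2] << 8) | buf[3];
	if (plen < GENERIC_HDR_LEN + 1)
		return CERTREQ_BAD_LEN;
	if (plen > buflen)
		return CERTREQ_TRUNCATED;

	out->encoding = buf[4];
	out->ca = buf + GENERIC_HDR_LEN + 1;
	out->ca_len = plen - GENERIC_HDR_LEN - 1;
	out->ca_count = 0;

	/* The hash-list rule below applies to the X.509 encoding only. */
	if (out->encoding != CERT_ENC_X509_SIG)
		return CERTREQ_OK;

	if (out->ca_len == 0)
		return accept_empty ? CERTREQ_EMPTY : CERTREQ_BAD_CA;
	if (out->ca_len % SHA1_LEN != 0)
		return CERTREQ_BAD_CA;

	out->ca_count = out->ca_len / SHA1_LEN;
	return CERTREQ_OK;
}

/* Constructed samples. 0x2f is next payload CP (47); hash bytes are filler. */
static const uint8_t sample_empty[] = { 0x2f, 0x00, 0x00, 0x05, 0x04 };
static const uint8_t sample_one[25] = { 0x2f, 0x00, 0x00, 0x19, 0x04, 0xaa };
static const uint8_t sample_ragged[12] = { 0x2f, 0x00, 0x00, 0x0c, 0x04, 0xaa };

int
main(void)
{
	struct certreq cr;

	printf("length 5, empty rejected: %d\n",
	    parse_certreq(sample_empty, sizeof(sample_empty), 0, &cr));
	printf("length 5, empty accepted: %d\n",
	    parse_certreq(sample_empty, sizeof(sample_empty), 1, &cr));
	printf("one hash:                 %d (count %zu)\n",
	    parse_certreq(sample_one, sizeof(sample_one), 1, &cr), cr.ca_count);
	printf("7 stray bytes:            %d\n",
	    parse_certreq(sample_ragged, sizeof(sample_ragged), 1, &cr));
	return 0;
}
```

Accepting the empty field only gets the payload past the parser; whether the exchange then completes depends on what the responder does with a request that names no CA.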
Re: iked x509 negotiation problem with BlackBerry OS 10.3.1
Can it be MTU problem? On 02.07.2015 11:51, Denis Lapshin wrote: Hi, Have working setup with OpenIKEd and Win7 machine in part of IPsec link negotiating by using IKEv2 and MSCHAP-v2. Using certificate and 2048 key in *.P12 form. 10.0.20.0/24 is local network 10.0.10.0/24 is IPsec network DNS server is 10.0.20.1 /etc/iked.conf is: ikev2 "winauth" passive esp \ from 10.0.20.0/24 to 10.0.10.0/24 \ local IP_of_server peer any \ srcid myserver.domain \ eap "mschap-v2" \ config address 10.0.10.10 \ config netmask 255.255.255.0 \ config name-server 10.0.20.1 \ # ikesa auth hmac-sha1 enc 3des group modp2048 \ # childsa auth hmac-sha1 enc aes-256 group modp2048 \ tag "$name-$id" The server machine has working PF with some rules to allow traffic over ports {isakmp, ipsec-nat-t} and both protos {ah, esp}. While IPsec between Win7 and server has established, can ping DNS server only. No other traffic can pass in this stage of setup encrypted connection. But my question is below and about connection setup between BB OS 10.3.1 and iked only. Trying to do the same setup with BlackBerry 10.3.1 OS using the same /etc/iked.conf just another user certificate and 2048 key in *.P12 (*.PFX) form have been imported into BB phone and installed in phone's Certificate storage. All seems to be going fine since than but no. 
The Profile to make IPsec VPN on BB phone is: --- Server address: IP_of_server Gateway type: Generic IKEv2 VPN Server (tried Microsoft IKEv2 VPN Server, but unsuccessful too) Auth Type: EAP-MSCHAPv2 Authentication ID Type: FQDN Auth ID: myserver.domain MSCHAPv2 EAP Identity: username MSCHAPv2 EAP Identity: username MSCHAPv2 Password: userpass Gateway Auth Type: PKI Gateway Auth ID Type: FQDN Gateway Auth ID: myserver.domain Allow Untrusted Cert: Prompt Gateway CA Cert: CAmyserver.domain.name Perfect Forward Secrecy: set_to_YES Auto IP: set_to_YES Auto DNS: set_to_YES Auto Determine Algorithm: set_to_YES IKE lifetime in Sec.: 86400 IPSec Lifetime: 10800 NAT Keep Alive: 30 DPD Frequency: 240 Use Proxy: set_to_NO - Once trying to connect to server with running iked -dvv options using BB phone - the result from iked: ... ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 272 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 240 ikev2_msg_decrypt: integrity checksum length 12 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 240/240 padding 15 ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00 length 19 ikev2_pld_id: id FQDN/myserver.domain length 15 ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5 ikev2_pld_certreq: type X509_CERT signatures length 0 ikev2_pld_certreq: invalid certificate request ikev2_resp_recv: failed to parse message The same connection works fine between Win7 and iked. Log of iked is below: ... 
ikev2_msg_decrypt: encrypted payload length 160 ikev2_msg_decrypt: integrity checksum length 12 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 160/160 padding 7 ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 28 ikev2_pld_auth: method SHARED_KEY_MIC length 20 ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 32 ikev2_pld_cp: type REPLY length 24 ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4 ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4 ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4 ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44 ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x84ea51d8 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.0.10.0 end 10.0.10.255 ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.0.20.0 end 10.0.20.255 ikev2_msg_send: IKE_AUTH from IP_of_server:4500 to IP_of_client:4500, 212 bytes, NAT-T pfkey_sa_add: update spi 0x84ea51d8 pfkey_sa: udpencap port 4500 ikev2_childsa_enable: loaded CHILD SA spi 0x84ea51d8 pfkey_sa_add: add spi 0xcfea0559 pfkey_sa: udpencap port 4500 ikev2_childsa_enable: loaded CHILD SA spi 0xcfea0559 ikev2_childsa_enable: loaded fl
iked x509 negotiation problem with BlackBerry OS 10.3.1
Hi, Have working setup with OpenIKEd and Win7 machine in part of IPsec link negotiating by using IKEv2 and MSCHAP-v2. Using certificate and 2048 key in *.P12 form. 10.0.20.0/24 is local network 10.0.10.0/24 is IPsec network DNS server is 10.0.20.1 /etc/iked.conf is: ikev2 "winauth" passive esp \ from 10.0.20.0/24 to 10.0.10.0/24 \ local IP_of_server peer any \ srcid myserver.domain \ eap "mschap-v2" \ config address 10.0.10.10 \ config netmask 255.255.255.0 \ config name-server 10.0.20.1 \ # ikesa auth hmac-sha1 enc 3des group modp2048 \ # childsa auth hmac-sha1 enc aes-256 group modp2048 \ tag "$name-$id" The server machine has working PF with some rules to allow traffic over ports {isakmp, ipsec-nat-t} and both protos {ah, esp}. While IPsec between Win7 and server has established, can ping DNS server only. No other traffic can pass in this stage of setup encrypted connection. But my question is below and about connection setup between BB OS 10.3.1 and iked only. Trying to do the same setup with BlackBerry 10.3.1 OS using the same /etc/iked.conf just another user certificate and 2048 key in *.P12 (*.PFX) form have been imported into BB phone and installed in phone's Certificate storage. All seems to be going fine since than but no. 
The Profile to make IPsec VPN on BB phone is: --- Server address: IP_of_server Gateway type: Generic IKEv2 VPN Server (tried Microsoft IKEv2 VPN Server, but unsuccessful too) Auth Type: EAP-MSCHAPv2 Authentication ID Type: FQDN Auth ID: myserver.domain MSCHAPv2 EAP Identity: username MSCHAPv2 EAP Identity: username MSCHAPv2 Password: userpass Gateway Auth Type: PKI Gateway Auth ID Type: FQDN Gateway Auth ID: myserver.domain Allow Untrusted Cert: Prompt Gateway CA Cert: CAmyserver.domain.name Perfect Forward Secrecy: set_to_YES Auto IP: set_to_YES Auto DNS: set_to_YES Auto Determine Algorithm: set_to_YES IKE lifetime in Sec.: 86400 IPSec Lifetime: 10800 NAT Keep Alive: 30 DPD Frequency: 240 Use Proxy: set_to_NO - Once trying to connect to server with running iked -dvv options using BB phone - the result from iked: ... ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 272 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 240 ikev2_msg_decrypt: integrity checksum length 12 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 240/240 padding 15 ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00 length 19 ikev2_pld_id: id FQDN/myserver.domain length 15 ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5 ikev2_pld_certreq: type X509_CERT signatures length 0 ikev2_pld_certreq: invalid certificate request ikev2_resp_recv: failed to parse message The same connection works fine between Win7 and iked. Log of iked is below: ... 
ikev2_msg_decrypt: encrypted payload length 160 ikev2_msg_decrypt: integrity checksum length 12 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 160/160 padding 7 ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 28 ikev2_pld_auth: method SHARED_KEY_MIC length 20 ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 32 ikev2_pld_cp: type REPLY length 24 ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4 ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4 ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4 ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44 ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x84ea51d8 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.0.10.0 end 10.0.10.255 ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.0.20.0 end 10.0.20.255 ikev2_msg_send: IKE_AUTH from IP_of_server:4500 to IP_of_client:4500, 212 bytes, NAT-T pfkey_sa_add: update spi 0x84ea51d8 pfkey_sa: udpencap port 4500 ikev2_childsa_enable: loaded CHILD SA spi 0x84ea51d8 pfkey_sa_add: add spi 0xcfea0559 pfkey_sa: udpencap port 4500 ikev2_childsa_enable: loaded CHILD SA spi 0xcfea0559 ikev2_childsa_enable: loaded flow 0x20527e400 ikev2_childsa_enable: loaded flow 0x204a56800 sa_state: EAP_VALID -> ESTABLISHED from IP_of_c
Re: Creating and protecting flash installed OpenBSD image
It helps a lot. Thank you

On 04.04.2015 16:32, Paul Suh wrote:
On Apr 3, 2015, at 5:30 AM, Denis Lapshin wrote:
Interesting does anybody have experience of creating flash memory image with OpenBSD system running. I see this like extracting all of soldered FLASH memory contents in to RAM and running from where. Flash memory image protection from reading and modifying is interesting aspect also. Please suggest. Denis

Denis, Have you looked into flashrd? I’ve been using it for several years now, and it’s been very useful in maintaining routers. http://www.nmedia.net/flashrd/
—Paul
Creating and protecting flash installed OpenBSD image
Interesting does anybody have experience of creating flash memory image with OpenBSD system running. I see this like extracting all of soldered FLASH memory contents in to RAM and running from where. Flash memory image protection from reading and modifying is interesting aspect also. Please suggest. Denis
Re: ACPI implementation for Aspeed AST2050
The machine is DCS6005. This is an old Dell branded AMD based server node. They named it as "Cloud Server Node" or something like that. It has AST2050 installed. I would like to buy some for a project, but not sure that OpenBSD supports ACPI tables of this machine properly. Because of negative result of using hp-compaq laptop with ACPI thermal zones problem I would like to know about ASPEED for sure. As for 8510, it can have an internal SMC bug, I don't know exactly about this, but regretting about the problem during update from release to release. That is all I have to ask.

Denis

On 29.03.2015 14:15, Stuart Henderson wrote:
On 2015/03/29 11:55, Denis Lapshin wrote:
Since 4.9 till current 8510p/w read acpi temp with error (enormous high temp about 2000-5000 C) because SMBus data is not ready for reading. It seems data reading should be delayed. Theo, you told that you don't want to implement "shit" in CVS repository. Most of ACPI code should be rewritten in new way. I have enormous high temperature reading in various ACPI zones on HP Compaq laptops from time to time. Still applying delay patch into acpiec.c to have it working.

On 28.03.2015 22:48, Theo de Raadt wrote:
Every release I need to apply a patch after upgrade for reading ACPI data from 8510p in time, to prevent wrong data on SMBUS. Theo replied that the patch will not be implemented in CVS because all ACPI must be rewritten in new manner. But they will do nothing since my last report...

I doubt I said anything close to your interpretation.

-- Denis Lapshin mailto: den...@mindall.org

From what I understand of that thread, the embedded controller on those HPs lies about when it's ready. The diff had some definitely wrong things in it (like the local volatile stuff) and at least 3 developers were in agreement that it was the wrong approach. But since everybody who was affected seemed more interested in locally patching with a quick fix rather than working on a correct diff, what can be done?

Back to the AST2050. You need more information than that. Whether the machine is going to work depends on more than just which ICs it has. If your question is "does anybody know if machine X works with OpenBSD" then just ask that question instead (though there is still some element of surprise as they may have different BIOS, firmware version, etc). I have machines with other similar Aspeed chips that work fine, but without more details about the machines that's not useful information.
Re: ACPI implementation for Aspeed AST2050
Since 4.9 until current, the 8510p/w reads ACPI temp with an error (enormously high temp, about 2000-5000 C) because SMBus data is not ready for reading. It seems data reading should be delayed. Theo, you said that you don't want to implement "shit" in the CVS repository. Most of the ACPI code should be rewritten in a new way. I get enormously high temperature readings in various ACPI zones on HP Compaq laptops from time to time. I am still applying a delay patch to acpiec.c to have it working.

On 28.03.2015 22:48, Theo de Raadt wrote:
>> Every release I need to apply a patch after upgrade for reading ACPI data from the 8510p in time, to prevent wrong data on SMBUS. Theo replied that the patch will not be implemented in CVS because all ACPI must be rewritten in a new manner. But they will do nothing since my last report...
> I doubt I said anything close to your interpretation.

--
Denis Lapshin mailto: den...@mindall.org
Re: ACPI implementation for Aspeed AST2050
I'm sorry, but the question makes sense. Using an HP 8510p for four years with OpenBSD, I have had great trouble with reading SMBUS (data ready on it) for years. Every release I need to apply a patch after upgrade for reading ACPI data from the 8510p in time, to prevent wrong data on SMBUS. Theo replied that the patch will not be implemented in CVS because all ACPI must be rewritten in a new manner. But they will do nothing since my last report... All the troubles are the same as four years ago. Only the patch can be implemented to read ACPI data on the HP 8510p properly during boot, no CVS implemented. So I'm interested in whether the AST2050 is fully supported just now in CVS.

Thanks.

Denis

On 28.03.2015 16:14, Stuart Henderson wrote:
> On 2015-03-28, Denis Lapshin wrote:
>> Hi, Has OpenBSD implemented ACPI for Aspeed AST2050 in current or release?
>
> The question doesn't really make sense, ACPI is a method where the manufacturer can supply a set of BIOS tables with instructions about how to route interrupts, control power use etc. It isn't specifically implemented for each vendor, it is a common standard.
>
>> This IC is present in some Dell branded Tyan products like DCS6005 cloud nodes and some other Tyan MBs. It seems Aspeed is their own product, because these ICs can be found on all Tyan server mainboards as far as I can see.
>
> Not just Tyan, a number of vendors use Aspeed controllers. Where they're seen in servers, they usually have BMC, superio (GPIO, UARTs, PWM for fan control etc) and basic graphics support.

--
Denis Lapshin mailto: den...@mindall.org
ACPI implementation for Aspeed AST2050
Hi,

Has OpenBSD implemented ACPI for Aspeed AST2050 in current or release? This IC is present in some Dell branded Tyan products like DCS6005 cloud nodes and some other Tyan MBs. It seems Aspeed is their own product, because these ICs can be found on all Tyan server mainboards as far as I can see.

Thank you in advance for an answer.

Denis
Re: Getting errors during security(8) maintenance
I forgot to say, this happens on OpenBSD 5.4. There were no changes made to the system before. No upgrade etc. Please ask for more information if it helps. What do I have to check to fix this?

Thanks

Denis

On 26.03.2015 14:40, Nick Holland wrote:
> On 03/26/15 04:32, Denis Lapshin wrote:
>> Some time ago I started getting errors after the nightly Security run: What can the problem be?
>>
>> Running security(8):
>>
>> Checking root sh paths, umask values: /etc/profile /root/.profile
>> The root path includes .
>
> This would not be a bad thing to fix.
>
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 356.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 356.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 369.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 369.
>> Use of uninitialized value $home in -d at /usr/libexec/security line 386.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 434.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 434.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 434.
>> Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 434.
>
> Stunning lack of information, but sounds like you botched an upgrade somewhere.
>
> Nick.

--
Denis Lapshin mailto: den...@mindall.org
Getting errors during security(8) maintenance
Some time ago I started getting errors after the nightly Security run: What can the problem be?

Running security(8):

Checking root sh paths, umask values: /etc/profile /root/.profile
The root path includes .
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 356.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 356.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 369.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 369.
Use of uninitialized value $home in -d at /usr/libexec/security line 386.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at /usr/libexec/security line 434.

Thank you.

Denis
Re: Using /dev/cuaU* with USB 3G modem where 'ucom0' - AT commands and 'ucom1' - voice port
I've just tried to use cuaU2 and cuaU1 to have both ucom1 and ucom2 ports connected instead of ucom0 cuaU0 for the command/voice interface of the modem. All works fine now. Thanks for the comprehensive answer.

Cheers

On 07.09.2014 3:45, Zé Loff wrote:
> On Sat, Sep 06, 2014 at 10:04:28PM +0400, Denis Lapshin wrote:
>> Having trouble accessing both Data (ucom0) and Voice (ucom1) in one composite device: '/dev/cuaU0' - USB 3G modem.
>
> /dev/cuaU0 is not a composite device, it is the terminal interface for one of the two serial ports on your modem (and I'm pretty sure none of them are for 'voice', but without a dmesg one can only wonder). The other serial interface (ucom1) can be accessed on /dev/cuaU1.
>
>> Is it possible to use the same /dev/cuaU* device for accessing both ucom0, ucom1, ucom* to have voice and data functions available in the modem simultaneously?
>
> You need to be a lot clearer in explaining what exactly you are trying to do, and what you mean by simultaneous. My 3G modem also has two serial interfaces and I can send AT commands on both of them (e.g. use one for connect/disconnect chat and the other to periodically get connection stats without fear of collisions/races).
>
>> The needed functionality seems to be integrated into FreeBSD by using the 'u3g' kernel mode driver, which provides access to a modem's 'ucom*' ports through: /dev/cuaU0.1 and /dev/cuaU0.2
>>
>> How can the same functionality be performed in OpenBSD?
>
> I don't know a thing about FreeBSD device numbering, but my guess is that /dev/cuaU0.1 and /dev/cuaU0.2 are /dev/cuaU0 and /dev/cuaU1.
>
>> Some ideas will be helpful.
>
> Read man 4 ucom, look at your dmesg carefully and please append it to your message next time.
>
> Cheers
> Zé
Using /dev/cuaU* with USB 3G modem where 'ucom0' - AT commands and 'ucom1' - voice port
Having trouble accessing both Data (ucom0) and Voice (ucom1) in one composite device: '/dev/cuaU0' - USB 3G modem.

Is it possible to use the same /dev/cuaU* device for accessing both ucom0, ucom1, ucom* to have voice and data functions available in the modem simultaneously?

The needed functionality seems to be integrated into FreeBSD by using the 'u3g' kernel mode driver, which provides access to a modem's 'ucom*' ports through: /dev/cuaU0.1 and /dev/cuaU0.2

How can the same functionality be performed in OpenBSD?

Some ideas will be helpful.

Denis
Re: Changing naming order of HDD SD drives on boot by kernel
I've simply disabled detection of any USB mass storage devices by the kernel. Since then there is no problem with reordering of SDx devices, and all works well except USB related storage devices...

Cheers

On 15.08.2014 15:44, Denis Lapshin wrote:
> May I use DUID in my case when I have a USB card reader which has no flash card in it?
>
> How to fix using DUID for SD1 (fstab with SD1 DUIDs is below) as boot disk don't mind on any other USB disks, readers (without card, for instance) connected to the system during boot?
>
> How to make USB SDx stuff work with a softraid encrypted HDD which must be mounted as SD1 by the kernel (using DUID), but is physically determined as SD0?
>
> Cheers
>
> On 15.08.2014 13:51, Joel Sing wrote:
>> On Fri, 15 Aug 2014, Denis Lapshin wrote:
>>> My fstab has identity for main boot HDD:
>>>
>>> 548ac03903a985e9.a / ffs rw 1 1
>>> 548ac03903a985e9.g /home ffs rw,nodev,nosuid 1 2
>>> 548ac03903a985e9.d /tmp ffs rw,nodev,nosuid 1 2
>>> 548ac03903a985e9.f /usr ffs rw,nodev 1 2
>>> 548ac03903a985e9.e /var ffs rw,nodev,nosuid 1 2
>>> 835806792ad105b8.b none swap sw
>>> 127.0.0.1:/home/cvs /var/www/cvs nfs rw,nodev,nosuid 0 0
>>>
>>> but once I installed a USB flash drive and rebooted the system, my main boot HDD became SD3 instead of SD1 as it should be. The HDD is additionally encrypted by the softraid discipline, so the kernel physically determines it as SD0 and softraid mounts it as SD1. Any additional drive detected by the kernel stops booting from the main HDD SD0=SR SD1 because of the renaming of all SD drives.
>>
>> Why? What is referencing the sd0/sd1 device directly, rather than using a DUID?
>>
>>> In the FAQ I found this about drive renumbering by the kernel:
>>>
>>> "The first drive of a particular type identified by OpenBSD will be drive '0', the second will be '1', etc. So, the first IDE-like disk will be wd0, the third SCSI-like disk will be sd2. If you have two SCSI-like drives and three IDE-like drives on a system, you would have sd0, sd1, wd0, wd1, and wd2 on that machine. The order is based on the order they are found during hardware discovery at boot. There are a few key points to keep in mind:
>>> * Drives may not be numbered in the same order as your boot ROM attempts to boot them (i.e., your system may attempt to boot what OpenBSD identifies as wd2 or sd1). Sometimes you may be able to change this, sometimes not.
>>> * Removing or adding a disk may impact the identity of other drives on the system."
>>>
>>> I would like to bind SD labels to drives in an invariable fashion.
>>
>> In short, there is no way to do this - this is what DUIDs are for.
>>
>>> On 15.08.2014 11:51, Daniel Jakots wrote:
>>>> On Fri, 15 Aug 2014 11:37:56 +0400, Denis Lapshin wrote:
>>>>> Is it possible to change or set fixed device names for drives like SD0, SD1, SD2, SD3 and so on?
>>>> http://www.openbsd.org/faq/faq14.html#DUID
>>>>
>>>> Cheers,
Re: Changing naming order of HDD SD drives on boot by kernel
May I use DUID in my case when I have a USB card reader which has no flash card in it?

How to fix using DUID for SD1 (fstab with SD1 DUIDs is below) as boot disk don't mind on any other USB disks, readers (without card, for instance) connected to the system during boot?

How to make USB SDx stuff work with a softraid encrypted HDD which must be mounted as SD1 by the kernel (using DUID), but is physically determined as SD0?

Cheers

On 15.08.2014 13:51, Joel Sing wrote:
> On Fri, 15 Aug 2014, Denis Lapshin wrote:
>> My fstab has identity for main boot HDD:
>>
>> 548ac03903a985e9.a / ffs rw 1 1
>> 548ac03903a985e9.g /home ffs rw,nodev,nosuid 1 2
>> 548ac03903a985e9.d /tmp ffs rw,nodev,nosuid 1 2
>> 548ac03903a985e9.f /usr ffs rw,nodev 1 2
>> 548ac03903a985e9.e /var ffs rw,nodev,nosuid 1 2
>> 835806792ad105b8.b none swap sw
>> 127.0.0.1:/home/cvs /var/www/cvs nfs rw,nodev,nosuid 0 0
>>
>> but once I installed a USB flash drive and rebooted the system, my main boot HDD became SD3 instead of SD1 as it should be. The HDD is additionally encrypted by the softraid discipline, so the kernel physically determines it as SD0 and softraid mounts it as SD1. Any additional drive detected by the kernel stops booting from the main HDD SD0=SR SD1 because of the renaming of all SD drives.
>
> Why? What is referencing the sd0/sd1 device directly, rather than using a DUID?
>
>> In the FAQ I found this about drive renumbering by the kernel:
>>
>> "The first drive of a particular type identified by OpenBSD will be drive '0', the second will be '1', etc. So, the first IDE-like disk will be wd0, the third SCSI-like disk will be sd2. If you have two SCSI-like drives and three IDE-like drives on a system, you would have sd0, sd1, wd0, wd1, and wd2 on that machine. The order is based on the order they are found during hardware discovery at boot. There are a few key points to keep in mind:
>> * Drives may not be numbered in the same order as your boot ROM attempts to boot them (i.e., your system may attempt to boot what OpenBSD identifies as wd2 or sd1). Sometimes you may be able to change this, sometimes not.
>> * Removing or adding a disk may impact the identity of other drives on the system."
>>
>> I would like to bind SD labels to drives in an invariable fashion.
>
> In short, there is no way to do this - this is what DUIDs are for.
>
>> On 15.08.2014 11:51, Daniel Jakots wrote:
>>> On Fri, 15 Aug 2014 11:37:56 +0400, Denis Lapshin wrote:
>>>> Is it possible to change or set fixed device names for drives like SD0, SD1, SD2, SD3 and so on?
>>> http://www.openbsd.org/faq/faq14.html#DUID
>>>
>>> Cheers,
Re: Changing naming order of HDD SD drives on boot by kernel
My fstab has identity for main boot HDD:

548ac03903a985e9.a / ffs rw 1 1
548ac03903a985e9.g /home ffs rw,nodev,nosuid 1 2
548ac03903a985e9.d /tmp ffs rw,nodev,nosuid 1 2
548ac03903a985e9.f /usr ffs rw,nodev 1 2
548ac03903a985e9.e /var ffs rw,nodev,nosuid 1 2
835806792ad105b8.b none swap sw
127.0.0.1:/home/cvs /var/www/cvs nfs rw,nodev,nosuid 0 0

but once I installed a USB flash drive and rebooted the system, my main boot HDD became SD3 instead of SD1 as it should be. The HDD is additionally encrypted by the softraid discipline, so the kernel physically determines it as SD0 and softraid mounts it as SD1. Any additional drive detected by the kernel stops booting from the main HDD SD0=SR SD1 because of the renaming of all SD drives.

In the FAQ I found this about drive renumbering by the kernel:

"The first drive of a particular type identified by OpenBSD will be drive '0', the second will be '1', etc. So, the first IDE-like disk will be wd0, the third SCSI-like disk will be sd2. If you have two SCSI-like drives and three IDE-like drives on a system, you would have sd0, sd1, wd0, wd1, and wd2 on that machine. The order is based on the order they are found during hardware discovery at boot. There are a few key points to keep in mind:
* Drives may not be numbered in the same order as your boot ROM attempts to boot them (i.e., your system may attempt to boot what OpenBSD identifies as wd2 or sd1). Sometimes you may be able to change this, sometimes not.
* Removing or adding a disk may impact the identity of other drives on the system."

I would like to bind SD labels to drives in an invariable fashion.

Cheers

On 15.08.2014 11:51, Daniel Jakots wrote:
> On Fri, 15 Aug 2014 11:37:56 +0400, Denis Lapshin wrote:
>
>> Is it possible to change or set fixed device names for drives like
>> SD0, SD1, SD2, SD3 and so on?
> http://www.openbsd.org/faq/faq14.html#DUID
>
> Cheers,
Changing naming order of HDD SD drives on boot by kernel
Is it possible to change or set fixed device names for drives like SD0, SD1, SD2, SD3 and so on? When I boot with connected USB drives like flash sticks, the kernel numbers them starting from SD0, SD1, so the system HDD becomes SD2 and the kernel can't mount the disk with the file system as it should.
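Joel Sing's question in the thread above, what still refers to sd0/sd1 directly rather than by DUID, can be answered mechanically for fstab(5). The script below is an added example, not part of any message in the thread: it classifies each fstab entry as DUID, kernel device name or NFS, and counts the entries per DUID. The function names and the `/dev/sd2i` line are constructed; the other sample entries are the fstab quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: show which fstab(5) entries name a
# partition by DUID and which by kernel device name (sdN, wdN). Only the
# device-name entries change meaning when the probe order changes.

# Sample input: the fstab quoted in the thread plus one constructed line.
sample_fstab() {
    cat <<'EOF'
548ac03903a985e9.a / ffs rw 1 1
548ac03903a985e9.g /home ffs rw,nodev,nosuid 1 2
548ac03903a985e9.d /tmp ffs rw,nodev,nosuid 1 2
548ac03903a985e9.f /usr ffs rw,nodev 1 2
548ac03903a985e9.e /var ffs rw,nodev,nosuid 1 2
835806792ad105b8.b none swap sw
127.0.0.1:/home/cvs /var/www/cvs nfs rw,nodev,nosuid 0 0
# constructed line, not in the fstab from the thread:
/dev/sd2i /mnt/usb msdos rw,noauto 0 0
EOF
}

# Read fstab text on stdin; print "<kind> <spec> <mountpoint>" per entry,
# where kind is duid, devname, nfs or other.
classify_fstab() {
    awk '
    /^[ \t]*#/ || NF < 3 { next }      # comments, blank and short lines
    {
        spec = $1; kind = "other"
        if ($3 == "nfs") {
            kind = "nfs"
        } else if (length(spec) == 18 && spec ~ /^[0-9a-f]+\.[a-p]$/) {
            kind = "duid"       # 16 lowercase hex digits, dot, partition a-p
        } else if (spec ~ /^(\/dev\/)?[a-z]+[0-9]+[a-p]$/) {
            kind = "devname"    # sd0a, wd1d, /dev/sd2i
        }
        print kind, spec, $2
    }'
}

# Print the mount points of entries that depend on the probe order.
devname_entries() {
    classify_fstab | awk '$1 == "devname" { print $3 }'
}

# Print each distinct DUID with the number of entries that use it.
duid_summary() {
    classify_fstab |
        awk '$1 == "duid" { c[substr($2, 1, 16)]++ }
             END { for (d in c) print d, c[d] }' | sort
}

# With a file argument report on that file, otherwise on the sample.
if [ -n "${1:-}" ]; then input=$(cat "$1"); else input=$(sample_fstab); fi
printf '%s\n' "$input" | classify_fstab
echo "probe-order dependent mount points:"
printf '%s\n' "$input" | devname_entries
echo "entries per DUID:"
printf '%s\n' "$input" | duid_summary
```

It inspects fstab only; the boot loader and the softraid configuration are outside what it checks.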
Cyrus-SASL Cyrus-IMAP server error on OpenBSD 5.3 amd64 release
I'm trying to set up a Cyrus IMAP server on OpenBSD 5.3 amd64 release, but without success. The same configuration works fine on the 5.1 release but seems buggy on 5.3.

*The result of #uname -a command is:*

OpenBSD mail.host.name 5.3 GENERIC.MP#62 amd64

*I have installed only the packages listed below:*

cyrus-imapd-2.4.17p0 Cyrus IMAP server
cyrus-sasl-2.1.26p0-ldap RFC SASL (Simple Authentication and Security Layer)
db-4.6.21v0 Berkeley DB package, revision 4
openldap-client-2.4.33 open-source LDAP software (client)
partial-openldap-client-2.4.33.1
pcre-8.31 perl-compatible regular expression library
quirks-1.80 exceptions to pkg_add rules

Here are my log messages just after installing the Cyrus-imapd and Cyrus-sasl packages and rebooting the mail server as usual:

*1. From maillog*

Oct 7 14:26:19 mail sendmail[23998]: r97AQJsw023998: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=138497, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/Sendmail.conf) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/libldapdb.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/libanonymous.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/libcrammd5.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/libdigestmd5.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/libgssapiv2.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/liblogin.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/libntlm.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/libotp.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/libplain.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/libsasldb.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[22717]: error: safesasl(/usr/local/lib/sasl2/libscram.so) failed: Permission denied
Oct 7 14:26:20 mail sm-mta[9277]: starting daemon (8.14.6): SMTP+queueing@00:30:00

*2. From imapd.log (level 6 logging by syslog)*

Oct 7 14:24:14 mail master[9219]: service pop3 pid 2816 in READY state: terminated abnormally
Oct 7 14:24:14 mail master[26230]: about to exec /usr/local/libexec/cyrus-imapd/pop3d
Oct 7 14:24:14 mail master[9219]: process 26230 exited, status 4
Oct 7 14:24:14 mail master[9219]: service pop3 pid 26230 in READY state: terminated abnormally
Oct 7 14:24:14 mail master[7816]: about to exec /usr/local/libexec/cyrus-imapd/pop3d
Oct 7 14:24:14 mail master[9219]: process 7816 exited, status 4
Oct 7 14:24:14 mail master[9219]: service pop3 pid 7816 in READY state: terminated abnormally
Oct 7 14:24:14 mail master[4168]: about to exec /usr/local/libexec/cyrus-imapd/pop3d
Oct 7 14:24:14 mail master[9219]: process 4168 exited, status 4
Oct 7 14:24:14 mail master[9219]: service pop3 pid 4168 in READY state: terminated abnormally
Oct 7 14:26:21 mail master[13820]: process started
Oct 7 14:26:21 mail master[10318]: about to exec /usr/local/libexec/cyrus-imapd/ctl_cyrusdb
Oct 7 14:26:21 mail master[13820]: process 10318 exited, status 4
Oct 7 14:26:21 mail master[20790]: about to exec /usr/local/libexec/cyrus-imapd/idled
Oct 7 14:26:21 mail master[13820]: process 20790 exited, status 4
Oct 7 14:26:21 mail master[13820]: ready for work
Oct 7 14:26:21 mail master[25347]: about to exec /usr/local/libexec/cyrus-imapd/ctl_cyrusdb
Oct 7 14:26:21 mail master[13820]: process 25347 exited, status 4

*3. From imapd-auth.log*

./imapd-auth.log[6]: Oct: not found
./imapd-auth.log[7]: Oct: not found
./imapd-auth.log[8]: Oct: not found
./imapd-auth.log[9]: Oct: not found
./imapd-auth.log[10]: Oct: not found
./imapd-auth.log[11]: Oct: not found

*Just after the first IMAP client connection (I use Thunderbird v17.0.9) the imapd.log grows so rapidly that after 2 minutes I have about 200mb of text with the same error, like this:*

Oct 7 14:46:52 mail master[13820]: process 1668 exited, status 4
Oct 7 14:46:52 mail master[13820]: service imap pid 1668 in READY state: terminated abnormally
Oct 7 14:46:52 mail master[3217]: about to exec /usr/local/libexec/cyrus-imapd/imapd
Oct 7 14:46:52 mail master[13820]: process 3217 exited, status 4
Oct 7 14:46:52 mail master[13820]: service imap pid 3217 in READY state: terminated abnormally
Oct 7 14:46:52 mail master[7262]: about to exec /usr/local/libexec/cyrus-imapd/imapd
Oct 7 14:46:52 mail master[13820]: process 7262 exited, status 4
Oct 7 14:46:52 mail master[13820]: service imap pid 7262 in