> On Jun 13, 2023, at 7:59 AM, Theo de Raadt wrote:
>
> Thordur I. Bjornsson wrote:
>
>> On Mon, Jun 12, 2023 at 9:15 PM Bob Beck wrote:
>>>
>>> On Mon, Jun 12, 2023 at 11:01:18AM -0600, Theo de Raadt wrote:
>>>> + KASSERTMSG(1,
On Mon, Jun 12, 2023 at 11:01:18AM -0600, Theo de Raadt wrote:
> + KASSERTMSG(1, "Ich Habe eine Rotweinflarsche in meinem Arsche");
>
> That part of the diff is not OK. If everyone did this, we would have a
> mess on our hands.
Yeah, that's me nodding to my own past stupidity ;)
changed t
Minimal diff, further cleanup and dead code removal to follow.
---
sys/kern/vfs_syscalls.c | 7 +++
sys/sys/mount.h | 2 +-
sys/ufs/ffs/ffs_softdep.c | 2 ++
sys/ufs/ffs/ffs_vfsops.c | 16 +++-
4 files changed, 9 insertions(+), 18 deletions(-)
diff --git a/sys/ker
On Fri, Apr 28, 2023 at 10:23:15AM +0200, Theo Buehler wrote:
> The behavior of BPSW for numbers > 2^64 is not very well understood.
> While there is no known composite that passes the test, there are
> heuristics that indicate that there are likely many. Therefore it seems
> appropriate to harden
Tried it out here with my gimpy little test setup and your suggested repro
case.
Seems to be more sane to me in this case, and looks like the right thing to do,
So ok beck@ for what that’s worth.
> On Jan 21, 2023, at 8:08 AM, Dave Voutila wrote:
>
>
> *bump*... Anyone able to test or rev
So isdigit(3) says in the first paragraph that
'The complete list of decimal digits is 0 and 1-9, in any locale.'
Later on it says:
'On systems supporting non-ASCII single-byte character encodings,
different c arguments may correspond to the digits, and the results of
isdigit() may depend on the
I have now been running it for two days, I *thought* I had one hang a day ago,
with chrome and local building churning away with me mashing on the editor..
but I’ve now been doing the same thing with witness on for a day and had no
issues. So I think whatever I might have seen is not reproducibl
I keep reading these as "unused parts of dlg" and wondering
why he's not removing them himself..
ok beck@
On Sat, Jun 25, 2022 at 08:48:48PM +1000, Jonathan Gray wrote:
> Index: lib/dns/gen.c
> ===
> RCS file: /cvs/src/usr.bin/dig/li
yes makes sense
ok beck@
> On May 11, 2022, at 07:53, Theo Buehler wrote:
>
> Some funky libcrypto business ahead.
>
> X509 API functions such as X509_check_ca() or X509_get_extension_flags()
> cache X509v3 extensions internally if they're not already cached. They
> make decisions based on (o
On Thu, May 05, 2022 at 10:16:23AM -0600, Bob Beck wrote:
> Ugh. You're digging in the most perilous parts of the pile.
>
> I will go look with you... sigh. (This is not yet an ok for that.)
>
> > On May 5, 2022, at 7:53 AM, Martin Pieuchot wrote:
> >
> > When
An ok beck@ from me with my usual curmudgeonly mutterings
about the people who made this necessary for isalnum(), walls,
and revolutions...
> On May 5, 2022, at 7:57 AM, Florian Obser wrote:
>
> On 2022-05-04 13:21 +0430, Ali Farzanrad wrote:
>> OK, I've tested following diff on my own domain
I like that.. LGTM
ok beck@
On Fri, Jan 21, 2022 at 08:37:27PM +0100, Theo Buehler wrote:
> > Let's start with that and optimize this in tree. I think we can rename the
> > function to something like rtype_from_mftfile(). In that case I would move
> > the function as well...
>
> Like this?
>
ok beck@
> On Nov 23, 2021, at 21:14, Theo Buehler wrote:
>
> Two small diffs now that beck has linked the certificate transparency
> code to the build.
>
> The diff for ext_dat.h links the CT methods to the standard extensions.
> This replaces the gibberish from the CT extensions which are no
ok
> On Jun 10, 2021, at 05:05, Theo Buehler wrote:
>
> On Thu, Jun 10, 2021 at 11:39:46AM +0100, Stuart Henderson wrote:
>> I was just reminded of the Apple cert problem with GeoTrust Global CA
>> and checked and they're using better intermediates for api.push.apple.com
>> now. OK to sync up w
Should be fixed. a bit of a pain because their new site has
an expired tls cert.
On Thu, Oct 28, 2021 at 07:30:56AM +0200, Jan Johansson wrote:
> Hello!
>
> I write to you because I believe that you are running the NiX Spam
> mirroring script for OpenBSD. The feed has been broken for some
> ti
ok beck@
On Thu, Sep 09, 2021 at 09:35:51AM +0200, Claudio Jeker wrote:
> While Connection: keep-alive should be the default it seems that at least
> some of the CA repositories fail to behave like that. Adding back the
> Connection header seems to fix this and delta downloads go faster again.
>
> > This work has been started by art@ more than a decade ago and I'm
> > willing to finish it
This is possibly one of the scariest things you can say in OpenBSD.
I am now calling my doctor to get a giant bag of flintstones chewable
zoloft prescribed to me just so I can recover from seeing yo
On Sun, Oct 25, 2020 at 01:43:10PM -0600, Bob Beck wrote:
>
>
>
> On Fri, Oct 23, 2020 at 09:13:23AM +0200, Theo Buehler wrote:
> > On Thu, Oct 22, 2020 at 08:44:29PM -0700, Jeremy Evans wrote:
> > > I was trying to diagnose a certificate validation failure in Rub
On Fri, Oct 23, 2020 at 09:13:23AM +0200, Theo Buehler wrote:
> On Thu, Oct 22, 2020 at 08:44:29PM -0700, Jeremy Evans wrote:
> > I was trying to diagnose a certificate validation failure in Ruby's
> > openssl extension tests with LibreSSL 3.2.2, and it was made more
> > difficult because the v
Yeah, it's just a number.
But it's been a pretty wild ride. Thanks everyone for 25 years.
-Bob
On Sun, Sep 27, 2020 at 02:46:39PM +1000, Duncan Roe wrote:
> The motivation for this is to make debug logs less confusing.
What is this fixing and what behavior are you changing?
>
> All changed lines have previously demonstrated the problem.
>
> Signed-off-by: Duncan Roe
> ---
> usr.bin/nc/
On Tue, Sep 15, 2020 at 11:08:04AM +0200, Martijn van Duren wrote:
> There are 3 things that actually look like valid complaints when running
> clang's static analyzer.
>
> 1) A dead store in agentx_recv.
> 2) sizeof(ipaddress) instead of sizeof(*ipaddress). Since this is ipv4,
>this is only a
But what if I like json and I am already set up to be a hipster and
feed all the untrusted inputs through jq..
(ok beck@)
On Mon, Sep 14, 2020 at 03:37:25PM +0200, Florian Obser wrote:
> not helpful:
> $ doas acme-client $(hostname)
> acme-client: https://api.test4.buypass.no/acme-v02/new-acct:
ok beck@
On Mon, Sep 14, 2020 at 12:45:55PM +0200, Jasper Lievisse Adriaanse wrote:
> Hi,
>
> Whilst analyzing the cleaner I added tracepoints called 'cleaner' and
> 'bufcache_take' to
> track its behaviour.
>
> For the sake of symmetry I've added one in bufcache_release() too and moved
> th
ok beck@
On Sat, Sep 12, 2020 at 05:42:39PM +0200, Claudio Jeker wrote:
> extern.h uses stuff from openssl/x509.h so put that include in there
> and remove all the various other openssl includes in other files that
> actually don't need x509 functions.
>
> --
> :wq Claudio
>
> Index: as.c
> =
In the spirit of be careful what sticks to you,
this has ok beck@
On Mon, Jul 13, 2020 at 11:56:18AM +0200, Gerhard Roth wrote:
> tmpfs_reclaim() has to make sure that the VFS cache has no more
> locks held for the vnode. Else vclean() could panic because v_holdcnt
> is non-zero.
>
> I know
On Mon, Jun 29, 2020 at 03:56:43PM -0400, sven falempin wrote:
> On Mon, Jun 29, 2020 at 12:58 PM sven falempin
> wrote:
>
> It works in the original problematic setup.
>
> Will it go to base ?
>
Yes.
revision 1.201
date: 2020/07/14 06:02:50; author: beck; state: Exp; lines: +9 -3;
commit
> Awesome, thanks!
>
> I will test that, ASAP,
> do not hesitate to slay dragon,
> i heard the bathing in the blood pool is good for the skin
>
> Little concern, I did the test without the MFS and ran into issues ,
> anyway i get back to you (or list ?) when i have test report with patched
> ke
On Sun, Jun 28, 2020 at 12:18:06PM -0400, sven falempin wrote:
> On Sun, Jun 28, 2020 at 2:40 AM Bryan Linton wrote:
>
> > On 2020-06-27 19:29:31, Bob Beck wrote:
> > >
> > > No.
> > >
> > > I know *exactly* what needbuf is but to attempt to d
No.
I know *exactly* what needbuf is but to attempt to diagnose what your
problem is we need exact details. especially:
1) The configuration of your system including all the details of the filesystems
you have mounted, all options used, etc.
2) The script you are using to generate the proble
On Mon, Jun 01, 2020 at 06:04:17PM +0100, Stuart Henderson wrote:
> OK to drop the expired AddTrust cert from cert.pem?
yes, thanks.
>
> I checked against the firefox set, there are no new/removed certs that
> work with libressl there. There are now two with GENERALIZEDTIME notAfter
> dates from
On Mon, Jun 01, 2020 at 07:17:28PM +0200, Theo Buehler wrote:
> On Mon, Jun 01, 2020 at 06:04:17PM +0100, Stuart Henderson wrote:
> > OK to drop the expired AddTrust cert from cert.pem?
>
> Thanks for taking care of this (and for checking the firefox set). I see
> no reason to keep it.
>
> ok
>
looks good to me
ok beck@
On Sun, May 31, 2020 at 03:38:00PM +0200, Sebastien Marie wrote:
> Hi,
>
> updated diff after millert@ and beck@ remarks:
> - use union to collapse in_addr + in6_addr
> - doesn't allocate buffer and directly use s->relay->domain->name
>
> Thanks.
> --
> Sebastien Mari
On Sat, May 30, 2020 at 05:40:43PM +0200, Sebastien Marie wrote:
> Hi,
>
> I am looking to make smtpd to set SNI (SSL_set_tlsext_host_name) when
> connecting
> to smarthost when relaying mail.
>
> After digging a bit in libtls (to steal the right code) and smtpd (to see
> where
> to put the sto
> (iirc python does something strange)
Inconceivable!
On Fri, May 29, 2020 at 06:14:44PM +0200, Marc Espie wrote:
> In a trace:
>
> > > > #3 0x15e48c95459e in WebVfx::shutdown ()
> > > > at /usr/obj/ports/webvfx-1.2.0/webvfx-1.2.0/webvfx/webvfx.cpp:193
>
> Now, this is NOT the default location for WRKOBJDIR, but we are shipping
> packages
> On May 8, 2020, at 03:00, Stuart Henderson wrote:
>
> On 2020/05/08 06:58, Florian Obser wrote:
>> I'm running this for about 2 weeks or so.
>> Tests, OKs?
>
> Just off to look at a radio link in a church tower that I suspect a pigeon
> may have knocked out of alignment,
This is possibly
So, as some of you know the installer hits ftp.openbsd.org during the
install process to query a CGI to provide you with a list of nearby mirrors
and some other useful things.
I've recently made some changes to modernize and improve this after
the retirement of the GEO:IP module
On Mon, Apr 13, 2020 at 09:23:23PM -0600, Todd C. Miller wrote:
> On Mon, 13 Apr 2020 20:27:30 -0600, Bob Beck wrote:
>
> > In my heart's desire I'd love for "R" to be chosen for each line once at
> > start
> > up. (so in
> > the above example the th
ffort I really think this is only useful for hours and
minutes
On Mon, Apr 13, 2020 at 12:54:34PM -0600, Todd C. Miller wrote:
> On Mon, 13 Apr 2020 10:00:52 -0600, Bob Beck wrote:
>
> > +1000. a new random time chosen at cron start.
> >
> > We see this all the time, and
On Mon, Apr 13, 2020 at 09:56:52AM -0600, Todd C. Miller wrote:
> On Mon, 13 Apr 2020 09:37:14 -0600, "Theo de Raadt" wrote:
>
> > While I understand what RANDOM is trying to do, I am not a fan. I've
> > thought often of an improvement, where the minute marker in a crontab
> > file could be a let
yes you are seeing the limitation of 6.4 unveil as mentioned at the bottom
of the man page. this should be fixed in current
On Sun, Feb 3, 2019 at 03:29 Kristaps Dzonsons wrote:
> When I unveil(2), fts doesn't behave well. But only in a subtle way.
> Enclosed is a demonstration. I found this
ok beck@ as well
On Wed, Oct 24, 2018 at 06:13 Todd C. Miller wrote:
> On Wed, 24 Oct 2018 08:05:11 +0100, Ricardo Mestre wrote:
>
> > The only file that spamlogd needs to access after calling pledge is
> > PATH_SPAMD_DB, so unveil it with O_RDWR permissions.
>
> Looks good. OK millert@
>
> -
works here and I like it. but probably for after unlock
On Sun, Oct 7, 2018 at 22:11 Mischa Peters wrote:
> No idea if the code works yet.
> Hopefully I can try later. But love the idea.
>
> Mischa
>
> > On 8 Oct 2018, at 04:31, Ori Bernstein wrote:
> >
> > Keep a list of known vms, and reuse
I'm generally opposed to breaking stdout compatibility with the
"openssl" command tools because we have no clue what shell scripts and
other applications this will break.
with a *very good reason* I think it's ok, but this (I think this
looks better) isn't one of them. the "openssl" command is ke
So this gets rid of unveil's PLEDGE_STAT.
Instead we use UNVEIL_INSPECT which is set by the stat and access operations
that are needed for realpath() type traversals that effectively call stat/access
for each component of a pathname before doing a final operation on the end.
The intended semant
> Some examples that will need consideration for unveil(2):
> - mount(2)
> - unmount(2)
> - quotactl(2)
> - chroot(2)
> - getfh(2)
> - acct(2)
> - coredump()
> - loadfirmware() - I think ifconfig(1) could make the kernel loading a
> firmware for some network card
>
> so having ni_unveil separa
> On Sat, Aug 04, 2018 at 10:40:11AM -0600, Bob Beck wrote:
> > On Fri, Aug 03, 2018 at 06:31:00AM +0200, Sebastien Marie wrote:
> > > On Thu, Aug 02, 2018 at 03:42:03PM +0200, Sebastien Marie wrote:
> > > > On Mon, Jul 30, 2018 at 07:55:35AM -0600, Bob Beck wr
> > + nd.ni_unveil = 0; /* XXX No flags == allow it */
>
> see my comment about ni_unveil != 0.
>
> as you still have check on (ni_pledge & PLEDGE_STAT), it should be still
> ok.
>
It doesn't actually do this yet.. this comment was a reminder for me
and should have had allow it? for my deali
On Fri, Aug 03, 2018 at 06:31:00AM +0200, Sebastien Marie wrote:
> On Thu, Aug 02, 2018 at 03:42:03PM +0200, Sebastien Marie wrote:
> > On Mon, Jul 30, 2018 at 07:55:35AM -0600, Bob Beck wrote:
> > > yeah the latter will be the way to go
> > >
> >
> >
yeah the latter will be the way to go
On Mon, Jul 30, 2018 at 06:02 Sebastien Marie wrote:
> Hi,
>
> I think unveil_flagmatch() isn't complete and/or has not the right
> semantic.
>
> A bit of internals for starting (I will speak about ni_pledge, people
> that know what it is and how it works wi
ok beck@
On Mon, Jul 16, 2018 at 15:53 Sebastien Marie wrote:
> Hi,
>
> While reviewing unveil(2) code, I found an incorrect type on
> unvname_new() function: flags argument should be uint64_t.
>
> It is called by unveil_add_name() which uses uint64_t for flags, and
> store the value in struct u
ok
On Sat, May 12, 2018 at 13:14 Theo Buehler wrote:
> Here's another straightforward batch. As usual, it's been tested in a
> bulk by sthen and there was no fallout.
>
> Index: lib/libcrypto/asn1/ameth_lib.c
> ===
> RCS file: /var/
So, related to this topic, Apparently BitPay has now fixed us up again.
I have put the button back on the web site, if anyone wants to try a
bitcoin donation it is supposed to be possible again
So, as some of you may know, the OpenBSD Foundation has accepted BitCoin
donations
for some time via BitPay.com
BitPay was convenient for us since they will sell the BTC donations
immediately, and
convert to Canadian Dollars. We then periodically get bank transfers of
the balance,
and this works
why AA? why not just choose two random ascii salt chars at that point? or
since this is effectively a failure case encrypt a random ascii salt and
random string?
using AA will produce a usable result based on the original string.
encrypting a random string with a random salt means the failure r
ok beck@
On Wed, Nov 29, 2017 at 02:17:21AM +0100, Claudio Jeker wrote:
> On Wed, Nov 29, 2017 at 01:59:06AM +0100, Claudio Jeker wrote:
> > Seen in my log file:
> > Nov 28 17:47:22 dramaqueen iked: vfprintf %s NULL in "%s: %s %s from %s to
> > %s ms gid %u, %ld bytes%s"
> >
> > and
> >
> > Nov
So, the only 6.2 set to be produced is up for auction, featuring hand-drawn
artwork by Theo.
Artisanally Made in Canada!
All proceeds of the sale to fund OpenBSD development.
Go have a look at
http://www.ebay.ca/itm/Official-OpenBSD-6-2-CD-Set/253265944606
effectively providing a limitless OCSP staple is kind of stupid - you may
as well simply *not staple*
On Wed, Sep 6, 2017 at 8:23 AM, Bob Beck wrote:
> I'm not super inclined to make this "flexible" unless we see this used in
> the wild, which I have not. We are
I'm not super inclined to make this "flexible" unless we see this used in
the wild, which I have not. We are more restrictive than
OpenSSL in many areas.
On Wed, Sep 6, 2017 at 1:31 AM, Andreas Bartelt wrote:
> On 09/06/17 04:40, Bob Beck wrote:
>
>> Andreas where a
Andreas where are you seeing this as being a real issue - who is shipping
out OCSP responses without a next update field?
On Sat, Sep 2, 2017 at 11:28 AM, Andreas Bartelt wrote:
> ocspcheck effectively treats a missing nextUpdate like an error, i.e., it
> always provides a warning and no stapl
>
> With the new define (SMALL_TIME_T) enabled, a 32-bit time_t build
> using "openssl s_client -connect" can successfully connect to a server
> and verify its certificate chain when one or more notAfter dates after
> 2038 are present.
>
> However, using "nc -c" fails to connect to the same
https://github.com/openbsd/src/commit/b943944faeecf3a978bf3f57df1b35335ffecbec
On Tue, Jul 11, 2017 at 4:23 AM, Stuart Henderson
wrote:
> On 2017/07/11 01:55, Kyle J. McKay wrote:
> > 2) 32-bit systems are going to be around for many years still; 32-bit ARM
> > platforms are everywhere
> ..
> >
On Thu, May 18, 2017 at 7:31 AM, Kyle J. McKay wrote:
> RFC 5280 section 4.1.2.5 states:
>
> To indicate that a certificate has no well-defined expiration date,
> the notAfter SHOULD be assigned the GeneralizedTime value of
> 1231235959Z.
>
>
True enough.
> Unfortunately, if si
> As you all might have gathered by now Amit has jumped the gun
> but was wrong to do so. His setup is not affected by this change.
> That was expected so please don't get distracted by this as I'm
> still looking forward to replies to the original set of changes.
> beck@?
>
> > diff --git sys/k
- ok mike, I'm looking at it.. Allow me a short while to beat my
head against a wall for a bit to get it into readahead mode...
On Wed, Jun 14, 2017 at 3:56 AM, Mike Belopuhov wrote:
> On Thu, Jun 08, 2017 at 11:55 +0200, Mike Belopuhov wrote:
> > On Wed, Jun 07, 2017 at 23:04 -0500, Amit Ku
You are correct.
Patch committed. Thanks!
-Bob
On Mon, May 08, 2017 at 08:20:57PM +0200, Jonas 'Sortie' Termansen wrote:
> Hi,
>
> When upgrading to libressl-2.5.4 I noticed a couple -Wformat errors due
> to this code assuming size_t is of type long when it was actually int on
> this 32-bit
So. There *Is* an official OpenBSD 6.1 CD
Just One.
If you are interested, please bid on ebay :
http://www.ebay.com/itm/The-only-Official-OpenBSD-6-1-CD-set-to-be-made-For-auction-for-the-project-/252910718452?hash=item3ae2a74df4:g:SJQAAOSwrhBZBqkd
(It's a pretty cool little CD set!)
On Mon, May 01, 2017 at 04:07:27PM -0600, Theo de Raadt wrote:
>
> Let me stop here and ask if the pattern is: "always explicit_bzero
> a password field once it is used"? It might make sense, but some
> of these are heading straight to exit immediately. Is it too much
> to do it then, or is the
> Note that I have noatime on this FS.
then turn that off, or understand that things will not behave as you expect
them to with it on.
There will be some libtls api additions post 6.1 to get the peer cert in
PEM format
In the meantime, testing snaps prior to 6.1 should be the priority. not a
talkathon.
On Sat, Apr 1, 2017 at 10:49 Joerg Sonnenberger wrote:
> On Sat, Apr 01, 2017 at 07:53:05PM +1030, Jack Burton wrote:
> > One
On Thu, Mar 23, 2017 at 17:48 Bob Beck wrote:
> Honestly, anyone who gets one of these should say no
>
> what would you all think if people quietly took derived works of software
> licensed under one license and took silence as assent to relicense
>
> Does this mean that with a
Honestly, anyone who gets one of these should say no
what would you all think if people quietly took derived works of software
licensed under one license and took silence as assent to relicense
Does this mean that with an unanswered email i can now release my re
licensed as ISC version of gcc? o
And as joel mentioned, a fix is already arriving for this - there was a bug
in SSLv2 compatible handshake initiation,
and Paypal still has it enabled... (yeeuch)
On Mon, Mar 6, 2017 at 3:48 PM, Bob Beck wrote:
>
> Move it to tech@ from misc.. not libressl.. libressl is not special ;)
Move it to tech@ from misc.. not libressl.. libressl is not special ;)
On Mon, Mar 6, 2017 at 3:21 PM, Kirill Miazine wrote:
> Moving to libressl@ from misc@, as it's a LibreSSL issue.
>
> * Joel Sing [2017-03-05 23:01]:
>
> On Thursday 02 March 2017 13:28:08 Kirill Miazine wrote:
>>
>>> Recentl
Go for it mpi.. move forward.
ok beck@
On Mon, Feb 6, 2017 at 7:48 AM, Martin Pieuchot wrote:
> On 24/01/17(Tue) 13:35, Martin Pieuchot wrote:
> > Userland threads are preempt()'d when hogging a CPU or when processing
> > an AST. Currently when such a thread is preempted the scheduler looks
>
ok beck@
On Sun, Feb 5, 2017 at 22:53 Theo Buehler wrote:
> On Sun, Feb 05, 2017 at 09:47:35PM -0800, Philip Guenther wrote:
> > On Sun, 5 Feb 2017, John McGuigan wrote:
> > > I've noticed something strange in adduser -- when attempting to add a
> > > user completely through command line argument
ok beck@
On Sun, Feb 05, 2017 at 12:27:19AM +0100, Jeremie Courreges-Anglas wrote:
>
> The colons used in IPv6 addresses conflict with the proxy port
> specification. Do the right thing for -x ::1:8080, [::1] and
> [::1]:8080.
>
> ok?
>
>
> Index: netcat.c
> =
On Sat, Feb 04, 2017 at 01:52:14PM -0700, Bob Beck wrote:
>
> Presented without further comment.
>
> ok?
>
Or maybe this is more appropriate:
Index: calendar.history
===
RCS file: /cvs/src/usr.bin/cal
On Sat, Feb 04, 2017 at 12:59:53PM -0800, Philip Guenther wrote:
> On Sat, Feb 4, 2017 at 12:52 PM, Bob Beck wrote:
> >
> > Presented without further comment.
> >
> > ok?
>
> NACK. Obsolete 32bit time_t OSes can track their own damn holidays.
But how wi
Presented without further comment.
ok?
Index: calendar.usholiday
===
RCS file: /cvs/src/usr.bin/calendar/calendars/calendar.usholiday,v
retrieving revision 1.9
diff -u -p -u -p -r1.9 calendar.usholiday
--- calendar.usholiday 19 J
try connecting with openbsd nc rather than s-client
On Sat, Feb 4, 2017 at 09:13 Bob Beck wrote:
>
> On Sat, Feb 4, 2017 at 07:51 Andreas Bartelt wrote:
>
> On 02/04/17 05:26, Joel Sing wrote:
> > On Wednesday 01 February 2017 15:41:29 Andreas Bartelt wrote:
> >> Hel
An issue has been identified whereby httpd(8) could be subject to a denial
of service attack. Repeated crafted requests could be made from a client
using file-range requests, making the server consume excessive amounts of
memory.
This issue has been fixed in current. For 5.9 and 6.0 the following
Sooo..
Pretty sure mlucas has uncovered a problem with the ocsp interface.
Basically I didn't attach it to the keypair, (yes Joel, I think you
told me so) so it only works with the master keypair.. OK, but the
problem is that it also returns the staple for other keypairs which is
wrong.
This
On Fri, Jan 27, 2017 at 15:23 Stuart Henderson wrote:
> On 2017/01/27 22:09, Bob Beck wrote:
>
> > I think you have more issues than ocsp. if that's the same host you can't
>
> > have two different tls certs on the same ip. and you have them both on
>
> > *4
I think you have more issues than ocsp. if that's the same host you can't
have two different tls certs on the same ip. and you have them both on
*443
try using a separate ip for each
On Fri, Jan 27, 2017 at 15:03 Michael W. Lucas
wrote:
> On Fri, Jan 27, 2017 at 09:53:25PM +0000,
On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas
wrote:
> On Fri, Jan 27, 2017 at 02:50:29PM -0500, Michael W. Lucas wrote:
>
> > On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote:
>
> > > That looks like a web server bug, it shouldn't return a staple
>
>
> Or a misconfiguration. sh
On Sat, Jan 07, 2017 at 03:52:04PM -0700, Theo de Raadt wrote:
> > What workarounds would be reasonable and appropriate? and does it
> > make sense for OpenBSD to support such scenarios out-of-the-box to
> > promote wider adoption of better software?
>
> If you want buy the OpenBSD-installer-for-d
On Sat, Jan 07, 2017 at 05:42:24PM -0500, Jacob L. Leifman wrote:
> Most of the time I agree with this particular attitude and it is indeed
> appropriate for the OP case. However, there are some major networks such as
> various governments (or for example .mil) that do not participate in
> the p
On Fri, Jan 06, 2017 at 10:48:37AM -0500, RD Thrush wrote:
> On 01/06/17 06:28, Stuart Henderson wrote:
> > Related to this (and particularly thinking about autoinstalls),
> > would it make sense to allow explicit protocols in the hostname?
> >
> > some.host -> https with http fallback
> > http:/
No objection in principle.. although since some of us depend on this we
might either need warning and/or a small period of overlap where the old
stuff works and then we can move to the new stuff without things blowing
up.
On Sun, Jan 1, 2017 at 1:59 PM, Sebastian Benoit wrote:
> start using the
> Or do not call tls_configure_ssl_verify() if verification is turned
> off.
This makes sense to me.
>
> Index: lib/libtls/tls_client.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/lib/libtls/tls_client.c,v
> retrieving revisi
This is now working on www.openbsd.org. I upgraded my
6.0 system to current today off the latest snap and httpd would
not start, same problem.
This diff lets current httpd start again.
ok beck@
On Tue, Oct 04, 2016 at 11:54:37PM +0200, Rafael Zalamena wrote:
> On Tue, Oct 04, 2016 at 07:46
BTW I'm not picking on you.. my DNS setup blew up this week for local
resolution and I've been dealing with the fallout - so the topic
is relatively near and dear to my heart.
On Wed, Sep 14, 2016 at 10:07 PM, Bob Beck wrote:
>
> Yep. and now you need to solve the problem that
resolv.conf normally
then nothing changes at *all* when it's not there.
On Wed, Sep 14, 2016 at 8:39 PM, Ted Unangst wrote:
> Ted Unangst wrote:
> > Bob Beck wrote:
> > > how is rebound going to handle a change in resolv.conf? that's still a
> > > problem here
>
rebound to make it useful and then
look at libc which might need slightly more cleverness than just adding
localhost unconditionally.
On Wednesday, 14 September 2016, Ted Unangst wrote:
> Bob Beck wrote:
> > how is rebound going to handle a change in resolv.conf? that's still a
> >
how is rebound going to handle a change in resolv.conf? that's still a
problem here
On Wednesday, 14 September 2016, Ted Unangst wrote:
> So the plan is for rebound to be the 'system' resolver, with libc talking
> to
> rebound and rebound talking to the cloud. The main wrinkle is how does
> rebou
I really dislike "CHEAP".
and it almost seems like these should actually be NOCACHE.. why the heck
can't they be?
On Thu, Sep 8, 2016 at 7:49 PM, Ted Unangst wrote:
> Currently, the bufcache doesn't know that mfs is backed by memory. All i/o
> to
> mfs ends up being double cached, once in the
I am in agreement in principle, but please coordinate with bcook@ and/or
jsing@ who were possibly doing
some related adjustments.
On Mon, Sep 5, 2016 at 4:44 AM, Ted Unangst wrote:
> Bob Beck wrote:
> > >
> > > Agreed, I was also a bit unclear on payload at first (thoug
ok beck@
On Sun, Sep 4, 2016 at 9:54 AM, Theo Buehler wrote:
> use the libc interface instead of rolling it by hand.
>
> Index: parse.c
> ===
> RCS file: /var/cvs/src/usr.bin/hexdump/parse.c,v
> retrieving revision 1.21
> diff -u -p