
OpenBSD 5.7 highlights - smhenderson
http://www.tedunangst.com/flak/post/OpenBSD-57-highlights
======
ghshephard
That is one incredibly annoying web site.

[edit - it stops after a while]

Regarding: _" The etc sets are now gone. All the sample /etc files are now
included in the base set. This should make sysmerge must [sic] easier and
faster in the future, since there will be many fewer conflicts to resolve. On
the other hand, even rc and rc.conf are now overwritten, so it’s not possible
to maintain local mods without additional work. This makes sense, though,
since /etc/rc is as much a part of the base system as /sbin/init. You don’t
want to be running a five year old edition."_

I thought (and the manpages always indicated) that the rule was that /etc/rc
and /etc/rc.conf were fair game, and that if you wanted to make changes that
weren't overwritten by a system upgrade, to put them in /etc/rc.local and
/etc/rc.conf.local. I'm unclear why this is considered a problem.

~~~
peatmoss
I'm thinking that might be an April Fools design. I've been to his site before
and never got the giant animated text-blocking overlays.

~~~
smhenderson
It is, I read flak as often as Ted publishes something new and I never saw
that. Couple that with the fact that Ted loves to rant[1][2] about bad UI
design, especially on the web, and it becomes obvious that his latest
"feature" will be gone tomorrow.

1 [http://www.tedunangst.com/flak/post/the-wiki-box-is-out-of-c...](http://www.tedunangst.com/flak/post/the-wiki-box-is-out-of-control)

2 [http://www.tedunangst.com/flak/post/no-im-not-running-git](http://www.tedunangst.com/flak/post/no-im-not-running-git)

------
cauterize
According to [http://www.openbsd.org/57.html](http://www.openbsd.org/57.html)
"IPv6 router solicitations are now sent by the kernel ("inet6 autoconf");
rtsol(8) and rtsold(8) are no longer necessary and have been removed."

Does this mean we might finally get IPv6 and DHCP support enabled by default?
Currently dhcpd does not support IPv6

~~~
marios
IPv6 is not enabled by default. It is compiled in the kernel, but interfaces
don't get an IPv6 link-local address if you don't explicitly say so. When you
enable IPv6, you get a link-local address, send router solicitations and
process router advertisements ("IPv6 autoconfiguration"). Router
advertisements carry the prefix information, and the gateway address, as well
as a DNS resolver. The latter is not always processed. It does not happen on
Windows 7, on Linux you need to install rdnssd and I'm fairly sure it's the
same case with the various BSDs.

Sometimes, this is not enough to get global IPv6 connectivity. The router
advertisement has a flag that can indicate that the host must/can request
additional information through DHCPv6. While similar to DHCP, DHCPv6 is quite
a different protocol; therefore you need a separate client (or you need to
merge it in your DHCP implementation; much like ISC's dhclient does with the
-4/-6 command line flag).

So no, OpenBSD ships with IPv6 support as well as DHCP support. It's just that
IPv6 is not configured by default, and IPv6 and DHCP have little to do with
each other.
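
The flag handling described above, as an added example that is not part of the thread or of any OpenBSD code: a small decoder for an ICMPv6 Router Advertisement that pulls out the M/O flags, the advertised prefix and the RDNSS resolver, run on a constructed sample packet.

```python
import ipaddress
import struct

# ICMPv6 Router Advertisement (RFC 4861) with Prefix Information and RDNSS
# (RFC 8106) options. The checksum is not verified here; the kernel does that.
ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25
FLAG_MANAGED, FLAG_OTHER = 0x80, 0x40  # M: addresses via DHCPv6; O: other config via DHCPv6

def parse_router_advertisement(icmp6: bytes) -> dict:
    """Decode the fields a host acts on from an RA (ICMPv6 header included)."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, _hop, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", icmp6[:16])
    ra = {"managed": bool(flags & FLAG_MANAGED), "other": bool(flags & FLAG_OTHER),
          "router_lifetime": lifetime, "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):   # a zero length would loop forever
            raise ValueError("malformed ND option")
        body = icmp6[off + 2:off + opt_len]
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}",
                                   "autonomous": bool(body[1] & 0x40)})   # A flag: SLAAC allowed
        elif opt_type == OPT_RDNSS and opt_len >= 24:
            ra["dns"] += [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
        off += opt_len
    return ra

def next_step(ra: dict) -> str:
    """What the RA flags tell the host to do beyond SLAAC, as the thread describes."""
    if ra["managed"]:
        return "stateful DHCPv6"
    if ra["other"]:
        return "stateless DHCPv6"
    return "none"

def build_sample_ra() -> bytes:
    """Constructed sample: O flag set, one /64 with the A flag, one RDNSS server."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, FLAG_OTHER, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400, 0)
    pio += ipaddress.IPv6Address("2001:db8:1::").packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + ipaddress.IPv6Address("2001:db8:1::53").packed
    return hdr + pio + rdnss
```

The sample RA hands out a prefix for SLAAC and a resolver, but its O flag still tells the host to run a stateless DHCPv6 client for the rest, which is exactly the "separate client" point made above.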

~~~
cauterize
Thank you for the clarification.

------
wglb
I think I will wait a day or two, hoping the seriously annoying pop-over is
gone on April 2.

~~~
clarry
Actually you only need to wait a few minutes. Or use a simpler browser such as
links.

~~~
wglb
Kept coming back.

------
slasaus
I really like the support for tls in syslogd. Unfortunately it looks like it
is not yet supported server-side. At least in current, syslog.conf(5) doesn't
mention anything about specifying a private key.

------
cbd1984
If the person is engaging in April Fool stuff, we obviously can't take any of
this information seriously anyway.

------
zumtar
My UX - click, _ugh!_, back.

------
wolf550e
Why is SCSV a sucky feature?

~~~
smhenderson
I don't know too much about it but it's a LibreSSL compatibility feature to
stay compatible with OpenSSL. Basically it's a mechanism for client software
to fall back to reduced encryption when better options fail. Considering their
stance on security I can see why the OpenBSD guys look at this as a bad idea.
But on the other hand if they want people to adopt LibreSSL some
"compatibility over maximum security" choices have to be made.

More here... [https://github.com/libressl-portable/portable/issues/36](https://github.com/libressl-portable/portable/issues/36)

~~~
wolf550e
It's not a way to fall back, it's a way to detect fallback and prevent
downgrade attacks.

[https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-05](https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-05)

A client sends a ClientHello trying to connect with TLS 1.2, MITM does not let
that through, the client sends a ClientHello for TLS 1.0 with a signal that
means "this is a fallback", the MITM lets that through, the server sees this
and does not allow a connection, foiling the attempted downgrade attack.

I know that, that's why I asked: "Why is SCSV a sucky feature?".
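
The exchange described above, as an added example that is not part of the thread or of LibreSSL: a toy ClientHello builder and the server-side rule from the SCSV draft (a signalled fallback to a version below the server's maximum gets an inappropriate_fallback alert), with a simulation of an on-path blocker dropping the higher-version attempts. Cipher-suite and alert values are the real ones; the simplified ClientHello framing without extensions is a simplification for this example.

```python
import struct

# TLS_FALLBACK_SCSV is a cipher-suite value the client adds only on a fallback
# retry. A server that could have done better than the offered version answers
# with a fatal inappropriate_fallback alert instead of completing the handshake.
TLS_FALLBACK_SCSV = 0x5600
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
ALERT_INAPPROPRIATE_FALLBACK = 86
AES128_GCM_SHA256 = 0x009C  # an ordinary suite so the list is never SCSV-only

def build_client_hello(version, fallback):
    """ClientHello body without extensions: version, random, session id, suites, compression."""
    suites = [AES128_GCM_SHA256] + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # zero random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body + b"\x01\x00"                                  # one compression method: null

def parse_client_hello(body):
    (version,) = struct.unpack("!H", body[:2])
    off = 35 + body[34]                                        # skip random and session id
    (n,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + n, 2)]
    return version, suites

def server_decision(body, server_max_version):
    """Server rule: reject a signalled fallback that is below the version we support."""
    version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("continue", min(version, server_max_version))      # ordinary version negotiation

def simulate(server_max_version, mitm_allows_up_to):
    """Client offers 1.2 first, then retries lower with the SCSV, while an on-path
    blocker drops every ClientHello above mitm_allows_up_to. Returns the transcript."""
    transcript = []
    for attempt, version in enumerate((TLS12, TLS11, TLS10)):
        hello = build_client_hello(version, fallback=attempt > 0)
        if version > mitm_allows_up_to:
            transcript.append((version, "dropped"))
            continue
        transcript.append((version, server_decision(hello, server_max_version)))
        break
    return transcript
```

Against a genuine TLS 1.0-only server the first ClientHello simply negotiates down, so the SCSV never appears and nothing breaks; only a fallback that contradicts what the server can do is refused.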

~~~
smhenderson
OK, my bad, I just checked the RFC[1] and reading it agrees absolutely with
what you are saying.

I am probably misunderstanding the thread I linked to in my OP but reading
through it (I remembered seeing this a while ago when I read your question) I
got the impression that the LibreSSL guys looked at it from the opposite
angle.

From my link:

 _TLS_FALLBACK_SCSV is only useful in the case where a client willingly
chooses to do a downgrade and attempts to establish a second connection at a
lower protocol after the previous one unexpectedly failed. In short, the
client should not do this - client-side fallback is dangerous ( "a landmine"
to quote agl). TLS_FALLBACK_SCSV only works if both ends support it and it is
largely a case of adding a workaround to support/enforce insecure behaviour.
Unless you control both ends, you cannot be sure TLS_FALLBACK_SCSV is
available and if you do control both ends you can either force TLS 1.2 and/or
avoid client-side downgrade._

And the final reply: _Server-side TLS_FALLBACK_SCSV support has reluctantly
been added to LibreSSL._

I guess in the end the reluctance is more about it being new and untested and
not so much a bad security practice.

[1] [https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00](https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00)

------
cbd1984
This is obviously incorrect, and a seizure trigger to boot.

------
cbd1984
The site is a possible seizure trigger.

------
cbd1984
This site is still totally unreadable.

------
cbd1984
Flagged as seizure trigger.

------
_mikz
Great marketing! I liked you on facebook.

