From: mike tancsa
To: John Baldwin, freebsd-stable@freebsd.org
Subject: Re: svn commit: r351246 - in stable: 11/sys/opencrypto 12/sys/opencrypto
Date: Mon, 26 Aug 2019 16:59:10 -0400
Message-ID: <39c6d016-fecb-306e-32f2-7fdabad32122@sentex.net>
List-Id: Production branch of FreeBSD source code

On 8/22/2019 6:51 PM, John Baldwin wrote:
> On 8/21/19 5:47 PM, Mike Tancsa wrote:
>> On 8/21/2019 6:38 PM, John Baldwin wrote:
>>> On 8/21/19 9:08 AM, mike tancsa wrote:
>>>> On 8/21/2019 12:00 PM, John Baldwin wrote:
>>>>> dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()'
>>>> Thanks, I am not familiar with dtrace at all. This command gives a
>>>> syntax error
>>>>
>>>> 0(cage)# dtrace -n 'fbt::_gone_in:entry {
>>>> @counts[curthread->td_proc->p_comm] = count()'
>>>> dtrace: invalid probe specifier fbt::_gone_in:entry {
>>>> @counts[curthread->td_proc->p_comm] = count(): syntax error near end of
>>>> input
>>>> 1(cage)#
>>> Oops, I forgot the closing }. First, do "dtrace -l | grep _gone_in" to make
>>> sure dtrace is loaded.
>>> You should see something like this:
>>>
>>> # dtrace -l | grep _gone_in
>>> 87003 fbt kernel _gone_in entry
>>> 87004 fbt kernel _gone_in return
>>> 98682 fbt kernel _gone_in_dev entry
>>> 98683 fbt kernel _gone_in_dev return
>>>
>>> Then this should work:
>>>
>>> # dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count() }'
>>> dtrace: description 'fbt::_gone_in:entry ' matched 1 probe
>>>
>> Thanks!
>>
>> #  dtrace -l | grep _gone_in
>> 15632        fbt            kernel                          _gone_in entry
>> 22693        fbt            kernel                      _gone_in_dev entry
>>
>> # dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] =
>> count() }'
>> dtrace: description 'fbt::_gone_in:entry ' matched 1 probe
>>
>> However, it doesn't show anything after that even as I get the
>> deprecation messages in dmesg
> Can you hit Ctrl-C after seeing some of the messages? This trace won't
> show any results until you exit dtrace.

Hi,

    I am still having problems tracking it down via dtrace, but I am able to create the problem on demand on sshd. What's odd is that if I restrict the list of ciphers in sshd and even specify something like aes-128 on the client, I still get warnings on the server.

e.g. from a client,

% ssh -c aes128-cbc console1 uptime
 4:53PM  up  1:02, 3 users, load averages: 0.04, 0.08, 0.08

The server shows

Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto

Despite having

Ciphers        aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

in /etc/ssh/sshd_config

Doing ssh -v from the client
doesn't show any of the warning ciphers being used or proposed at all.

Just wondering what the value of the warnings is if there is no way to really deal with them or even track down where the issues are?  Rather than filling up the logs, would it be possible to have kern.cryptodev_warn_interval=0 to disable?

    ---Mike
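
Added example, not part of the original message or of FreeBSD: a small sh/awk helper that groups the "Deprecated code" kernel warnings into bursts per timestamp and host, and checks a Ciphers value for legacy cipher names. The function names, the constructed sample log and the list of legacy OpenSSH cipher names (arcfour, 3des-cbc, blowfish-cbc, cast128-cbc) are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical. The sample is constructed:
# the burst quoted in the message (5 ciphers x 3) plus one made-up sshd line.
sample_log() {
    for round in 1 2 3; do
        for c in ARC4 DES 3DES Blowfish CAST128; do
            echo "Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in FreeBSD 13): $c cipher via /dev/crypto"
        done
    done
    echo "Aug 26 16:53:14 console1 sshd[1234]: constructed unrelated line"
}

# One output line per (timestamp, host): total warnings, then per-feature counts.
summarise_deprecations() {
    awk '
    {
        p = index($0, "kernel: Deprecated code ("); if (p == 0) next
        rest = substr($0, p)
        q = index(rest, "): "); if (q == 0) next   # end of "(to be removed in ...)"
        feat = substr(rest, q + 3)                 # "ARC4 cipher via /dev/crypto"
        sub(/ cipher via \/dev\/crypto$/, "", feat)
        key = $1 " " $2 " " $3 " " $4              # month, day, time, host
        if (!(key in total)) order[++n] = key
        total[key]++
        if (!((key, feat) in cnt)) { names[key] = (names[key] == "" ? feat : names[key] "\t" feat) }
        cnt[key, feat]++
    }
    END {
        for (i = 1; i <= n; i++) {
            key = order[i]
            out = key " total=" total[key]
            m = split(names[key], f, "\t")
            for (j = 1; j <= m; j++) out = out " " f[j] "=" cnt[key, f[j]]
            print out
        }
    }'
}

# Print legacy OpenSSH cipher names (assumed list) found in a Ciphers value.
legacy_in_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' |
        grep -E '^(arcfour(128|256)?|3des-cbc|blowfish-cbc|cast128-cbc)$' || true
}

# Ciphers value as quoted from /etc/ssh/sshd_config in the message.
PAGE_CIPHERS='aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com'
sample_log | summarise_deprecations
legacy_in_ciphers "$PAGE_CIPHERS"
```

On a live system the same function can be fed from `summarise_deprecations < /var/log/messages`; an empty result from `legacy_in_ciphers` means the configured list names none of the legacy ciphers.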