Category Archives: Computer

All Computer Stuff

Frontend for openssl to check key chains

Since checking SSL key chains with openssl is sometimes a bit tricky, I have written a little Perl script as a wrapper around it.

Just download check_chain.zip, unzip it and run it as follows:

./check_chain.pl [-p] server [port]

-p (optional) prints out the certificates as well
server is the server to check
port (optional) is the port to connect to, default 443.

Here is the code:

#!/usr/bin/perl -w

use strict;

# Date::Parse is optional: without it the "expires in N days" part is skipped.
my $has_date_parse = 1;
eval {
	require Date::Parse;
	Date::Parse->import( qw/str2time/ )
};

if ( $@ ne "" ) {
	print "Module Date::Parse not found! Skipping expiration date calculation!\n";
	$has_date_parse = 0;
}

my $print_cert = 0;
my $host = shift || &usage();
if ( $host eq '-p' ) {
	$print_cert = 1;
	$host = shift;
}
my $port = (shift || 443);

# Both values are interpolated into a shell command line below, so accept
# only host name and port characters.
&usage() unless defined $host && $host =~ /^[A-Za-z0-9.-]+$/ && $port =~ /^\d+$/;

# The tab on stdin makes s_client return right after the handshake;
# -servername sends the host name as SNI so virtual hosts present the
# certificate that belongs to the name being checked.
my $output = `echo "\t" | openssl s_client -host $host -port $port -servername $host -showcerts 2> /dev/null`;

my $cert_num = 0;

my $line;
my @certs;	# PEM text of each certificate, in the order the server sent them
my %certs;	# attributes per serial number

# Collect every BEGIN ... END CERTIFICATE block; the .. operator is true
# from the BEGIN line up to and including the END line.
foreach $line ( split /\n/, $output ) {
	if ( $line =~ /BEGIN CERTIFICATE/ .. $line =~ /END CERTIFICATE/ ) {
		$certs[$cert_num] .=  "$line\n";
	}
	$cert_num += 1 if $line =~ /END CERTIFICATE/;
}

my $i;
my $serial;
my $attribute;
foreach $i ( 0 .. scalar @certs -1 ) {
	$serial = qx{echo "$certs[$i]" | openssl x509 -serial -noout};
	$serial =~ s/serial=//;
	chomp $serial;
	$certs{$serial}{'certificate'} = $certs[$i];

	foreach $attribute ( qw/issuer subject issuer_hash subject_hash enddate/ ) {
		$certs{$serial}{"$attribute"} = qx{echo "$certs[$i]" | openssl x509 -$attribute -noout};
		chomp $certs{$serial}{"$attribute"};
		# only the enddate output carries this prefix
		$certs{$serial}{"$attribute"} =~ s/notAfter=//;
	}

	# Certificate stored, reuse @certs to keep order with serial number
	$certs[$i] = $serial;
	$certs{$serial}{"order"} = $i;
}

print "\nChecked server: $host on port $port\n";

my $found;
foreach $i ( 0 .. scalar @certs -1 ) {
	print "\nCertificate $i:\n";
	$serial = $certs[$i];
	print "\t", $certs{$serial}{"subject"}, " (hashed: ", $certs{$serial}{"subject_hash"}, ")\n";
	print "\tserial number (check in browser): $serial\n";
	print "\texpires: ", $certs{$serial}{"enddate"};
	if ( $has_date_parse == 1 ) {
		print " (in ", int ((str2time($certs{$serial}{"enddate"}) - time) /60/60/24  ), " days)" ;

	}
	print "\n";
	print "\t", $certs{$serial}{"issuer"}, " (hashed: ", $certs{$serial}{"issuer_hash"}, ")\n";
	print "\tissuer found in chain: ";
	$found = "NO - should be root certificate";
	if ( $certs{$serial}{"issuer_hash"} eq $certs{$serial}{"subject_hash"} ) {
		$found = "SELF SIGNED CERTIFICATE";
	} else {
		foreach ( keys %certs ) {
			if ( $certs{$serial}{"issuer_hash"} eq $certs{$_}{"subject_hash"} ) {
				$found = "YES";
			}
		}
	}
	print "$found\n";
}

if ( $print_cert == 1 ) {
	foreach $i ( 0 .. scalar @certs -1 ) {
		print "\nCertificate $i:\n";
		$serial = $certs[$i];
		print $certs{$serial}{"certificate"}
	}
}

sub usage {
	print "Usage: $0 [-p] server_name [port]\n";
	print "\t-p : also print certificates\n";
	print "\tserver_name : server to check, mandatory\n";
	print "\tport : port to check, default: 443\n";
	exit;
}

Its output is as follows:

$ ./check_chain.pl www.lavalite.de

Checked server: www.lavalite.de on port 443

Certificate 0:
	subject= /C=DE/OU=Domain Control Validated/CN=www.lavalite.de (hashed: dad54aee)
	serial number (check in browser): 11213FB18C3CEF8B39A731AB874D155363F2
	expires: Dec  8 11:13:28 2015 GMT (in 318 days)
	issuer= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2 (hashed: 79701ca5)
	issuer found in chain: YES

Certificate 1:
	subject= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2 (hashed: 79701ca5)
	serial number (check in browser): 040000000001444EF03E20
	expires: Feb 20 10:00:00 2024 GMT (in 3314 days)
	issuer= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA (hashed: b0f3e76e)
	issuer found in chain: NO - should be root certificate
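The script above only reports whether each issuer appears somewhere in the chain the server sent. As an added example (not part of check_chain.pl or the original post), the following POSIX shell functions do the same PEM splitting with awk and then hand the leaf and the intermediates to openssl verify, which also checks signatures, validity dates and that the chain ends in a root from the system trust store. The host name check and the -servername option are my additions; the function names are assumptions.

```shell
#!/bin/sh
# split_chain DIR : read PEM blocks on stdin, write DIR/cert-N.pem for each
# certificate (cert-0 is the first one the server sent, i.e. the leaf) and
# print how many were found (0 if none).
split_chain() {
  dir=$1
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" (n - 1) ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  '
}

# valid_host NAME : accept only host name / IPv4 literal characters, so the
# value is safe to place on a command line (check_chain.pl interpolates its
# argument into a backtick command without such a check).
valid_host() {
  case $1 in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# check_chain HOST [PORT] : fetch the presented chain, print the attributes
# the Perl script prints, then validate the leaf against the system store.
# Returns openssl verify's status (0 = chain OK).
check_chain() {
  host=$1; port=${2:-443}
  valid_host "$host" || { echo "invalid host name: $host" >&2; return 2; }
  case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;; esac
  dir=$(mktemp -d)
  # stdin from /dev/null makes s_client exit after the handshake;
  # -servername sends SNI so virtual hosts return the right certificate.
  count=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
            </dev/null 2>/dev/null | split_chain "$dir")
  if [ "$count" -eq 0 ]; then
    echo "no certificates received from $host:$port" >&2
    rm -rf "$dir"; return 1
  fi
  echo "Checked server: $host on port $port ($count certificates)"
  i=0
  while [ "$i" -lt "$count" ]; do
    echo "Certificate $i:"
    openssl x509 -in "$dir/cert-$i.pem" -noout \
      -subject -issuer -enddate -subject_hash -issuer_hash | sed 's/^/    /'
    i=$((i + 1))
  done
  # Everything after the leaf is offered as untrusted intermediates; the
  # chain must still end in a root that the system trusts.
  if [ "$count" -gt 1 ]; then
    cat "$dir"/cert-[1-9]*.pem > "$dir/untrusted.pem"
    openssl verify -untrusted "$dir/untrusted.pem" "$dir/cert-0.pem"
  else
    openssl verify "$dir/cert-0.pem"
  fi
  rc=$?
  rm -rf "$dir"
  return $rc
}

# usage: sh thisfile.sh www.example.test [443]
if [ $# -gt 0 ]; then
  check_chain "$@"
fi
```

openssl verify prints "cert-0.pem: OK" on success; a leaf whose issuer is missing from both the sent chain and the trust store fails with "unable to get local issuer certificate", which is the case the Perl script labels "NO - should be root certificate".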

Install most basic Debian Jessie container for use as a template for LXC or similar

To create a very basic Debian Jessie container, follow these steps:

mkdir jessie
cd jessie
mkdir rootfs
cd rootfs/
debootstrap jessie . http://ftp.de.debian.org/debian/
chroot .
passwd

Do not forget to set the root password; it is useful to have a known value later.

Now that we are inside the container, we can configure the basic settings that all containers will need:

tasksel --task-packages standard | xargs apt-get install -y
dpkg-reconfigure locales

Here I usually generate

  de_DE.ISO-8859-1
  de_DE.UTF-8
  de_DE.ISO-8859-15@euro
  en_US.ISO-8859-1
  en_US.ISO-8859-15
  en_US.UTF-8

and set the default to en_US.UTF-8.

To get the full repository contents, change your repository sources so they look like this:

deb http://ftp.de.debian.org/debian jessie main contrib non-free
deb http://ftp.de.debian.org/debian-security jessie/updates main contrib non-free

and then run aptitude update.

You should also install an SSH server by entering

aptitude install openssh-server

Enable root logins via SSH by changing one line in its configuration:

PermitRootLogin yes

Unfortunately systemd does not yet work easily with LXC, so replace it with the old sysvinit:

aptitude install sysvinit-core
dpkg -P systemd

Edit the initial DNS resolver configuration so it looks like this:

search yourdomain.com
nameserver ip.of.your.nameserver

Then configure the main network interface:

auto eth0
iface eth0 inet static
	address 192.168.168.100
	netmask 255.255.255.255
	gateway 192.168.168.1

iface eth0 inet6 static
	address 2001:aaaa:bbbb:0168::2
	netmask 64
	gateway 2001:aaaa:bbbb:0168::1

Replace /etc/inittab with the following short version which is enough for a container:

id:2:initdefault:
si::sysinit:/etc/init.d/rcS
~~:S:wait:/sbin/sulogin
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
z6:6:respawn:/sbin/sulogin
1:2345:respawn:/sbin/getty --noclear 38400 console
p0::powerfail:/sbin/init 0
p6::ctrlaltdel:/sbin/init 6

Should the network not come up automatically, you can set the IP address in the config file of the container:

lxc.network.ipv4=192.168.168.100/24

After a first start, you should also configure the mail server so it can send all system mail to your main mail server:

dpkg-reconfigure exim4-config

and answer all the questions.

Shut the container down again, clean up all the log files and make a copy, which you can then use as the template for further containers.
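The steps above as one parameterised script, added here as an example rather than taken from the post. The rendering functions produce the configuration files with the site-specific values passed in, build_template runs debootstrap and applies them in a chroot, and set_permit_root_login edits the sshd setting in place. The function names, the example.test domain and the addresses are my own; the script assumes a /24 mask because the post's lxc.network.ipv4 line says /24 while its interfaces file uses 255.255.255.255, and it sets PermitRootLogin to without-password (key-based root login only) where the post uses yes.

```shell
#!/bin/sh
# render_interfaces IP NETMASK GATEWAY [IP6 PREFIXLEN GATEWAY6]
# Prints an /etc/network/interfaces for eth0; the IPv6 stanza is optional.
render_interfaces() {
  printf 'auto eth0\niface eth0 inet static\n'
  printf '\taddress %s\n\tnetmask %s\n\tgateway %s\n' "$1" "$2" "$3"
  if [ -n "${4:-}" ]; then
    printf '\niface eth0 inet6 static\n'
    printf '\taddress %s\n\tnetmask %s\n\tgateway %s\n' "$4" "$5" "$6"
  fi
}

# render_resolv_conf DOMAIN NAMESERVER
render_resolv_conf() {
  printf 'search %s\nnameserver %s\n' "$1" "$2"
}

# render_sources_list MIRRORHOST : main, contrib, non-free plus security updates
render_sources_list() {
  printf 'deb http://%s/debian jessie main contrib non-free\n' "$1"
  printf 'deb http://%s/debian-security jessie/updates main contrib non-free\n' "$1"
}

# set_permit_root_login FILE VALUE : rewrite an existing (possibly commented
# out) PermitRootLogin line or append one; fails if the result is not in place.
set_permit_root_login() {
  if grep -q '^#*PermitRootLogin' "$1"; then
    sed "s/^#*PermitRootLogin .*/PermitRootLogin $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf 'PermitRootLogin %s\n' "$2" >> "$1"
  fi
  grep -q "^PermitRootLogin $2\$" "$1"
}

# build_template DIR MIRRORHOST DOMAIN NAMESERVER IP GATEWAY
# Bootstraps DIR/rootfs and applies the settings; needs root and debootstrap.
build_template() {
  root=$1/rootfs
  [ "$(id -u)" -eq 0 ] || { echo "build_template must run as root" >&2; return 2; }
  command -v debootstrap >/dev/null || { echo "debootstrap not installed" >&2; return 2; }
  mkdir -p "$root"
  debootstrap jessie "$root" "http://$2/debian/" || return 1
  render_sources_list "$2" > "$root/etc/apt/sources.list"
  render_resolv_conf "$3" "$4" > "$root/etc/resolv.conf"
  # /24 assumed here (the post's lxc.network.ipv4 line uses /24)
  render_interfaces "$5" 255.255.255.0 "$6" > "$root/etc/network/interfaces"
  chroot "$root" /bin/sh -c '
    apt-get update &&
    tasksel --task-packages standard | xargs apt-get install -y &&
    apt-get install -y openssh-server sysvinit-core &&
    dpkg -P systemd
  ' || return 1
  # without-password: root may log in with a key, not with a password
  set_permit_root_login "$root/etc/ssh/sshd_config" without-password
  echo "Next: chroot $root passwd; dpkg-reconfigure locales; copy the inittab from the post to $root/etc/inittab"
}

# usage (as root): sh thisfile.sh jessie ftp.de.debian.org example.test 192.0.2.53 192.168.168.100 192.168.168.1
if [ $# -eq 6 ]; then
  build_template "$@"
fi
```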

Remotely disabling Firewall of Mac OS X

I just happened to be unable to log in to my Mac using ScreenSharing (VNC). It is enabled, but probably the firewall is asking if ScreenSharing should be allowed to receive incoming connections… Bummer!

If at least SSH is working, it is possible to disable the firewall completely from the command line. Please be sure to only do this in a secured environment:

sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0

After this you will have to restart the firewall agent:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist

You should now be able to use ScreenSharing.

Do not forget to re-enable the firewall after you have finished your work: same procedure, but with 1 instead of 0, of course 🙂

To enable ScreenSharing in general, please read this older post: Activate screen sharing on Mac OS X when you only have SSH enabled

FhGFS glitches

Installing FhGFS comes with a few small glitches. I am installing on Debian 7.0 and using XQuartz on Mac OS X.

  • to avoid the XTEST error message when starting the Java GUI, follow the instructions on http://xquartz.macosforge.org/trac/ticket/414 and enter defaults write org.macosforge.xquartz.X11 enable_test_extensions -bool yes in a terminal window before starting the GUI
  • if you are using a proxy, be sure to define it in /etc/environment before starting the admon process or else the automatic wget downloads will fail

IPSEC using Strongswan for iPhones and Mac computers

If you want to use the built-in IPSEC VPN clients of iPhones and Mac computers, there is very good documentation on the Strongswan site itself.

Two things are most important. First, make sure your binaries have been built with the --enable-cisco-quirks option; Strongswan will then behave like a Cisco router and you can set up an IPSEC-only tunnel. [This is not necessary anymore.]

The second issue (important for Mac computers; iPhones seem to ignore it) is the server certificate. You must put the server’s fully qualified domain name, as the clients see it, into the certificate’s common name (which is normal) and also into the “X509v3 Subject Alternative Name” as “DNS:your.domain.tld”. Otherwise you will get the message that your server’s certificate is not correct.

Since my ipsec binaries were unable to add the “Subject Alternative Name”, I went back to good old openssl to create my CA and certificates. It is all standard, but you have to add the option “subjectAltName = DNS:copy:commonName” to openssl.cnf (server_cert section).

If you follow the documentation mentioned above and the two issues explained here you will be able to use the tunnel for both iPhones and Macs!

Mophie!

Today I can report another story of excellent customer service!

Last November I ordered a hip holster directly from Mophie since it was not available within Europe. Unfortunately this incurred UPS fees and import taxes, which almost doubled the price.

Last week I found the holster was broken, and I asked the people at Mophie if they now had a German distributor doing warranty exchanges. Guess what: they asked for a more detailed description, and once they received that, they sent out a replacement for free, which I received today.

No need to send the broken holster back – which would have been expensive again.

This is what I call service. Extraordinary good service. Thanks, David Hertz!

Temporary IPv6 address not MAC based

If you want a temporary IPv6 address which is not MAC based (so you do not always surf with the same address and cannot be tracked by it), enter

sudo sysctl -w net.inet6.ip6.use_tempaddr=1

on your Mac’s commandline. You will then get an additional temporary IPv6 address which does not reveal your network card’s MAC address as part of it. This gives a bit more privacy!

This should also work on a jailbroken iPhone/iPad!

Great support for my Berofix ISDN-to-SIP card

Today I need to tell you about a great support experience I had with a Berlin company called beroNet. They manufacture all kinds of telecommunications hardware; I personally have been running multiple ISDN BRI cards at home and at work for years now, with no problems at all.

Yesterday, on Sunday, I plugged in my currently unused berofix card to try it out with new versions of Asterisk or FreeSwitch. From the OS point of view this card appears as a network card and does all the work on its own (ISDN to SIP and back). All you need in your OS is a simple network driver, which is available for all OSes I know of and is usually already included. No special ISDN drivers or timing modules are required under Linux.

The card runs its own (Linux) OS, which I guess I hadn’t upgraded for more than 15 months, so I had a very early release on it. In fact I was beta testing the card before its official release and still had the beta software on it. I decided to upgrade the card to have a current version for my tests. Flashing the card is very easy: just upload the update file with a web browser, wait a bit, and usually all is done. My software release was so old that the current version simply did not expect the very different file system structure left over from the beta test on my old card, and failed. No GUI anymore. And the entire card is configured via its GUI.

After trying around a bit (getting only GUI errors) I decided to ask the beroNet support for help, and got a first answer at noon today. I could have repaired the card myself (by following this procedure), but when I mentioned that my card OS was really very old, Christian Richter, one of their support specialists, offered to have a look at the card if I could just give him access to a special port. I opened my firewall for him, and an hour later my card was up and running again.

That’s what I call support. All I had to do was ask for help, and it was fixed in the easiest way possible for me. Thanks for the fast and competent support!

iPhone Certificates

Today I was wondering how to get my own CA’s root certificate AND a certificate signed by my own CA onto my iPhone.

After reading lots of stuff I finally made it:

First, send an email containing your CA’s root certificate (the .crt file) to an address which you will receive on your iPhone. Open this mail, click on the attachment, and voilà: you will be asked to install that certificate. Do it 🙂

Your “identity”, which consists of your client’s .crt and .key files, needs to be converted into a single PKCS12 .p12 file for the iPhone to understand it.

This conversion can be done by the following command (taken from http://shib.kuleuven.be/docs/ssl_commands.shtml):

openssl pkcs12 -export -in your_iphone_s.crt -inkey your_iphone_s.key -out your_iphone_s.p12 -name "name_of_your_iphone" -CAfile your_ca_s.crt -caname "your_ca_s_name" -chain

You will be asked for an export password, which will protect your identity during the later transmission via email. If your_iphone_s.key is protected with a password you will probably be asked for that one too, but this was not the case with my file, so I cannot say.

Again, mail the resulting your_iphone_s.p12 to an address which you will receive on your iPhone. Open this mail, click on the attachment, and voilà: you will be asked to install that PKCS12 identity. Do it 🙂

You will be asked for the export password which you entered when creating the .p12 file.
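The following is an added example (not code from either post) that exercises both certificate steps described on this page with a throw-away CA: issuing a server certificate whose Subject Alternative Name carries the VPN host name, as the Strongswan post requires for Mac clients, and packing a client identity together with its CA into a PKCS#12 file, as this post does for the iPhone. The host name vpn.example.test, the identity name my-iphone, the EC P-256 keys and the function names are assumptions. The SAN is written literally in the config instead of the post's "DNS:copy:commonName" form, and -certfile adds the CA certificate explicitly where the post lets "-CAfile ... -chain" build the chain; for a one-level CA the result is the same.

```shell
#!/bin/sh
# make_test_pki DIR FQDN : CA, server cert with SAN DNS:FQDN, client cert.
make_test_pki() {
  dir=$1 fqdn=$2
  mkdir -p "$dir"
  # Minimal openssl config: the SAN value is spelled out literally.
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  cfg=$dir/openssl.cnf
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -config "$cfg" -extensions v3_ca \
    -days 3650 -out "$dir/ca.crt"
  for role in server client; do
    if [ "$role" = server ]; then cn=$fqdn; else cn=my-iphone; fi
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$role.key"
    openssl req -new -key "$dir/$role.key" -config "$cfg" -subj "/CN=$cn" \
      -out "$dir/$role.csr"
    openssl x509 -req -in "$dir/$role.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 365 -extfile "$cfg" -extensions "v3_$role" \
      -out "$dir/$role.crt"
  done 2>/dev/null
}

# cert_has_san CRT FQDN : succeeds when the certificate carries DNS:FQDN,
# the check a Mac client effectively performs on the VPN server certificate.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# export_identity CRT KEY CACRT NAME OUT PASSWORD : PKCS#12 bundle with the
# client certificate, its key and the CA certificate. The password is the
# export password the post mentions; pass:... is visible in the process list,
# so for real use prefer -passout file:... with a protected file.
export_identity() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "$4" \
    -out "$5" -passout "pass:$6"
}

# p12_cert_count FILE PASSWORD : number of certificates inside the bundle
# (2 expected: the identity and the CA).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# usage: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_test_pki "$d" vpn.example.test
  cert_has_san "$d/server.crt" vpn.example.test && echo "server cert carries the SAN"
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt"
  export_identity "$d/client.crt" "$d/client.key" "$d/ca.crt" my-iphone "$d/client.p12" changeit
  echo "certificates in client.p12: $(p12_cert_count "$d/client.p12" changeit)"
  echo "files are in $d"
fi
```

The same config and x509 -req invocation work with an existing CA key and certificate in place of the generated ones; only the extfile section selected with -extensions decides whether the SAN ends up in the certificate.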