Fun hacks, WP plugins, photography, and PKI junk. Languishing since 2008.
Archive for March, 2009
Delete Sends Ctrl-H
Mar 30th
If you’re a Mac user who utilizes Terminal.app with any regularity you have probably run into some Linux servers where the Mac Delete key behaves as forward delete instead of backspace (Ubuntu, Debian, and a few other distributions have this issue). This is a really obnoxious problem, but fortunately there is an easy global fix.
To repair the problem you’ll need to go to the Terminal.app preferences, select settings, then under the default theme you’re using click the advanced tab. Now you can check the “Delete Sends Ctrl-H” option and close the prefs. Any existing windows will retain the old behavior
Using OpenSSL s_time
Mar 28th
Recently I needed to do some performance testing of an SSL instance on a VM. I considered using JMeter, but decided to use OpenSSL to get a rudimentary picture instead.
To obtain a basic result, we connect to the server and pull the /index.php file. You can specify whatever file you’d like to download, or none at all if you simply want to test connections.
openssl s_time -www /index.php -new -connect www.trustwave.com:443
Your result will look something like this:
No CIPHER specified
Collecting connection statistics for 30 seconds
ttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
159 connections in 5.82s; 27.32 connections/user sec, bytes read 62328
159 connections in 31 real seconds, 392 bytes
RSA Encryption and Signing
Mar 21st
OpenSSL provides several tools that allow you to RSA encrypt/sign arbitrary data files. Of course, directly RSA encrypting large volumes of data is impractical because the encrypted/signed data cannot exceed the size of the key material. This is one of the reasons why SSL connections typically handshake and then pass an AES (or RC4, et cetera) key to do symmetric encryption thereafter.
Generate a private key. You can change the last number to the preferred modulus size. Keys greater than 4096-bit will take a long time to generate.
openssl genrsa -out private.pem 4096
With the private key we can now encrypt the data.
openssl rsautl
Creating a PKCS7 (P7B) Using OpenSSL
Mar 20th
Continuing the howto nature of this blog (and its peculiar obsession with OpenSSL), here’s a primer on packaging an arbitrary number of certificates into a single PKCS7 container. These files are quite useful for installing multiple certificates on Windows servers. They differ from PKCS12 (PFX) files in that they can’t store private keys. If you need to generate a PKCS12 then head to that article instead.
This example assumes that you have 2 different certificate files, each in PEM (Base64) format. You can add as many -certfile elements as you want to package in the file. Additionally, concatenated certificate chains are supported.
Fidgetr 1.0
Mar 15th
As promised, Fidgetr 1.0 has been released. Here are the improvements since the last time I posted about it:
- Incremented version to 1.0 to catch users stuck at versions earlier than 0.6.1. Welcome back to the cutting edge!
- Reworked the crossfade theme JS to fix some bugs and dramatically simplify the code.
- Photoset support! Display your latest photos or photos from a photoset.
- Removed requirement for allow_url_fopen. Fidgetr now tries to use the cURL libraries first.
- Added an AJAX check to warn the user if their Flickr username/email is invalid.
- Added some advanced CSS in the default theme (visible in Safari 4 only)
- Fixed a quote issue
Checking A Remote Certificate Chain With OpenSSL
Mar 14th
If you deal with SSL/TLS long enough you will run into situations where you need to examine what certificates are being presented by a server to the client. The best way to examine the raw output is via (what else but) OpenSSL.
First let’s do a standard webserver connection. The -showcerts flag dumps the PEM-encoded certificates themselves for more extensive parsing if you desire; the output below snips them for readability:
openssl s_client -showcerts -connect www.domain.com:443
CONNECTED(00000003)
--snip--
---
Certificate chain
 0 s:/C=US/ST=Texas/L=Carrollton/O=Woot Inc/CN=*.woot.com
   i:/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
-----BEGIN CERTIFICATE-----
--snip--
-----END CERTIFICATE-----
 1 s:/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure