Author Archives: Paul Kehrer - Page 10

Find A Matching Certificate And Key Pair

If you have a list of keys and SSL certs and don’t know which cert belongs with which key, here’s a script for you. It’s not efficient (nested for loop!), but it gets the job done quickly.[1]

#!/bin/bash
# Compare the RSA modulus of every private key against every certificate;
# a key and a certificate that share a modulus belong together.
for i in *.key; do
    key_mod=$(openssl rsa -noout -in "$i" -modulus)
    for j in *.cer; do
        x509_mod=$(openssl x509 -noout -in "$j" -modulus)
        if [ "$x509_mod" == "$key_mod" ]; then
            echo "$j matches $i"
        fi
    done
done
[1] If bash allowed multidimensional or associative arrays this would be trivial to optimize.
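A faster and more general way to do the same matching, added here as an example and not part of the original post: instead of comparing RSA moduli pairwise, hash each file's public key (the DER SubjectPublicKeyInfo) once, so EC and Ed25519 keys are handled the same way as RSA, then join the two sorted lists on the hash. It assumes a POSIX shell with sort and join, OpenSSL 1.1.0 or later (for openssl pkey), and filenames without spaces; the directory argument and function names are this example's own.

```sh
#!/bin/sh
# Added example: match certificates to private keys by public-key hash.
# Assumes OpenSSL >= 1.1.0 (for `openssl pkey`) and filenames without spaces.

# Read a PEM public key on stdin and print the SHA-256 of its DER encoding.
# Prints nothing if the input is empty (OpenSSL could not parse the file),
# so an unreadable key never "matches" an unreadable certificate.
spki_hash_from_pem() {
    pem=$(cat)
    [ -n "$pem" ] || return 0
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# Public-key hash of a private key file (any key type openssl pkey understands).
key_spki_hash() {
    openssl pkey -in "$1" -pubout 2>/dev/null | spki_hash_from_pem
}

# Public-key hash of the key a certificate carries.
cert_spki_hash() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | spki_hash_from_pem
}

# hash_files HASHER FILE...: print "hash filename" for each readable file,
# skipping files the hasher could not parse.
hash_files() {
    hasher=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        h=$("$hasher" "$f")
        if [ -n "$h" ]; then
            printf '%s %s\n' "$h" "$f"
        fi
    done
}

# match_pairs DIR: print "cert key" for every certificate in DIR whose public
# key belongs to a private key in DIR. Each file is hashed exactly once; the
# pairing itself is a join of two sorted lists, not a nested loop.
match_pairs() {
    dir=$1
    keys=$(mktemp) && certs=$(mktemp) || return 1
    hash_files key_spki_hash "$dir"/*.key | LC_ALL=C sort > "$keys"
    hash_files cert_spki_hash "$dir"/*.cer "$dir"/*.crt | LC_ALL=C sort > "$certs"
    LC_ALL=C join -o 1.2,2.2 "$certs" "$keys"
    rm -f "$keys" "$certs"
}

# Usage: ./match-pairs.sh /dir/with/keys/and/certs
if [ $# -gt 0 ]; then
    match_pairs "$1"
fi
```

Because the comparison is on the public key rather than the RSA modulus, the same script also tells you when a certificate's key is simply absent (it prints no line for it), which is the usual reason a "which key goes with this cert" search turns up empty.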

SSL VHosting On The Same IP (aka SNI)

Server Name Indication (SNI), an extension to TLS, allows browsers that support it to connect to SSL hosts that do not have dedicated IPs (much like standard http virtual hosting has worked for years). This extension, however, must be supported on both the server and client side. Microsoft has not yet chosen to support it (maybe IIS 8?), but the Apache project did with the 2.2.12 release. Recently, Ubuntu 9.10 Server became the first server distribution to ship with Apache and OpenSSL built with the appropriate flags, so if you’d like to follow along you can use a 9.10 VM.

In the ideal case everything is the same as a regular vhost, but you’ll first need to enable SSL. On Ubuntu this means running a2enmod ssl. After that you’ll need to add

NameVirtualHost *:443

to the root conf, then make your VirtualHost much like a normal one. A very basic pair of vhosts is seen below.

<VirtualHost *:443>
	ServerAdmin webmaster@localhost

	DocumentRoot /my/doc/root
	ServerName mydomain.com
	SSLEngine On
	SSLCertificateFile /path/to/domain.crt
	SSLCertificateKeyFile /path/to/domain.key
</VirtualHost>
<VirtualHost *:443>
	ServerAdmin webmaster@localhost

	DocumentRoot /my/doc/root
	ServerName mydomain2.com
	SSLEngine On
	SSLCertificateFile /path/to/domain2.crt
	SSLCertificateKeyFile /path/to/domain2.key
</VirtualHost>

These vhosts should be placed in different includes ideally, but it isn’t required. If you just want to test with a self-signed certificate you can create one with

openssl req -new -nodes -keyout mykey.key -out mycert.cer -days 3650 -x509

You’ll need to specify the domain name you want in the “Common Name” section.

Once you’ve got all this done you can restart apache and test it out! If you test on a browser that doesn’t support SNI (IE on XP) you’ll get the SSL cert for the first vhost apache parses. To disable accessing it on non-SNI hosts you can add

SSLStrictSNIVHostCheck on

to the root conf. This will cause a 403 error for those browsers.

If you’d like to see an example implementation of SNI you can check out my IDN domains https://☢.ws/ and https://☣.ws/. These sites are hosted on the same IP with different SSL certificates. I have strict host checking turned on, so visiting them with a non-SNI capable browser will result in a 403 error.[1]

[1] See the Wikipedia article about Server Name Indication for more information on supported browsers.
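To confirm from the command line which certificate a server hands out with and without SNI (the same thing the browser test above shows), here is an added example that is not part of the original post. It uses openssl s_client and assumes OpenSSL 1.1.1 or later, where -noservername suppresses the server_name extension the way a non-SNI client would; the host, port and function names are this example's own.

```sh
#!/bin/sh
# Added example: see which leaf certificate a TLS server presents
# with and without Server Name Indication. Assumes OpenSSL >= 1.1.1.

# served_subject HOST PORT [SNI_NAME]: print the subject line of the
# certificate the server presents. Without SNI_NAME the ClientHello carries
# no server_name extension, which is what a non-SNI browser sends.
served_subject() {
    host=$1; port=$2; sni=$3
    if [ -n "$sni" ]; then
        opt="-servername $sni"
    else
        opt="-noservername"
    fi
    openssl s_client -connect "$host:$port" $opt </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# subject_cn SUBJECT_LINE: extract the CN from an `openssl x509 -subject` line,
# handling both "subject=CN = foo, O = bar" (1.1.1+) and the older
# "subject= /C=US/O=bar/CN=foo" layout.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# check_sni HOST PORT NAME: report the CN served with and without SNI.
# Different CNs mean name-based SSL vhosting is in effect; the no-SNI answer
# is what legacy clients (IE on XP) will see for every name on that IP.
check_sni() {
    with=$(subject_cn "$(served_subject "$1" "$2" "$3")")
    without=$(subject_cn "$(served_subject "$1" "$2")")
    printf 'SNI %s -> CN=%s\n' "$3" "${with:-<no certificate>}"
    printf 'no SNI -> CN=%s\n' "${without:-<no certificate>}"
}

# Usage: ./check-sni.sh mydomain2.com 443 mydomain2.com
if [ $# -ge 3 ]; then
    check_sni "$1" "$2" "$3"
fi
```

Note that SSLStrictSNIVHostCheck acts at the HTTP layer: the TLS handshake still completes with the default vhost's certificate, and the 403 comes afterwards, so the no-SNI line above still shows a CN even when strict checking is on.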

More Useful Bash/Terminal Settings

A few more tricks to make your bash environment better. As always, add them to your ~/.profile or ~/.bash_profile to enable.

Disable the pagination of long lists when ambiguously tab completing.

bind 'set page-completions off'

Increase the maximum number of matches shown before you are prompted (i.e., “Display all 380 possibilities? (y or n)”). You can set the number to whatever you’d like.

bind 'set completion-query-items 300'

Show the list of autocompletion options after the first tab. This prevents the beep + second tab behavior.

bind 'set show-all-if-ambiguous on'

When autocompleting for cd or rmdir, list only directories as choices.

complete -d cd rmdir

Hostname completion for ssh reads from ~/.ssh/known_hosts, which only works when the entries are stored in plain text rather than hashed. Add this to your ~/.ssh/config (if the file doesn’t exist, create it). Note that hashed entries exist to hide which hosts you connect to from anyone who reads the file, so this trades that protection for convenience.

Host *
HashKnownHosts no

Make grep highlight the matching terms in its output. (Newer GNU grep releases warn that GREP_OPTIONS is deprecated; a shell alias that passes --color=auto is the current equivalent.)

export GREP_OPTIONS='--color=auto'

Ignore case for case preserving but insensitive filesystems (like HFS+). I don’t personally use this, but perhaps some people will like it.

bind 'set completion-ignore-case on'

Don’t show hidden files when listing. Another option I don’t personally use.

bind 'set match-hidden-files off'

Create A 2048-bit Key Via OpenSSL

We are fast approaching the date where NIST has recommended that end entities stop utilizing 1024-bit private keys. OpenSSL, however, currently defaults to creating 1024-bit keypairs. To create a 2048-bit private key and corresponding CSR (which you can send to a certificate authority to obtain your SSL certificate):

openssl req -new -nodes -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr

This command will make a 2048-bit key, run the interactive prompt to populate the fields of the certificate signing request, and leave the private key unencrypted (-nodes). You can remove -nodes if you wish, but encrypting the private key will require you to type the password every time you start an application (like apache) that uses it.
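An added example, not the post's own, that runs the same command non-interactively (a -subj value in place of the prompts) and then confirms that both the private key and the CSR you are about to send really carry a 2048-bit modulus, by reading the modulus back and counting its bits. The function names, the output directory and the "/CN=name" subject are this example's assumptions; replace the subject with your real DN.

```sh
#!/bin/sh
# Added example: generate a 2048-bit RSA key plus CSR without prompts,
# then verify the key size of both artifacts.

# make_key_csr NAME DIR: same as the post's command, with the DN supplied on
# the command line. "/CN=NAME" is a placeholder subject.
make_key_csr() {
    name=$1; dir=$2
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$name" 2>/dev/null
}

# hex_bits HEX: bit length of a big number written as OpenSSL prints it
# (uppercase hex, no leading zero digits). hex_bits 1F -> 5.
hex_bits() {
    hex=$1
    if [ -z "$hex" ]; then
        echo 0
        return 0
    fi
    case $(printf '%s' "$hex" | cut -c1) in
        [89a-fA-F]) lead=0 ;;   # top bit of the first nibble is set
        [4-7])      lead=1 ;;
        [23])       lead=2 ;;
        1)          lead=3 ;;
        *)          lead=4 ;;   # only a lone "0" reaches here
    esac
    echo $(( ${#hex} * 4 - lead ))
}

# key_bits KEYFILE: modulus size of an RSA private key.
key_bits() {
    hex_bits "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//')"
}

# csr_bits CSRFILE: modulus size of the public key embedded in a CSR,
# i.e. what the CA will actually put into your certificate.
csr_bits() {
    hex_bits "$(openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl rsa -pubin -noout -modulus 2>/dev/null | sed 's/^Modulus=//')"
}

# Usage: ./make-csr.sh mydomain /path/to/outdir
if [ $# -ge 2 ]; then
    make_key_csr "$1" "$2"
    echo "key: $(key_bits "$2/$1.key") bits, csr: $(csr_bits "$2/$1.csr") bits"
fi
```

Checking the CSR separately matters because it is the CSR, not the key file, that leaves your machine; if the two disagree, the key you kept is not the one the certificate will be issued for.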

Improved Bash History

If you use multiple shells simultaneously (in my case with Terminal.app on OS X) you’ve undoubtedly noticed that the history of the last closed shell clobbers any commands you might have executed in others. This makes it difficult to use reverse-i-search to find commands you recall using. However, with a few modifications to your bash history you can greatly increase its utility.

export HISTCONTROL=erasedups
export HISTSIZE=10000
export HISTTIMEFORMAT="%D %T "
export HISTIGNORE="&:ls:exit"
shopt -s histappend

Save the above lines to your home directory’s .profile (or .bash_profile) and your shell history will now prevent duplicates, have a maximum of 10,000 items, append a timestamp to all new commands, exclude a list of commands, and append history between shells.

Upgrading Ubuntu Server to 9.10

A quick reminder for those who don’t know or have forgotten how to upgrade an Ubuntu server:

sudo apt-get install update-manager-core
sudo do-release-upgrade

Follow the instructions, reboot, and you’re done!