Home Contact Download

asyd.net

Welcome to Bruno Bonfils's (aka asyd homepage).
Trace: » geeklog

Differences

This shows you the differences between the selected revision and the current version of the page.

geeklog 2005/10/22 19:19 geeklog 2008/10/03 08:25 current
Line 1: Line 1:
-====== October, 21th ======+=====EasySSL ? A high level library to OpenSSL=====
-=====Firefox Protocol Handling======+I'm actually working with OpenSSL C API, to be able to add 
 +OCSP support to software like freeradius, maybe postfix, etc..  
 +While I'm writing more and more code to send an OCSP request (~400 lines) 
 +I'm thinking to start a high level library to OpenSSL (the name easyssl 
 +is just my first thought) to help developers to doesn't care really 
 +about the complex usage of OpenSSL.
-In order to have Firefox launch a gnome-terminal for url which begin in ssh/telnet, I wrote a little script and +For example, I recently check 
-made some changes in //about:config//+a well know software which can use certificates to authenticate users. After taking a look 
 +in code, I noticed the check was sometimes only done on the DN certificate, it's a very poor test, it's may be even a serious security flaw. That's why I think it could be nice to provide developers an easy to use library, features fill (OCSP support is not often available) for SSL functions.
-//prefs.js// +Here the code of main function to check a certificate by OCSP (I removed  
-<code+checks code)
-user_pref("network.protocol-handler.app.telnet", "/home/asyd/bin/firefox-handler.zsh"); +
-user_pref("network.protocol-handler.app.ssh", "/home/asyd/bin/firefox-handler.zsh")+
-</code>+
-//firefox-handler.zsh// +<code c
-<code bash+ /* Create a new EasySSL configuration and initialize it */ 
-#!/bin/zsh+  config = malloc (sizeof (ssl_config)); 
 +  init_ssl_config(config);
-url=$1+  /* Add a certificate to the CA store */
-proto=${url//:*/} +  /* char *cacert : path of CA certificate file to load */ 
-data=${${url//*:\/\//}%/}+ add_cert_to_CAstore(config, cacert))
-/usr/bin/gnome-terminal -e "$proto $data" +  /* Load certificate to check from a file, since a file  
-</code> +  * may contains more than one certificates, we need to  
 +   * use a STACK_OF(X509), check its size, and pop the uniq element */
-[[geeklog:comments:20051020|Comments]]+  /* char *xfile: path of final certificate file to load */ 
 +  certificates = x509_load_certificates_from_file(xfile); 
 +  { 
 +    X509 *certificate = NULL; 
 +    int response = -1;
-====== October, 18th ======+    if (sk_num(certificates) != 1) 
 +        goto error;
-=====Certificates=====+    /* Pop the certificate from stack of X509 */ 
 +    certificate  = (X509 *) sk_pop(certificates);
-Now I found a **very** good PKI free software, I try to use it everywhere I need certificates. My first //difficult// task +    /*  
-was with IOS. You can find here some notes.+      * ssl_config *config: pointer to EasySSL configuration 
 +      * char *url: URL to use to join the OCSP responder, (eg http://pki.asyd.net/ejbca/publicweb/status/ocsp) 
 +     * X509 *certificate: certificate to check 
 +      * Return: 
 +      *    < 0: Internal error  
 +      *      0: The certificate is valid 
 +      *    > 0: The certificate is revoked, the return value stand for the reason 
 +      */ 
 +    response = ocsp_check_certificate(config, url, certificate)
-====EJBCA and IOS====+      /* Display status */ 
 +    printf("  certificate DN: %s\n", 
 +      certificate->name);
-Here my IOS config related to my CA :+    printf("  status: "); 
 + 
 +    if (response < 0) 
 +      printf("Internal error\n"); 
 +    else if (response == 0) 
 +      printf("OK\n"); 
 +    else if (response > 0) 
 +      { 
 + printf("revoked\n"); 
 + printf("  reason: %s\n", OCSP_crl_reason_str(response)); 
 +      } 
 +  } 
 +</code>
<code> <code>
-! +% ./ocsp certs/cacert.pem certs/test00.pem 
-crypto ca trustpoint FMSCA +   certificate DN: /CN=Bruno Bonfils (test00)/O=asyd dot net/C=FR 
- enrollment url http://pki.intranet.fimasys.fr:8080/ejbca/publicweb/apply/scep +   status: OK 
- serial-number + 
- source interface Ethernet0 +% ./ocsp certs/cacert.pem certs/test01.pem 
- auto-enroll regenerate +  certificate DN: /CN=Bruno Bonfils (test01)/O=asyd dot net/C=FR 
-!+   status: revoked 
 +   reason: certificateHold
</code> </code>
-Description / Notes +As you can see, it's **very simple**. I hope I'll have enough time to code the same 
 +simple function as SSL sockets frontend, but in a first time I'll add the validity 
 +check.
-  * The enrollment line tell how (the method, here an url -> http) to contact the PKI software. Note: you **must** omit the pkiclient.exe filename at the end which is automagically add by IOS. 
-  * serial-number tell to IOS to include the serial number  
-  * The name of the trustpoint you use **MUST MATCH** exactly the shortname of your CA in ejbca 
-One you have that, use the command :+//[[geeklog:2006:12:28:easyssl|Permanent link and discussions]]//
-<code> 
-# crypto ca authenticate FMSCA 
-</code> 
-to fetch the CA certificate. Then, set the password enrollment with the command :+===== Interview =====
-<code> 
-# crypto ca enroll FMSCA 
-</code> 
-Then, login to EJBCA, and create a new entity profile looks like :+//[[geeklog:2006/12/04:interview|Permanent link and discussions]] //
-{{ios-profile.jpg}} 
-Check your ejbca logs, you shoud see something like :+===== Logicial if solaris =====
-<code> 
-ERROR [PKCS10RequestMessage] No CN in DN: SN=12013150+unstructuredName=saroumane.nanthrax.net 
-ERROR [Log4jLogDevice] October 19, 2005 9:48:33 AM CEST, CAId : 0, CA, EVENT_ERROR_USERAUTHENTICATION, Administrator : PUBLICWEBUSER, IP Address : 192.168.134.1, User : 12013150, Certificate : No Certificate Involved, Comment : Got request for nonexisting user: 12013150 
-</code> 
-So, you know you must add an entity using the serial Number as username, the password you define in IOS, and serialNumber / unstructuredNamed as subject DN fields.+//[[geeklog:2006/10/25:logicial_if_solaris|Permanent link and discussions]] //
-<code> 
-saroumane#sh crypto ca cert 
-Certificate 
-  Status: Available 
-  Certificate Serial Number: 426FA96340F5D2CA 
-  Certificate Usage: General Purpose 
-  Issuer: 
-    c=FR 
-    o=Fimasys 
-    cn=Fimasys Security CA 
-  Subject: 
-    Name: saroumane.nanthrax.net 
-    Serial Number: 12013150 
-    serialNumber=12013150 
-    hostname=saroumane.nanthrax.net 
-  Validity Date: 
-    start date: 08:58:28 CET Oct 19 2005 
-    end  date: 09:08:28 CET Oct 19 2007 
-  Associated Trustpoints: FMSCA 
-CA Certificate +===== Solaris zsh ===== 
- Status: Available + 
- Certificate Serial Number: 7AA2B9942CD0D362 + 
- Certificate Usage: Signature +//[[geeklog:2006/09/07:solaris_zsh|Permanent link and discussions]] // 
-  Issuer+ 
-   c=FR + 
-   o=Fimasys +===== Pkgsrc pgsql ===== 
-   cn=Fimasys Security CA + 
-  Subject: + 
-    c=FR +//[[geeklog:2006/09/06:pkgsrc_pgsql|Permanent link and discussions]] // 
-    o=Fimasys +
-    cn=Fimasys Security CA +
- Validity Date: +
-   start date: 07:29:35 CET Oct 17 2005 +
-   end  date: 07:39:35 CET Oct 15 2015 +
- Associated Trustpoints: FMSCA +
-</code>+
-[[geeklog:comments:20051018|Comments]] 
-====== September, 30th ======= 
-=====About AIX===== 
-Now I have a "good" a SNMP, I want that all my server are SNMP aware, and for all interesting MIB, 
-like HOST-RESOURCES, which allow me to check CPU and memory utilization, etc.. That's why I tried 
-to configure the AIX snmp agent correctly. After spent few minutes to read snmpd.conf and mib.defs,  
-I was able to query the host-resources MIB OID (take a look in [[docs:aix]]). **But**, there is //funny// 
-bug in the AIX version I use for my server, just look : 
-<code> 
-% snmpwalk -v1 -c public 192.168.1.48 .1.3.6.1.2.1.25.3.3.1.2 
-HOST-RESOURCES-MIB::hrProcessorLoad.1 = INTEGER: -2147483648 
-HOST-RESOURCES-MIB::hrProcessorLoad.2 = INTEGER: -2147483648 
-</code> 
-Very funny, isn't it ? Funny, but annoying too. So, I look for why I had such values : it's a bug. 
-Well, I really can't understand why such things like snmp can be bugged. Seem we are only few 
-system administrator who use SNMP... Anyway, it's a good way to learn more about AIX (I'm a noob 
-with this OS), specially about patch management. 
-[[geeklog:comments:20050930]] 
-====== September, 28th ======= 
-=====Cisco and multicast===== 
-Since I create few VLAN at work, the servers and (NOC) workstations are no longer in the same  
-IP subnet (I don't even understand how the previous sys/net admin can leave servers 
-and workstations in the same LAN). So, a java admin ask me why he can't setup a weblogic 
-cluster with one node in our LAN (the NOC one), and one node in the LAN server. I just told him 
-"hold on few mintes". Well, ok, few hours after, it still doesn't working... But It's now ok, 
-I use the following config : 
-<code> 
-! 
-interface Vlan1 
- ip address 192.168.1.4 255.255.255.0 
- ip pim dense-mode 
- ip igmp join-group 232.168.34.65 
- ip igmp join-group 237.0.0.9 
- ntp multicast key 1 
-end 
-! 
-interface Vlan34 
- ip address 192.168.34.1 255.255.255.0 
- ip helper-address 192.168.1.6 
- ip pim dense-mode 
- ip igmp join-group 232.168.34.65 
- ip igmp join-group 237.0.0.9 
- ntp multicast key 1 
-end 
-! 
-ip multicasting-routing 
-! 
-</code> 
-But **the more important point is the TTL** which is set by the multicast application. IT **MUST BE GREATER** 
-than one (1) if you want forwarding multicast. 
-Example : 
-<code> 
-% sudo udp-sender  --file docs/CompilingBinaryFilesUsingACompiler.pdf --mcast-all-addr 232.168.34.65 --ttl 64 
-Udp-sender 2004-05-31 
-Using mcast address 232.168.34.65 
-UDP sender for docs/CompilingBinaryFilesUsingACompiler.pdf at 192.168.34.65 on eth0 
-Broadcasting control to 232.168.34.65 
-New connection from 192.168.1.50  (#0) 00000019 
-Ready. Press any key to start sending data. 
-Starting transfer: 00000019 
-bytes=        67 278 re-xmits=000000 (  0.0%) slice=0202          67 278 -  0 
-Transfer complete. 
-Disconnecting #0 (192.168.1.50) 
-</code> 
-<code> 
-% sudo udp-receiver --ttl 64 --mcast-all-addr 232.168.34.65 --file /tmp/output 
-Udp-receiver 2004-05-31 
-UDP receiver for /tmp/output at 192.168.1.50 on eth0 
-received message, cap=00000019 
-Connected as #0 to 192.168.34.65 
-Listening to multicast on 232.168.34.65 
-Press any key to start receiving data! 
-Sending go signal 1 Success 0 
-bytes=        67 278  (  1.05 Mbps)        67 278 
-Transfer complete. 
-</code> 
-As you can notice, I use udp-receiver / udp-sender - available [[http://alain.knaff.lu/udpcast/|here]], or maybe with your distrib (Debian  
-include it) - to test the multicast. 
-I just wondering why it doesn't work if the Cisco is not a member of the group, I probably need to check docs again and again. 
-===== OpenLDAP ===== 
-Well, by mischance, I need to use OpenLDAP.. So I begin to put all my notes about this 
-(crappy) software. Their will available [[docs:ldap:openldap|here]]. 
-[[geeklog:comments:20050928|Comments]] 
-====== September, 19th ======= 
-=====Small useful applications====== 
-  * [[http://freshmeat.net/redir/brack/55828/url_homepage/programs|Brack]] is a small php application which help to manage rack, it have interesting features (like a Service tag field for Dell hardware), and can be easily hack. 
-  * [[http://www.redferni.uklinux.net/dia/|Colour Cisco's shapes for Dia]] (I don't understand why this package is not include in the upstream) 
-Here a little patch to Brack's CSS to ensure all racks have the same size : (replace td.space with the following one) 
-<code> 
-td.space { 
-  font-size: small; 
-  font-family: sans-serif; 
-  padding: 0 5px; 
-  background-color: white; 
-  border-style: solid none none none; border-width: thin 
-} 
-</code> 
-(Very thanks to Cesar for his help) 
-[[geeklog:comments:20050919|Comments]]