Wednesday 15 July 2015

Compile 32-bit OpenSSL on a 64-bit system

I had to compile a 32-bit version of OpenSSL on a 64-bit server today. It took me a while to figure out, but you simply have to use the Configure script with a 32-bit target and -m32 when building 32-bit on a 64-bit host. Example:

./Configure no-zlib no-krb5 enable-tlsext shared -m32 linux-generic32 --prefix=/home/peter/32bitopenssl-install

Converting .p12 file to a pem

In some cases you want to convert p12 certificate files (PingFederate uses p12 files, for example) to PEM files instead. This is easily done with openssl commands:

Certificate conversion:
$ openssl pkcs12 -in certificateandkey.p12 -out server.crt -clcerts -nokeys -passin pass:YourSecretPassword
MAC verified OK

Key conversion (-nodes writes the private key unencrypted, so keep the output file readable only by its owner):
$ openssl pkcs12 -in certificateandkey.p12 -out server.key -nocerts -nodes -passin pass:YourSecretPassword
MAC verified OK

Done!
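As an added example (not from the post), a small Python wrapper around the same two openssl commands that also verifies the extracted key really belongs to the extracted certificate and keeps the key file private. It assumes an openssl binary on PATH and passes the passphrase on stdin instead of pass:..., so it does not show up in the process list or shell history; demo() builds a throwaway self-signed bundle as constructed test data.

```python
import os
import subprocess
import tempfile


def _run(args, stdin=None):
    """Run an openssl subcommand; raise on failure, return its stdout."""
    return subprocess.run(["openssl", *args], input=stdin, check=True,
                          capture_output=True).stdout


def p12_to_pem(p12_path, password, out_dir):
    """Split a PKCS#12 bundle into server.crt and server.key (the post's two
    commands), then check that the two halves belong together."""
    crt = os.path.join(out_dir, "server.crt")
    key = os.path.join(out_dir, "server.key")
    # Passphrase goes in on stdin (-passin stdin) rather than pass:...
    base = ["pkcs12", "-in", p12_path, "-passin", "stdin"]
    secret = (password + "\n").encode()
    old_umask = os.umask(0o077)  # files are created owner-readable only
    try:
        _run(base + ["-clcerts", "-nokeys", "-out", crt], secret)
        _run(base + ["-nocerts", "-nodes", "-out", key], secret)
    finally:
        os.umask(old_umask)
    # Pairing check: the public key read from the cert must equal the one
    # derived from the private key; a mismatch means the wrong bundle/entry.
    cert_pub = _run(["x509", "-in", crt, "-noout", "-pubkey"])
    key_pub = _run(["pkey", "-in", key, "-pubout"])
    if cert_pub != key_pub:
        raise ValueError("server.key does not match server.crt")
    return crt, key


def demo():
    """Build a throwaway self-signed bundle (constructed test data), convert
    it, and report whether the result passed the pairing and mode checks."""
    with tempfile.TemporaryDirectory() as d:
        c, k, p12 = (os.path.join(d, n) for n in ("c.pem", "k.pem", "t.p12"))
        _run(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", k,
              "-out", c, "-subj", "/CN=demo", "-days", "1"])
        _run(["pkcs12", "-export", "-in", c, "-inkey", k, "-out", p12,
              "-passout", "pass:YourSecretPassword"])
        crt, key = p12_to_pem(p12, "YourSecretPassword", d)
        private = (os.stat(key).st_mode & 0o077) == 0
        return os.path.exists(crt) and private


if __name__ == "__main__":
    print("conversion ok:", demo())
```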

Tuesday 14 July 2015

OpenSSL: recompile with -fPIC

Today I got the following error when compiling OpenSSL 1.0.2d:

/usr/bin/ld: libcrypto.a(x86_64-gcc.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC

I simply solved this by configuring OpenSSL this way:

./config -fPIC shared no-zlib no-krb5 no-mdc2 enable-tlsext --prefix=/usr/local/openssl-1.0.2d

However, it is important to run make clean before building again, otherwise the old non-PIC object files are reused and the error stays.

Disable Secure Client-Initiated Renegotiation in PingAccess

If you run PingAccess you may have noticed, when scanning the system with the SSL Labs scanner, that it supports Secure Client-Initiated Renegotiation. That is not good from a security point of view, since it lets any client make the server repeat costly handshakes at will.

So how do you disable it? Since PingAccess is a Java application, it relies on the JVM to disable it. The easiest way is to add the jdk.tls.rejectClientInitiatedRenegotiation system property to the Java command line in run.sh or run.bat:

"$JAVA" -classpath "$CLASSPATH" $JAVA_OPTS \
        -Djavax.net.ssl.sessionCacheSize=5000 \
        -Djava.net.preferIPv4Addresses=true \
        -Djava.net.preferIPv4Stack=true \
        -Djava.net.preferIPv6Addresses=false \
        -Djava.awt.headless=true \
        -Djdk.tls.rejectClientInitiatedRenegotiation=true \
        -Dpa.jwk="$pajwk" \
        -Dblitz4j.configuration="$BLITZ_PROPS" \
        -Drun.properties="$runprops" \
        -Dbootstrap.properties="$bootprops" \
        -Dpa.home="$PA_HOME" \
                com.pingidentity.pa.cli.Starter "$@"

By adding that one jdk.tls.rejectClientInitiatedRenegotiation line you have disabled Secure Client-Initiated Renegotiation in PingAccess. Rescan with SSL Labs afterwards to confirm it is reported as disabled.

OGNL script in PingFederate for allowing different OAuth scopes depending on group membership

When configuring OAuth 2.0 in PingFederate you can, through issuance criteria, require that a user is a member of an LDAP group before an OAuth 2.0 token is issued. But in some cases you have a mobile application with several scopes, and you do not want to grant every scope to every user in one group. So here is a little OGNL sample on how to grant different scopes depending on group membership in LDAP.

#this.get("context.OAuthScopes").toString().matches("(?i).*scope1.*")?#this.get("ds.LDAPSTORE.memberOf").toString().matches("(?i).*CN=scope1group,OU=groups,O=ldap.*")?@java.lang.Boolean@TRUE:@java.lang.Boolean@FALSE:#this.get("context.OAuthScopes").toString().matches("(?i).*scope2.*")?#this.get("ds.LDAPSTORE.memberOf").toString().matches("(?i).*CN=scope2group,OU=groups,O=ldap.*")?@java.lang.Boolean@TRUE:@java.lang.Boolean@FALSE:@java.lang.Boolean@FALSE

The expression is a chain of nested ternaries: if the requested scopes mention scope1, the user must be a member of scope1group; otherwise, if they mention scope2, the user must be a member of scope2group; anything else evaluates to FALSE and no token is issued. Note that Java's String.matches() must match the whole string, so each pattern needs .* on both sides of the scope name.

Hopefully this is useful for someone out there!
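A Python walk-through of the same check, added here and not part of the post or of PingFederate: java_matches reproduces Java's whole-string matches() semantics (re.fullmatch) so you can see what a pattern like (?i).*scope1* accepts compared with (?i).*scope1.*, and scopes_allowed is a stricter version that goes beyond the post's first-match chain by requiring every requested scope to be backed by a group membership and by comparing scopes as whole tokens. SCOPE_TO_GROUP is constructed to mirror the post's scope1group/scope2group DNs.

```python
import re

# Scope -> LDAP group that must appear in the user's memberOf attribute
# (constructed values mirroring the post's scope1group / scope2group).
SCOPE_TO_GROUP = {
    "scope1": "CN=scope1group,OU=groups,O=ldap",
    "scope2": "CN=scope2group,OU=groups,O=ldap",
}


def java_matches(pattern, text):
    """Java's String.matches() requires the whole string to match; Python's
    re.fullmatch is the equivalent, so the post's patterns behave the same.
    Note that '.*scope1*' means 'scope' followed by zero or more '1' at the
    very end of the string, which is why '.*scope1.*' is the intended form."""
    return re.fullmatch(pattern, text) is not None


def scopes_allowed(requested_scopes, member_of):
    """Grant only if EVERY requested scope maps to a group the user holds.
    Scopes are compared as whole tokens (so 'scope10' is not 'scope1'), and
    an unknown scope fails closed rather than falling through to a default."""
    groups = {dn.lower() for dn in member_of}
    for scope in requested_scopes:
        required = SCOPE_TO_GROUP.get(scope.lower())
        if required is None or required.lower() not in groups:
            return False
    return True


if __name__ == "__main__":
    print(java_matches(r"(?i).*scope1*", "scope1 scope2"))   # False: no trailing .*
    print(java_matches(r"(?i).*scope1.*", "scope1 scope2"))  # True
    print(scopes_allowed(["scope1", "scope2"],
                         ["CN=scope1group,OU=groups,O=ldap"]))  # False: scope2 not backed
```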

Monday 13 July 2015

Getting D-Link DWA-525 RT5360 working in Ubuntu 14.04, 14.10 and 15.04

I have been struggling for a while to get my D-Link DWA-525 (RT5360 chipset) working.

After quite a bit of investigation I found many links to a Ralink website where you are supposed to be able to download and compile the driver. However, that driver can no longer be downloaded from the site. Thankfully the device is now supported in Ubuntu by the rt2800pci module.

However, none of Ubuntu 14.04, 14.10 or 15.04 brought the wireless network up after installation.

So I had to do the following. I have been running this setup for a couple of days and I find it stable.

iwconfig wlan0 power off

modprobe rt2800pci

wpa_passphrase wirelessnetwork password >> /etc/wpa_supplicant.conf

After that I edited the file and added some lines. Note that wpa_passphrase also writes your plaintext passphrase into the file as a #psk="..." comment line; remove it, and keep the file readable only by root, since the hex psk alone is enough to join the network:

vi /etc/wpa_supplicant.conf

ctrl_interface=/var/run/wpa_supplicant

network={
        ssid="wirelessnetwork"
        scan_ssid=1
        proto=RSN
        key_mgmt=WPA-PSK
        pairwise=CCMP
        group=CCMP
        psk=a37cd5be4e6d5215d467d08e6bc08b6d179195ec973e8f23c8bbbfa000f8b768
}

wpa_supplicant -i wlan0 -c/etc/wpa_supplicant.conf -B

dhclient wlan0

ifconfig wlan0

wlan0     Link encap:Ethernet  HWaddr c8:be:19:14:70:25
          inet addr:192.168.1.187  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::cabe:19ff:fe04:7025/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3434 errors:0 dropped:32 overruns:0 frame:0
          TX packets:4544 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7621658097 (0.1 GB)  TX bytes:1280056191 (0.1 GB)
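As an added example (not from the post), here is what the psk= line above actually is: wpa_passphrase derives it with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output. The code below reproduces that derivation and renders the same network={...} stanza the post uses, without the plaintext #psk comment; the test vector (SSID "IEEE", passphrase "password") is the one from the IEEE 802.11 standard's annex.

```python
import hashlib


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA2-PSK exactly as wpa_passphrase does: PBKDF2-HMAC-SHA1,
    SSID as salt, 4096 iterations, 32-byte output, returned as hex. This is
    the value that ends up in the psk= line of wpa_supplicant.conf."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return psk.hex()


def network_block(ssid: str, passphrase: str) -> str:
    """Render the network={...} stanza from the post with the derived PSK.
    Unlike wpa_passphrase it never writes the plaintext passphrase into the
    output; the hex PSK itself is still a secret, so the file needs to stay
    readable by root only."""
    lines = [
        "network={",
        f'\tssid="{ssid}"',
        "\tscan_ssid=1",
        "\tproto=RSN",
        "\tkey_mgmt=WPA-PSK",
        "\tpairwise=CCMP",
        "\tgroup=CCMP",
        f"\tpsk={wpa_psk(ssid, passphrase)}",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, same as the placeholders used in the post.
    print(network_block("wirelessnetwork", "password"), end="")
```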

Thursday 9 July 2015

Connect to an SSL-protected site with openssl using TLS

Since many sites have started disabling SSLv3, many people now get this error when connecting to them with openssl:

# openssl s_client -connect www.example.com:443
CONNECTED(00000003)
25370:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

This is easily solved by telling openssl to use TLS explicitly instead:

# openssl s_client -connect www.example.com:443 -tls1

Note that -tls1 pins the connection to TLS 1.0 only; on OpenSSL 1.0.1 or later you can use -tls1_2 in the same way to test TLS 1.2.