Category: Computers

Everything that has to do with, guess what, computers. :-)

Categories
Security

Enabling Forward Secrecy in Apache

I tried to follow the instructions given in this article by Ivan Ristic, but somehow it seems not to be working, or the test at https://www.ssllabs.com/ssltest/ might be broken… 🙁

Unfortunately I can’t seem to comment on Ivan’s article (I even registered just to reply), so I created this blog post, hoping that my trackback will work…

This is what I have in Apache:

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

According to the output of openssl ciphers this should enable the following cipher suites (filtered by only those that contain ECDHE):

ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1

As far as I can tell this should include the below cipher suites which supposedly enable forward secrecy:

    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Unfortunately the above SSL test shows the following when running towards my Apache:

Forward Secrecy 	No

Does anyone know what that means? Is the test just broken, or am I misunderstanding anything?

Categories
Debian

Debian 6.0 to 7.0 upgrade issues…

I upgraded from Debian 6.0 (Squeeze) to Debian 7.0 (Wheezy) today. In general the upgrade was relatively painless, but as always some things went worse than they could… 🙁

My local Subversion repository is using a Berkeley DB, and the underlying BDB version went up from 4.8 to 5.1. In consequence I got an error when I wanted to check in a changed config file:

svn: DB_VERSION_MISMATCH: Database environment version mismatch
svn: bdb: Program version 5.1 doesn't match environment version 4.8

I remember that this has already been an issue with the last major Debian upgrade… Did I miss something in the release notes or package doc, or did the Debian folks miss this one?!

Anyway, here’s how to repair the above (based on instructions found here). Install packages db4.8-util and db5.1-util and execute the following commands:

# cd /path/to/repo
# db4.8_checkpoint -1
# db4.8_recover
# db4.8_archive
log.0000000024
# svnlook youngest ..
746
# db5.1_archive -d

Afterwards you can remove the two packages again.

Next thing I noticed

Continue reading “Debian 6.0 to 7.0 upgrade issues…”
Categories
Ubuntu

Issues in Ubuntu 13.04 after machine froze…

I recently upgraded from Ubuntu 12.10 to 13.04, and everything seemed to be extremely smooth and painless.

However, a day or two later I suddenly noticed that the fan of my Ubuntu laptop (a Dell Latitude D630) was blowing like hell — the machine had stalled, I couldn’t wake up the desktop again, the screen remained black… I think the hang occurred after I had installed the first updates after upgrading to 13.04… Anyway, I had to hard-reboot the box… And this is when the trouble started… 🙁

Dunno what exactly happened, but the first thing I noticed was boot issues, something like “Cannot mount /boot; ext2: no such filesystem” or something close to that. And indeed the kernel in Ubuntu 13.04 seems to lack support for that admittedly ancient filesystem (cat /proc/filesystems). I fixed that by creating a journal on my /boot filesystem as follows (obviously if you have similar issues, you need to substitute your actual UUID in the command below), thereby migrating the filesystem to ext3:

sudo tune2fs -j UUID=b8ad9dbd-a514-46c8-86af-d2a9cafe3d0c

I also had to update /etc/fstab accordingly, of course:

UUID=b8ad9dbd-a514-46c8-86af-d2a9cafe3d0c /boot           ext3    defaults        0       2

Next thing I noticed that a couple of devices suddenly didn’t work: The touchpad, the touchpoint, my WiFi interface, etc. I quickly found out that obviously the modules required to support the devices weren’t loaded, and it was due to missing/broken modules dependencies. The following file which keeps those dependencies

/lib/modules/3.8.0-19-generic/modules.dep.bin

was truncated (size of 0 bytes).

So I removed it and recreated it by

sudo depmod -a

After I rebooted everything seemed to be fine again.

I hope that this concludes my negative experiences with 13.04, and that the laptop will runs as rock solid again as it used to be under 12.10.

Categories
Networking

OpenWRT on the TP-Link TL-WDR3500

I got myself a TP-Link TL-WDR3500 since it boasts great hardware (see below for detailed info), and at the same time is supported by OpenWRT which I easily found out by searching in the OpenWRT forums.

Here’s the direct link to the firmware image (current “unstable” or “bleeding edge” OpenWRT release “Barrier Breaker” — i. e. not current stable one, which is Attitude Adjustment — build r36486) which you can use to upgrade a device with the factory firmware still installed. (Update: The link refers to the “trunk”, i. e. the development branch, where daily builds are available.)

Installing OpenWRT using the stock firmware’s “Firmware Upgrade” function worked smoothly. Less than 5 mins. after I started the upgrade I had OpenWRT running (thanks, folks!).

Continue reading “OpenWRT on the TP-Link TL-WDR3500”
Categories
Networking Routers

OpenWRT and DNS UPDATE

I’m hosting my domain myself on a dedicated root server, and I wanted my Internet router to automatically update a hostname in my own domain (in a designated dynamic zone) with my current public IP. With OpenWRT this was easily accomplished. I used these instructions as a starting point.

When trying to check whether everything was set up correctly I always got some strange error from the following command:

# ACTION=update INTERFACE=wan /sbin/hotplug-call iface

It turned out that the following statement

config_get ipaddr wan ipaddr

did not return the currently assigned IP address in my case, but just an empty response, so I got the following error message:

could not read rdata
syntax error

(For testing I hooked a spare router with a fresh OpenWRT install with the WAN port into my LAN, and configured the WAN interface to receive its IP address via DHCP from out of the LAN. In “production” the WAN interface receives its IP via PPPoE.)

Some friendly guy in the OpenWRT forum suggested I try the following instead:

. /lib/functions/network.sh
network_get_ipaddr ipaddr wan

And indeed this worked well.

Categories
Security

PayPal-Sicherheitsschlüssel

Gestern wollte ich während eines Bestellvorgangs mit PayPal bezahlen als ich feststellte, dass mein PayPay-Sicherheitsschlüssel nicht mehr funktionierte. Egal wie oft ich den Knopf zur Anzeige eines Sicherheitscodes drückte, das Display blieb ohne Funktion, das Gerät war wie “tot”.

Es handelt sich bei meinem Modell noch um den ursprünglichen Schlüssel (und nicht den neuen im Kreditkartenformat), der eine gewisse Ähnlichkeit mit den ersten RSA SecurID-Tokens hat:

Das Teil war jetzt über sechs Jahre alt, daher ging ich davon aus, dass schlicht und einfach die Batterie leer war. Da ich nicht riskieren wollte dass mein Bestellvorgang wegen Inaktivität abgebrochen wurde, wollte ich den Schlüssel möglichst schnell “reparieren”.

Continue reading “PayPal-Sicherheitsschlüssel”
Categories
Debian

Solved: WordPress on Debian and media uploads not working

I was struggling with a problem that I couldn’t upload media files to my blog — which I host myself on a Debian box in a multi-site configuration. When I tried to do so I got an error message saying that WordPress couldn’t write to the directory. Actually I had this very problem since 2005 when I started this blog — I never took the time to really investigate it (but used the work-around to refer to static content I manually uploaded to my web-server document directory)… 😉

Now that my wife wanted to start blogging, I finally had a good reason to fix this issue. It took me about an hour, and it was done. What I had to do was just two entries in my admin’s Settings (I might not have set up WordPress cleanly when I started it, so you might not have to manually set this) as follows:

And then I needed one Alias in my Apache configuration to redirect the URL prefix to a directory under my web-server document root:

# "Intercepts" files prefix and redirect to "local" (user's) directory
Alias /blog/files /home/rabe/var/www/bergs.biz/blog/files
# This is the prefix to the root of my blog
Alias /blog /usr/share/wordpress

That’s it! Sometimes things are so easy, and it only takes a short while to fix them… 😉

Categories
Computers Windows

How to add another language to Microsoft Office 2010…

I usually prefer to use English versions of all operating systems and applications I use — simply because the German translations are usually horrible, plus very often updates for English versions become available much earlier (if at all!) than for localized versions.

Now I just bought myself Office 2010 and found that it lacked proofing tools for German — call me naive but I expected that these “common” tools were available in all or at least major languages. Duh! 🙁

So what I did is to download the German office installation package from Microsoft and started SETUP.EXE. To my surprise adding German as a proofing language was simpler than I even thought. After a while Setup properly showed me

  • all the components I had already installed,
  • the language English I had installed, plus
  • German as an optional (UI!) language to install, and
  • in the packages section another German proofing tools package appeared that I could then install.

Maybe the above is obvious to all or most of you, but I thought it’s not exactly that so I’d create a post about it to help people who are in the same situation as I was.

Enjoy!

Categories
Security

Data Privacy issue: Your Android phone might leak your IMEI…

Just played around with a new home router and noticed that my HTC Desire S Android phone sends the following hostname when requesting an IP address with DHCP in a wireless network:

Android_3567080XXXXXXXX

Why is this is a problem? Because the trailing part of that hostname is your IMEI, which is a unique number identifying your device. It’s normally only seen on radio-network level, so can normally be considered “private” (because your operator can’t disclose it to anyone).

The IMEI also contains a component called “TAC” (type allocation code) which identified the exact handset model you have.

So if you regularly visit Internet cafes or the like, these guys know how often and when you are there.

Please let me know whether you consider this a problem or not — I do think it is one.

Categories
Computers Debian Linux Security

Integrate “AVG Anti-Virus Free Edition” into Exim with ExiScan patch

If you would like to integrate “AVG Anti-Virus Free Edition” into Exim, using the ExiScan patch, this is actually quite easy.

Just insert the following fragment into your Exim config:

  # Reject virus infected messages.
  # Add message to implicit X-ACL-Warn: header
  warn  message         = This message contains malware ($malware_name)
        set acl_m0      = cmdline:\
                          /usr/bin/avgscan --arc %s; echo -e \N"\navg_retval $?"\N:\
                          avg_retval 5:\
                          \NVirus identified *(.*)$\N
        malware         = *
        log_message     = This message contains malware (avg:$malware_name)

Let me know if this works for you — I hacked this up quite quickly, but it seems to do its job…