OS X Server Security Update 2010-001 and Apache client authentication

So, it seems that Apple have disabled SSL renegotiation (CVE-2009-3555) in the latest security update, because of the man-in-the-middle vulnerability in the renegotiation handshake. All well and good.

Client authentication with Apache relies on renegotiating the connection (the secure connection is first established with the server presenting its certificate, and is then renegotiated so that the client can present its client certificate) – which is now broken. My virtual host error logs were filling up with all sorts of completely useless and uninformative errors, such as:

[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Connection to child 1 established (server <server-address>:443)
[Mon Jan 25 16:01:57 2010] [info] Seeding PRNG with 144 bytes of entropy
[Mon Jan 25 16:01:57 2010] [info] Initial (No.1) HTTPS request received for child 1 (server <server-address>:443)
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Requesting connection re-negotiation
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Awaiting re-negotiation handshake
[Mon Jan 25 16:01:57 2010] [error] [client <ip-address>] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Requesting connection re-negotiation
[Mon Jan 25 16:01:57 2010] [error] [client <ip-address>] Re-negotiation request failed

...and so on. The messages make it look like a problem at the client end – but it’s actually the server end that is refusing to renegotiate. The fix? Er... there isn’t one as yet. I’ll update this post if I work out how to fix it.
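To pick this failure pattern out of a busy error_log, here is a small parser (added example, not from the post) that counts, per client address, how many times mod_ssl asked for renegotiation and how many of those attempts ended in a renegotiation error. The log sample inside it is constructed from the lines quoted above, with made-up RFC 5737 addresses standing in for the post's placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the mod_ssl lines quoted in the post; the post's
# <ip-address>/<server-address> placeholders are replaced with RFC 5737 test addresses.
SAMPLE_LOG = """\
[Mon Jan 25 16:01:57 2010] [info] [client 192.0.2.10] Connection to child 1 established (server 198.51.100.5:443)
[Mon Jan 25 16:01:57 2010] [info] Seeding PRNG with 144 bytes of entropy
[Mon Jan 25 16:01:57 2010] [info] Initial (No.1) HTTPS request received for child 1 (server 198.51.100.5:443)
[Mon Jan 25 16:01:57 2010] [info] [client 192.0.2.10] Requesting connection re-negotiation
[Mon Jan 25 16:01:57 2010] [info] [client 192.0.2.10] Awaiting re-negotiation handshake
[Mon Jan 25 16:01:57 2010] [error] [client 192.0.2.10] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jan 25 16:01:57 2010] [info] [client 192.0.2.10] Requesting connection re-negotiation
[Mon Jan 25 16:01:57 2010] [error] [client 192.0.2.10] Re-negotiation request failed
[Mon Jan 25 16:02:03 2010] [info] [client 192.0.2.20] Requesting connection re-negotiation
[Mon Jan 25 16:02:03 2010] [info] [client 192.0.2.20] Awaiting re-negotiation handshake
"""

# Apache 2.2 error_log layout: [timestamp] [level] [client addr] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

def parse_line(line):
    """Split one error_log line into ts/level/client/msg; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def renegotiation_stats(log_text):
    """Per client: renegotiation requests (the client-cert prompt) vs. renegotiation errors."""
    stats = defaultdict(lambda: {"requests": 0, "failures": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["client"] is None:
            continue  # PRNG seeding and similar lines carry no client address
        if rec["msg"].startswith("Requesting connection re-negotiation"):
            stats[rec["client"]]["requests"] += 1
        elif rec["level"] == "error" and rec["msg"].startswith("Re-negotiation"):
            stats[rec["client"]]["failures"] += 1
    return dict(stats)

def clients_failing_client_auth(log_text):
    """Clients whose every renegotiation attempt errored out. 'Not accepted by client!?'
    blames the client, but when all clients fail this way the server is the side refusing."""
    stats = renegotiation_stats(log_text)
    return sorted(c for c, s in stats.items()
                  if s["requests"] and s["failures"] >= s["requests"])
```

Feed it the real error_log (at LogLevel info, so the "Requesting connection re-negotiation" lines are present) and a non-empty result from clients_failing_client_auth is the symptom described in this post rather than a certificate problem on any one client.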

:(

- zac.

January 25, 2010 • Posted in: General • No Comments

Birthday drink

Another weekend, another party to bartend at! :)

This time around I had some fruit to work with – raspberries and blueberries. I didn’t touch the blueberries, but after a shaky start I’ve got the rough workings of a very tasty raspberry and orange drink:

Blend the vodka, Cointreau, raspberries and ice until smooth. Half fill a tulip glass, then top with orange juice and a little lemonade and garnish with a twist of orange rind.

It’s not a complete drink yet – my measurements were rough and the flavour is missing some of the tartness I was aiming for. Maybe needs some lemon juice? A project for another weekend! :D

- zac.

October 4, 2009 • Posted in: General • One Comment

Travel ahoy!

All flights for my November/December trip are finally locked and loaded. It goes something like..:

MEL-SYD-LAX//ONT-DFW-MIA-MEX-HAV-CUN-MEX-LHR-AMS-LCY-ZRH-LHR-MXP-LHR-AMS-LHR-MEX-MIA-DFW-ONT//LAX-SFO-SEA-SFO-LAX-SYD-MEL

I also really wanted to head to northern England and across to Ireland, but it wasn’t to be. Something for the next trip! :D

- zac.

September 30, 2009 • Posted in: General • No Comments

Wedding drinks

Was just over in Perth playing bartender at a wedding party – the hosts provided serious amounts of booze for me to cocktail it up with. I had every intention of following recipes, but that never lasts. Two new drinks – no names for them, not incredibly original flavour combinations but both proved really popular:

Muddle the tequila, Frangelico, sugar syrup and lime in a rocks glass. The idea is to balance the bite of the tequila and the zest of the lime against the sweetness of the Frangelico and sugar syrup – too much sugar syrup will wreck the drink, so don’t overdo it.

Top with crushed ice, add soda water to taste, stir and decorate with something floral if so inclined.

Coat the inside of a highball glass with syrup, top with crushed ice. Build vodka, cointreau and soda water. More for the sweet tooths – I like it with a little more vodka and a little less Cointreau. Might also be nice with a little grenadine syrup if you want something more colourful.

- zac.

September 28, 2009 • Posted in: General • No Comments

Ancient history

The final bit of my original computer system that I bought in 1998 finally gave up the ghost yesterday – my Altec Lansing ACS54 4.1 surround (!) speaker system.

The right channel in the amp stopped working properly a little while ago, but I couldn’t bring myself to part with it. When it stopped working altogether, it really had to go. I’m actually a bit amazed it lasted as long as it did!

I’ve replaced it with a set of Logitech X-210 speakers. Cheaper, more likely to break sooner – but it’s awesome being able to listen to music properly again. Vive la technology!

- zac.

September 14, 2009 • Posted in: General • No Comments

Guava Mojito

A tasty tasty recipe:

Muddle most of the mint and all of the lime, caster sugar and guava nectar in a highball glass – take care not to pulverise the mint completely (floaty bits of mint in the drink = not so good).

Top up with crushed ice and heaps of white rum, stir with a bar spoon and garnish with the remaining mint.

Enjoy! :)

- zac.

September 13, 2009 • Posted in: General • 2 Comments

Mac OS X and eToken PKI Client

I’ve also managed to get the Mac drivers for another of the common USB crypto tokens, this time from Aladdin Systems (who are now owned by SafeNet, but that’s neither here nor there).

Installation is about the same, however having a “proper” graphical token management utility (eToken Properties) is much, much nicer than having to use a command line based utility. The installer logs you out after it’s done its thing, however it took a full reboot before the token was recognised.

I didn’t have the doco handy, so I don’t know if it goes into detail on how to configure Firefox to use the token; but the process is basically the same as for the SafeNet iKey — go into the Firefox preferences, Advanced > Encryption > Security Devices > Load, give the module a name (like “eToken PKI” maybe) and point to the following file location:

/Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib

Restart Firefox just to be sure, but everything should just work. Attempting to use Keychain Access to manage the token is just as pointless an activity as with the iKey token, though at least the Keychain Access app doesn’t crash. In any case, it’s easy enough to use the token management tool to import and delete certificates – that is, unless you’re trying to import CA certificates onto the token, because the only format it can cope with importing is PKCS12 (which is absurd, because the Windows version of the same utility has no problems importing CA certificates). If the PKCS12 file has CA certificates, they do get imported properly.

Key generation is a bit faster than with the iKey token — though whether that is due to better hardware/drivers, I don’t know.

What will be very interesting to see is whether these drivers (and the iKey drivers) work at all with Mac OS X Snow Leopard. I’m guessing they will (at least, with Firefox) – but I’m still waiting on my copy of Snow Leopard to show up, so it’s a bit of a mystery to me for now.

- zac.

August 29, 2009 • Posted in: General • 7 Comments

Mac OS X and SafeNet iKey tokens

I finally managed to get my hands on the SafeNet iKey token drivers for Mac OS X. For reasons I still don’t entirely understand, SafeNet have seen fit to make the Windows drivers freely available – but the Mac drivers need $$ spent and CDs shipped from the United States.

The driver CDs that I ordered finally made their way to my desk today – was entertained by the amount of packaging they deemed necessary; 5 CDs came in individual envelopes inside a box that could have easily held 100 CDs! Not very environmentally friendly.

Installing the drivers is simple enough, but configuring Firefox is a little more complicated (you have to configure the PKCS11 security device in the advanced preferences by hand). Instruction manual reading required.

First attempt to get things going (on an ancient Graphite Power Mac G4) was filled with fail; the token utility program couldn’t see the token I was trying to use. I suspect the problem was more related to dodgy USB ports than anything else, but no way to test properly. Second installation attempt on my MacBook Core Duo worked properly – token was now recognised, but I couldn’t do anything with it. Pro tip #1: use a token that isn’t damaged.

Once configured, the token needs to be removed and reinserted before Keychain Access can see it and interact with it. Pro tip #2: don’t expect much from Keychain Access. You can’t import PKCS12 files to the token and it crashes if you look at it the wrong way. :( Use Firefox instead.

Once configured, Firefox handles certificate imports quite nicely – and enrolling/installing certificates using our regular enrollment pages works properly as well (although key generation takes a very long time indeed). During enrollment, you’re first prompted to choose a security level (key size) and then the security device, which will allow you to select the token for key storage (the token label is what appears in the dropdown). During certificate installation, Firefox automagically works out where the certificate should live and asks for the token password if needed.

The one annoyance is that any CA certificates are copied to the browser store and not the token store; Firefox won’t have it any other way. There doesn’t appear to be any method of moving CA certificates to the token on a Mac, whether by using Firefox or the included token utility.

Exciting stuff.

- zac.

August 18, 2009 • Posted in: General • 6 Comments

Exporting certificates from a Java keystore

Busy day at work filled with a number of disappointments, however one thing which made my day – I found that there is a patently easy way to convert JKS keystores to PKCS12 certificate bundles (and vice versa). It’s a keytool command that was introduced with JDK 6:

Convert JKS to P12
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12

Convert P12 to JKS
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

Mucho gratitude to tomas at EJBCA for blogging about this last year... I’m just annoyed at myself for not having found the post earlier.

- zac.

July 6, 2009 • Posted in: General • No Comments

Christchurch

Some trip notes that are a few weeks late now:

- zac.

July 6, 2009 • Posted in: General • 2 Comments