Archive for March, 2009

Back online, part 2

I’ve officially learnt the hard way that backups are really, really important. :(

The hard drive in the server that currently hosts this website died while I was overseas – I was hoping to fsck my way out of trouble, but it wasn’t to be. So, I have spent this evening restoring my website from a combination of a really old backup and a Google cache of the site (!) .. I love Google even more now!

The trip was really good – the highlight was going to Toronto, and going to Napa Valley (wine country) in a limo was pretty awesome as well. :) Also, on the flight back we scored an upgrade to Premium Economy, which is definitely a pleasant way to fly. While we were at the airport in San Francisco, I managed to get in to the BA Terraces first class lounge, where I was able to enjoy quite a bit of the Pommery Brut Royal NV prior to the flight. :D

- zac.

Back online

Domain transfer finally completed. DNS updated and propagated. Unbroke database configuration. Blog back online. :)

- zac.

Travel toys

I decided to get myself something to make the flight on Sunday a little easier; I’ve already got sleeping tablets and QF will be laying on the booze (so all the important boxes are ticked) – but the headphones they hand out in Y suck pretty badly. Solution – I now own a pair of Sennheiser PXC250’s. :)

Initial reaction – packaging was easy to open, instructions are pretty sparse, carry case is nice, adapters are a nice touch, headphone plug is slim enough to plug in to my iPhone without an adapter or extension lead.

The frequency response is pretty flat (quite unlike what I'm used to – currently using pretty bassy Sony earphones), so music sounds a little weird through them at the moment. I walked into a datacentre at work with them on; not perfect but a definitely noticeable difference with the noise-canceling circuitry switched on. Very keen to see how well they work at 39000 feet!

- zac.

Exchange Server 2007 – troubleshooting SSL

Some points to troubleshoot an Exchange Server 2007 SSL configuration. For god knows what reason, Microsoft decided that everything needed to be command line, so it’s pretty easy to get stuck.

Starting point – find what certificates are installed

Run the following cmdlet from the Exchange Shell:

Get-ExchangeCertificate

You should see output similar to:

Thumbprint                Services Subject
----------                -------- -------
1B5667CCB803BC4AD13E7E51A .IP.W    CN=mail.example.com....
103F3F32814A48D2416ECC5DB S....    CN=exch-07
43C6A1548782A25ABA425B471 ....W    CN=exch-07.example....

The Thumbprint is the identifier used in other cmdlets when referring to a specific certificate. The Services column shows what the certificate is enabled for, one position per service in the order S I P U W; a letter means the certificate is enabled for that service, a dot means it is not:

Letter Service
S SMTP – TLS on the Hub/Edge Transport connectors, for both inbound and outbound mail
I IMAP – client mailbox access over SSL/TLS
P POP3 – client mailbox access over SSL/TLS
U Unified Messaging – voicemail/telephony integration; nothing to do with Outlook Anywhere, which rides on IIS
W IIS – everything served over HTTPS: Outlook Web Access, Outlook Anywhere, ActiveSync, Exchange Web Services and Autodiscover

You can also get more detailed information about a specific certificate (validity dates, whether Exchange has the private key, whether it is self-signed, and the CertificateDomains it covers) with the following command:
Get-ExchangeCertificate -Thumbprint [thumbprint] | Format-List

Things to check: are the certificates enabled for the right services? Are there double-ups, i.e. more than one certificate enabled for the same service (as with S and W in the example above)? Is the right certificate installed at all? Has it expired, or is it not yet valid? Does the DN (or the CertificateDomains list) have incorrect or misspelt names, or is it missing a name that clients actually connect to? Etc..

Handy commands -

Turn a specific service on (Outlook Web Access in this example):
Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services IIS

Disable a certificate (unbind it from every service):
Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services None
Since the binding is per service, the cleaner way to stop a certificate being used is to enable its replacement for the service in question, then remove the old one once nothing references it.

Remove a certificate:
WARNING this command does what it says on the tin – there is no undo!
Remove-ExchangeCertificate -Thumbprint [thumbprint]

Aside from using the above to fix obvious problems, the Event Viewer (Application log) contains very useful error codes and explanatory messages in well-formed English (which is just about a first for any Microsoft product, I think). Those plus Google will provide fixes for most problems.

One thing I've seen once or twice is a certificate that the customer swears black-and-blue has been installed, yet it doesn't show up in the Get-ExchangeCertificate output; look in the Certificates snap-in in MMC and it is sitting there in the computer's Personal store. What has happened is that the request was generated in Exchange (New-ExchangeCertificate -GenerateRequest), which leaves the private key waiting in the store, but the CA's response was imported through MMC rather than through Exchange. The public certificate was never paired with that private key, and a certificate without a private key is no use to Exchange, so it is not offered. Delete the orphaned certificate from MMC and import the CA's response with Import-ExchangeCertificate -Path instead, which completes the pending request and joins the two halves; then enable it for the services it is meant for with Enable-ExchangeCertificate.
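An added example, not code from the original post, that works through the checklist above from the Exchange Management Shell: it walks the Get-ExchangeCertificate output and flags certificates that are expired, close to expiry or not yet valid, ones with no private key (the MMC-import problem), the setup-time self-signed certificate still bound to a service, an IIS certificate that does not cover the names clients use, and any service enabled on more than one certificate. $RequiredNames and $WarnDays are assumed values, and the property names used (CertificateDomains, HasPrivateKey, IsSelfSigned, NotAfter, NotBefore, Services) are the ones Get-ExchangeCertificate | Format-List shows on an Exchange 2007 SP1 server.

```powershell
# Added example, not part of the original post: audit the certificates Exchange knows about
# for the problems listed above. Run in the Exchange Management Shell on the server itself.
# $RequiredNames and $WarnDays are assumptions; adjust them to the environment.

$RequiredNames = @('mail.example.com', 'autodiscover.example.com')  # assumed client-facing names
$WarnDays      = 30
$Now           = Get-Date

# Services renders as e.g. "IMAP, POP, IIS" (or "None"); turn it into an array of names
function Get-EnabledServices($cert) {
    return @("$($cert.Services)".Split(',') | ForEach-Object { $_.Trim() })
}

$certs = @(Get-ExchangeCertificate)

foreach ($c in $certs) {
    $problems = @()
    $services = Get-EnabledServices $c
    $domains  = @($c.CertificateDomains | ForEach-Object { "$_".ToLower() })

    # Validity period: expired, about to expire, or not yet valid (wrong cert or clock skew)
    if ($c.NotAfter -lt $Now) {
        $problems += "expired on $($c.NotAfter)"
    } elseif ($c.NotAfter -lt $Now.AddDays($WarnDays)) {
        $problems += "expires within $WarnDays days, on $($c.NotAfter)"
    }
    if ($c.NotBefore -gt $Now) { $problems += "not valid until $($c.NotBefore)" }

    # No private key means the CA response was imported outside Exchange; it cannot terminate TLS
    if (-not $c.HasPrivateKey) {
        $problems += 'no private key (imported via MMC rather than Import-ExchangeCertificate?)'
    }

    # The self-signed certificate created at setup should not stay bound to client-facing services
    if ($c.IsSelfSigned -and ($services -notcontains 'None')) {
        $problems += "self-signed but enabled for $($c.Services)"
    }

    # A certificate bound to IIS must carry every name clients are told to connect to
    if ($services -contains 'IIS') {
        foreach ($n in $RequiredNames) {
            if ($domains -notcontains $n.ToLower()) { $problems += "enabled for IIS but does not cover $n" }
        }
    }

    Write-Host ("{0}  {1,-18}  {2}" -f $c.Thumbprint, $c.Services, $c.Subject)
    foreach ($p in $problems) { Write-Host "    ! $p" }
}

# Double-ups: more than one certificate enabled for the same service. Only one certificate can be
# live on IIS, POP, IMAP or UM; several SMTP certificates can be intentional (one per connector FQDN),
# so treat that line as informational.
foreach ($svc in 'IIS', 'SMTP', 'POP', 'IMAP', 'UM') {
    $enabled = @($certs | Where-Object { (Get-EnabledServices $_) -contains $svc })
    if ($enabled.Count -gt 1) {
        $list = [string]::Join(', ', @($enabled | ForEach-Object { $_.Thumbprint }))
        Write-Host "! $svc is enabled on $($enabled.Count) certificates: $list"
    }
}
```

Each line of output is the same Thumbprint / Services / Subject triple Get-ExchangeCertificate prints, followed by any problems found for that certificate, so the thumbprint to feed into Enable-ExchangeCertificate or Remove-ExchangeCertificate is right there.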

- zac.

Apache 2 client authentication

Client certificate authentication for Apache 2 is a pain. Quick cheat sheet, assuming SSL is already configured for the VirtualHost and working properly. Note that SSLCACertificateFile is only accepted at server or VirtualHost level, so it sits outside the Directory block; the per-directory directives switch client verification on for the protected path only:

<VirtualHost *:443>
  # existing SSLEngine / SSLCertificateFile / SSLCertificateKeyFile directives go here
  SSLCACertificateFile /path/to/client-ca-file.pem

  <Directory /path/to/directory>
    Order Allow,Deny
    Allow from All
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth x
  </Directory>
</VirtualHost>

Quick explanations of each directive:

  • SSLRequireSSL – only allows SSL'ed connections to the directory; a plain-HTTP request gets a 403. Note this doesn't redirect HTTP requests to HTTPS; use Redirect or RewriteRule for that.
  • SSLVerifyClient require – the server asks for a client certificate and refuses the request unless a valid one is presented: within its validity period, chained to a CA in SSLCACertificateFile within SSLVerifyDepth, and not on the CRL if SSLCARevocationFile is configured. In Directory or Location context mod_ssl only learns that a certificate is needed once it has read the request line, so it renegotiates the connection at that point rather than asking during the initial handshake.
  • SSLVerifyDepth x – where x is the maximum number of CA certificates mod_ssl will follow from the client certificate up to a trusted root. 1 means the client certificate must be issued directly by a CA in SSLCACertificateFile; with a root plus one intermediate you need 2. Too small a value makes perfectly good certificates fail with a "certificate chain too long" verify error.
  • SSLCACertificateFile /path/to/client-ca-file.pem – the PEM-formatted CA certificates (concatenated if there is more than one) trusted by the server to validate the client certificate being presented. Put the whole issuing chain in here, the root and any intermediate CA that issues client certificates: mod_ssl has to chain the presented certificate up to a trusted root, and browsers generally send only the leaf. It is a server/VirtualHost-level directive and cannot live inside Directory or Location. (Note this directive is not used for specifying the server's own SSL Intermediate CA certificates; SSLCertificateChainFile should be used for that purpose.)

Additionally, there are other options -

  SSLOptions +FakeBasicAuth
  SSLRequire expression
  SSLCADNRequestFile /path/to/issuing-ca-file.pem

Explanations:

  • SSLOptions +FakeBasicAuth – turns the DN of the client certificate (in OpenSSL's one-line form, e.g. /C=AU/O=Example/CN=zac) into an HTTP Basic authorisation username, so the normal Apache user/group machinery can be used; the password is always the fixed string "password", stored in the AuthUserFile in DES-crypt form as xxj31ZMTZzkVA or in whatever other hash format mod_auth_basic accepts for that string. Because the password is public, an AuthUserFile used for this must only ever be referenced from locations that also require a valid client certificate; otherwise anyone who knows a DN can log in as it.
  • SSLRequire expression – a complicated directive that allows for very specific access controls, e.g., requiring specific elements of the client certificate's subject or issuer DN to match (%{SSL_CLIENT_S_DN_O}, %{SSL_CLIENT_I_DN_CN} and so on). See the mod_ssl documentation and examples!
  • SSLCADNRequestFile /path/to/issuing-ca-file.pem – the PEM-formatted CA certificates (concatenated if there is more than one) whose names should be sent in the SSL handshake as the acceptable client certificate CA names; normally the CA(s) that directly issue the client certificates. Very important: the certificate(s) in this file are not used for validation purposes, only to build that list; validation still uses SSLCACertificateFile. Without it, mod_ssl advertises the name of every certificate in SSLCACertificateFile, which matters because browsers use the advertised list to decide which client certificates to offer (or whether to prompt at all), so a large trust store, or one whose names don't match the issuing CA, gives confusing behaviour at the client. New in the 2.2 line and poorly documented. It doesn't work inside a Directory or Location section; it is only accepted in server config and VirtualHost context (which is annoying and has been submitted as a bug to Apache). I haven't been able to make it do anything useful as yet; that said, I've only played with it briefly, so I can't be certain whether I'm doing something wrong or not.
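An added example, not from the original post, pulling the cheat sheet and the extra options together into one complete VirtualHost: SSLCACertificateFile, SSLCARevocationFile and SSLCADNRequestFile at the level where mod_ssl accepts them, client verification switched on only under /protected with a depth that matches a root-plus-intermediate client chain, an SSLRequire filter on the issuer and subject DN, and FakeBasicAuth on one sub-path. All hostnames, file paths and DN values are placeholders.

```apache
# Added example, not the original post's configuration. Paths, names and DNs are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    # Intermediate(s) for the *server* certificate belong here, not in SSLCACertificateFile
    SSLCertificateChainFile /etc/ssl/certs/server-intermediates.pem

    # Trust store for validating client certificates: the root AND the intermediate that
    # issues client certificates, concatenated. Verification is off for the whole site and
    # only switched on in the Location below.
    SSLCACertificateFile    /etc/ssl/certs/client-ca-chain.pem
    # Optional: reject client certificates the CA has revoked
    SSLCARevocationFile     /etc/ssl/crl/client-issuing-ca.crl
    # Names advertised in the handshake as acceptable client CAs: just the issuing CA.
    # Not used for validation; server/VirtualHost context only.
    SSLCADNRequestFile      /etc/ssl/certs/client-issuing-ca.pem

    <Location /protected>
        Order Allow,Deny
        Allow from All
        SSLRequireSSL
        SSLVerifyClient require
        # root -> intermediate -> client certificate: two CA certificates to follow
        SSLVerifyDepth 2

        # Only certificates from our issuing CA, for our own organisation
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Example Corp Client Issuing CA" \
                   and %{SSL_CLIENT_S_DN_O} eq "Example Corp"
    </Location>

    <Location /protected/admin>
        # Inherits the SSLVerifyClient/SSLRequire settings above; additionally maps the
        # certificate DN onto a Basic-auth username so an ordinary user file decides who gets in
        SSLOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Client certificate holders"
        AuthUserFile /etc/apache2/client-dn.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Each line of /etc/apache2/client-dn.htpasswd is the certificate's DN in OpenSSL one-line format followed by the hash of the fixed string "password", for example /C=AU/O=Example Corp/CN=zac:xxj31ZMTZzkVA; that file must not be reused by any location that lacks SSLVerifyClient require, since the password is not a secret.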

- zac.

Champagne list

Champagnes I’ve tried and liked, those that I haven’t and some that I want to try – if nothing else, this gives me a bit of a shopping list:

Stuff I really like

  • Billecart-Salmon – Brut Reserve NV
  • Taittinger – Brut Reserve NV
  • Perrier-Jouet – Grand Brut NV

Stuff I like

  • Ruinart – Blanc de Blancs Brut NV
  • Charles Heidsieck – Mis En Cave Brut Reserve NV
  • Pommery – Brut Royal NV
  • Dom Perignon (unsure of vintage, I think it was the 2000)

Stuff I don’t mind

  • Veuve Clicquot – Yellow Label NV
  • Louis Roederer – Brut Premier NV

Stuff I don’t particularly like

  • Piper Heidsieck – Brut NV
  • Moët et Chandon – Brut NV

Stuff I want to try
(not including stuff I’ll never afford)

  • Nicolas Feuillatte – Brut Reserve NV
  • Pol Roger – Brut NV

- zac.

Hidden prefs for Safari 4

http://swedishcampground.com/safari-4-hidden-preferences

Some Random Genius has worked out how to de-uglify the new Safari 4 beta release, which makes me happy.

Moving the tabs back to where they belong has a side effect of moving the lock symbol (for SSL’ed pages) back to where I expect it to be. This also makes me happy.

- zac.