I had a problem with phpMyAdmin not using encrypted connections.
My server was correctly configured for SSL as indicated by:
SHOW VARIABLES LIKE '%ssl%'
However when I ran:
SHOW STATUS LIKE 'Ssl_cipher'
I got back a null result, indicating that the connection was not encrypted.
Eventually I figured out that the problem was caused by using the ‘mysqli’ provider for my connections in phpMyAdmin. When I switched my connections to use ‘mysql’ instead then encryption started working and an Ssl_cipher was reported.
I’d love to know what the actual problem is, but for now I’m just happy that my connections are actually encrypted. I spent a while hacking on the mysqli dbi interface to try and get it to play nice with SSL but I didn’t make any progress.
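A way to script the Ssl_cipher check described above, as an added example that is not code from the original post: the output of the mysql client's SHOW STATUS query goes through a small shell filter that fails when the cipher column is empty. The check_live_connection wrapper, its --ssl-mode=REQUIRED flag (MySQL 5.7 and later clients) and the sample rows are my assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not code from the post: verify that a MySQL session is
# actually encrypted by inspecting the Ssl_cipher status variable.
#
# With `mysql -N` (no column headers) the client prints one tab-separated
# row: "Ssl_cipher<TAB><cipher>". On an unencrypted session the cipher
# column is empty, which is the null result described above.

# ssl_cipher_from_status: read SHOW STATUS rows on stdin and print the
# value of Ssl_cipher (an empty line when the session is not encrypted).
ssl_cipher_from_status() {
    awk -F'\t' '$1 == "Ssl_cipher" { print $2 }'
}

# connection_is_encrypted: succeed (exit 0) only when a cipher is reported.
connection_is_encrypted() {
    cipher=$(ssl_cipher_from_status)
    [ -n "$cipher" ]
}

# check_live_connection HOST USER: run the query against a real server.
# Assumed usage, not exercised offline; prompts for the password.
# --ssl-mode=REQUIRED (MySQL 5.7+ clients) makes the client itself refuse
# a plaintext fallback; older clients lack the option and will silently
# fall back, which is why checking Ssl_cipher afterwards matters.
check_live_connection() {
    mysql -h "$1" -u "$2" -p --ssl-mode=REQUIRED -N \
        -e "SHOW STATUS LIKE 'Ssl_cipher'" | connection_is_encrypted
}

# Constructed sample rows standing in for real client output.
ENCRYPTED_ROW=$(printf 'Ssl_cipher\tDHE-RSA-AES256-SHA')
PLAINTEXT_ROW=$(printf 'Ssl_cipher\t')

# Stand-alone demo on the constructed rows.
printf '%s\n' "$ENCRYPTED_ROW" | connection_is_encrypted \
    && echo "sample 1: encrypted"
printf '%s\n' "$PLAINTEXT_ROW" | connection_is_encrypted \
    || echo "sample 2: NOT encrypted"
```

Whatever PHP driver ends up in use, the server can also refuse plaintext logins for the account with REQUIRE SSL on the grant, so a check like this becomes a backstop rather than the only thing standing between you and an unencrypted session.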
“Someone has almost certainly never spoken this sentence before.”
“Someone has probably never spoken this sentence before.”
“No-one has spoken this sentence before.”
I win. :)
Found some discussion on dealing with “fail2ban.actions.action: ERROR” errors from fail2ban. Basically there’s a race condition and a few suggestions to deal with it. One is to modify /usr/bin/fail2ban-client like this:
def __processCmd(self, cmd, showRet = True):
    beautifier = Beautifier()
    for c in cmd:
        time.sleep(0.1)   # brief pause between commands; needs 'import time' at the top of fail2ban-client if it isn't already there
        beautifier.setInputCmd(c)
But the other one, that I think I like better, is to edit /etc/fail2ban/actions.d/iptables-multiport.conf to include a call to sleep for a random time up to three seconds:
actionstart = sleep `perl -e 'print rand(3);'`
              iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
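To see why the random sleep helps and what a firmer fix looks like, here is an added example (my code, not from the post or from fail2ban) that reproduces the check-then-act race with a plain state file standing in for iptables, provides the random delay from the post as a shell function, and serialises the action with a mkdir lock instead of hoping the delays don't coincide. The fail2ban-ssh chain name, the state file and the lock directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post or fail2ban: the random-delay trick
# next to a lock that removes the race instead of making it less likely.
# The "chain" is a constructed state file, not iptables, so this runs
# anywhere.

# random_delay MAX: print a delay in [0, MAX) seconds, like
# `perl -e 'print rand(3)'`, drawn from /dev/urandom so that two actions
# started in the same second do not pick the same value.
random_delay() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    awk -v n="$n" -v max="$1" \
        'BEGIN { printf "%.3f\n", int(n * max * 1000 / 65536) / 1000 }'
}

# with_lock LOCKDIR CMD...: run CMD while holding a mkdir lock (mkdir is
# atomic on a local filesystem, so only one caller can create LOCKDIR).
# Gives up after roughly ten seconds of waiting.
with_lock() {
    lockdir=$1; shift
    tries=0
    until mkdir "$lockdir" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -ge 200 ] && return 1
        sleep 0.05
    done
    "$@"
    rc=$?
    rmdir "$lockdir"
    return "$rc"
}

# fake_chain_create STATEFILE NAME: stand-in for `iptables -N NAME` with
# the same check-then-act shape: create the chain only if it is absent.
# Two concurrent callers can both see "absent" and both create it.
fake_chain_create() {
    if ! grep -qx "$2" "$1" 2>/dev/null; then
        sleep 0.01               # widen the window so the race is visible
        echo "$2" >> "$1"
    fi
}

# count_chain STATEFILE NAME: how many times NAME ended up in the state.
count_chain() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cx "$2" "$1" || true
}

# run_concurrent N STATEFILE [LOCKDIR]: start N chain creations at once,
# with the lock when LOCKDIR is given, and wait for all of them.
run_concurrent() {
    n=$1; state=$2; lockdir=$3
    : > "$state"
    i=0
    while [ "$i" -lt "$n" ]; do
        if [ -n "$lockdir" ]; then
            with_lock "$lockdir" fake_chain_create "$state" fail2ban-ssh &
        else
            fake_chain_create "$state" fail2ban-ssh &
        fi
        i=$((i + 1))
    done
    wait
}

# Stand-alone demo: the unlocked run usually creates the chain more than
# once; the locked run creates it exactly once.
STATE=$(mktemp)
run_concurrent 20 "$STATE"
echo "without lock: chain created $(count_chain "$STATE" fail2ban-ssh) time(s)"
run_concurrent 20 "$STATE" "$STATE.lock"
echo "with lock:    chain created $(count_chain "$STATE" fail2ban-ssh) time(s)"
echo "random delay: $(random_delay 3)s"
rm -f "$STATE"
```

The sleep lowers the odds of two jails racing on the same iptables command; the lock removes the window entirely, and a real action could wrap its iptables calls the same way.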
I was writing a shell script and I wanted to change directory. But before I changed directory I wanted to get the absolute path to a file relative to the current directory so that I could access the file again later. I learned that you can do this in Bash with the readlink facility, passing in the -f command line switch, i.e.:
$ readlink -f ./some/path
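Putting that to use in a script, as an added example that is not from the original post: abs_path resolves a relative path with readlink -f where that works (GNU coreutils, busybox) and falls back to cd plus pwd -P where readlink has no -f (macOS), and the demo shows the saved path surviving a change of directory. The directory layout in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the post: resolve a file's absolute path before
# changing directory, with a portable fallback for readlink without -f.

# abs_path PATH: print the absolute, symlink-resolved path of PATH.
# The parent directory must exist; the last component need not.
abs_path() {
    if readlink -f / >/dev/null 2>&1; then
        readlink -f -- "$1"
        return
    fi
    # Fallback: resolve the directory part in a subshell so the caller's
    # working directory is untouched.
    dir=$(dirname -- "$1")
    base=$(basename -- "$1")
    (
        cd -- "$dir" 2>/dev/null || exit 1
        case $base in
            .)  pwd -P ;;
            ..) cd .. && pwd -P ;;
            *)  printf '%s/%s\n' "$(pwd -P)" "$base" ;;
        esac
    )
}

# demo_cd_then_open: remember a file, cd elsewhere, and read it through
# the remembered absolute path. Prints the file's contents.
demo_cd_then_open() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/work/data"
    echo "hello" > "$tmp/work/data/notes.txt"
    (
        cd "$tmp/work" || exit 1
        saved=$(abs_path ./data/notes.txt)   # resolved before the cd
        cd / || exit 1
        cat "$saved"                          # still reachable from /
    )
    rm -rf "$tmp"
}

demo_cd_then_open
```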
Found a list of MySQL Encryption and Compression Functions today. Handy.
I’m half-way through setting up my web-server for client certificate authentication. Have to get a few other things done first so I’m going to come back to this. Here are my notes so far.
I read this article on Email Certificates but that wasn’t that useful for what I’m doing.
I learned a little bit about the update-ca-certificates command that is part of the ca-certificates package, and maybe that will be useful down the track.
In my travels I discovered NSS and SSL Error Codes, but that’s probably not too useful either.
The OpenSSL FAQ was a really useful read. I’ll probably be referring back to that.
I learned about cacert.org which is interesting but probably something I won’t be using.
There’s an SSL Certificates HOWTO over on TLDP and if I can find the time I’d like to read that whole thing, although from what I’ve read so far it’s not complete.
The mod_ssl project has a really handy Reference for all the Apache configuration options, worth a read.
And that’s it for now. I’ll pick this up again in a day or two.
Reading the OpenSSL FAQ I learned that you can issue the following command to get a list of the acceptable client certificate CA names from a server:
openssl s_client -connect test.jj5.net:443 -prexit
Obviously you replace ‘test.jj5.net’ with whatever server you’re interested in.
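If you want that list in a script rather than scrolling through the s_client output, here is an added example (mine, not from the post): client_ca_names pulls the DN lines that follow the "Acceptable client certificate CA names" header, and fetch_client_ca_names wraps the command above for a live host. The sample output is constructed to match the shape OpenSSL prints; the host and DN values in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: extract the client-certificate CA
# names a server advertises from `openssl s_client ... -prexit` output.

# client_ca_names: read s_client output on stdin and print one DN per
# line. Exits 2 when the server did not request a client certificate
# (s_client prints "No client certificate CA names sent" in that case).
client_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        grab && (/^---/ || /^Client Certificate Types:/ ||
                 /^Requested Signature Algorithms:/) { grab = 0 }
        grab { print }
        /^No client certificate CA names sent/ { exit 2 }
    '
}

# fetch_client_ca_names HOST [PORT]: query a live server (not run offline).
# </dev/null lets s_client finish the handshake and exit instead of
# waiting for typed input; -prexit prints the session details on exit.
fetch_client_ca_names() {
    openssl s_client -connect "$1:${2:-443}" -prexit </dev/null 2>/dev/null \
        | client_ca_names
}

# Constructed sample output in the shape s_client prints it.
SAMPLE_OUTPUT='---
Acceptable client certificate CA names
/C=AU/ST=NSW/O=Example Pty Ltd/CN=Example Client CA
/C=AU/O=Example Pty Ltd/CN=Example Root CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 3402 bytes and written 421 bytes'

NO_REQUEST_OUTPUT='---
No client certificate CA names sent
---'

# Stand-alone demo on the constructed output.
printf '%s\n' "$SAMPLE_OUTPUT" | client_ca_names
printf '%s\n' "$NO_REQUEST_OUTPUT" | client_ca_names \
    || echo "server did not ask for a client certificate"
```

The CA list is part of the server's CertificateRequest, which every connecting client sees, so this is also a quick way to confirm you aren't advertising more CAs than you mean to trust.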
I have a hosts file that defines IP addresses on the LAN for all of my virtual hosts. The good thing about using the LAN IP addresses for inter-host communication is that it’s free bandwidth. I had a problem with Postfix though, because Postfix does a reverse lookup on IP addresses to get the corresponding hostname, and the IP address Postfix has for local addresses is the LAN IP address, not the public IP address. The public IP addresses are configured with proper reverse DNS PTR records, but the local addresses weren’t. So I decided to fix that.
Basically I installed bind and configured it with PTR records for the 10.0.0.0/8 network. Now when Postfix asks for the RDNS of a LAN IP address it should get the corresponding hostname. I didn’t need to configure bind with zones for the local IP addresses, because those are all specified in my /etc/hosts file. At least I hope I don’t have to configure DNS zones for my local IP addresses in bind, because that’d just be a pain in the arse.
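Since the LAN names already live in /etc/hosts, the reverse zone can be generated from it rather than maintained by hand. As an added example (my code, not from the post): hosts_to_ptr turns hosts(5) lines into PTR records for 10.in-addr.arpa using the first name on each line, and ptr_zone wraps them in a zone file. The sample hosts file, the nameserver name, the contact and the serial are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post: generate the 10.in-addr.arpa reverse
# zone from /etc/hosts-style lines so the names Postfix gets back from a
# reverse lookup match the names in the hosts file.

# hosts_to_ptr: read hosts(5) lines on stdin and emit PTR records (owner
# names relative to $ORIGIN 10.in-addr.arpa.) for every 10.0.0.0/8 address.
# Comments, blank lines and addresses outside 10/8 are skipped; the first
# (canonical) hostname on a line is used and made absolute.
hosts_to_ptr() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        NF < 2 { next }                             # need address + a name
        $1 !~ /^10\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        {
            split($1, o, ".")
            name = $2
            if (name !~ /\.$/) name = name "."      # absolute target
            printf "%s.%s.%s\tIN\tPTR\t%s\n", o[4], o[3], o[2], name
        }
    '
}

# ptr_zone NS CONTACT SERIAL: print a complete zone file for
# 10.in-addr.arpa with the PTR records built from stdin. NS and CONTACT
# must be absolute names (trailing dot); SERIAL is caller-supplied.
ptr_zone() {
    printf '$ORIGIN 10.in-addr.arpa.\n$TTL 3600\n'
    printf '@\tIN\tSOA\t%s %s ( %s 3600 900 604800 3600 )\n' "$1" "$2" "$3"
    printf '@\tIN\tNS\t%s\n' "$1"
    hosts_to_ptr
}

# Constructed hosts file standing in for /etc/hosts.
SAMPLE_HOSTS='127.0.0.1   localhost
# LAN addresses for the virtual hosts
10.0.0.10   web1.lan.example  web1
10.0.0.11   mail.lan.example  mail   # postfix
192.168.1.5 other.example
10.1.2.3    db.lan.example.
'

# Stand-alone demo: print the generated zone.
printf '%s' "$SAMPLE_HOSTS" \
    | ptr_zone ns1.lan.example. hostmaster.lan.example. 2024010101
```

Point bind at the output with a stanza like zone "10.in-addr.arpa" { type master; file "/etc/bind/db.10"; }; in named.conf, and bump the serial each time the hosts file changes. Because the 10/8 PTR data is only served to your own resolvers, a stale or wrong record here only ever affects your hosts, which is exactly the scope you want for split reverse DNS.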