30 June 2010

How to eavesdrop on HTTPS traffic

I had an intermittent problem with my web app: a test suite intended to verify that client-cert SSL* worked was failing. It wasn't failing because the client-cert SSL auth was broken. It was failing because of a 400 Bad Request with the message:

Your browser sent a request that this server could not understand.
Request header field is missing ':' separator.

Of course, since the connection was SSL encrypted, I couldn't easily see what was going on.

Fortunately, Wireshark has SSL decoding built in. It's a bit tricky to use, but this wiki page and this mailing list post explain what to do. Here's the short version:

1. If your server's SSL key isn't in a .pem file already, make one. Here's what I did:
openssl pkcs12 -export -in server.crt -inkey server.key -name "Server Certificate" -out server.p12 -passin pass: -passout pass:
openssl pkcs12 -in server.p12 -out server.pem -nodes -passin pass: -passout pass:


Note that there are no passwords on these keys -- this is my testbed server. If you have passwords on your keys, the steps may be different.

2. Tell Wireshark about the .pem file. Go to Edit->Preferences, expand the protocols menu, and pick SSL from the list. If your https server is running on localhost, port 443, enter "127.0.0.1,443,http,/path/to/your/server.pem" in the "RSA keys list" box.

3. Assuming that you don't have SSLCipherSuite defined elsewhere (in which case, you might want to temporarily comment it out if it contradicts this one), add the following entry to your apache2.conf and restart apache:

SSLCipherSuite kRSA!DH:aRSA!DH:RC4+RSA!DH:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

That turns off Diffie-Hellman key negotiation. It matters because with a DH key exchange the session key is never encrypted to the server's RSA key, so holding the private key doesn't let Wireshark recover it; with RSA key exchange the client encrypts the premaster secret under the server's public key, and Wireshark can decrypt that with the .pem.

4. Make sure that your browser is opening a fresh connection. In Firefox, closing the tab and opening a new one appeared to be sufficient.

5. Start the capture on the appropriate interface. If everything works, Wireshark will decode it. If not, go back to the preferences dialogue, set a debug file, and try again. Look in the debug file for clues---perhaps Wireshark couldn't read your key, for instance.
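Why step 3 is necessary, as an added illustration (this is not code from the post and not Wireshark's own logic, which additionally derives the master secret from the premaster and both randoms): the two key-exchange styles are modelled in miniature. The RSA key pair uses constructed small primes with no padding, and the DH group is the Mersenne prime 2^127-1 with generator 2, both far too small for real use and chosen only so the script runs instantly. `passive_observer_with_private_key` plays the part of Wireshark holding the server's .pem. Requires Python 3.8+ for `pow(e, -1, m)`.

```python
"""Toy model: RSA key exchange can be decrypted with the server key, DH cannot.

Added example, not part of the original post.  All key material is
constructed and undersized; the point is the structure of the exchange.
"""
import hashlib
import secrets

# --- Toy RSA key pair (constructed small primes; textbook RSA, no padding) ---
_P, _Q = 1_000_003, 999_983            # both known primes, toy size only
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)

def rsa_encrypt(m):
    return pow(m, RSA_E, RSA_N)

def rsa_decrypt(c):
    return pow(c, RSA_D, RSA_N)

def rsa_sign(data: bytes):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N
    return pow(h, RSA_D, RSA_N)

def rsa_verify(data: bytes, sig):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N
    return pow(sig, RSA_E, RSA_N) == h

# --- Toy DH group: Mersenne prime 2^127-1, generator 2 (demo size only) ---
DH_P = 2**127 - 1
DH_G = 2

def rsa_key_exchange():
    """TLS_RSA style: the client encrypts the premaster secret to the server's
    public key.  Returns (bytes on the wire, client's secret, server's secret)."""
    premaster = secrets.randbelow(RSA_N)       # TLS uses 48 random bytes; scaled to toy n
    wire = {"encrypted_premaster": rsa_encrypt(premaster)}
    server_premaster = rsa_decrypt(wire["encrypted_premaster"])
    return wire, premaster, server_premaster

def dh_key_exchange():
    """DHE style: the server's RSA key only signs its ephemeral DH value;
    the shared secret g^(ab) is computed on each side and never transmitted."""
    b = secrets.randbelow(DH_P - 2) + 1        # server's ephemeral exponent
    server_pub = pow(DH_G, b, DH_P)
    sig = rsa_sign(server_pub.to_bytes(16, "big"))
    a = secrets.randbelow(DH_P - 2) + 1        # client's ephemeral exponent
    client_pub = pow(DH_G, a, DH_P)
    wire = {"server_pub": server_pub, "signature": sig, "client_pub": client_pub}
    assert rsa_verify(server_pub.to_bytes(16, "big"), sig)   # client checks the signature
    client_secret = pow(server_pub, a, DH_P)
    server_secret = pow(client_pub, b, DH_P)
    return wire, client_secret, server_secret

def passive_observer_with_private_key(wire):
    """What a capture plus the server's private key yields (Wireshark's position)."""
    if "encrypted_premaster" in wire:
        # RSA key exchange: the private key decrypts the premaster directly.
        return rsa_decrypt(wire["encrypted_premaster"])
    # DH: the private key only verifies the signature; a and b are not on the
    # wire, so the session secret cannot be recovered from the capture.
    return None

if __name__ == "__main__":
    wire, c, s = rsa_key_exchange()
    print("RSA: observer recovers secret:", passive_observer_with_private_key(wire) == c == s)
    wire, c, s = dh_key_exchange()
    print("DH : both sides agree:", c == s, "; observer recovers:", passive_observer_with_private_key(wire))
```

This is also the reason the trick only works on a testbed you control: a server configured for forward secrecy (DHE or ECDHE) gives the same answer as the DH branch above, even to someone holding its private key.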

* It tried to read a trivial CGI script that just echoed back the SSL environment variables like SSL_CLIENT_M_SERIAL and SSL_CLIENT_VERIFY.

Epic link of the day

http://whatdoesgodneedwithastarship.com/

If you've never played Xenogears, it won't make any sense, btw.

23 June 2010

Naming and Necessity

I think Microsoft Security Essentials is a great idea. However, one would think that when Microsoft added a feature that they admit might "unintentionally" send your personal information to their computers, they would call it something other than "SpyNet":

20 June 2010

Switch

By the way, the suggestion to switch Linux distributions in order to get a single app to work might sound absurd at first. And that's because it is. But I've been saturated with Unix-peanut-gallery effluvia for so long that it no longer even surprises me when every question -- no matter how simple -- results in someone suggesting that you either A) patch your kernel or B) change distros. It's inevitable and inescapable, like Hitler. --JWZ

I've been a Debian user since 2002. To get a single app to work, I just switched to Ubuntu.

The app was openssl. I'm building VMs using Ubuntu's vmbuilder, because there's no obvious equivalent for Debian. Unfortunately, the openssl/libssl0.9.8 that ships with Ubuntu (0.9.8k) has some bizarre, inexplicable incompatibility with the openssl/libssl0.9.8/mod_ssl that ships with Apache on Debian (0.9.8n). I was trying to do an SSL client-certificate authentication from the Ubuntu VM to a Debian server. Using a Debian client (openssl s_client or just Python's HTTPS support) and a Debian Apache2 server worked fine. Using an Ubuntu client and an Ubuntu Apache2 worked fine. But the Ubuntu client and the Debian Apache2 failed.

The Right Thing to do would be to come up with a minimal case demonstrating the bug and post it in the appropriate bug tracker, but since I wasn't even sure if the bug was in Apache2 or in openssl, it would have taken some time to find the right place to report it. I was pressed for time and decided to punt by switching everything to Ubuntu.

I backed up my laptop's /var, /etc, and /home to a second computer via rsync. I burned the Ubuntu installer, which turned out to be a coaster: I wanted to encrypt my disk, and only the "alternate" installer supports that. I burned and booted the alternate .iso, erased my original Linux and swap partitions, created an encrypted partition, layered LVM on top of that, created new linux and swap partitions inside the LVM, and started the installation. The install took what seemed like hours longer than a Debian install -- I'm not sure if that's simply because Ubuntu Desktop is much bigger than a minimal Debian install or because the crypto slowed down disk I/O. Possibly both. But the installer worked perfectly---it even recognized my Vista partitions and added them to the grub menu.

Ubuntu's wireless support is thousands of times more wonderful than Debian's: instead of writing shell scripts to connect to open and WEP networks and having to run them from the command line every time I woke the computer from sleep and being completely unable to connect to WPA networks (the wpa_supplicant manual could double as creepypasta), Ubuntu has NetworkManager and a lovely GUI widget to control wireless connectivity. I don't particularly like always-on GUI widgets, but you can easily hide the Ubuntu widget/menu bar by right-clicking it, choosing 'Properties', and ticking "Auto-hide". I installed enlightenment (packaged as e16) and chose E16-Gnome at the login screen. I switched off all the iconboxes, virtual desktops (I want _multiple_ desktops, not virtual ones), tooltips, and pagers. I made one small change to e16's configuration, editing /etc/e16/bindings.cfg to open gnome-terminal rather than Eterm when I hit Ctrl-Alt-Insert (change "KeyDown CA Insert exec Eterm" to "KeyDown CA Insert exec gnome-terminal"). The result: wonderful.

Oh, and SSL client-auth now works.

18 June 2010

debhelper help

If you want to install a cron.d file using a debian/ubuntu package and you're using debhelper, you can just leave a file called package-name.cron.d in the debian/ directory. The manual explains this. The manual doesn't mention (maybe it's obvious to people other than me) that you have to make sure dh_installcron is in your debian/rules in the appropriate place (for instance, perhaps after dh_installdocs in binary-indep, depending on what kind of package you're building.)

Note that you will also need an explicit username in cron.d, e.g.,

30 12 * * * someuser /usr/sbin/someprogram

14 June 2010

M-x awesome-mode

James Fallows mentioned how much he liked full-screen mode in his word processor. Since I use the best text editor known to man, I thought I'd try it. Here's what I added to my ~/.emacs.el. Like all of my .emacs.el, it's cribbed from various places on the 'net, mostly here:

;; Toggle "nerd mode": hide the menu bar and scroll bar, then ask the
;; window manager (via wmctrl) to toggle fullscreen on the active window.
(defun switch-nerd-mode ()
  (interactive)
  ;; Toggle explicitly: calling (menu-bar-mode) with no argument toggles
  ;; in Emacs 23, but unconditionally enables the mode in Emacs 24 and later.
  (menu-bar-mode (if menu-bar-mode -1 1))
  (scroll-bar-mode (if scroll-bar-mode -1 1))
  (shell-command "wmctrl -r :ACTIVE: -b toggle,fullscreen"))
(global-set-key [f11] 'switch-nerd-mode)

(Note that this assumes you'll have the menu bar and scroll bar switched on when you're not in full-screen mode. It also assumes that you switched off the toolbar, which is on by default.)

Now, this _almost_ works. But there's one problem:
For whatever reason, there's a thin strip of desktop peeking through. I'm not sure why: Firefox fullscreens perfectly. But Gnome Terminal has the leftover strip. (I don't use any other programs, really.)

I was too lazy to actually debug it, so I did what any respectable nerd would do: I set the desktop background to the same color as my emacs window. I set the desktop to solid black, installed the emacs-goodies-el Debian package, which includes a bunch of color themes, ran M-x color-theme-select, and picked Retro Green, which looks like this:
Yes, that's my whole display. No title bars, scroll bars, task trays, menus, clocks, widgets, heatmaps, thermometers, netload meters, mail indicators --- nothing.

One problem with Retro Green is that its narrow color selection (green and black) means that fancy major modes with lots of colors are less useful: for instance, in python-mode, I typed os.exec instead of os.system and was wondering why pylint was throwing a syntax error on that line. If I'd been using the standard mode, the exec keyword would have been purple.

One last tip: if you launch ediff, the ediff control window might sometimes appear under your main window, or somewhere off-screen entirely. If you're using Enlightenment 0.16 (which is the least terrible WM I've used), just hit Ctrl+Alt+Home and E will move it to the front so you can put it somewhere sensible.

If someone has a more awesome Emacs windowing setup than this, I'd like to see it. (Note that I'll probably copy it.)

Update: Since I switched to Ubuntu, switching to full-screen mode actually gives me the full screen in both Emacs and gnome-terminal. Win.

11 June 2010

Booting a .vmdk with VirtualBox

I have a VMware .vmdk+.vmx image created with ubuntu's wonderful vmbuilder. I wanted to boot it with VirtualBox (since I didn't see an easy way to install VMware on the Debian box I was using, and didn't think it was necessary). Unfortunately, every time I tried to boot, the system complained that it couldn't find the root filesystem and dropped me to an initramfs busybox shell.

ALERT! /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx does not exist. Dropping to a shell!

I tried editing the root= parameter in grub to change it from a UUID to /dev/sda1 or /dev/hda1, to no avail. Flailing, I reconfigured VirtualBox: I deleted the SATA controller, added an IDE controller, and attached the .vmdk to it. I rebooted. It worked!

09 June 2010

Midafternoon diversion

Result of running a word-based Markov chain text generator on the Craigslist personals:

Men seeking women:

I know you ask; me. I am a message And take control. I also like
older than me each one. I'm adventure and have a vast knowledge of
further: conversation. I would appreciate your highest goals in lieu
of a date this post is consistent actually an issue. Geographic
location open to you after a up my terrible ego jumps out more Please
be cute, woman between ish who's interested. If a normal guy on it is
easy to Hold a normal relationship with dark hair i go to plead with
the contrary.


Women seeking men:

I love to land in quincy. Hi, so I don't forget I am saying
certain to chat and I love type a friend long time with. Life
has a light brown hair, blue eyes. I love? You're not thin,
or maybe a Great day, that is this is kind, of yourself in size
work day and just be athletic is your parents, must not for
work out with photos get I Am a spider. He life I am not much
more than dwell on your my own my group or go to cook, wrestle,
go out or ROBOTS Please be greatly appreciated with you like to
be become been to all I'm one of chick this?


Women seeking women:

Someone who is just so not? I am looking; for me A the Trina Hamlin
figthing didnt want someone who has in a little experience, a person
but know me and I'll send me an unfortunate circumstance since middle
school and therefore often in College student but it's pretty hard at
least for? It is there.


Men seeking men:


Older guy here looking for if you must big jock looking for details to
travel. I'm masc or an oler guy here: and here (to party and also be
Very private very goodlooking and me beg)? I am masculine hairy fit,
maybe your hot? Wm looking to try it slow with a time, for games Yr
old asian guys interested?

04 June 2010

Django CSRF gotcha

Django contains a decorator, @csrf_exempt, that you can apply to a view function to tell the anti-CSRF CsrfViewMiddleware to ignore that view. While it's obvious in retrospect, make sure you apply the decorator to the actual view (e.g., the function listed in urls.py); otherwise, if you apply it to a function called by that view function, CsrfViewMiddleware will merrily ignore it and raise a CSRF error.
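The gotcha in miniature, as an added example (not Django's code and not from the post): Django's csrf_exempt sets a csrf_exempt attribute on the function it wraps, and CsrfViewMiddleware.process_view consults that attribute on the callback the URL resolver hands it. The model below reproduces just that mechanism; csrf_middleware_allows, webhook_wrong, webhook_right and the string "request" standing in for a request object are all constructed for the illustration.

```python
"""Model of why @csrf_exempt must sit on the routed view, not on a helper.

Added example; simplified stand-in for Django's mechanism, not Django itself.
"""
from functools import wraps

def csrf_exempt(view_func):
    """Mark a view exempt from CSRF checks, using the attribute name Django uses."""
    @wraps(view_func)
    def wrapped_view(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped_view.csrf_exempt = True
    return wrapped_view

def csrf_middleware_allows(callback, method="POST", token_ok=False):
    """Decide whether a CsrfViewMiddleware-like check lets the request through.

    `callback` is the callable urls.py resolved to.  Only its own attribute is
    consulted: whatever that view calls internally is invisible here.  Returns
    True if the view would run, False if the middleware would reject (403).
    """
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True                       # safe methods are never checked
    if getattr(callback, "csrf_exempt", False):
        return True                       # the routed view opted out
    return token_ok                       # otherwise the token must validate

# --- Wrong placement: the helper is exempt, but the routed view is not. ---
@csrf_exempt
def _do_work(request):
    return "ok"

def webhook_wrong(request):               # this is what urls.py points at
    return _do_work(request)

# --- Right placement: the decorator is on the routed view itself. ---
@csrf_exempt
def webhook_right(request):
    return _do_work(request)

def demo():
    """Outcome of a POST with no valid CSRF token against each placement."""
    return {
        "wrong": csrf_middleware_allows(webhook_wrong),           # rejected
        "right": csrf_middleware_allows(webhook_right),           # allowed
        "wrong_with_token": csrf_middleware_allows(webhook_wrong, token_ok=True),
    }

if __name__ == "__main__":
    print(demo())   # {'wrong': False, 'right': True, 'wrong_with_token': True}
```

The same attribute-on-the-callback check is why wrapping a view in another decorator that does not preserve attributes can silently re-enable the CSRF check, and why, from a defender's side, the exempt view should be the smallest possible surface: exempting a helper does nothing, exempting the routed view removes protection for everything it reaches.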

03 June 2010

FUSE confusion

The FUSE error

fuse: device not found, try 'modprobe fuse' first

...is misleading. You might actually have the FUSE module loaded (check with lsmod|grep fuse), but the device doesn't exist. Check for the presence of /dev/fuse. In my case, it was never created because udev wasn't running when I installed FUSE or loaded the fuse module (or possibly both). Some combination of /etc/init.d/udev start and /etc/init.d/udev stop and /etc/init.d/udev reload got udev to create /dev/fuse.
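A small diagnostic that separates the two conditions the FUSE message lumps together, as an added example (not from the post): whether the kernel knows the fuse filesystem is read from /proc/filesystems, which lists it whether fuse is built in or loaded as a module, and the device node is checked to actually be a character device rather than merely an existing path. The parser takes the file's text and the device path as parameters so the function can be exercised against a constructed sample; fuse_status, known_filesystems, live_status and the sample text are all constructed names.

```python
"""Distinguish "fuse not in the kernel" from "fuse loaded but /dev/fuse missing".

Added example, not part of the original post.
"""
import os
import stat

# Constructed sample in the format of /proc/filesystems: an optional "nodev"
# column, a tab, then the filesystem name.
SAMPLE_WITH_FUSE = "nodev\tproc\nnodev\tsysfs\n\text3\nnodev\tfuse\n"
SAMPLE_WITHOUT_FUSE = "nodev\tproc\nnodev\tsysfs\n\text3\n"

def known_filesystems(text):
    """Parse /proc/filesystems-style text into the set of filesystem names."""
    return {line.split()[-1] for line in text.splitlines() if line.strip()}

def fuse_status(filesystems_text, devnode="/dev/fuse"):
    """Return 'module-not-loaded', 'device-missing', 'not-a-char-device' or 'ok'."""
    if "fuse" not in known_filesystems(filesystems_text):
        return "module-not-loaded"          # 'modprobe fuse' really is the fix here
    try:
        st = os.stat(devnode)
    except FileNotFoundError:
        return "device-missing"             # module is fine; udev never made the node
    if not stat.S_ISCHR(st.st_mode):
        return "not-a-char-device"          # something else is sitting at that path
    return "ok"

def advice(status):
    """Remedy for each status; the device-missing case is what the post hit."""
    return {
        "module-not-loaded": "run 'modprobe fuse'",
        "device-missing": "fuse is loaded; restart udev so it creates /dev/fuse",
        "not-a-char-device": "remove whatever occupies /dev/fuse and let udev recreate it",
        "ok": "FUSE is usable",
    }[status]

def live_status(devnode="/dev/fuse"):
    """Check the running system (Linux only; /proc/filesystems is read directly)."""
    with open("/proc/filesystems") as fh:
        return fuse_status(fh.read(), devnode)

if __name__ == "__main__":
    status = live_status()
    print(status, "-", advice(status))
```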

That meant that I graduated to the next peanut-gallery error:

mount: unknown filesystem type 'ext4'

(I'm running Debian Lenny, so ext4 is only supported if you ignore the dire warnings.)

gah.

About Me

blog at barillari dot org Older posts at http://barillari.org/blog