asyd.net

Welcome to Bruno Bonfils's (aka asyd homepage).

Trace:

Differences

This shows you the differences between the selected revision and the current version of the page.

--- geeklog 2005/08/27 20:58
+++ geeklog 2008/10/03 08:25 current
@@ Line 1: / Line 1: @@
-===== August, 26th ======
+=====EasySSL ? A high level library to OpenSSL=====
-==== mpd/mpc patch for scoring ====
+I'm actually working with OpenSSL C API, to be able to add
+OCSP support to software like freeradius, maybe postfix, etc..
+While I'm writing more and more code to send an OCSP request (~400 lines)
+I'm thinking to start a high level library to OpenSSL (the name easyssl
+is just my first thought) to help developers to doesn't care really
+about the complex usage of OpenSSL.
-I'm happy, after only few hours (~4h) I wrote a patch for mpd/mpc to add the scoring feature.
+For example, I recently check
-I'll send it in few minutes to the upstream, I hope it will include !
+a well know software which can use certificates to authenticate users. After taking a look
+in code, I noticed the check was sometimes only done on the DN certificate, it's a very poor test, it's may be even a serious security flaw. That's why I think it could be nice to provide developers an easy to use library, features fill (OCSP support is not often available) for SSL functions.
-Anyway, mpd patch is [[http://www.asyd.net/code/mpd.diff|here]], mpc one is [[http://www.asyd.net/code/mpc.diff|here]]
+Here the code of main function to check a certificate by OCSP (I removed
+checks code)
-[[geeklog:comments:20050826|Comments]]
+<code c>
+  /* Create a new EasySSL configuration and initialize it */
+  config = malloc (sizeof (ssl_config));
+  init_ssl_config(config);
-===== August, 23th ======
+  /* Add a certificate to the CA store */
-====Desktop====
-It's funny to notice my different behavior with desktop now. For few years (2,3 maybe more)
+  /* char *cacert : path of CA certificate file to load */
-I just used sawfish as window manager, and none desktop manager. I tried gnome every 3 months,
+  add_cert_to_CAstore(config, cacert))
-but I was bored about crash, useless stuff, etc... One week ago, after play a bit with JDS
-(The new Solaris gnome based desktop/window manager) I decide to try again Gnome. Wouaah,
-I was really surprised. First, it's now very beautiful, just take a look into my screenshot.
-Second, since I begin to be tired to type lot of commands to fetch a simple file via FTP, or Samba
-I begin to like the Gnome VFS stuff (and connected servers). Even nautilus, in spatial mode,
-is cool (after reading the bindkeys though, otherwise I can understand it's boring.)
-[[http://www.asyd.net/stuff/shots/20050823.jpg|Gnome 2.10 + Sawfish]]
+  /* Load certificate to check from a file, since a file
+   * may contains more than one certificates, we need to
+   * use a STACK_OF(X509), check its size, and pop the uniq element */
-Now I'm running Gnome, I was looking for nice gnome applications. And I have some really nice !
+  /* char *xfile: path of final certificate file to load */
-The first one is gcfilms (you can see it in the shot). This applications manages Video collection.
+  certificates = x509_load_certificates_from_file(xfile);
-I found another one (alexandria) which do the same thing for books.
+  {
+     X509 *certificate = NULL;
+     int response = -1;
-[[geeklog:comments:20050823|Comments]]
+     if (sk_num(certificates) != 1)
+         goto error;
-===== August, 14th ======
+     /* Pop the certificate from stack of X509 */
-====Zonestats (aka blatant plug)====
+     certificate  = (X509 *) sk_pop(certificates);
-If you like Solaris 10, you like zones, and probably prstat -Z too. Since I like
-graphics too, I try to write a script to graph CPU and memory usage per zone. But
-the only way I found to have such stats, is prstat which is interactive and can't
-be used for scripting. That's why I wrote a little .c based on prstat sources. For
-such things at least, OpenSolaris really rulez.
-This //project// is now available, read more detais [[projects:zonestats|here]]
+     /*
+      * ssl_config *config: pointer to EasySSL configuration
+      * char *url: URL to use to join the OCSP responder, (eg http://pki.asyd.net/ejbca/publicweb/status/ocsp)
+      * X509 *certificate: certificate to check
+      * Return:
+      *    < 0: Internal error
+      *      0: The certificate is valid
+      *    > 0: The certificate is revoked, the return value stand for the reason
+      */
+     response = ocsp_check_certificate(config, url, certificate)
-By the way, I don't know at all if some people read my geeklog, so, if you read
+      /* Display status */
-these lines, please add a little comment ! :)
+    printf("   certificate DN: %s\n",
+    	   certificate->name);
-[[geeklog:comments:20050814|Comments]]
+    printf("   status: ");
-===== August, 12th ======
+    if (response < 0)
+      printf("Internal error\n");
+    else if (response == 0)
+      printf("OK\n");
+    else if (response > 0)
+      {
+	printf("revoked\n");
+	printf("   reason: %s\n", OCSP_crl_reason_str(response));
+      }
+  }
+</code>
-Yesterday, I bougth a lot of Sun hardware, here the list :
-   * Ultra30 / 512MB
-   * SS 20
-   * SS 10 (x3)
-   * SS 4
-   * lot of wires, external scsi bay, etc..
-I'm currently installing Solaris 9 in the SS20. I think I will only
-install Solaris 10 in the Ultra30
-===== August, 8th =====
-====Debian Repository====
-Since I now use sudo with LDAP support, I need to rebuild the debian package in order to
-add the --with-ldap configure's option. Build it and install it on each server via scp or other
-will be a waste of time. That's why I'm trying to setup a clean repository, it's not really
-easy.
-Anyway, here what I done :
-   * apt-get install debpool dupload devscripts
-   * mkdir /mnt/debian
-   * Edit /etc/debpool/Config.pm
-   * Run debpool (it will create all directories the first time)
-   * Get sudo's sources
-   * Edit debian/changelog debian/rules files
-   * Build the package running debuild
-   * Configure /etc/dupload.conf
-   * Run dupload (which puts new .deb in /mnt/debian/incoming/
-===== August, 1st =====
-==== cfengine ====
-Today, after wrote a small script (related to my previous one, about zones backup), to clean
-a FTP server which contains lot of archived filed, I decide to try [[http://www.cfengine.org|cfengine]].
-This tool help sysadmin to maintain a collection of server (config files for example) updated.
-Even if it seem interesting, it's not a trivial tool, especially for the begins. Though, I success
-to copy files via cfengine from a server to a client, after few hours wasted about the //undocumented//
-authentication stuff.
-Here what I done :
-=== Server side ===
-(Non global zone running on Solaris 10)
-   * Build cfengine 2.1.15
-   * Run cfkey
-   * Write a small cfagent.conf
-   * Write a small cfservd.conf
-   * Copy client's localhost.pub to /var/cfengine/ppkeys/root-<ip of client>.pub
-   * Run cfservd
-__cfagent.conf__
 <code>
-control:
+% ./ocsp certs/cacert.pem certs/test00.pem
+   certificate DN: /CN=Bruno Bonfils (test00)/O=asyd dot net/C=FR
-        actionsequence = ( links copy )
+   status: OK
-        cfengineserver = ( cfengine.asyd.net )
-links:
-        /root/tmp/titi  ->      /root/tmp/prout
-        /root/tmp/toto  ->      /root/tmp/prout
-copy:
-        /etc/ldap.conf          dest=/etc/ldap.conf
+% ./ocsp certs/cacert.pem certs/test01.pem
-                                mode=644
+   certificate DN: /CN=Bruno Bonfils (test01)/O=asyd dot net/C=FR
-                                owner=root
+   status: revoked
-                                group=root
+   reason: certificateHold
-                                server=$(cfengineserver)
 </code>
-__cfservd.conf__
+As you can see, it's **very simple**. I hope I'll have enough time to code the same
-<code>
+simple function as SSL sockets frontend, but in a first time I'll add the validity
-control:
+check.
-  AllowUsers = ( root )
-  domain = ( asyd.net )
-  HostnameKeys = ( false )
-  AllowConnectionsFrom = ( 192.168.34.0/24 )
-  TrustKeysFrom = ( 192.168.34.0/24 )
-  solaris::
+//[[geeklog:2006:12:28:easyssl|Permanent link and discussions]]//
-     cfrunCommand = ( "/usr/pkg/sbin/cfagent" )
-  linux::
+===== Interview =====
-     cfrunCommand  = ( "/usr/bin/cfagent" )
-  any::
+//[[geeklog:2006/12/04:interview|Permanent link and discussions]] //
-  IfElapsed = ( 1 )
+===== Logicial if solaris =====
-  MaxConnections = ( 10 )
-#########################################################
-admit:   # or grant:
+//[[geeklog:2006/10/25:logicial_if_solaris|Permanent link and discussions]] //
-        /etc                    *.asyd.net
-        /var/cfengine/inputs    *.asyd.net
-</code>
-=== Client side ===
+===== Solaris zsh =====
-Debian GNU/Linux (sid), cfengine v2.1.15
-   * Install cfengine (via debian packages)
+//[[geeklog:2006/09/07:solaris_zsh|Permanent link and discussions]] //
-   * Write update.conf
-   * Copy server's localhost.pub to ppkeys/root-<ip of server>.pub
-<code>
-control:
-    actionsequence = ( copy )
+===== Pkgsrc pgsql =====
-    domain = ( fimasys.fr )
-    policyhost = ( cfengine.intranet.fimasys.fr )
-    workdir = ( /var/cfengine )
-linux::
-    destdir = ( /var/lib/cfengine2 )
-solaris::
+//[[geeklog:2006/09/06:pkgsrc_pgsql|Permanent link and discussions]] //
-    destdir = ( /var/cfengine )
-copy:
-    $(workdir)/inputs       dest=$(destdir)/inputs
-                            r=inf
-                            mode=600
-                            server=$(policyhost)
-</code>
-=== Description ===
-Let me explain all this stuff. The file //cfagent.conf// is read by cfagent to execute some
-operations. On clients, the first one is to synchronize cfengine's configuration file (including
-cfagent.conf). The file //update.conf// describe how contact the cfengine server. On server,
-cfservd must run, it use //cfvserd.conf//. One section of this file stand for ACL files access.
-The others are about clients's authentication.
-As explain above, the //cfagent.conf// contains some actions to process. Lot of options are
-available, for example : copy, links for files managements, but also process, packages,
-shellcommands are available.
-[[geeklog:comments:20050801|Comments]]
-===== 2005/07/29 =====
-==== About VFS ====
-These last days, I wrote few scripts to make backup and send them to a FTP server. So, I have a lot file
-like //something-YYYYMMDD.tar.gz// which are not deleted, except by hand at this time. That's why
-I want write a script which can access to the FTP server, and remove old archives. Since I want allow
-this script to access local (FS, or even zip/tar.gz) or remote (FTP, Samba, etc..) files, without writes
-code for each way, I'm looking for a VFS system.
-=== Perl ===
-   * There is one VFS module, but there is no code.
-   * There is the gnome vfs module, but it requires GTK and X (for both versions 1 and 2)
-=== C# ====
-   * Found nothing at the moment
-How such thing is possible ? The only language I find which implement such VFS is Java !! I don't understand
-why it's not available for each language, I thought an universal API to access local/remotes files was so
-useful that is available for most high level language, but I'm wrong, that really sux. @#$@
-==== JXplorer ====
-Note: the password setting feature seem broken, and jxplorer can't set password in {CRYPT} format :/
-[[geeklog:comments:20050728|Comments]]
-===== 2005/07/28 =====
-==Funny time==
-Ok, let me introduce something. Guess you have your own website, like http://www.asyd.net/ with some pictures, (ex http://www.asyd.net/docs/laptop/laptop.jpeg). Some <whatever> (sth like mormons) people use this picture in their
-(fucking) web forum profiles. I don't like such things, because my stats are not correct ;p So, I just fetch a
-//funny// picture from [[http://sam.zoy.org/fun/goatse/|goatse]], and add the following rewriterules :
-<code>
-RewriteEngine On
-RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png)$ [NC]
-RewriteCond %{REQUEST_FILENAME} !/gfx/goaste.jpg
-RewriteCond %{HTTP_REFERER} !^$
-RewriteCond %{HTTP_REFERER} !asyd\.net [NC]
-RewriteRule (.*) http://www.asyd.net/gfx/goaste.jpg [R,NC,L]
-</code>
-and now, each time someone link a picture from my website, it will redirect to goaste.jpg \o/ (except from my own site, for sure)
-==Zones backup==
-I wrote a small Perl script to backup zones (via ufsdump) and send them to FTP :
-   * [[http://www.asyd.net/scripts/solaris/zones-backup.pl|zones-backup.pl]]
-   * [[http://www.asyd.net/scripts/solaris/backup.conf|backup.conf]]
-==bmon==
-Just a little note to talk about a little tool I discover yesterday : bmon.
-{{geeklog:bmon.jpg}}
-As you can see, this tool monitor network traffic. One of its advantages, that is
-it can run on Solaris, which doesn't include such tool.
-[[geeklog:comments:20050728|Comments]]
-----
-=====2005/07/26=====
-Long time ago I didn't add a geeklog entry. Well, long time ago I hadn't
-real geek activities. Anyway, just a little note to talk about ext FS label,
-which allow to use label in /etc/fstab. Just an example :
-<code>
-# e2label /dev/sda1 data1
-# grep data1 /etc/fstab
-LABEL=data1       /mnt/usbkey auto     noauto,defaults   0  0
-# mount /mnt/usbkey
-</code>
-Thanks to sam
-Since the Debian's GQ is broke, I'm looking for a new LDAP Browser. I think I find a cool one, a GUI java based : [[http://jxplorer.sf.net|JXplorer]]
-[[geeklog:comments:20050726|Comments]]
-----
-===== 2005/05/08 =====
-Well, today it was a very good day. I'm up at 8h, begin
-with rollerblading for an hour, made some houseworks. Then,
-my geeklife started. I was very disappointed about my dotfiles management,
-because I don't use any system to manage it. I don't like CVS - though
-we use it at work - that's why I start to play with subversion.
-At this, it seem really interesting. I create a project for my dotfiles,
-my scripts, and my working directory. The only bad point I notice at this
-moment is the write mode needed to have access via websnv or viewcvs.
-Anyway, I also tried some features like externals, and I definitively
-adopt it for the moment. I also made a package for Solaris 10 !
-[[:asyd|up]]