
Entries posted in December 2015

I jumped on the SSL-bandwagon

4 December 2015 21:50

Like everybody else on the internet, today was the day I started rolling out SSL certificates, via Let's Encrypt.

The process wasn't too difficult, but I did have to make some changes. Pretty much every website I have runs under its own UID, and I use a proxy to pass content through to the right back-end.

Running 15+ webservers feels like overkill, but it means that the code running start.steve.org.uk cannot read/modify/break the code that is running this blog - because they run as different UIDs.

To start with I made sure that all requests to the top-level /.well-known directory were shunted to a local directory, via this in /etc/apache2/conf-enabled/well-known.conf:

Alias /.well-known/ /srv/well-known/

<Directory "/srv/well-known/">
    # challenge tokens have no extension; serve them as plain text
    ForceType text/plain
    # NB: nothing here needs directory listings or .htaccess processing;
    # "Options None" and "AllowOverride None" are the tighter choice
    Options Indexes FollowSymLinks MultiViews
    AllowOverride all
    AuthType None
    Require all granted
</Directory>

Then I configured each proxy to avoid forwarding that path to the back-ends, by adding this to each of the individual virtual hosts that run proxying. The exclusion has to come before the catch-all ProxyPass, because Apache applies ProxyPass directives in the order they appear:

<Proxy *>
  # Apache 2.2-style access control; on 2.4 the equivalent is "Require all granted"
  Order allow,deny
  Allow from all
</Proxy>
# "!" excludes the path, so the challenge files are served locally from /srv/well-known/
ProxyPass /.well-known !
ProxyPass        / http://localhost:$port/
..

Then it came to be time to actually generate the certificates. Rather than using the official client I used a simpler one that allowed me to generate requests easily:

CSR=/etc/apache2/ssl/csr/
KEYS=/etc/apache2/ssl/keys/
CERTS=/etc/apache2/ssl/certs/

# generate a key
# (genrsa writes to stdout here, so the file is created with the shell's
#  default umask; make sure it ends up mode 0600 - it is the private key)
openssl genrsa 4096 > $KEYS/lumail.key

# make a CSR: an empty subject, with the hostnames carried as subjectAltNames
# in an extra [SAN] section appended to the stock openssl config
openssl req -new -sha256 -key $KEYS/lumail.key -subj "/" -reqexts SAN \
   -config <(cat /etc/ssl/openssl.cnf \
   <(printf "[SAN]\nsubjectAltName=DNS:www.lumail.org,DNS:lumail.org")) \
   > $CSR/lumail.csr

# Do the validation: acme_tiny drops the challenge responses into the
# directory Apache serves as /.well-known/acme-challenge/, then prints the
# signed certificate on stdout
acme_tiny.py --account-key ./account.key --csr $CSR/lumail.csr \
  --acme-dir /srv/well-known/acme-challenge/ > $CERTS/lumail.crt.new

And then I was done. One thing worth knowing: acme_tiny prints only the leaf certificate, so the Let's Encrypt intermediate still has to be fetched separately and configured as the chain (SSLCertificateChainFile in Apache), or clients that don't already have it will fail to build a trust path. Along the way I found some niggles:

  • If you have a host that listens on IPv6 only you cannot validate your request - this seems like a clear failure.
  • It is assumed that you generate all your certificates in their live location, e.g. you cannot generate a certificate for foo.example.com on the host bar.example.com (unless you arrange for foo's /.well-known/acme-challenge/ to be served from, or proxied to, bar).
  • If you forward HTTP -> HTTPS the validation fails. I had to set up rewrite rules to exempt the challenge path, for example lumail.org contains this:

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    RewriteRule ^/(.*) https://lumail.org/$1 [L]

The first issue is an annoyance. The second issue is a real pain. For example *.steve.org.uk is served from one machine, except for webmail.steve.org.uk. Since there are no wildcards, I created a single certificate with Alt-Names for a bunch of names such as:

  • ..
  • blog.steve.org.uk
  • start.steve.org.uk
  • ..

Then I'd separately create a certificate for the webmail host - which I've honestly not done yet.

Still I wrote a nice little script to generate SSL for a number of domains, with different Alt-Names, wrapping around the acme_tiny.py script, and regenerating all my deployed certificates is now a two minute job.

(People talk about renewing certificates. I don't see the gain. Just replace them utterly every two months and you'll be fine.)
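As an added example (not the author's script, and not part of acme_tiny), here is a wrapper of the kind described above: it runs the key/CSR/acme_tiny sequence for any number of hostnames, and before asking Let's Encrypt to validate it fetches a throwaway token over plain HTTP without following redirects, so a back-end that swallows /.well-known, or an HTTP -> HTTPS redirect, is caught first. The directory paths follow the post; ACME_DIR, ACCOUNT_KEY, OPENSSL_BASE_CONF and the argument handling are assumptions of this example.

```shell
#!/bin/bash
# Added example; not the author's script nor part of acme_tiny.
# Wraps key -> SAN CSR -> preflight -> acme_tiny for N hostnames.
# Paths follow the blog post; ACME_DIR, ACCOUNT_KEY, OPENSSL_BASE_CONF and
# the argument handling are assumptions of this example.
set -eu

CSR=/etc/apache2/ssl/csr
KEYS=/etc/apache2/ssl/keys
CERTS=/etc/apache2/ssl/certs
ACME_DIR=/srv/well-known/acme-challenge
ACCOUNT_KEY=./account.key

# san_list HOST... -> "DNS:host1,DNS:host2", the subjectAltName value
san_list() {
  local out="" h
  for h in "$@"; do
    out="${out:+$out,}DNS:$h"
  done
  printf '%s' "$out"
}

# san_config HOST... -> the stock openssl config plus a [SAN] section,
# which "openssl req -reqexts SAN" then picks up
san_config() {
  local base="${OPENSSL_BASE_CONF:-/etc/ssl/openssl.cnf}"
  if [ -r "$base" ]; then
    cat "$base"
  else
    # minimal stand-in when the distribution config is absent
    printf '[req]\ndistinguished_name = req_dn\n[req_dn]\n'
  fi
  printf '\n[SAN]\nsubjectAltName=%s\n' "$(san_list "$@")"
}

# preflight HOST: drop a random token where acme_tiny will put its
# responses and fetch it over http:// WITHOUT following redirects.
# Succeeds only if the body comes back verbatim, i.e. the path is served
# locally rather than proxied to a back-end or redirected to https.
preflight() {
  local host="$1" token body
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf '%s' "$token" > "$ACME_DIR/$token"
  body=$(curl -s --max-time 10 "http://$host/.well-known/acme-challenge/$token" || true)
  rm -f "$ACME_DIR/$token"
  [ "$body" = "$token" ]
}

# issue NAME HOST...: private key (mode 0600 via umask), SAN CSR, preflight
# of every name, then validation and an atomic swap of the certificate file
issue() {
  local name="$1" cfg h
  shift
  ( umask 077; openssl genrsa 4096 > "$KEYS/$name.key" )
  cfg=$(mktemp)
  san_config "$@" > "$cfg"
  openssl req -new -sha256 -key "$KEYS/$name.key" -subj "/" -reqexts SAN \
    -config "$cfg" > "$CSR/$name.csr"
  rm -f "$cfg"
  for h in "$@"; do
    preflight "$h" || { echo "challenge path not reachable on $h" >&2; return 1; }
  done
  acme_tiny.py --account-key "$ACCOUNT_KEY" --csr "$CSR/$name.csr" \
    --acme-dir "$ACME_DIR" > "$CERTS/$name.crt.new"
  mv "$CERTS/$name.crt.new" "$CERTS/$name.crt"
}

# e.g. ./issue.sh lumail www.lumail.org lumail.org
if [ "$#" -ge 2 ]; then
  issue "$@"
fi
```

The preflight deliberately uses curl without -L: a 302 to https:// comes back with an empty body and fails the comparison, which is exactly the redirect problem from the list above. The .crt it leaves behind is the leaf certificate only; the intermediate still goes in SSLCertificateChainFile, and Apache needs a reload after the mv.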


Finding and reporting trivial security issues

22 December 2015 21:50

This week I'll be mostly doing drive-by bug-reporting.

As with last year we start by using the Debian Code Search, to look for obviously broken patterns such as "system.*>.*/tmp/.*"

Once we find a fun match we examine the code and then report the bugs we find. Today that was stalin which runs some fantastic things on startup:

(system "uname -m >/tmp/QobiScheme.tmp")
(system "rm -f /tmp/QobiScheme.tmp"))

We can exploit this like so:

$ ln -s /home/steve/HACK /tmp/QobiScheme.tmp
$ ls -l /home/steve/HACK
ls: cannot access /home/steve/HACK: No such file or directory

Now we run the script:

$ cd /tmp/stalin-0.11/benchmarks
$ ./make-hello

And we see this:

$ ls -l /home/steve/HACK
-rw-r--r-- 1 steve steve 6 Dec 22 08:30 /home/steve/HACK
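The same attack reproduced as an added example (not from the stalin sources or the post), in a private scratch directory so it does not touch the real /tmp, with mktemp(1) shown as the fix. Everything runs as one user, which is why fs.protected_symlinks (Linux 3.6 and later; it blocks following another user's symlink in a sticky world-writable directory such as /tmp) does not get in the way here; the cross-user case from the post is the one that sysctl is meant to stop.

```shell
#!/bin/bash
# Added example, not from stalin or the blog post: the predictable-name
# tempfile attack in a private scratch directory, and the mktemp fix.
set -eu

# The victim-side pattern from stalin, "uname -m >/tmp/QobiScheme.tmp",
# with the attacker's symlink already planted at that name. Prints 1 if
# the attacker's chosen target got created/overwritten, 0 otherwise.
predictable_tmp_attack() {
  local scratch="$1" target="$1/victim-file"   # stands in for ~/HACK
  rm -f "$target"
  ln -sfn "$target" "$scratch/QobiScheme.tmp"  # attacker plants the link
  uname -m > "$scratch/QobiScheme.tmp"          # victim: the shell follows it
  rm -f "$scratch/QobiScheme.tmp"               # victim's own cleanup
  if [ -e "$target" ]; then echo 1; else echo 0; fi
}

# The same job done with mktemp: the name is unpredictable and the file
# is created with O_CREAT|O_EXCL, so a pre-planted link can never be hit.
mktemp_no_attack() {
  local scratch="$1" target="$1/victim-file" tmp
  rm -f "$target"
  ln -sfn "$target" "$scratch/QobiScheme.tmp"  # attacker plants the same link
  tmp=$(mktemp "$scratch/QobiScheme.XXXXXX")
  uname -m > "$tmp"
  rm -f "$tmp" "$scratch/QobiScheme.tmp"
  if [ -e "$target" ]; then echo 1; else echo 0; fi
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  echo "fixed name: target written = $(predictable_tmp_attack "$d")"
  echo "mktemp    : target written = $(mktemp_no_attack "$d")"
  rm -rf "$d"
fi
```

Run it with --demo to see the first function report 1 and the second 0. The point is the open(2) flags rather than the directory: a fixed name under /tmp is only safe if it is created with O_EXCL (and even then an attacker can deny service by pre-creating it), which is what mktemp gives you for free.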

For future reference, lsat (the Linux Security Auditing Tool) looks horrifically bad:

  • it writes multiple times to /tmp/lsat1.lsat and although it tries to detect races I'm not convinced. Something to look at in the future.


Some things are universal?

27 December 2015 21:50

I don't often do retrospectives, but this year has been an unusual one for me, as I moved to Finland almost six months ago.

The topic has come up in conversation a lot over the past few months, so when people ask me what I think I can give some simple answers without too much thought. Here's a brief summary.

There are some obvious changes:

The Traffic

The traffic drives on the right-hand side of the roads, which took a bit of getting used to, but isn't a huge surprise as I've travelled in Europe in the past. There aren't so many countries that drive on the left after all so most people probably wouldn't even notice this as odd.

When it comes to traffic one thing nice about Helsinki is that most junctions are "zebra crossings". Sure they don't have flashing lights, but they have shaded areas, and pedestrians have right of way.

As for transport the city of Helsinki has local trains, trams, buses and taxis. The trams and buses all use the same card for payment so transport is integrated very well. I buy a time-based card, spending about €50 for a month of unlimited travel. If you prefer you may add euros to your card and pay for distinct journeys - but that works out more expensive if you travel twice, or more, a day.

The Money

Finland uses the Euro these days, having switched from the Finnish markka in 2002.

Enough said.

Costs are largely in line with what I'd expect: Cigarettes are cheap, beer is expensive. Some things are very expensive, some things are very cheap. Largely the expensive things are those that are imported. It is a very small country after all.

The Language

Finnish is .. complex.

But I've not struggled too much. Mostly I can buy what I want without difficulty. There are weird exceptions though for example I went out to buy soup one day and had to return carrying only shame and disappointment: I can't read the language on the tins and what I thought was soup turned out to be a can of chopped tomatoes.

Food is good though, and available easily (!!). The only significant surprise when it comes to shopping is that loose goods must be weighed yourself. You pick up a bunch of bananas, take it to the scales, press the button that has a picture of a banana on it, and it prints out a label you attach to them - at the till the cashier will scan the label and charge you. If you forget, or don't know how to do it they'll tut and complain.

In daily life I use two phrases frequently and they are sufficient for communication:

  • "minua haluan ... kahvi|kakku|olut"
    • "I want ... coffee|cake|beer".
  • "kiitos"
    • "Thanks"

Usually people speak to me in English, which is a little annoying as it means I'm not learning as much as I could. But that said over the past few months I've had proper conversations entirely in Finnish with shop-keepers, and similar. So I'm getting better.

The Culture

Finnish people are friendly, but terse. That's the reputation.

The Finnish people are alcoholics, and have high rates of suicide. Also the reputation.

Finally we know that the Finnish people consume more coffee than the rest of the world.

All those things are true, but they're not enough by far to describe the people. Obviously they're all different, and we have a lot of people from other parts of the world here too - Russians, Asians, Somalians. So culture is complex .. but markedly different from the UK.

I could write more about this, but I think for the moment I'll just draw a line under culture and say that I'm enjoying the interactions with people here, and while many things are slightly "off", it's not bad. Just different.

Also saunas are fun. I've never had any qualms about being naked with strangers, so I don't really understand why Americans, and others, find this so difficult/surprising. But yeah, saunas are great.

Things that Finland is known for internationally: The invention of the molotov cocktail, rally-driving, hockey, world's strongest man, Moomins, Tom of Finland, Salmiakki.

The Weather

Not too hot. Not too cold. But that's largely because I'm one of those "hot" people who doesn't really get cold even at the best of times.

My ideal temperatures are about 13°C. My wife prefers 15°C, or more. We don't fight any more. Mostly.

Winter is apparently full of snow, but this year has been poor. We had the first snowfall yesterday, here in Helsinki, and we woke this morning to a blanket of snow about two inches deep. It looks pretty.

The biggest thing about weather in Finland is the constant darkness in winter, and the constant sun in Summer. In Summer there were like 22 hours of sunlight a day which made sleeping hard when we moved into our flat - with no curtains.

In winter it feels like there is 20 minutes of sunlight a day. It's not that bad here in the south, although I think it is something like five hours and less in the north. I've never had any real issues with depression, or similar: People have good days and bad days, I'd generally be "OK" or "great". In the darkness? I've been grumpy at colleagues, I've made bad choices, I've lapsed attention. I'm not sure I can blame it on the weather, or my reaction to the weather, but I know I've not been as "happy" as I "should".

It requires effort to be enthusiastic in a way I've never experienced before. Thankfully once I (slowly) realized this I took action and I think I'm good now.

Unlike the UK the buildings here are relatively modern. I think that's the biggest contributing factor to how houses are "warm". Houses have all been built in the last 50-100 years, so you have proper insulation. Even though it might be very very cold outdoors indoors you can be naked without heating. Try that in the UK and you might freeze in some of the older leakier houses!

You do have to laugh, though, when people point out "the oldest pub" in the city. Where I come from if a pub isn't 500+ years old you wouldn't give it a second's thought - places like The Golden Fleece, etc.

I could write more. I probably should. But it has been an interesting year, and although there are things I miss about the UK, and Edinburgh specifically, I have no regrets. I'm glad I came.

What triggered this post? I said "Some things are universal" to my wife, when I saw a child riding a bicycle they'd obviously just received for Christmas. Her reaction "No Finnish person would buy a bicycle at Christmas - they'd expect too much snow!". So perhaps it was another immigrant family.

Christmas bicycles universal, or not, it doesn't really matter.


I joined the internet of things.

30 December 2015 21:50

In my old flat I had a couple of simple radio-controlled switches, which allowed me to toggle power to a pair of standing lamps - one at each side of the bed. This was very lazy, but also really handy and I've always been curious about automation..

When it comes to automation there seem to be three main flavours:

X10

The original standard, with stuff produced by many vendors and good Linux support.

X10 supports two ways of sending/receiving commands - over the electrical wiring, and over RF.

Z-Wave

This is the newcomer, which despite that seems to be well-supported and extensible. It allows "measurements" to be sent/received in addition to the broadcast of events like "switch on", and "switch off".

Other systems - often lighting-centric

There are toy-things like the previously noted power-controlling things, there are also stand-alone devices from people like Philips with their philips hue system, but given how Philips recently crippled their devices to disable third-party bulbs I've no desire to use them.

One company caught my eye though, Osram make a smart lightbulb and mini-hub to work with it.

So I bought one of the osram lightify systems, consisting of a magic box and a pair of lightbulbs. The box connects to your wifi, and gets an IP address. The IP address is then used by the application on your mobile phone (i.e. the magic box does the magic, not the bulbs). The phone application can be used to trigger "on", "off", "dim", "brighter", and the various colour-changing commands, as you would expect.

You absolutely must use the phone-based application to do the setup, but after that the whole point was that I could automate things. I wanted to be able to setup my desktop computer to schedule events, and started hacking.

I've written a simple Perl module to let me discover bulbs, and turn them off and on. No doubt it'll be on CPAN in the near future, once I can pick a suitable name for it:

$ ol --bridge=192.168.10.136 --list
hall       MAC:8418260000d9c70c RGBW:255,255,255,255 STATE:On
kitchen    MAC:8418260000cb433b RGBW:255,255,255,255 STATE:On

$ ol --bridge=192.168.10.136 --off=kitchen

$ ol --bridge=192.168.10.136 --list
hall       MAC:8418260000d9c70c RGBW:255,255,255,255 STATE:On
kitchen    MAC:8418260000cb433b RGBW:255,255,255,255 STATE:Off

The only niggle was the fiddly pairing, and the lack of any decent documentation. The code I wrote was loosely based on the python project python-lightify written by Mikael Magnusson. Also worth noting that the bridge/magic-box only exposes a single port, so you can find the device on your VLAN by nmapping for port 4000:

$ nmap -v 192.168.10.0/24 -p 4000

The device doesn't seem to allow any network setup at all - it only uses DHCP. So you might want to make sure it gets assigned a stable IP; a DHCP reservation keyed on the bridge's MAC address does the job. Note too that nothing in the commands above involves any credentials beyond knowing the bridge's address, so anything that can reach port 4000 can send the same commands; keeping the bridge on its own VLAN is the sensible precaution.
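As an added example (not part of the post or of the Perl module), here is the port-4000 sweep with the bridge address picked out of nmap's grepable (-oG) output instead of read off by eye, so it can feed the --bridge option of a script. The SAMPLE_SCAN text is constructed for the example, not a real capture; the addresses reuse the post's 192.168.10.0/24.

```shell
#!/bin/bash
# Added example, not from the post or the Perl module: locate hosts with
# TCP port 4000 open from nmap -oG output. SAMPLE_SCAN is constructed.
set -eu

# bridge_candidates: read nmap -oG output on stdin and print the address of
# every host reporting 4000/open (closed and filtered ports are skipped)
bridge_candidates() {
  awk '/^Host:/ && /[[:space:]]4000\/open\/tcp/ { print $2 }'
}

# scan_for_bridges CIDR: live scan piped through the parser (needs nmap),
# e.g. scan_for_bridges 192.168.10.0/24
scan_for_bridges() {
  nmap -n -p 4000 -oG - "$1" | bridge_candidates
}

# Constructed sample of nmap -oG output: one up host with the port closed,
# one with it open (the bridge), one filtered.
SAMPLE_SCAN='# Nmap 7.01 scan initiated Wed Dec 30 21:00:00 2015 as: nmap -n -p 4000 -oG - 192.168.10.0/24
Host: 192.168.10.1 ()   Status: Up
Host: 192.168.10.1 ()   Ports: 4000/closed/tcp//remote-as///
Host: 192.168.10.136 () Status: Up
Host: 192.168.10.136 () Ports: 4000/open/tcp//remote-as///
Host: 192.168.10.140 () Status: Up
Host: 192.168.10.140 () Ports: 4000/filtered/tcp//remote-as///
# Nmap done at Wed Dec 30 21:00:05 2015 -- 256 IP addresses (3 hosts up) scanned in 5.12 seconds'

if [ "${1:-}" = "--sample" ]; then
  printf '%s\n' "$SAMPLE_SCAN" | bridge_candidates
fi
```

Running it with --sample prints only 192.168.10.136. Because the bridge takes whatever address DHCP hands it, running the live scan before each automation job (or on a cron) is a cheap way to cope until a reservation is in place.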

Anyway I'm going to bed. When I do so I'll turn the lights off with my mobile phone. Neat.

In the future I will look at more complex automation, and I think Z-wave is the way I'll go. Right now I'm in a rented flat so replacing wall-switches, etc, is something I can't do. But the systems I've looked at seem neat, and this current setup will keep me amused for several months!
