A while after the Heartbleed SSL vulnerability made headlines, Wired.com ran an article titled "It's Time to Encrypt the Entire Internet" urging everyone to deploy SSL/TLS encryption on their sites.
SSL certificates tend to be pretty expensive, though, which is one reason I hadn't looked into it that closely in the past. In a Reddit comment thread about that Wired article some people mentioned Namecheap as a good option for simple SSL certs. So, I got a simple domain-level certificate for $9 for Kirsle.net. :) So all kirsle.net URLs are now running over https
! This blog post is about the experience of setting up SSL and wrestling with various applications in the process.
The simplest guide I found that I followed to make a certificate was Generate CSR - Apache OpenSSL. One command creates a passphrase-protected key file, the next one generates the signing request:
openssl genrsa –des3 –out kirsle.key 2048
openssl req -new -key kirsle.key -out kirsle.csr
You apparently need a 2048-bit RSA key these days before a Certificate Authority will consider your signing request. I pasted in my CSR file and filled out some forms, got an e-mail verification sent to the address on my WHOIS record for my domain, and before I knew it I was e-mailed a zip file containing my certificate and the Comodo CA certificates.
Various apps will need your Certificate Authority's chain to be in a single file. You can create this file by cat
ting the certificates into one file in "reverse" order, with your site's certificate on top, and the root certificate on bottom. Comodo gave me these files (and this is also the order for the chain file):
www_kirsle_net.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt
So I generated the chain as follows:
cat www_kirsle_net.crt COMODORSADomainValidationSecureServerCA.crt \
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > cacert.pem
I'm running a Debian server, so I just symlinked the ssl.load
and ssl.conf
files from my /etc/apache2/mods-available
into my mods-enabled
, and then edited the ssl.conf
. All I changed in it was to uncomment the SSLHonorCipherOrder on
line.
I removed the sites-enabled/default-ssl
and then edited my Kirsle.net config file to add a <VirtualHost *:443>
version. I had to look at the default-ssl
file to get an idea which options were needed (if I missed any, Apache would fail to start!)
Relevant SSL options for my VirtualHost:
# SSL
SSLEngine on
SSLCertificateChainFile /etc/ssl/crt/cacert.pem
SSLCertificateFile /etc/ssl/crt/www_kirsle_net.crt
SSLCertificateKeyFile /etc/ssl/crt/kirsle.key
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Note: if you leave out the chain file, web browsers will still behave fine (because they're smart enough to download the intermediary certificates themselves), but other things will break. For example, the Python requests
module will throw an SSL exception if the server doesn't give it the intermediary certificates!
After making sure https://www.kirsle.net/
was working, I made an update to my Rophako CMS to support SSL sites better and then made the switch-over. Any requests going to my HTTP Kirsle.net are redirected to the SSL version and given a Strict Transport Security header.
As a fun side note, Apache supports Perfect Forward Secrecy by default (using the default SSLCipherSuite option of HIGH:MEDIUM:!aNULL:!MD5
).
Starting or restarting Apache requires you to enter the SSL key's passphrase at the command line. For simple config updates, service apache2 graceful
will reload them without needing a full restart, so you don't need to enter the passphrase then.
I use Dovecot for my IMAP mail server on Kirsle.net, and I wanted it to use my shiny new SSL certificate. Before this, I was using a self-signed certificate, and apparently Thunderbird doesn't even warn you if that self-signed certificate changes at any point. After the Heartbleed vulnerability was fixed, I re-generated new self-signed certs and was shocked that Thunderbird happily accepted the new certificate without even telling me. It would've been extremely easy to Man-in-the-Middle my e-mail server. (I had since then installed an extension in Thunderbird to police SSL certificates for me as a workaround).
So, configuration is pretty simple, just edit /etc/dovecot/conf.d/10-ssl.conf
and enter in the new paths to your chain file
and private key. Note that if you use just your domain's certificate, clients like Thunderbird that support SSL properly will complain about the certificate being insecure, and unlike web browsers, Thunderbird doesn't bother downloading the intermediary certificates itself.
One catch with Dovecot is that if your private key file is encrypted with a passphrase like mine is, doing service dovecot restart
won't work. Dovecot will start in a way where it won't support TLS but will otherwise appear to function normally.
To start Dovecot with a passphrase, you need to run dovecot -p
(as root) to start the service. It will prompt for your passphrase at the command line and then start up. The service can be stopped normally using service dovecot stop
.
This one I'm a bit upset about. Postfix has absolutely NO support for using a passphrase protected TLS key file! Even their official documentation states that the key file must not be encrypted.
That is so full of wtf. Postfix is a widely deployed SMTP server for Linux, and it has to use insecure, unprotected TLS key files. So, I'm still using a self-signed certificate for Postfix (and my Thunderbird add-on will tell me if this certificate ever changes, so don't get any ideas!). I don't send outgoing mail very often, anyway, and if I care enough I'll PGP encrypt. But, I'll be looking into an alternative SMTP server sometime soon.
The reasons for the switch-over are numerous:
index.cgi
on Kirsle.net was sucking up so much memory. ;)I named the new project Rophako, because I was sitting at the Github "new repository" screen for a half hour trying to think of a name, and ended up just making use of my Azulian Translator to come up with a name. So, Rophako is Azulian for "Website." I'm a clever genius, I know. ;)
You can check out Rophako on Github: https://github.com/kirsle/rophako. The "default website" that comes with it isn't very polished yet; I literally just finished writing the code to support Kirsle.net. So, sometime later I'll tidy up the default website and have a working copy of it running on some subdomain like rophako.kirsle.net.
Anyway, this is the new CMS. I ported over all my old blog posts, comments, comment subscriptions, and things of the sort. All the old URLs should work too, due to my kirsle_legacy.py module in Rophako. If anybody finds any broken links or issues with the site, let me know. :)
Update (4/9/14):
I've polished up Rophako's default site and have an example running here: http://rophako.kirsle.net/
That's the site you'd get if you download and install Rophako (minus the blog posts and photos ;) ). So... the project is officially in "beta" status now and is usable!
That's right, the Windows Live Messenger protocol is still perfectly alive and well today. A while back, I booted my Windows OS on my PC where I still had Pidgin set up to sign me into MSN, and surprisingly it still worked. One of my Skype contacts sent me a message over Pidgin, and their "MSN e-mail address" had an "@SkypeDomain.fakedomain" domain part. It seems that now, though, while the MSN servers are still up, they at least block non-Chinese users from authenticating (Pidgin says "invalid response from server").
The Skype/MSN merger was done in a pretty half-assed way by Microsoft:
I don't get why Microsoft doesn't just pull the plug on MSNP completely, and force everyone to get a Skype name if they don't already have one linked with their MSN accounts.
My Minecraft servers are being rearranged as well. This new machine has 5 IPv4 addresses, and each of my MC servers will get its own IP and hostname instead of having to juggle port numbers.
See the comment privacy policy for details and a global unsubscribe form.
If anyone's interested, I wrote a Perl script that downloads and installs Firefox Nightly on a Unix-like operating system.
By default, it installs the application into /opt/firefox-nightly
, with a link to run it at /usr/bin/firefox-nightly
. This way, it doesn't conflict with your already-installed version of Firefox. Furthermore, it will put a launcher item in your Applications/Internet menu.
You can get it from here: http://sh.kirsle.net/ffnightly
$ mkdir ~/bin
$ wget http://sh.kirsle.net/ffnightly -O bin/ffnightly
$ chmod +x bin/ffnightly
$ ffnightly
This command will turn off the monitor on a Linux box from the command line (sorta like what happens when you have your power saving options configured to do this automatically after a length of time):
xset dpms force offThe monitor turns off until you hit a keyboard button or move the mouse. With this info you could set up a keyboard shortcut to run this command and have something like a "lock screen button" on your netbook, to turn off the display on command and conserve battery life for a little bit longer than usual.
For a "lock screen button" that also locks the screen in addition to turning it off, a pair of commands like this may be handy:
xset dpms force off; xscreensaver-command --lock
It is now running on the same code that Siikir runs on. I did this for a few reasons:
/blog.html?u=kirsle&id=114
you get nicer looking URLs like /blog/kirsle/kirsle-cms-upgrade
.All the old links to old pages on kirsle.net will now automatically redirect to their new locations.
Back when I was about 16 or 17 years old, I created a gay social networking site named RainbowBoi. I later rebranded it to XYBois before losing interest in it entirely, and now it's called Siikir. Anyway, I decided to dig up my old backups of this site to dig up the picture of the guy I think I'm talking to. It was him.
But poking around at the user profile data for the old sites, I got the idea to try dusting the code off and get it running again on my local web server... just for nostalgia's sake. Get the site up, dos2unix convert all its data files so that I can log into it, and just click around and see how the site used to be back in its day, back from 2005-06.
Throughout this blog post, all the small screenshot thumbnails can be clicked to view the full size.
(the homepage. click for bigger screenshot)
This version of the site was in the middle of being rebranded. The Perl source code that powers the site is also the same code I had written for my old AiChaos site, which you can see here on my archive subdomain. The code is ugly to look at, because I was relatively new to programming.
But newbie as I was, I was apparently quite ambitious. This site was very featureful: it had social networking features (including photo comments and private messaging and search and friend lists), it had helpful articles to read about coming out of the closet and topics like that, it had some public photo albums which were surely pretty popular, it had a "straight-acting" quiz. It even had a chat room, where I had programmed my own chat protocol, client program and server from scratch.
It even had used Image::Magick to scale the user photos down, and calculated ages based on birthdates, and syndicated RSS feeds for display on the site. I definitely knew my stuff back then, even if I didn't have a good coding style down yet.
I miss the days when I used to have this kind of free time on my hands. Whenever I dust off my old projects and play around with them, I keep seeing really ambitious ideas. The code may not be pretty, but it is featureful. I don't create anything nearly this cool nowadays. I just don't have the free time or the motivation to do it.
Maybe this is the consequence of doing what you love as a job. As a software developer, I spend all day long writing code to get paid and by the time I'm done, I don't feel like writing any more code for the day. And then on the weekends I just wanna relax and try to have a social life, or else just watch TV and play videogames.
/sigh
Here are 6 more screenshots of the old RainbowBoi/XYBois.
It would basically be a miniature PC that resembles an Android phone, but which isn't a phone, but which you can just install Skype on if you really need to make a phone call, since it could still get cellular data service.
And, being like a miniature PC, it would be as open to operating systems as a real PC; it would be just as easy to install and reinstall Android firmwares (or any compatible OS) to it as it would reinstalling your operating system on your laptop.
I imagine Dell would be a good manufacturer for such a device; they would market it just like they market netbooks, as being just a mini PC that happens to run Android (preferably the stock vanilla Android as Google intended it, but being open you could flash any version of Android you want).
If such a device existed I would buy it as soon as it came out. I'm quite sick of the way phone carriers abuse the Android OS and wish there could just be a seriously open device.
0.0025s
.