How to use chained SSL certificates

What are chained SSL certificates?

Normal "single root" certs are signed directly by a CA root, which clients recognise immediately because they ship with that root. Chained certs, on the other hand, are signed by an intermediate CA that is itself signed by another CA, which effectively makes your cert a "grandchild" of the CA root. Clients only carry the roots, so your server has to send the intermediate certs along with its own; otherwise validation fails on any client that doesn't happen to have the intermediate already. In the image attached you'll see a cert that is chained by two intermediate certs.

How to use chained SSL certificates?

Each server package needs its own configuration. This page doesn't explain how to set up SSL for each program; it only shows how to get chained certs into programs that already do SSL.

Apache

Apache has quite a lot of SSL functionality on board. I'm not going to discuss it all; the directives you're looking for are:

SSLCertificateFile [path to crt file here]
SSLCertificateKeyFile [path to key file here]
SSLCertificateChainFile [path to intermediate ca certs bundle here]

SSLCertificateChainFile is the directive intended for the intermediate bundle. Pointing SSLCACertificateFile at the bundle also works in practice, because OpenSSL builds the outgoing chain from whatever CA certs it was given when no explicit chain is configured, but that directive exists for verifying client certificates, so don't rely on it for the chain. In Apache 2.4.8 and later SSLCertificateChainFile is deprecated and the intermediates go into the SSLCertificateFile itself, directly after your own cert.

I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371 . Your SSL provider has a page with their own intermediate CA certs.

PureFTPd

My PureFTPd key and cert are both located in /etc/pure-ftpd/pure-ftpd.pem. To make ftp clients accept the SSL cert, I performed the following steps:

  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371 . Your SSL provider has a page with their own intermediate CA certs.
  2. I combined the contents of the key, my own cert and the intermediate CA certs into /etc/pure-ftpd/pure-ftpd.pem. The order of the certs is important: the server sends the file as-is, and TLS wants your own cert first, followed by each issuer in turn, so go back one parent at a time. My file contains from top to bottom: my private key, certificate for my domain, thawte DV SSL CA, thawte primary root. It doesn't need the thawte primary server CA as your client already has this one; the cert the client already trusts never needs to be in the file.
  3. Test it: openssl s_client -connect [your-hostname]:21 -starttls ftp . In the output, the "Certificate chain" section should list your own cert at depth 0 with the intermediates below it, and the verify return code should be 0 (ok) provided the root is in the CA store openssl uses (add -CAfile or -CApath if it isn't). Code 20 or 21 (unable to get local issuer certificate / unable to verify the first certificate) usually means an intermediate is missing from the file.

Dovecot

My Dovecot SSL key is located in /etc/pki/dovecot/private/dovecot.pem and my SSL cert is /etc/pki/dovecot/certs/dovecot.pem. To make email clients accept the SSL cert, I performed the following steps:

  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371 . Your SSL provider has a page with their own intermediate CA certs.
  2. I appended the contents of the intermediate CA certs to /etc/pki/dovecot/certs/dovecot.pem (the file Dovecot's ssl_cert_file or ssl_cert setting points at, depending on the version). The order is important: Dovecot sends the certs in file order, and TLS wants your own cert first, followed by each issuer in turn, so go back one parent at a time. My file contains from top to bottom: YourDomain.com, thawte DV SSL CA, thawte primary root. It doesn't need the thawte primary server CA as your client already has this one.
  3. Test pop3s: openssl s_client -connect popserver:995
  4. Test imaps: openssl s_client -connect imapserver:993

Postfix

My Postfix key and cert are both located in /etc/postfix/ssl/smtpd.pem, so smtpd_tls_cert_file and smtpd_tls_key_file both point at that file.
To make email clients accept the SSL cert, I performed the following steps:

  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371 . Your SSL provider has a page with their own intermediate CA certs.
  2. I combined the contents of the key, my own cert and the intermediate CA certs into /etc/postfix/ssl/smtpd.pem. The order is important: Postfix sends the certs in file order and requires the server cert to come first, followed by each issuer in turn, so go back one parent at a time. My file contains from top to bottom: my private key, certificate for my domain, thawte DV SSL CA, thawte primary root. It doesn't need the thawte primary server CA as your client already has this one.
  3. Test smtps: openssl s_client -connect [your-hostname]:465
  4. Test smtp with starttls: openssl s_client -connect [your-hostname]:25 -starttls smtp
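The order question that comes up in the PureFTPd, Dovecot and Postfix steps is worth checking mechanically before restarting services, since all of them send the file as-is. The following is an added example, not code from the original post: it builds a throwaway root/intermediate/server PKI with openssl so it runs offline, assembles the bundle in the right order, and then runs three checks on it: is every cert directly followed by its issuer, does the leaf chain up to the root, and was the root pasted in unnecessarily. Only the openssl binary is assumed; every CA name, hostname and file name is invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: build a chain file in the order TLS
# clients expect (server cert first, then each issuer in turn, root left out) and
# check it with openssl before pointing Apache, Postfix, Dovecot or PureFTPd at
# it. Only the openssl binary is assumed; every CA name, hostname and file name
# here is invented for the demonstration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root -> intermediate -> server PKI so the script runs offline. With a
# real certificate the intermediates come from your CA's support page instead.
make_test_pki() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Self-signed root: the one cert the client is assumed to have already.
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Test Root" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Intermediate signed by the root. Without CA:TRUE, path validation rejects it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Test Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/int.ext" -out "$dir/int.crt" 2>/dev/null
    # Server (leaf) cert signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$dir/srv.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/srv.ext" -out "$dir/server.crt" 2>/dev/null
}

# PEM bundle helpers. Only CERTIFICATE blocks are counted, so a private key at
# the top of the file (the Postfix/PureFTPd layout above) is simply skipped.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }
nth_cert() { awk -v k="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n == k' "$1"; }
nth_cert_field() {   # bundle index subject|issuer -> RFC 2253 name without its label
    nth_cert "$1" "$2" | openssl x509 -noout -"$3" -nameopt RFC2253 | sed 's/^[a-zA-Z]*= *//'
}

# 0 when every cert is directly followed by its issuer, the order TLS 1.2
# (RFC 5246, 7.4.2) demands in the Certificate message. The servers above send
# the file as-is, so a misordered file is exactly what the client receives.
chain_order_ok() {
    n=$(cert_count "$1")
    [ "$n" -ge 1 ] || return 1
    i=1
    while [ "$i" -lt "$n" ]; do
        [ "$(nth_cert_field "$1" "$i" issuer)" = "$(nth_cert_field "$1" $((i + 1)) subject)" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# 0 when the last cert is self-signed, i.e. the root was pasted in as well.
# Clients must already trust the root, so it only adds bytes to every handshake.
last_cert_is_root() {
    n=$(cert_count "$1")
    [ "$n" -ge 1 ] || return 1
    [ "$(nth_cert_field "$1" "$n" subject)" = "$(nth_cert_field "$1" "$n" issuer)" ]
}

# 0 when the first cert in the bundle chains up to the given root, using the rest
# of the bundle as untrusted intermediates. openssl verify does not care about
# order, so this passes for a misordered file too; hence the separate check.
verify_against_root() {   # bundle root.crt
    nth_cert "$1" 1 > "$WORK/first.pem"
    openssl verify -CAfile "$2" -untrusted "$1" "$WORK/first.pem" > /dev/null 2>&1
}

make_test_pki "$WORK"
cat "$WORK/server.crt" "$WORK/int.crt"    > "$WORK/chain.pem"        # correct order
cat "$WORK/server.key" "$WORK/chain.pem"  > "$WORK/smtpd.pem"        # key + chain, Postfix style
cat "$WORK/int.crt"    "$WORK/server.crt" > "$WORK/wrong-order.pem"  # issuer pasted above the leaf
cat "$WORK/chain.pem"  "$WORK/root.crt"   > "$WORK/with-root.pem"    # root pasted in as well

for f in chain.pem smtpd.pem wrong-order.pem with-root.pem; do
    if chain_order_ok "$WORK/$f"; then o=ordered; else o=MISORDERED; fi
    if verify_against_root "$WORK/$f" "$WORK/root.crt"; then v=verifies; else v="does not verify"; fi
    if last_cert_is_root "$WORK/$f"; then r="root included"; else r="root omitted"; fi
    echo "$f: $o, $v, $r"
done
```

Note that wrong-order.pem still "verifies": openssl verify searches the untrusted set rather than trusting the order, and openssl s_client is no different, so when testing a live server look at the "Certificate chain" listing in its output, where depth 0 must be your own cert, rather than only at the verify return code.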
© GeekLabInfo How to use chained SSL certificates is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info


Blocking .wwf attachments

Someone in Germany 'invented' a way to 'save trees': converting your attachments to .wwf format, a special .pdf variant that blocks printing. While that may be a great feature for blocking the printing of contracts and the like if you're running a malicious company, most people simply don't want this.

So the big question is: How do I block .wwf files?

Postfix

In /etc/postfix/main.cf uncomment or add the following line (on Debian-derived systems the pcre table type needs the postfix-pcre package):
header_checks = pcre:/etc/postfix/header_checks

Then edit /etc/postfix/header_checks and add the following line:
/Content-Disposition: .*\.wwf"/ REJECT Please don't send .wwf files.

Two caveats. First, this pattern only fires on a Content-Disposition header with a quoted filename; an unquoted filename= or a Content-Type name= parameter slips past it, and it matches case-insensitively only because pcre tables are case-insensitive by default. Second, attachment headers inside MIME parts are inspected through mime_header_checks, which merely defaults to $header_checks, so if you set mime_header_checks to something else, put the rule there as well. And since it is a filename check, a renamed file or an RFC 2231 encoded name (filename*=) walks straight past it; that is what the content scanners mentioned for the other MTAs are for.
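Before dropping a pattern into header_checks it pays to run it over the headers you expect to see. The following is an added example, not from the original post: it runs the pattern above and a tightened variant over a handful of constructed Content-Disposition and Content-Type headers, using grep -E -i as a stand-in for Postfix's pcre table (which is case-insensitive by default), so both patterns are written in ERE syntax. The sample headers are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: run the header_checks pattern over
# constructed Content-Disposition/Content-Type headers to see which attachment
# names it catches. grep -E -i stands in for Postfix's pcre table (which is
# case-insensitive by default), so the patterns are written in ERE syntax.
# The sample headers are made up for this demonstration.
set -eu

# The post's pattern: needs the literal "Content-Disposition: " prefix and a
# closing quote right after .wwf, so unquoted names and Content-Type slip by.
ORIGINAL='Content-Disposition: .*\.wwf"'

# Tightened pattern, modelled on the attachment example in the Postfix
# header_checks(5) man page: either header, quoted or unquoted name, and the
# name must end right after .wwf (so contract.wwf.pdf is not a false positive).
TIGHTENED='^Content-(Disposition|Type).*name[[:space:]]*=[[:space:]]*"?.*\.wwf"?[[:space:]]*(;|$)'

# 0 when the header line would be rejected by the given pattern.
rejects() {   # pattern header-line
    printf '%s\n' "$2" | grep -E -i -q -- "$1"
}

# Constructed headers; Postfix hands header_checks one logical header line at a time.
H_QUOTED='Content-Disposition: attachment; filename="savethetrees.wwf"'
H_UNQUOTED='Content-Disposition: attachment; filename=savethetrees.wwf'
H_CTYPE='Content-Type: application/pdf; name="SaveTheTrees.WWF"'
H_PDF='Content-Disposition: attachment; filename="contract.pdf"'
H_LOOKALIKE='Content-Disposition: attachment; filename="contract.wwf.pdf"'

for h in "$H_QUOTED" "$H_UNQUOTED" "$H_CTYPE" "$H_PDF" "$H_LOOKALIKE"; do
    if rejects "$ORIGINAL" "$h"; then o=REJECT; else o=pass; fi
    if rejects "$TIGHTENED" "$h"; then t=REJECT; else t=pass; fi
    printf 'original=%-6s tightened=%-6s  %s\n' "$o" "$t" "$h"
done
```

In Postfix's own pcre syntax the tightened rule reads /^Content-(Disposition|Type).*name\s*=\s*"?.*\.wwf"?\s*(;|$)/ REJECT Please don't send .wwf files. Test a candidate rule with postmap -q "Content-Disposition: attachment; filename=x.wwf" pcre:/etc/postfix/header_checks before reloading Postfix.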

Exchange

Attachment blocking in Exchange is usually performed by a virus scanner or spam filter. You could use, for example, Trend Micro or GFI to block .wwf files.

Sendmail

Depending on your setup, you could use amavisd-new, mailscanner or procmail to block out .wwf files.

qmail

To block attachments with qmail, you'll need Simscan. Simscan is a simple program that enables the qmail smtpd service to reject viruses, spam, and block attachments during the SMTP conversation so the processing load on the email system is kept to a minimum. The project is open source and uses other open source components. Small, very efficient and written in C.


Google Talk on Fedora 13

For a few days now, Google has had this great feature that allows you to dial land lines from your gmail account. Unfortunately, they only ship a Linux client for Debian/Ubuntu. I'm using a custom repository with a lot of custom-built RPMs, and I really don't feel like switching away from RedHat-style for servers and clients.

How to use the .deb file on Fedora?

  • First, go to gmail and click on the "call" icon in the left sidebar
  • Download the .deb file offered. I use x86_64, so I get the file google-talkplugin_current_amd64.deb
  • Start a shell
  • mv [filename] /tmp
  • mkdir /tmp/googletalk
  • cd /tmp/googletalk
  • now, extract the file: ar vx ../google-talkplugin_current_amd64.deb
  • you get 3 files, control.tar.gz data.tar.gz and debian-binary
  • extract data.tar.gz: tar zxvf data.tar.gz
  • I don't want the google crontab, which of course is debian-based, so I only copy relevant files: cp -R opt usr /

Now, on a Debian based system, we would be ready. But on Fedora the exact library versions the plugin was linked against are not present. Link the libs that are there under the names the plugin expects:

  • cd /lib
  • ln -s libssl.so.1.0.0a libssl.so.0.9.8
  • ln -s libcrypto.so.1.0.0a libcrypto.so.0.9.8

Restart Firefox. Now you're done.

Be aware that this is a hack: the plugin asks for OpenSSL 0.9.8 and is handed 1.0.0, a different ABI. It happens to work for this plugin, but it can break on the next OpenSSL update, and since nothing here went through rpm, yum knows about neither the plugin files nor the links, so you will have to remove them by hand later.


PCL to PDF conversion on CentOS 5.5

yum -y install libXt-devel libXext libXext-devel gcc
cd /usr/src
wget http://mirror.cs.wisc.edu/pub/mirrors/ghost/GPL/ghostpdl/ghostpdl-8.71.tar.bz2 http://mirror.cs.wisc.edu/pub/mirrors/ghost/AFPL/GhostPCL/urwfonts-8.71.tar.bz2
for i in ghostpdl*.tar.bz2 urwfonts*.tar.bz2 ; do tar jxvf $i;done
mkdir -p /usr/share/ghostpdl/fonts
mv urwfonts-8.7.1/*.ttf /usr/share/ghostpdl/fonts
cd ghostpdl-8.71
sed -i "s|/windows/fonts/;/win95/fonts/;/winnt/fonts/|/usr/share/ghostpdl/fonts|g" pl/pjparse.c
make

It's all pretty much the default stuff, except for the required libs and the fonts. If you don't have the -devel packages, you get weird errors while compiling that don't show exactly what is missing. The tarballs are fetched over plain http with no checksum or signature check, so verify them against what the upstream release publishes before you build and run the result as root.

The build leaves the PCL interpreter, pcl6, under main/obj; converting is then a matter of pcl6 -sDEVICE=pdfwrite -sOutputFile=output.pdf input.pcl. To generate A4 output, add @PJL SET PAPER=A4 to the pcl input file.


Useful VPN Services

Say you're living in China, and you have no web freedom whatsoever. Or in the Netherlands, and your favorite Linux distro download site has been blocked by the corrupt "elite". Then having a tunnel to outside the country could be very useful.

I found two VPN services that seem very promising:
ItsHidden.com
MacroVPN.com

Keep in mind that a VPN only moves the trust: the provider sees every byte you send through it, so anything that matters should still be encrypted end to end.


MS Core fonts on Fedora 13

Due to licensing issues, Fedora cannot include the "core" fonts Arial, Times, Verdana etc. Instead, Fedora offers an alternative under the name "Liberation fonts". Well, great. Except that 99.9% of all documents I receive use these core fonts, and I'm not planning to do a find and replace on each and every document I open.

So, I'm sorry to say this: I think trying to replace the core fonts is simply stupid.

How to build your own font package

wget https://www.geeklab.info/wp-content/uploads/2010/06/msttcore-fonts-2.0-3.spec
yum install rpm-build cabextract
rpmbuild -ba msttcore-fonts-2.0-3.spec

Now install your package

sudo rpm -i ~/rpmbuild/RPMS/noarch/msttcore-fonts-2.0-3.noarch.rpm
