In his "Burning Apple" story Triv wrote:
I ran downstairs to get the fire extinguisher. You do have one right? Don’t be a statistic!
I did not have one. Now I do. I also decided I will buy a smoke detector.
I have one server that goes by the hostname of "bert.secret-wg.org". It has other identities too; "www.trend-watcher.org" and "www.net-dns.org" are examples.
The Apache documentation claims that name-based virtual hosting and SSL cannot work together.
Fortunately there is a hack that works: there is an X.509 extension called subjectAltName that lets you create one certificate covering all the identities your server uses.
There are a couple of things that I stumbled upon that might be nice to know if you try to set this up yourself.
In order to be compatible with Firefox you will need to specify the hostname in your subject's common name (CN), but you will also need to specify that same hostname in the set of subjectAltNames.
In order to have your CSR carry all the subjectAltNames you need, you will have to hack your openssl.conf file.
What follows are the relevant portions of the openssl.conf. First the [req] section, which refers to the "req_distinguished_name" section:
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
Here is the "req_distinguished_name" section. For each subjectAltName you want to use you will have to add two lines to the conf file.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = North Holland
localityName = Locality Name (eg, city)
localityName_default = Amsterdam
0.organizationName = Organization Name (eg, company)
0.organizationName_default = The Secret Working Group
# we can do this but it is not needed normally 🙂
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Web Server
commonName = Common Name (eg, YOUR name)
commonName_default = bert.secret-wg.org
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = olaf@dacht.net
0.subjectAltName = Subject altname
0.subjectAltName_default = DNS:www.net-dns.org
1.subjectAltName = Subject altname
1.subjectAltName_default = DNS:www.secret-wg.org
2.subjectAltName = Subject altname
2.subjectAltName_default = DNS:www.trend-watcher.org
3.subjectAltName = Subject altname
3.subjectAltName_default = DNS:bert.secret-wg.org
Once you have this in place you run openssl:
openssl req -config special.conf -new -key private.key -out certificat_sign_request.crs
It is this beast that you want to get signed by your certificate authority, which gets us to the next problem.
There is a feature (bug) in openssl. Even if the "copy_extensions" directive in the openssl.conf file reads "copyall", the CA fails to copy the subjectAltNames. You will have to configure the subjectAltNames that need to appear in the signed certificate into your CA's openssl.conf, otherwise they will be stripped.
So in your CA’s openssl.conf you will have to put somewhere in the ‘[usr_cert]‘ section:
subjectAltName=DNS:www.net-dns.org,DNS:www.secret-wg.org,DNS:www.trend-watcher.org,DNS:bert.secret-wg.org
Of course you should not forget to remove this line once you have signed the certificate.
In theory you can of course skip hacking the openssl configuration for the certificate signing request and just have the CA introduce the subjectAltNames; that is what is effectively being done now. But remember, setting the subjectAltNames by the CA is a workaround that should not be needed in the future.
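The whole CSR-then-sign procedure above, as an added, self-contained example that is not code from the original post: it carries the SAN list as a genuine CSR extension (req_extensions, rather than the prompt-based subjectAltName fields in the DN section), signs it with a throwaway CA whose [ CA_default ] section has copy_extensions = copyall, and reads the SANs back out of the signed certificate to check that nothing was stripped. The hostnames are the post's; the "Demo CA", file names and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: put the subjectAltName list
# into the CSR as a real request extension, sign with a throwaway CA that has
# copy_extensions = copyall, and read the SANs back from the signed certificate.
set -e

san_cert_demo() (
  d=$(mktemp -d) && cd "$d"
  mkdir newcerts && : > index.txt && echo 1000 > serial
  cat > demo.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
commonName = bert.secret-wg.org
[ v3_req ]
subjectAltName = DNS:www.net-dns.org,DNS:www.secret-wg.org,DNS:www.trend-watcher.org,DNS:bert.secret-wg.org
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 365
policy = policy_any
copy_extensions = copyall
[ policy_any ]
commonName = supplied
EOF
  # throwaway CA, constructed for this demo only
  openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Demo CA" -days 365 -keyout ca.key -out ca.pem 2>/dev/null
  # server key and CSR; the CSR itself now carries the SAN extension
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr 2>/dev/null
  # sign; copy_extensions carries the CSR's SANs into the certificate
  openssl ca -batch -config demo.cnf -notext -in server.csr -out server.pem 2>/dev/null
  # print the SAN line of the signed certificate so it can be checked
  openssl x509 -in server.pem -noout -text | sed -n 's/^ *\(DNS:.*\)$/\1/p'
)

san_cert_demo
```

The two details that matter are that copy_extensions sits in the [ CA_default ] section named by default_ca and that the SANs arrive in the CSR as an extension rather than as subject DN fields; with both in place no subjectAltName override in the CA's [ usr_cert ] section is needed.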
The Apache configuration is trivial. For each virtual name you will have to set up a virtual host on both port 80 and port 443.
<VirtualHost 192.168.0.1:80>
ServerName www.net-dns.org
(… the usual cruft …)
</VirtualHost>

<VirtualHost 192.168.0.1:443>
ServerName www.net-dns.org
(… exactly the same usual cruft …)
# use exactly the same SSL key and CERT for each of the virtual SSL servers
SSLCertificateFile /usr/local/certs/bert.secret-wg.org-http.pem
SSLCertificateKeyFile /usr/local/certs/bert.secret-wg.org-http.key
</VirtualHost>
So now I can set up a secure connection without all the warning boxes, as long as the proper CA root certificate has been loaded into my browser.
I never, in my wildest imagination, figured how Stan and Eric would look in a manga. http://daisy44.deviantart.com/art/Stan-Kyle-Eric-Kenny-153223432 features a couple of images.
Now I did try to imagine what Kyle, Stan, Eric and Kenny would be doing as adults. My guess would be loitering chain-smokers and alcoholics… (on the other hand Kenny might not live to be 26).
I have not yet started to get my finger behind Plog's plugins (this evening's project was not Blog but Mail: I finally got around to having my home gateway talk SASL/TLS to my main server, which acts as a relayhost so that all my mail leaves from one server), but the template structure is cool enough in itself. It's one of those appealing little features of the plog architecture.
The AmIAScreenSaverOrNot screensaver is a very nice hack. It just grabs pics from http://www.hotornot.com and displays them, one by one. While trying to figure out how that hack worked I noticed that HotorNot has an RSS feed nowadays. That makes hacking up a template that shows the latest 10 girls on HotorNot a trivial exercise.
The result can be found at http://www.trend-watcher.org/static/ladies.
The core of the template only counts a few lines:
{include file="trend-watcher/header.template"}
{* fetch and parse the feed; everything below only runs if parsing succeeded *}
{if $rss->parse("http://services.hotornot.com/rss/girls/")}
{assign var=channel value=$rss->getChannel()}
<a href="{$channel->getLink()}">{$channel->getTitle()}</a>
{$channel->getDescription()}
{* show the first 10 items, each as a link followed by its description *}
{foreach name=articles from=$rss->getItems() item=rssItem}
{if ($smarty.foreach.articles.iteration <= 10)}
<a href="{$rssItem->getLink()}">{$rssItem->getTitle()}</a>
{$rssItem->getDescription()}
{/if}
{/foreach}
{/if}
{include file="trend-watcher/panel.template"}
{include file="trend-watcher/footer.template"}
Today I made an announcement on our internal maillinglist. I told my colleagues that I walked into an irresistible opportunity and that I will be leaving the organization.
It is the sort of announcement over which you should be happy but which brings you mixed feelings. Perhaps because I still feel part of a very good team.
Anyway, the dice has rolled (*). It is now public knowledge that I'll be joining NLnet Labs as of September 1 with the intent to take over responsibilities as a director per January 1, 2006.
But I am not gone yet. I still have things to do and projects to finish. So although I announced that I’ll be going, I’m not ready to leave yet.
* that's the second time I use that term today.
I just upgraded this blog from plog 0.3 to version 1.0. The upgrade procedure works like a charm, and the admin interface and the xmlrpc are improved. It's worth the step, and it's worth not waiting for the FreeBSD port to be available.
The events in Rome made me dig up a little avant-garde masterpiece from my vinyl collection.
Blessed Easter Track 2 from “Rome Remains Rome” by Holger Czukay (1987) (also available on Amazon)
The credits on the cover read: We were blessed by the appearance of his holyness popestar Woytyla and is swining nuns during the easter ceremonies.
3 Songs that start with the cry of a cock.
Are there more?
Earlier I wrote that Bert submitted an April 1 RFC. Unfortunately it will not be published. The reason given is its length, and I must admit it was somewhat bulky. Below is the response from the RFC Editor. I obfuscated parts of the mail so that the members of the Secret Working Group are not disclosed and we still have a possibility to publish the idea in a condensed form somewhere else.
We feel that this is too large and ponderous to fit into the
mold of April 1 RFCs. We do appreciate the satire on ******
****, but publication as an RFC does not seem like the
right venue for this. For one thing, it would be hard to
justify the resources for publishing a 36 page April 1 RFC.
Thank you for your submission.
RFC Editor
Bert just received his first job offer. I guess that Sandy googled a bit and mailed the addresses she harvested. I am considering having Bert reply and seeing if we can get him to fly over (Fedex?) for an interview… Suggestions are welcomed.
I work in the staffing department at Infoblox. We are looking for a Senior Software DNS Internals expert to join our company. I would appreciate any referrals you might have.
Infoblox (www.infoblox.com) designs, develops and sells DNS/DHCP, Radius and LDAP appliances. Founded in 1999, Infoblox has shipped over 2000 products to over 400 customers, with over 50 Fortune 500 companies as customers.
The technical team combines next generation database experts with notable contributors to key internet technologies including: Cricket Liu, author of O’Reilly’s "DNS and Bind"; Stu Bailey, former tech lead at National Center for Data Mining at University of Illinois, Chicago; Alan Dekok, principal contributor to FreeRadius.
Location: Sunnyvale, CA (Silicon Valley)
Title: Senior Software DNS Internals Engineer
The key responsibilities:
_ Design and implement Secure DNS (DNS-SEC)
_ Provide extensions, enhancements, transitions from current products to nextgen products
_ Analyze customer and marketing requests for feasibility, costs and effort
_ Provide input to project schedules and report progress
_ Analyze defect reports, provide patches when required
_ Write technical specification and internal operation guides
If you have any questions or would like to apply, please send me your resume or give me a call.
For a complete list of positions visit: http://www.infoblox.com/company/careers.cfm
Sandy Perlman
Technical Staffing Manager
408-331-6945 Desk
408-483-1122 Cell
408-331-6971 Fax
www.Infoblox.com