exporting IIS SSL certificates for use in Apache

I didn’t think you could do this, but it is possible to export SSL certificates created under a Windows IIS environment for use in Apache. Here’s how to do it:

  1. On the Windows box, fire up Microsoft Management Console (mmc.exe) and add the Certificates snap-in. Choose Computer Account and then Local Computer.
  2. Find the certificate that you want to export and choose All Tasks > Export. Follow the Export wizard and make sure you export the private key too. You’ll be asked for a passphrase to use to encrypt the key.
  3. Take the PFX-format file that was created by the wizard and copy it to your UNIX machine.
  4. Use OpenSSL’s pkcs12 command to convert the PFX file (which is itself PKCS#12 format) into PEM text:
    $ openssl pkcs12 -in whatever.pfx -out pfxoutput.txt
    
  5. The PEM output file is basically a concatenation of the private key and the certificate, so use vi to slice it up into two files: a .crt for the cert and a .key for the private key.
  6. If you want to remove the passphrase from the key (highly recommended in a production environment where Apache must start up unattended) then just run:
    $ openssl rsa -in encrypted.key -out unencrypted.key
    

That’s it! You can now use the key and cert in your Apache config files.
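As an added example (not from the original post), steps 4 to 6 done with openssl alone instead of slicing the PEM file by hand, plus a check that the extracted key and certificate actually belong together before Apache is pointed at them; the file names and passphrase are hypothetical, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not the post's own commands: unpack an IIS-exported .pfx into
# an Apache-ready .key and .crt with openssl, then verify the pair matches.
# Assumes openssl on PATH; every file name here is hypothetical.
set -eu

# split_pfx PFX PASSPHRASE OUTBASE
#   writes OUTBASE.key (private key, passphrase removed as in step 6) and
#   OUTBASE.crt (the server certificate only, without any CA chain).
split_pfx() {
    pfx=$1; pass=$2; base=$3
    # subshell so the restrictive umask (key must not be world-readable)
    # does not leak into the caller
    (
        umask 077
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$base.key"
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$base.crt"
    )
}

# pair_matches KEY CRT: succeeds only if the public key inside CRT is the one
# derived from KEY; a mismatched pair is the usual reason Apache refuses to
# start after a manual slice-and-paste of the PEM file.
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}
```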

provisioning a new SPA-941 IP phone with Asterisk

I recently returned my fancy-pants Cisco 7960G IP phone to Devlin, and in its place I purchased a Linksys (formerly Sipura) SPA-941. I’d spoken with my friend & colleague Dan Fraser over at One Stop Media who are using these handsets quite successfully in conjunction with an Asterisk PBX system, so I decided to pick one up. Dan specifically recommended against the SPA-841, saying the voice quality was poor, and although he said the Grandstream sets (such as the GXP-2000) have decent sound quality, they are really ugly, and I have to agree. I wanted a decent-looking set that I could also autoprovision using TFTP and evangelize to people on the road about VoIP.


toothpaste for dinner RSS workaround

Those of you who know me know that I am a huge fan of the online comic Toothpaste for Dinner. Drew’s brand of humour matches mine very closely, only he has far funnier jokes. Often they hit pretty close to home, if you’ve worked in IT for any length of time. For example, I often read Infoworld’s "Off The Record" for horror stories — there was one in February about a boss telling an employee to "take it to the next level" (which usually means some kind of a death march). Now check out this cartoon — spot on!

Unfortunately TPFD’s RSS feed has been broken for some time, and even though I emailed Drew about it, I don’t really expect him to fix it. After all, his FAQ says the following:

24. You should make a search engine. You should make an RSS feed.

I already did, you just didn’t even bother to look around to find them. WHY DIDN’T YOU SPEND ONE MINUTE CLICKING ON MY WEBSITE BEFORE WRITING ME?! If you know what RSS is (don’t worry if you don’t, it is actually pretty useless, but nerds get mad if you don’t have an RSS thing on your site) then you know how to find if a site has an RSS feed.

Not that I care — I’d rather he make funny cartoons than worry about broken RSS feeds. Edit: I had taken it upon myself to create an on-demand fix of the RSS feed, but Drew expressed consternation in private correspondence that I appeared to be creating a public RSS feed of his content, and while I don’t agree with him for a number of reasons, I’m abiding by his wishes and removing the public link to my RSS re-feed.

Those of you who are programmers can simply write your own script to s/&date/&date/g; his RSS feed on the fly.

on hacking the Unisys ICON

Some time ago I had promised to reminisce a little bit about the Unisys ICON terminals that I used through elementary school and high school, and some of the fun things we did with them (not all of them sanctioned by the school, of course). After reading in ;login: magazine about Dru Lavigne’s efforts [USENIX members only] to catalogue old protocols, I’ve been inspired to add a few words about the trusty old ICON.


visiting the Canadian Clock Museum

Today I’m going to digress a bit from modern IT topics and talk about an aspect of turn-of-the-century IT that many of us have forgotten about: the venerable analog clock. It was less than 100 years ago that a wall-mounted, spring-driven, windup analog clock was still considered a major appliance. Salesmen used to go door-to-door and sell clocks; sometimes they would loan one to a household for a month to see how they liked it, and many times a household would find that they couldn’t do without it and would purchase it.

How do I know all of this? Because I recently visited the Canadian Clock Museum in my home town of Deep River, Ontario. Both Meredith & I expected to be underwhelmed, as many small-town museums are poorly-lit, haphazardly organized, and with little regard to proper museum cataloguing and preservation techniques. However, we were duly impressed with the clock museum, which has over 1000 artifacts, bootstrapped by more than 600 clocks from owner Allan Symons’ personal collection. The story goes that Allan retired from the local AECL research facility after 27 years, and once he hit 600 clocks his wife made him move the collection out of the basement, and so the museum was born.

The $5.00 admission fee includes a tour by Allan himself, which is well worth the money. Allan’s visibly passionate about the clocks that he has collected, preserved and/or restored, and it shows — he stayed over an hour past closing time to answer our questions and lead us through the museum. He has an intimate knowledge of clock machinery and clock history in Canada — he has an extensive collection of clocks from the now-defunct Western Clock (a/k/a Westclox) company based out of Peterborough, among other artifacts.

The museum also has a handful of other interesting artifacts, such as a collection of windup gramophones. Among them is an original Edison wax-cylinder gramophone with a number of four-minute (!!!) records. For a device that’s over 100 years old, the sound quality is actually surprisingly good.

If you’re ever in the Deep River area or even just driving through Deep River along Highway 17, I highly recommend dropping into the clock museum for a tour to learn about this fascinating piece of our history.

configuring amavisd-new and ClamAV always pisses me off

For about the tenth or fifteenth time in my career, I’m (re-)configuring a virus and spam scanning gateway machine using amavisd-new and ClamAV as the virus filter. This process has admittedly gotten easier over the years, but by no means is it totally foolproof. You still have to know what you are doing, and fortunately my 5+ years of experience managing similar setups comes in handy. The permissions issues still aggravate me, though.


the pros and cons of Power over Ethernet

Spurred on by a recent thread on the TAUG mailing list, I’ve been thinking about the cost vs. benefits of Power over Ethernet (PoE). PoE is a way to use the extra 4 wires in 10/100/1000BASE-T Ethernet wiring to power devices. The obvious application is to power IP telephones. Cisco has been doing this for a while using a proprietary solution which is similar to the PoE standard, IEEE 802.3af. The standard defines a protocol for detecting whether a device (a powered device, or PD) is capable of receiving power before any is applied, so that non-PDs don’t get fried by 48 VDC being sent down the wire. The protocol also determines how much current the PD will draw, and classifies the PD into a device class. All of this is well-described by this Wikipedia article.

There are two main advantages to using PoE, so far as I can see:

  1. No need to get a separate power brick for each device
  2. PDs can be centrally powered from a UPS in case of mains failure

The main con is the added cost, since you now need to purchase a PoE-enabled switch (which will then draw quite a bit of power, as it needs to power the devices).

What kind of cost are we talking about here?

  1. HP Procurve 2650 48-port switch (non-powered): USD $812.99
  2. HP Procurve 2650-PWR 48-port switch (PoE): USD $3,312.99

This works out to about USD $50/port, which I still think is a bit high. But maybe once the cost drops to around USD $25/port, it will be worth it.

Originally I was going to mention that purchasing PoE power injectors is another solution. A power injector has two Ethernet ports and a power brick attached to it; one of the Ethernet ports is an input from the regular non-powered network, and the other is a PoE output port to your PD. But I did some digging and found that the cost of a power injector is greater than USD $50, so I suppose this would only be feasible for a small deployment.

Step back for a moment and you realize that the cost of implementing the logic for PoE is far, far less than USD $50/port. The manufacturers are clearly just capitalizing on the fact that this is “new” technology and making a huge profit on it. As such I predict that there will definitely be wiggle room on the price in the future which will make PoE deployments more cost-effective.

moving from 1&1 to Dreamhost

I decided to move my shared hosting from 1&1 to DreamHost. I had some poor experiences with 1&1:

  1. remapping domains to subdirectories of my $HOME didn’t work at first
  2. excessively stringent RLimitCPU meant that certain operations, like trying to migrate from Gallery 1.x to 2.x would fail and time out
  3. trying to use 1&1’s built-in photo gallery hosed my site for a day as it rewrote all of the virtual-host-to-subdirectory mappings

I hope hosting with Dreamhost will resolve these issues. I would really love to have my own server in a co-lo (i.e. eating my own dog food by having one in the TCCP co-lo, which I run) but I can’t justify the expense.

authenticating Apache against Windows 2003 Active Directory

Devlin’s rebuilding its intranet and moving away from the old Lotus Domino-based directory service. One of the developers on the intranet project asked me if he could authenticate employees against Active Directory instead. He’ll be using the MODx CMS, and would like to authenticate using mod_auth_ldap.

We’ve done this before to authenticate Subversion SCM users, but just as a test. This time I decided to try and create a user in Active Directory that would be used solely to bind to LDAP when doing lookups. I called this user “LDAP User”.

Making this work required a lot of trial and error, and I still haven’t managed to figure out a few things (see below). The first problem I had was that I was confused as to what the CN actually is for this particular user: it’s going to be cn=LDAP User, cn=Users, dc=devlin, dc=ca rather than cn=ldapuser, cn=Users, dc=devlin, dc=ca. ldapuser is just the login ID of the account rather than the actual CN.

The other thing I did wrong is that I put quotes around the Require statement, so rather than having

Require group “cn=Devlin Employees,cn=Users,dc=devlin,dc=ca”

the correct syntax is just

Require group cn=Devlin Employees,cn=Users,dc=devlin,dc=ca
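Putting the pieces together, here is the bind-user setup described above as a complete Apache 2.0 mod_auth_ldap configuration; this is an added example, not the post’s own config. The host name dc1.devlin.ca, the realm, the path and the password placeholder are assumptions, while the DNs are the ones given in the post.

```apache
# Added example (not the post's configuration) for Apache 2.0 mod_auth_ldap.
# Host name, realm, path and password are placeholders.
<Location /intranet>
    AuthType Basic
    AuthName "Devlin Intranet"

    # Look the login ID up by sAMAccountName under the Users container.
    # The ldaps:// scheme needs LDAPTrustedCA to point at the CA that issued
    # the domain controller's certificate (the post's certs/sf_issuing.crt).
    AuthLDAPURL ldaps://dc1.devlin.ca:636/cn=Users,dc=devlin,dc=ca?sAMAccountName?sub?(objectClass=user)

    # Bind with the dedicated lookup account. Its DN is built from the CN
    # "LDAP User", not from the login ID ldapuser.
    AuthLDAPBindDN "cn=LDAP User,cn=Users,dc=devlin,dc=ca"
    # Placeholder value. The password sits here in cleartext, so keep this
    # file readable by root only.
    AuthLDAPBindPassword CHANGEME-PLACEHOLDER

    # Active Directory groups list their members as full DNs in "member".
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # No quotes around the group DN, even though it contains a space.
    Require group cn=Devlin Employees,cn=Users,dc=devlin,dc=ca
</Location>
```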

A few things are still broken:

  1. I can’t figure out why LDAPS isn’t working. Doing searches from the command line using ldapsearch over SSL works fine, but the configuration of LDAP-SSL within Apache seems to be really tricky. I already have the directives
       LDAPTrustedCA certs/sf_issuing.crt
       LDAPTrustedCAType BASE64_FILE
     in the configuration file, and Apache does say [notice] LDAP: SSL support available, but any attempt to actually use it gives an
       [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
     error.

  2. I’m not particularly impressed that AuthLDAPBindPassword is stored in cleartext in the configuration file, but there doesn’t seem to be a way of hashing it or otherwise concealing it.
  3. I haven’t figured out how to enable LDAPS on Domain Controllers that aren’t already HTTPS-enabled, so for now I’m not authenticating against them.

I should just get my parents a Mac Mini

I’ve been preparing an old IBM PC 300PL for my parents to replace their generic clone that died (RIP the machine formerly known as exodus.dreaming.org). They’re familiar with Windows, so I installed Windows 2000 Professional, ran Windows Update to download all the latest patches, and installed ClamWin as a virus scanner, and ZoneAlarm as a firewall. Fortunately they don’t have Internet access yet, but I worry about them clicking on some malware link and having some nasty spyware/trojan/virus take over their machine.

Despite all this, somewhere along the line I picked up some nasty trojan. This particular strain, TROJ_CONHOOK.AE, attached itself to WINLOGON.EXE so even booting in Safe Mode wouldn’t get rid of it. It saved itself as a randomly-named DLL (in my case, C:\WINNT\SYSTEM32\pmnmlml.dll) and added itself as an AutoRun all over the place, a fact I was able to ascertain by using SysInternals’ excellent Autoruns utility. Using another SysInternals utility, Process Explorer, I was also able to see that it was causing WINLOGON.EXE to run some routine inside the DLL file every second!

Call me a skeptic but I was still not totally convinced that pmnmlml.dll was not some legitimate Windows DLL. After all, just open your C:\WINNT\SYSTEM32 and half the stuff in there looks like a virus. (Quick: is dcomcnfg.exe a virus? How about dcomcfg.exe?) So I decided to copy the DLL to my Linux workstation and run strings(1) on it. Sure enough, the following text string was enough confirmation for me to see that it was a trojan:

http://82.98.235.63/cgi-bin/check/autoaff3

So I followed the procedure on Trend Micro’s site for getting rid of it — namely, booting off the Windows 2000 Professional CD and running the recovery console, then deleting the DLL.

Let’s step back for a second here. I am a professional system administrator, and my parents are not. How can I expect them to surf the Internet safely and not suck down one or more of these nasty trojans? Next thing I know, I’ll be getting a call from their ISP telling me that their little IBM is sending out 10,000 spams a minute, or is the control point for some DoS botnet.

I’m leaning more and more towards just getting them a Macintosh. I just have to convince them to part with their beloved Windows.

(By the way, dcomcnfg.exe is legitimate, while dcomcfg.exe is not. But how would one ever tell?)
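As an added example that is not from the post, the strings(1) triage described above extended in two ways a practitioner would want: it also catches UTF-16LE text, which Windows binaries use heavily and which plain strings(1) misses, and it hashes the file so the sample can be looked up by its digest rather than trusted on the strength of a plausible file name. It assumes POSIX sh with tr, grep and openssl; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the post's own commands: pull URLs and IP addresses out
# of a suspect binary and hash it for a lookup. Assumes POSIX sh plus tr,
# grep and openssl; function names are hypothetical.
set -eu

# iocs_in FILE: print every http(s) URL and dotted-quad IP embedded in FILE,
# one per line, de-duplicated. Deleting NUL bytes first turns UTF-16LE text
# (h\0t\0t\0p\0...) back into plain ASCII, so one grep pass sees both
# encodings; plain strings(1) would skip the UTF-16 strings entirely.
iocs_in() {
    tr -d '\000' < "$1" \
      | LC_ALL=C grep -aoE 'https?://[A-Za-z0-9./_:?=&%-]+|([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | sort -u
}

# file_hash FILE: SHA-256 of the file, the thing to look up with a vendor
# instead of guessing from a name like dcomcfg.exe.
file_hash() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}
```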