Hackviking
He killed Chuck Norris, he ruled dancing so he took up a new hobby…

12 Mar 2016

SSL Error: Cannot verify server identity

Phone browsers ship with fewer trusted root and intermediate certificates than many desktop browsers. This can make your https site look fine on a desktop but fail on mobile devices, with errors like "unable to verify the identity of the server" or others along those lines. The cause is that the certificate chain cannot be verified. Whichever SSL certificate supplier you use, every chain ends in one of a few root certificates that are shipped with browsers and operating systems as trusted certificates.

Many certificate resellers issue from certificates further down that chain than others. If the chain can't be traced back to a trusted certificate, the warnings show up. That does not affect the actual encryption of your website; self-signed certificates, for example, still encrypt the traffic. But it looks bad: people can read it as a security risk, like a man-in-the-middle attack, or simply as low quality.

In this example I have set up a website on an Apache server with a certificate bought from GoDaddy, without installing the intermediate certificate. Any desktop browser can follow the chain, since it has a different set of trusted certificates, but iPhone or Android devices cannot, since they don't have this intermediate. There is a hole in the chain between our website certificate and the trusted certificate that the device has. By plugging that hole with the intermediate certificate that our certificate references, and which in turn references the trusted certificate on the device, we complete the chain and get rid of the problem.

As mentioned above, this example uses an Apache web server running on Linux and a GoDaddy certificate. The procedure differs with other web servers and certificate suppliers, but the principle is the same: when your certificate is delivered, always check whether intermediate certificates are included.

In the zip file that your GoDaddy certificate comes in there is a file named gd_bundle-g2-g1.crt. This is the intermediate certificate that your web site certificate was issued from; it sits between your certificate and the trusted certificate higher up in the chain.

On my Apache server I open the file /etc/httpd/conf.d/vhost.conf:

<VirtualHost 172.30.31.95:80>
    ServerAdmin webmaster@somesite.com
    DocumentRoot /var/www/html/somesite.com
    ServerName www.somesite.com
    ServerAlias somesite.com
    ErrorLog logs/somesite.com-error_log
    CustomLog logs/somesite.com-access_log common
</VirtualHost>
<VirtualHost 172.30.31.95:443>
    ServerAdmin webmaster@somesite.com
    DocumentRoot /var/www/html/somesite.com
    ServerName www.somesite.com
    ServerAlias somesite.com
    ErrorLog logs/somesite.com_ssl-error_log
    CustomLog logs/somesite.com_ssl-access_log common
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/somesite.com.pem
    SSLCertificateKeyFile /etc/pki/tls/certs/somesite.com.key
</VirtualHost>

As you can see we have two ports open: the standard port 80 for http and port 443 for https. The 443 virtual host has the certificate configured along with its private key. Upload the intermediate certificate to the server and copy it into the same folder (/etc/pki/tls/certs) as the other certificate files. Make sure that the Apache server has access to it.

sudo chown -R root:www /var/www

Then add the bundle file to the SSL config in vhost.conf by adding this line just below the SSLCertificateKeyFile line:

SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2-g1.crt

Restart Apache:

sudo service httpd restart

Now the certificate chain can be completed on the mobile devices as well, and the error/warning will be gone!
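As an added example (my code, not part of the original post), the script below reproduces the hole in the chain with a throwaway CA hierarchy built locally with the openssl command line tool: a root that stands in for the certificate the device trusts, an intermediate in the role of the GoDaddy bundle, and a leaf issued from it. The subject names, file names and the www.somesite.com SAN are constructed for the demo. With only the root in its store, openssl verify fails on the leaf until the intermediate is supplied, which is the mobile-device symptom; the last function is the check worth running on a real bundle before deploying it, namely that the bundle certificate's subject equals your certificate's issuer.

```shell
#!/bin/sh
# Added example: build root -> intermediate -> leaf and show that the leaf
# only verifies when the intermediate is available. Demo material only.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal req config so the demo does not depend on the system openssl.cnf;
# the CN below is a placeholder, -subj overrides it.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf
# CA certificates need basicConstraints CA:TRUE or verify rejects them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.somesite.com\n' > leaf.ext

# One key and CSR per tier (unencrypted 2048-bit RSA keys, demo only).
for name in root inter leaf; do
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -keyout "$name.key" -out "$name.csr" -subj "/CN=Demo $name" 2>/dev/null
done
# Self-signed root, root-signed intermediate, intermediate-signed leaf.
openssl x509 -req -in root.csr  -signkey root.key -set_serial 1 -days 2 -extfile ca.ext   -out root.pem  2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem  -CAkey root.key  -set_serial 2 -days 2 -extfile ca.ext   -out inter.pem 2>/dev/null
openssl x509 -req -in leaf.csr  -CA inter.pem -CAkey inter.key -set_serial 3 -days 2 -extfile leaf.ext -out leaf.pem  2>/dev/null

# leaf_verifies [extra verify args]: succeeds only if openssl reports "leaf.pem: OK".
# The device trusts just the root (-CAfile); pass "-untrusted inter.pem" to
# model a server that sends the bundle (SSLCertificateChainFile).
leaf_verifies() {
  openssl verify -CAfile root.pem "$@" leaf.pem 2>/dev/null | grep -q ': OK$'
}

# bundle_matches_leaf: the pre-deployment sanity check. The intermediate you
# install must be the one that issued your certificate, so the leaf's issuer
# DN has to equal the bundle certificate's subject DN.
bundle_matches_leaf() {
  issuer=$(openssl x509 -noout -issuer  -in leaf.pem  | sed 's/^issuer=//')
  subject=$(openssl x509 -noout -subject -in inter.pem | sed 's/^subject=//')
  [ "$issuer" = "$subject" ]
}

if leaf_verifies; then
  echo "unexpected: leaf verified with the root alone"
else
  echo "root only: verify fails (the hole in the chain the phone sees)"
fi
if leaf_verifies -untrusted inter.pem; then echo "root + intermediate: verify OK"; fi
if bundle_matches_leaf; then echo "bundle subject matches leaf issuer"; fi
```

Against a live server the equivalent check is openssl s_client -connect www.somesite.com:443 -servername www.somesite.com -showcerts: if only one certificate is printed and the verify result reads "unable to verify the first certificate", the SSLCertificateChainFile line is missing or points at the wrong bundle. Note that Apache 2.4.8 and later deprecate SSLCertificateChainFile; there you append the bundle after your own certificate in the SSLCertificateFile instead.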

9 Feb 2016

Use UNC path in Filezilla server

FileZilla Server is widely used for FTP servers; it's open source and easy to set up. It also supports SSL-encrypted FTP connections, which is good for data security. In one of my setups the need to share UNC paths came up. FileZilla actually supports it even though the UI doesn't, so in a few easy steps we can set it up. Remember that the service account running the FileZilla service needs access to the share.

  1. Set up the account in the UI. Point the directory to "c:\temp" or similar.
  2. Open "FileZilla Server.xml", located in the FileZilla install directory.
  3. Find the corresponding user node "<User Name="{username}">".
  4. Under "<Permissions>" you will have an entry for each folder set up. Change <Permission Dir="C:\temp"> to <Permission Dir="\\server\share">.
  5. Recycle the FileZilla service and you are good to go!


You can then change permissions from the UI if you like; this workaround is only needed to create the link to the share. Once again, the FileZilla service account needs access to the share. Running it under "System" or "Network Service" will not work in most cases!

4 Feb 2015

Move MySQL database storage location

It's always a good idea to keep storage away from the boot device: if you run out of space on the boot device the system will halt. On a new install it's easy enough to move your storage, and you can do it from a cloud-init script like this:

- mkdir /var/db
- chown -R mysql:mysql /var/db
- sed -i 's:datadir=/var/lib/mysql:datadir=/var/db:g' /etc/my.cnf
- service mysqld start

If the installation is already up and running you have to add steps to stop the MySQL server and move the database files:

mkdir /var/db
service mysqld stop
mv /var/lib/mysql/* /var/db
chown -R mysql:mysql /var/db
sed -i 's:datadir=/var/lib/mysql:datadir=/var/db:g' /etc/my.cnf
service mysqld start

In these examples I have used /var/db, where I mounted the second storage device. You can however use any location you see fit. Points of interest in the command sequence:

chown -R mysql:mysql /var/db

Makes sure that the mysql daemon has access to the storage location.

sed -i 's:datadir=/var/lib/mysql:datadir=/var/db:g' /etc/my.cnf

sed is a simple tool for search and replace inside text/config files directly from the command line. Here it searches for the line specifying the MySQL datadir location and replaces it with the new value; the colon is used as the pattern delimiter because the paths themselves contain slashes.
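As an added example (my code, not the post's), here is a version of that sed step that also copes with the "datadir = /var/lib/mysql" spacing many distribution my.cnf files use, which the exact pattern above silently misses, and that leaves commented-out lines alone. It runs against two constructed my.cnf samples rather than a real server, and shows the exact-match pattern hitting one sample and missing the other.

```shell
#!/bin/sh
# Added example: rewrite the datadir option in a my.cnf regardless of
# spacing around "=", without touching commented-out lines.
set -eu

# set_datadir FILE NEWDIR: replace the value of every active datadir line.
# "|" is the sed delimiter here, so paths containing it (or "&", which sed
# treats specially in the replacement) are refused rather than mangled.
set_datadir() {
  file=$1 newdir=$2
  case "$newdir" in *'|'*|*'&'*) echo "unsupported character in $newdir" >&2; return 1;; esac
  # Write to a temp file and move it into place: portable where "sed -i" is not.
  tmp=$(mktemp)
  sed "s|^[[:space:]]*datadir[[:space:]]*=.*|datadir=$newdir|" "$file" > "$tmp" && mv "$tmp" "$file"
}

# current_datadir FILE: print the value of the last active datadir line.
current_datadir() {
  sed -n 's|^[[:space:]]*datadir[[:space:]]*=[[:space:]]*||p' "$1" | tail -n 1
}

# page_pattern_hits FILE: how many lines the post's exact pattern would match.
page_pattern_hits() { grep -c 'datadir=/var/lib/mysql' "$1" || true; }

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
# Constructed sample configs, not copied from a real server.
printf '[mysqld]\ndatadir=/var/lib/mysql\nsocket=/var/lib/mysql/mysql.sock\n' > "$demo/compact.cnf"
printf '[mysqld]\n# datadir = /var/lib/mysql.old\ndatadir = /var/lib/mysql\nsocket = /var/lib/mysql/mysql.sock\n' > "$demo/spaced.cnf"

for f in compact.cnf spaced.cnf; do
  echo "$f: exact pattern from the post matches $(page_pattern_hits "$demo/$f") line(s)"
  cp "$demo/$f" "$demo/$f.work"
  set_datadir "$demo/$f.work" /var/db
  echo "$f: datadir is now $(current_datadir "$demo/$f.work")"
done
```

Ownership is not the only access control in play: on a CentOS/RHEL host with SELinux enforcing, the new directory also needs the mysqld_db_t file context (semanage fcontext -a -t mysqld_db_t '/var/db(/.*)?' followed by restorecon -R /var/db), and on Ubuntu the AppArmor profile for mysqld has to allow the new path; otherwise mysqld fails to start with a permission error even though the chown succeeded.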

3 Feb 2015

Unattended use of mysql_secure_installation

After installing MySQL on any Linux distribution you run the mysql_secure_installation script, or at least you should! It prompts you to set a new root password, remove anonymous access and a few other things. But what if you want this configuration done from a deployment or cloud-init script? The mysql_secure_installation script doesn't accept any parameters, so it can't be used for an unattended install. However, you can execute the same statements via the mysql command line tool as long as the service is started:

mysql -e "UPDATE mysql.user SET Password=PASSWORD('{input_password_here}') WHERE User='root';"
mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
mysql -e "DELETE FROM mysql.user WHERE User='';"
mysql -e "DROP DATABASE test;"
mysql -e "FLUSH PRIVILEGES;"

I use this to provision new MySQL servers in the Amazon EC2 environment and it works like a charm. If this is used in a cloud-init script, make sure to run sudo service mysqld start first!
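As an added example (my code, not the post's), the same statement batch can be fed to the mysql client on standard input instead of through -e. The difference matters in a provisioning script: with -e the root password is part of the command line, where it shows up in the process list and in cloud-init or shell logs; on stdin it does not. The function also doubles any single quote in the password so an arbitrary value cannot break out of the SQL literal. MYSQL_ROOT_PW is an assumed environment variable set by the provisioning system; the statements are the post's, with IF EXISTS added so the batch can be re-run.

```shell
#!/bin/sh
# Added example: mysql_secure_installation equivalent for unattended use,
# password delivered on stdin rather than on the command line.
set -eu

# sql_escape STRING: double single quotes so the value is safe inside a
# MySQL single-quoted string literal.
sql_escape() { printf '%s' "$1" | sed "s/'/''/g"; }

# secure_sql PASSWORD: print the statement batch on stdout.
secure_sql() {
  pw=$(sql_escape "$1")
  cat <<EOF
UPDATE mysql.user SET Password=PASSWORD('$pw') WHERE User='root';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DELETE FROM mysql.user WHERE User='';
DROP DATABASE IF EXISTS test;
FLUSH PRIVILEGES;
EOF
}

# run_secure_install: take the password from MYSQL_ROOT_PW (assumed to be set
# by the provisioning system) and pipe the batch into the local mysql client.
# Nothing secret appears in argv, so ps and command logging only see "mysql".
run_secure_install() {
  : "${MYSQL_ROOT_PW:?set MYSQL_ROOT_PW in the environment first}"
  secure_sql "$MYSQL_ROOT_PW" | mysql
}

# Stand-alone: show the batch for a constructed password with a quote in it,
# so the escaping can be inspected without a database present.
secure_sql "demo'only"
```

The UPDATE mysql.user ... PASSWORD() form is what the post uses and is correct for the MySQL 5.5/5.6 generation it was written against; MySQL 5.7 renamed the Password column to authentication_string and 8.0 removed PASSWORD(), so on those versions the first statement becomes ALTER USER 'root'@'localhost' IDENTIFIED BY '...' and the rest of the batch stays the same.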

22 Oct 2014

Free Team Foundation Server in the cloud

During my professional career as a developer I have mostly used Team Foundation Server (TFS) for source control. Back in the day I even used SourceSafe, stone-age history for most people. For my private projects or small startup projects the "files on disk with occasional zip backups" approach has been way too common. I have also used different Git solutions as well as Google Code. They work fine, but when you are used to TFS they are not as easy as what you are used to. All the major cloud suppliers want to flirt with the startup community by offering free services that will keep the startups close when they grow bigger. We have seen several examples of this from Microsoft in the past, like BizSpark. Now they offer free Team Foundation Server in the cloud, called Team Foundation Service or Visual Studio Online. The basic account is free for up to five users with unlimited repositories, and supports both TFS and Git repositories!

So far I have added two of my current projects and the performance is really good! There are also many ways to extend the service with your own code and REST APIs. You can also use free resources for builds, load testing and more. If you require more resources they can be purchased on a pay-for-what-you-use basis. If your project grows you can add additional team members for $20/month.

20 Oct 2014

How to change from IDE, ATA or RAID to AHCI

I decided to break the RAID1 on my Dell M6500 so I could run Microsoft Server 2012 R2 alongside my Windows 7 installation. When the RAID was deleted I thought it best to switch my SATA controller over to AHCI, since I'm running two Corsair Force GT SSD drives. After changing to AHCI the computer blue-screens during boot. I have done this several times before, but not often enough to remember what needs to be enabled. The behavior is documented in Microsoft KB922976 (Error message occurs after you change the SATA mode of the boot drive), with an automatic registry fix and all. However, this is not the complete solution for all situations.

According to the KB you need to enable loading of the AHCI driver, a no-brainer, and also enable the Intel AHCI controller driver. What the KB article leaves out is that the ATAPI driver also needs to be enabled for it to work. If you change from ATA to AHCI it is already enabled, since your computer booted with the ATA setting.

So according to the KB you should set these two registry keys to "0":

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msahci\Start
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IastorV\Start

But you should also check that this one is set to "0":

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\atapi\Start

You can also run these commands instead:

REG ADD HKLM\System\CurrentControlSet\Services\msahci /v Start /d 0 /f /t REG_DWORD
REG ADD HKLM\System\CurrentControlSet\Services\IastorV /v Start /d 0 /f /t REG_DWORD
REG ADD HKLM\System\CurrentControlSet\Services\atapi /v Start /d 0 /f /t REG_DWORD

Now your computer will start without the blue screen!

7 Jul 2014

Microsoft SQL Server Performance Basics (I/O Performance)

There are a lot of settings you can tweak to get higher performance out of Microsoft SQL Server. The most basic one is I/O performance, i.e. disk performance. Usually when I talk to people about this I get the response that it is an art form, something most techs don't know about or feel they don't understand. Most people rely on the SAN team to take care of it, but if you don't understand it and can't tell the SAN team what you need, you will get the standard configuration. Most SAN systems are optimized for … There are always more tweaks that can be applied, but in most cases the further along this line you go, the smaller the impact of each change. In this article I would like to point out the most basic, and important, performance issues with Microsoft SQL Server that are easy to address. These are independent of the size of the solution or the underlying hardware, e.g. locally attached disks or SAN.

Background

To understand why this is so important you need to know a little about how Microsoft SQL Server reads from disk. Simplified, Microsoft SQL Server reads pages; a page contains a number of rows with your data. Pages are grouped into extents, which are 64KB in size. So the goal is to read (or write) the page with as few disk I/Os as possible.

Stripe Unit Size

The stripe size is the smallest chunk of data that can be addressed within the RAID. So make sure you are using at least a 64KB stripe size. If it's a larger number like 128KB or 256KB, that only means you can write several more pages into the same stripe, which can actually benefit the read-ahead function in Microsoft SQL Server.

File allocation unit size / Disc cluster size

This setting is on the file system level. Microsoft SQL Server is designed for the NTFS file system, and the default NTFS cluster size is 4KB. Again, this should be 64KB for best performance; it lets SQL Server do less I/O than a smaller cluster size does. There is a relationship between cluster size and stripe unit size that needs to be met for optimal performance:

Stripe Unit Size ÷ File Allocation Unit Size = an integer

If possible you should try to meet this formula. However, that isn't always possible with different storage systems. The most important thing for performance in that case is to use the 64KB cluster size! The partition alignment formula below is, however, not optional for performance!

Partition alignment (partition offset)

When I talk to people about this, most of them look at me like I'm crazy. A system set up from a clean install of Microsoft Windows Server 2008 or later doesn't suffer from this; these versions align the partition automatically. If the partition isn't aligned, your server ends up splitting each read and write I/O into two or more I/Os. This is very bad for performance.

Rule of thumb here is:

Partition Offset ÷ Stripe Unit Size = an integer

Old systems prior to Microsoft Windows Server 2008 could end up with a 31.5KB offset (63 hidden sectors * 512-byte sectors). It doesn't matter which stripe unit size you have, 4, 8, 16, 32, 64, 128… KB, it will never make the equation come out to an integer. Therefore bad for performance!

So if your system predates Microsoft Windows Server 2008, or has disk partitions created by an earlier version, check the partition offset! It's easily done by running this command:

wmic partition get BlockSize, StartingOffset, Name, Index

To check the stripe size you have to refer to your storage controller. The standard offset in Microsoft Windows Server 2008 and later is 1024KB, and then it doesn't really matter what stripe unit size you have, you will still end up with an integer.

Log files

For SQL Server log files you should use RAID 1, both for best read/write performance and for the extra data security. In RAID 1 you can lose 50% of your disks without losing data; neither RAID 5 nor RAID 10 can guarantee this data safety. It will however cost you half of the storage space.

Do you want to read more?
http://technet.microsoft.com/en-us/library/dd758814(v=sql.100).aspx
Written by Jimmy May and Denny Lee; it goes deeper into the techniques.

18 Jun 2014

Exchange – List all e-mail addresses on domain

Listing all e-mail addresses for a domain on an Exchange server is pretty easy from PowerShell, but it took me a while to figure out, so I thought I would share it.

get-recipient | where {$_.emailaddresses -match "<domain>"} | fl name,emailaddresses >> c:\addresses.txt

18 Jun 2014

Hyper-V – accessing info about physical machine from guest VM

More than once I have run into the problem of not knowing which physical server a Hyper-V hosted server is running on. You get RDP access to a client's system and then need help from the SAN or network teams, and their first question is: "What physical machine is the host running on?". Without access to the physical servers or System Manager it's hard to know. You could probably figure it out from the assigned IP addresses, but there is a quicker way if the Hyper-V Integration Services are installed.

Look at this registry key: HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters

It contains the following information:

  • HostName
  • PhysicalHostName
  • PhysicalHostNameFullyQualified
  • VirtualMachineName
  • Additional info about the server version, etc.

You can also run this from the CMD:
reg query "HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters" /v PhysicalHostName

If you have remote access:
reg query "\\<machine>\HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters" /v PhysicalHostName

Of course you can replace "PhysicalHostName" with any of the values above!

5 Mar 2013

RoundCube Webmail login case sensitive

I got an issue reported to me that a user of a RoundCube Webmail setup we have had lost all his contacts. I logged in to his account and all the contacts were gone. I checked the database and found that all the contacts were still there. After some digging I found that there were two accounts in the RoundCube database: one said User@ourdomain.com, the other said user@ourdomain.com. When I logged on to the User account all the contacts were there! So I realized that RoundCube logons are case sensitive. He will still see his e-mail because RoundCube doesn't keep track of his password; it only tries to log on to the IMAP server and, if the logon succeeds, creates its own DB entries to keep track of contacts and other information. The IMAP server however isn't case sensitive, and User or user is the same thing to it. But there is an easy way to fix it!

RoundCube Settings

I'm running RoundCube on an IIS server, so I go into the wwwroot and on to the config folder. In the file main.inc.php I look for the line $rcmail_config['login_lc'] = false; and change it as below:

// If users authentication is not case sensitive this must be enabled.
// You can also use it to force conversion of logins to lower case.
// After enabling it all user records need to be updated, e.g. with query:
// UPDATE users SET username = LOWER(username);
$rcmail_config['login_lc'] = true;

Then I do an IIS reset.

Database changes

If the user has all the contacts on the lowercase account you're all good: just delete the User account and everything will work. But if the contacts were created on the User account, like in my case, you have to do this. Delete the lowercase account and then run:

UPDATE users SET username = LOWER(username) WHERE user_id = {id of uppercase account};

If you don't delete the lowercase account first you will get an error like this:

Error Code: 1062. Duplicate entry '{username}' for key 'username'

If the user has spread his contacts over both accounts, just change the contacts table like this:

UPDATE contacts SET user_id = {id of lowercase account} WHERE user_id = {id of uppercase account};

Then delete the uppercase account and you're all good!