« July 2009 | Main | September 2009 »

15 posts from August 2009

08/30/2009

Site News: New HOWTO Section Started

I've started a new HOWTO section on this site, available at www.techstacks.com/howto/home.html.  The articles on this site are meant to be concise, single-topic items with instruction on how to set specific things up or to perform certain tasks.  For example, if you want to find out how to disable the trace method in Apache, there is a HOWTO on it that not only provides you with the modifications tat are necessary to be made to apache but also provides a way for you to test and verify that it worked.  

Currently there are only a handful of HOWTOs available but I'm constantly working on expanding the number.  The downside sometimes to running a technology blog that shares lessons learned, best practices, code examples, or other kinds of tips and techniques is that one winds up with numerous articles on items like disabling TRACE or different ways to verify it exists (or no longer exists after remediation), which makes it difficult to find the kind of thing you are looking for.  Now, there are pages specializing in particular topics.  

The following HOWTOs are now available:

    HOWTO: Set Up IIS and the Jakarta isapi_redirect Connector

    HOWTO: Disable Trace/Track in IIS

    HOWTO: Disable Trace/Track in Apache HTTPD

    HOWTO: Distinguish the Good SSL Ciphers from the Bad in J2SE5  

All these pages do allow comments and trackbacks but they are hidden and really meant more for feedback on items that I can then incorporate into the main page as corrections or updates.  Thanks for visiting my site today!

08/28/2009

Groovy Script: Get All SSL Ciphers Supported by a Site

Initially, I was going to put out this big announcement about how I had successfully ported my cryptonark script from Perl to Groovy.  Due to the Sun JDK not supporting SSLv2, the final product did not wind up being as feature complete as the Perl version, so as a PCI compliance tool, the groovy version won't cut it.  However, I did learn some interesting things about java and groovy along the way and the script itself is still pretty useful for someone who wants to know which ssl ciphers are supported on a particular host. 

Below are some of the things I've learned about ssl, groovy, and java while writing this script.

  • As previously mentioned, the sun jdk does not support SSLv2—it was disabled intentionally some time ago. It does support SSLv2 Hello's but this is not the same thing as an SSLv2 connection. Apparently IBM's JDK does support SSLv2 but I have not tested this script on anything other than Apple's Java 1.5.0_19 implementation under OS X 10.5.

  • Finding Groovy example code illustrating ssl connectivity is extremely hard to do.  Finding Java examples is a lot easier but most of the Java examples utilize inner classes, which groovy hates.

  • I still need to figure out a way to format output better for console applications with groovy. The spacing that I put in front of the values was my low-tech way of lining everything up nicely. Does anyone have any pointers here?

  • Anonymous Ciphers come in all encryption strengths, so there apparently really is no good reason to buy a 128bit-only (or stronger) ssl certificate from the CAs.

  • Groovy's CliBuilder rocks. If you want to create useful command line application interfaces, use CliBuilder

  • Colorization of groovy or java code within an xterm seems to be impossible, which is too bad because Perl and Ruby make it so easy.

The script will be available in binary form for download soon on the Downloads page. To reiterate, do not use it as a PCI Compliance auditing tool but consider it as one of those useful tools that may make your day go a little easier. Running it with no arguments will allow you to see the usage info. The host argument is required. Port number is set to 443 unless overridden with the port argument. In the source code below, both the SSLv2Hello test and the TLS test are commented out because the results are redundant. Uncomment them if you wish to test with SSLv2Hello packets and TLS Hello packets as well.

#!/usr/bin/env groovy
// Usage: ./whichCiphers.groovy --host $host --port $port

import javax.net.ssl.*

/* This section below sets up the cipher map.
   Yes...the spacing is intentional.  It's the
   only way I currently know to format the output
   nicely */

def ciphers = [
  'TLS_RSA_WITH_AES_128_CBC_SHA': '        High-Grade, 128-bit',
  'TLS_RSA_WITH_AES_256_CBC_SHA': '        High-Grade, 256-bit',
  'TLS_DHE_RSA_WITH_AES_128_CBC_SHA': 'High-Grade, 128-bit',
  'TLS_DHE_RSA_WITH_AES_256_CBC_SHA': 'High-Grade, 256-bit',
  'TLS_DHE_DSS_WITH_AES_128_CBC_SHA': 'High-Grade, 128-bit',
  'TLS_DHE_DSS_WITH_AES_256_CBC_SHA': 'High Grade, 256-bit',
  'TLS_DH_anon_WITH_AES_128_CBC_SHA': 'Anonymous Cipher, 128-bit',
  'TLS_DH_anon_WITH_AES_256_CBC_SHA': 'Anonymous Cipher, 256-bit',
  'SSL_RSA_WITH_3DES_EDE_CBC_SHA': '        High-Grade, 168-bit',
  'SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA': 'High-Grade, 168-bit',
  'SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA': 'High-Grade, 168-bit',
  'SSL_RSA_WITH_RC4_128_MD5': '        Medium-Grade, 128-bit',
  'SSL_RSA_WITH_RC4_128_SHA': '        Medium-Grade, 128-bit',
  'SSL_RSA_WITH_DES_CBC_SHA': '        Low-Grade, 56-bit',
  'SSL_DHE_RSA_WITH_DES_CBC_SHA': '        Low-Grade, 56-bit',
  'SSL_DHE_DSS_WITH_DES_CBC_SHA': '        Low-Grade, 56-bit',
  'SSL_RSA_EXPORT_WITH_RC4_40_MD5': 'Export-Grade, 40-bit',
  'SSL_RSA_EXPORT_WITH_DES40_CBC_SHA': 'Export-Grade, 40-bit',
  'SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA': 'Export-Grade, 40-bit',
  'SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA': 'Export-Grade, 40-bit',
  'SSL_RSA_WITH_NULL_MD5': '          Null Cipher, 0-bit',
  'SSL_RSA_WITH_NULL_SHA': '          Null Cipher, 0-bit',
  'SSL_DH_anon_WITH_RC4_128_MD5': '        Anonymous Cipher, 128-bit',
  'SSL_DH_anon_WITH_3DES_EDE_CBC_SHA': 'Anonymous Cipher, 168-bit',
  'SSL_DH_anon_WITH_DES_CBC_SHA': '        Anonymous Cipher, 56-bit',
  'SSL_DH_anon_EXPORT_WITH_RC4_40_MD5': 'Anonymous Cipher, 40-bit',
  'SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA': 'Anonymous Cipher, 40-bit'
  ]


  def cli = new CliBuilder( usage: 'whichCiphers.groovy [-h "hostname"] [-p "port"] ' )
    cli.h( longOpt:'host', args:1, required:true , type:GString, 'The hostname or site you want to test - REQUIRED' )
    cli.p( longOpt:'port', args:1, required:false, type:GString, 'The ssl port--usually 443' )

  def opt = cli.parse(args)
    if (!opt) return
    if (!opt.h) return
    if (opt.h) host = opt.h

  def port = 443
    if (opt.p) port = Integer.parseInt(opt.p)


  class listener implements HandshakeCompletedListener {
    void handshakeCompleted(HandshakeCompletedEvent e ) {
    }
  }

/* Right now I'm just running through each one of these but
   it should probably become a command line option instead
   because the SSLv2Hello, SSLv3, and TLSv1 tests report back
   the same results 

   SSLv2Hello test commented out as results are redundant.
   Uncomment if you want to test with an SSLv2 Hello  */

/*
  println "Testing with an SSLv2Hello...."
  ciphers.each{
  try{
    def factory = SSLSocketFactory.getDefault()
    def socket = factory.createSocket("$host", port)
      socket.setEnabledCipherSuites(it.key)
      socket.setEnabledProtocols( "SSLv2Hello", "SSLv3" )
      
      socket.addHandshakeCompletedListener( new listener( ))
      socket.startHandshake()
        println "  ${it.key}\t${it.value} works!"
      socket.close()
      }catch(SSLHandshakeException ex) {
  }
      
}

*/

  println "Testing with SSLv3...."
  ciphers.each{
  try{
    def factory = SSLSocketFactory.getDefault()
    def socket = factory.createSocket("$host", port)
      socket.setEnabledCipherSuites(it.key)
      socket.setEnabledProtocols( "SSLv3" )
      
      socket.addHandshakeCompletedListener( new listener( ))
      socket.startHandshake()
        println "  ${it.key}\t${it.value} works!"
      socket.close()
      }catch(SSLHandshakeException ex) {
  }
      
}

/* TLSv1 test commented out as results are redundant.  
   Uncomment to test using TLS Hello's */

/*
  println "Testing with TLSv1..."
  ciphers.each{
  try{
    def factory = SSLSocketFactory.getDefault()
    def socket = factory.createSocket("$host", port)
      socket.setEnabledCipherSuites(it.key)
      socket.setEnabledProtocols( "TLSv1" )
      
      socket.addHandshakeCompletedListener( new listener( ))
      socket.startHandshake()
        println "  ${it.key}\t${it.value} works!"
      }catch(SSLHandshakeException ex) {
  }
      
}
*/

08/21/2009

Bling v0.2 Released - Groovy-Based Blog Ping Tool

Bling v0.4 is out. Check out the main bling page for more information.

Version 2.0 has been released.  It adds some exception handling, nicer formatting of responses, and removes one service to lower the number of XMLRPC-based blog ping services to 17. (TopicExchange didn't ever provide a response so it's been dropped for now). I am semi-continually experimenting with a larger list of services and more will be added over time if warranted.

Head on over to the downloads page if you are interested in downloading a binary version. In addition, the main Bling page has been updated.

Source for this release is below. This is my first post using Alex Gorbatchev's SyntaxHighlighter, so hopefully posts like these will look even prettier!

#!/usr/bin/env groovy
/* bling.groovy - Written by Chris Mahns. 
 http://blog.techstacks.com/

You will need to modify the values for blogTitle and blogURL so that they match your own blog info.

This script pings 17 different blog directories. Run it when you update your blog.

v0.1 Initial release targeting 18 services.
v0.2 Reworked the output so that everything is nice and lined up.  Added basic exception handling when service responds with a connection refused. Also added logic branch so that if the service responds with an error, I now just display a generic 'ping failed' error. Removed TopicExchange as a service so now there are only 17 services getting pinged (but one of them is ping-o-matic).

To-Do: Add some kind of debug option. Add additional exception catches.
*/

import groovy.net.xmlrpc.*
import groovy.util.slurpersupport.GPathResult

// You'll want to make this next section your own
def blogTitle = "YOUR_BLOG_TITLE_HERE"
def blogURL = "YOUR_BLOG_URL_HERE"

// Set up a map (hash) of popular rpc endpoints
// It is too bad for my syntax highlighter, but some of 
// the blogs containing periods in their names necessitated
// placing them in quotes. 

def trackbacks = [
 'Google':  'http://blogsearch.google.com/ping/RPC2',
 'Weblogs':   'http://rpc.weblogs.com/RPC2',
 FeedBurner:  'http://ping.feedburner.com/',
 Moreover:   'http://api.moreover.com/RPC2',
 'Syndic8':   'http://ping.syndic8.com/xmlrpc.php' ,
 BlogRolling:  'http://rpc.blogrolling.com/pinger/',
 Technorati:  'http://rpc.technorati.com/rpc/ping' ,
 PingoMatic:  'http://rpc.pingomatic.com/',
 NewsGator:  'http://services.newsgator.com/ngws/xmlrpcping.aspx',
 Bloglines:  'http://www.bloglines.com/ping',
 'Blo.gs':  'http://ping.blo.gs/',
 BlogCatalog:  'http://rpc.blogcatalog.com/',
 'PubSub':  'http://xping.pubsub.com/ping/',
 'MyBlog.jp':  'http://ping.myblog.jp/',
 'Goo\t':   'http://blog.goo.ne.jp/XMLRPC',
 BlogPeople:  'http://www.blogpeople.net/servlet/weblogUpdates',
 ]

// Set up canned responses to make the outputted responses nicer.
// Previously, the output used the literal response from the endpoint
// which did not look all that nice in a terminal window.
def weal = "Thanks for the ping!"
def woe = "PING ATTEMPT FAILED."

// IceRocket is separate because their ping method call
// is different from everyone else's--go figure...


// Here is the section responsible for iterating through each ping
// url in the trackbacks map.

println "====PING RESULTS===="

try{
 def icerocketURL = 'http://rpc.icerocket.com:10080/'
 def icerocketServer = new XMLRPCServerProxy(icerocketURL)
 resp = icerocketServer.ping(blogTitle, blogURL)
 resp.data instanceof GPathResult

 if (!resp.flerror) 
 println " Icerocket\t${weal}"
 else
 println " IceRocket\t${woe}"

}catch(ConnectException ex){
 println " IceRocket\t${woe}" 
 
}

trackbacks.each {
 try{
 def url = it.value
 def proxy = new XMLRPCServerProxy(url)
 response = proxy.weblogUpdates.ping(blogTitle, blogURL)
  response.data instanceof GPathResult

 if (!resp.flerror)
  println " ${it.key}\t${weal}"
  else
  println " ${it.key}\t${woe}"

 }catch(ConnectException ex) {
  println " ${it.key}\t${woe}"
  
 } 
}