Renewing Root CA for Novell NetWare 6.5 SP8

I have a couple of Novell NetWare 6.5 SP8 servers that simply refuse to die. One of them can be quantum dated back to 2004, the other one dates back to 2008. Last night the Root CA expired, rendering LDAP services unavailable. Luckily, I had prepared for this event.

SSL Certificates issued by royalvulkan.com

A student came to my office today. His browser showed our fronter.com instance protected by a peculiar SSL certificate issued by royalvulkan.com. The norm for fronter.com instances is SSL certificates issued by COMODO CA Limited. The intrusive SSL certificate has a validity period spanning from 1996 to 2056, which is very odd. The certificate probably has a wildcard Common Name, causing it to cover all conceivable hostnames. I have no idea how this certificate got introduced into our student’s computer. Luckily, Google Chrome spotted the faulty certificate and the student was wise enough to come and see me. Shortly after, I had to leave the student and go to class. I’ll try and update this post if he shows up again with the same problem.


I pondered this issue during the weekend. Maybe the student has somehow activated the proxy setting, sending all his (sensitive) internet traffic to an unknown third party.

security/ssl-admin for ordinary SSL/TLS services

I came across Dan Langille's post on security/ssl-admin and figured I should try it before my old certificates expire later in 2016.

ssl-admin exists mainly for managing OpenVPN certificates, and with some tweaking you can make it work for ordinary SSL/TLS services.

oinkmaster, wget, and HTTPS download of snort rules

oinkmaster started complaining like this the other day:

root@enterprise:~>oinkmaster -Q -b /usr/local/etc/snort/backup -o /usr/local/etc/snort/rules

/usr/local/bin/oinkmaster: Error: could not download from https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz. Output from wget follows:

 https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz
Resolving www.snort.org (www.snort.org)... 50.19.124.119, 54.225.152.149, 54.243.242.66
Connecting to www.snort.org (www.snort.org)|50.19.124.119|:443... connected.
ERROR: cannot verify www.snort.org's certificate, issued by '/C=US/O=Thawte, Inc./CN=Thawte SSL CA':
  Self-signed certificate encountered.
To connect to www.snort.org insecurely, use `--no-check-certificate'.

Oink, oink. Exiting...

Order was restored once again by adding the following line to .wgetrc in root's home directory:

check_certificate = off

This is not the proper way of handling HTTPS security, but it gets the job done. Previously we used HTTP access for downloading our snort rules, and it’s only recently we were redirected to use HTTPS access.

Update 2014-10-22

oinkmaster suddenly felt ill again, exiting with exit status 8:

root@enterprise:~>oinkmaster -b /usr/local/etc/snort/backup -o /usr/local/etc/snort/rules
Loading /usr/local/etc/oinkmaster.conf
Downloading file from https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz...
/usr/local/bin/oinkmaster: Error: could not download from https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz. Output from wget follows:

 https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz
Resolving www.snort.org (www.snort.org)... 50.19.124.119, 54.225.152.149, 54.243.242.66
Connecting to www.snort.org (www.snort.org)|50.19.124.119|:443... connected.
WARNING: cannot verify www.snort.org's certificate, issued by '/C=US/O=Thawte, Inc./CN=Thawte SSL CA':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 422 Unprocessable Entity
2014-10-22 08:42:41 ERROR 422: Unprocessable Entity.


Oink, oink. Exiting...
root@enterprise:~>echo $?
8

This time check_certificate = off won’t help at all. Apparently, wget does not correctly use the certificate’s Subject Alternative Names (www.snort.org vs snort.org), according to a comment on http://blog.snort.org/2014/07/snort-2962-is-now-available.html.

I have wget 1.15 and OpenSSL 1.0.1j installed. I just reconfigured wget to link with GnuTLS 3.2.19, recompiled and reinstalled wget, and this is no better combination than linking wget with OpenSSL. :-/
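The www.snort.org vs snort.org problem above is a hostname verification question: does the name the client connected to appear among the certificate's dNSName SAN entries? The following added example (not code from this blog or from wget) implements that check over certificate dicts in the shape Python's ssl.getpeercert() returns; the certificates are constructed for illustration and are not the real snort.org or fronter.com certificates.

```python
# Hostname verification against a certificate's Subject Alternative Names.
# Added example; the certificate dicts below are constructed, not captured.

def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: a wildcard is only honoured as the entire
    left-most label, it must not cover a public suffix like '*.com',
    and it matches exactly one label (no 'a.b.example.com')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when hostname matches a dNSName SAN. If the certificate carries
    SAN entries they are authoritative; the subject CN is consulted only
    for legacy certificates that have no SAN extension at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_dns_name_match(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False

# Constructed certificates (hypothetical, for the examples only).
CERT_APEX_ONLY = {          # SAN lists only the apex name
    "subject": ((("commonName", "snort.org"),),),
    "subjectAltName": (("DNS", "snort.org"),),
}
CERT_APEX_AND_WWW = {       # SAN lists both names, as a correct cert would
    "subject": ((("commonName", "snort.org"),),),
    "subjectAltName": (("DNS", "snort.org"), ("DNS", "www.snort.org")),
}
CERT_WILDCARD = {           # one-level wildcard under example.com
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_OVERBROAD = {          # '*.com' must never be accepted
    "subject": ((("commonName", "*.com"),),),
    "subjectAltName": (("DNS", "*.com"),),
}
```

A client that connects to www.snort.org must refuse CERT_APEX_ONLY and accept CERT_APEX_AND_WWW; turning verification off, as the .wgetrc line above does, skips this check and the chain check alike.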