
Stranger – Chapter 7 – Anything can be a monster with the right type of imagination

So my wife and I have divided the chores in our household into certain categories. Some chores she will take care of and do however she pleases, and some I will. Others we will both take whenever there is time. One chore my wife is responsible for is the laundry, which includes folding the clothes. However, when she folds the clothes, she places them on the bed. Then we are both responsible for taking our own folded clothes to where we store them (we currently store them separately for no specific reason, it just became like that). We are both lazy in our own ways, and I’m lazy when it comes to putting away my clothes once they have been folded. Thus, they end up spread out around my side of the bed. Currently, one pile is lying on the air conditioning unit next to my bed, and another one on the windowsill next to my bed.

A few nights ago Stranger was on watch as usual, when he suddenly detected something straight out of a horror movie. Between the folded clothes on the windowsill were red glowing eyes. There were hundreds of them, and they were staring right at us, ready to attack. This of course required immediate evacuation. Stranger acted without hesitation and grabbed the cover, and then swiftly made his way out on the balcony. Standing out there, I woke up, and Stranger let go of the controls. I knew what had happened, but the feeling of being confused and terribly frightened had me standing out there for a few minutes before I could go back inside. I double checked the clothes so that nothing was hiding under them, and then went back to sleep.

Next to the clothes is a pile of socks I’ve been picking from every morning when I’m about to take my morning shower. Last night Stranger sensed a disturbance in the force coming from the pile of socks. His instincts are, as always, 100% correct, and the socks had turned into snakes! He quickly leaped into battle against the overwhelming number of foes (I have a lot of socks, and change daily, sometimes twice a day depending on what I do during the day). It was a long and hard battle, but I never doubted Stranger’s abilities and he obviously managed to take care of the threat.

When I woke up the traces of the battle were still there in plain sight. My first thought was that I might need to call a medic to the scene, but there were clearly no survivors. There were socks spread out literally everywhere in the room (I even had one tucked up in my armpit).

Stranger triumphs, yet again.

Thanks Stranger!

Installing Postfix and Courier with MySQL and SASL on Debian 7

I recently had to move to a new server and had some trouble getting Postfix and Courier to work as I wanted. The tutorial I used to follow a bunch of years ago is gone, and the tutorials I found were either outdated, wrong or didn’t do it my way. So with some inspiration from other tutorials, including the old one I used to have, I have written my own modified version.

Step 1: Prepare your certificate now as you will be using it later
If you don’t already have one you can get one for free at StartSSL.
This tutorial won’t cover the steps at StartSSL as there are other documents for that.

Files that you will need:

– yourcert.crt
– yourprivatekey.key (in a decrypted state for server purpose)
– ca.pem
– sub.class1.server.ca.pem

Place them in a folder like /etc/ssl/StartCom/year-month-day
For example, I use /etc/ssl/StartCom/2015-08-10 since that is the expiration date for one of my certs.
When the files have been placed there you need to do the following:

This is because Courier later wants the certificate and private key combined in a single pem file, while Postfix wants them as separate files.
There might be a way to keep it consistent but I haven’t checked.

Also remember to set permissions to this folder!

Your private key is in there and you need to protect it.

Step 2: Install required software

Step 3: Setup MySQL database

Step 4: Configure postfix

Create these files below and paste the content that follows.
Remember to replace the user and password with whatever you chose before.

Change permissions of the files

Create user vmail

Set options in the Postfix configuration file.
Replace server1.example.com with the FQDN of your server.
Also replace the cert and key file paths with the cert and key files in your StartCom folder.
For example, instead of /etc/postfix/smtpd.cert you write /etc/ssl/StartCom/2015-08-10/yourcert.crt

Now open /etc/postfix/master.cf and uncomment the following section.
The format of these lines is important, so only remove the comment characters (#) and nothing else.

Step 5: Configure Saslauthd

Create a folder for saslauthd

Open the following file.
Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r".

Open the following file and configure pam to use MySQL to authenticate you.

Edit smtpd.conf and configure sasl to use the sql plugin to authenticate users.

Add the postfix user to the sasl group

Restart postfix and saslauthd

Step 6: Configure courier

Edit Courier to use MySQL to authenticate

Now configure Courier to use your StartSSL cert for imap.
Courier wants the combined pem file.

Find the row TLS_CERTFILE and change the path.
For example: TLS_CERTFILE=/etc/ssl/StartCom/2015-08-10/combined.pem

Also find the following rows and make sure they are set to the values below.

Since I don’t use pop3 I will make sure to disable it.

Find the following row and make sure it’s set to the value below.

Restart courier

Step 7: Modify aliases

Issue this command to update the aliases

That should be all.
Don’t forget to populate the database with a user and a domain.

If you have any comments or feedback then feel free to leave them in the comment section below.
This tutorial will be updated later with some more security related settings to protect against certain SSL/TLS attacks.

Using Java to connect with SSLSocket, trusting all certificates

So I wanted to make a little test client that would connect to a web server via SSL.
The problem is that in this experiment I don’t really care about the security, so I want the client to accept all certificates, even self signed ones and very old ones.
Credits to my good friend Maboroshi who helped me find the final solution that solved the last problem with the invalid certs.

So the first thing I did was to write the following.
This is safe code that does NOT accept invalid certificates of any kind: it uses the JVM’s default trust store, so the server certificate must chain to a trusted CA.

SAFE
[code lang="java"]
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;
import java.net.Socket;

public class test {
    public static void main(String[] arstring) {
        try {
            // Connect without SSL
            Socket clientSocket = new Socket("google.com", 80);
            DataOutputStream outToServer = new DataOutputStream(clientSocket.getOutputStream());
            BufferedReader inFromServer = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));

            // HTTP request lines end in CRLF, not a bare LF
            outToServer.writeBytes("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n");
            System.out.println("No SSL – " + inFromServer.readLine());
            clientSocket.close();

            // Connect with SSL using the JVM default trust store (the system CA certificates)
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("google.com", 443);

            DataOutputStream outToServerSSL = new DataOutputStream(sslsocket.getOutputStream());
            BufferedReader inFromServerSSL = new BufferedReader(new InputStreamReader(sslsocket.getInputStream()));

            outToServerSSL.writeBytes("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n");
            System.out.println("SSL – " + inFromServerSSL.readLine());
            sslsocket.close();

        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}
[/code]

The problem with the above code for me, was that when connecting to a server with an invalid certificate, I got the following error.

Exception in thread "main" javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

Thus, that solution won’t cut it!
I needed something else, so I tried to write some code that would accept all certs as well.
Please note that ALL of the code from here on is UNSAFE, and should NOT be used in a production environment.


Reference to solution

UNSAFE
[code lang="java"]
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.*;
import java.net.Socket;
import java.security.cert.X509Certificate;

public class ssl {
    public static void main(String[] arstring) {

        try {
            // Connect without SSL
            Socket clientSocket = new Socket("google.com", 80);
            DataOutputStream outToServer = new DataOutputStream(clientSocket.getOutputStream());
            BufferedReader inFromServer = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));

            // HTTP request lines end in CRLF, not a bare LF
            outToServer.writeBytes("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n");
            System.out.println("No SSL – " + inFromServer.readLine());
            clientSocket.close();

            // Connect with SSL
            // Create a trust manager that does not validate certificate chains:
            // every server certificate is accepted, so the peer is NOT authenticated
            TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() {
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    // The interface contract requires a non-null array; empty means "no issuers"
                    return new X509Certificate[0];
                }

                @Override
                public void checkClientTrusted(X509Certificate[] certs, String authType) {
                }

                @Override
                public void checkServerTrusted(X509Certificate[] certs, String authType) {
                }
            }};

            // Install the all-trusting trust manager
            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init(null, trustAllCerts, new java.security.SecureRandom());

            SSLSocketFactory sslsocketfactory = sc.getSocketFactory();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("google.com", 443);

            DataOutputStream outToServerSSL = new DataOutputStream(sslsocket.getOutputStream());
            BufferedReader inFromServerSSL = new BufferedReader(new InputStreamReader(sslsocket.getInputStream()));

            outToServerSSL.writeBytes("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n");
            System.out.println("SSL – " + inFromServerSSL.readLine());
            sslsocket.close();

        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}
[/code]

But, now this gives me a different error because this invalid certificate is broken/old!

javax.net.ssl.SSLProtocolException: no more data allowed for version 1 certificate
at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(HandshakeMessage.java:431)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:963)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1208)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:674)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:119)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:133)
at java.io.DataOutputStream.writeBytes(DataOutputStream.java:276)
at ssl.main(ssl.java:93)
Caused by: java.security.cert.CertificateParsingException: no more data allowed for version 1 certificate
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:710)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1751)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(HandshakeMessage.java:429)
... 10 more

Ok, so this is where it got tricky to solve.
I googled around for some time but I couldn’t really find a solution (since usually this is not the kind of thing you want to do).

But then a friend of mine (Maboroshi), pointed me to this site

Which brought me to this final solution.
The only real change here was to use the BouncyCastle provider

[code lang="java"]
Security.insertProviderAt(new BouncyCastleProvider(), 1);
[/code]

Which can be found HERE

Another requirement that I came to think about, is that this change requires Java 6 since Java 7 doesn’t support MD2. There is a solution if you are running Java 7 though.

Just open this file

[code]
JDK_HOME/jre/lib/security/java.security
[/code]

And comment out the following line

[code]
jdk.certpath.disabledAlgorithms=MD2
[/code]

That should do the trick.
Solution was found HERE

UNSAFE
[code lang="java"]
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.*;
import java.net.Socket;
import java.security.Security;
import java.security.cert.X509Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class ssl {
    public static void main(String[] arstring) {
        // Make BouncyCastle the preferred provider so it parses the broken/old certificate
        Security.insertProviderAt(new BouncyCastleProvider(), 1);

        try {
            // Connect without SSL
            Socket clientSocket = new Socket("google.com", 80);
            DataOutputStream outToServer = new DataOutputStream(clientSocket.getOutputStream());
            BufferedReader inFromServer = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));

            // HTTP request lines end in CRLF, not a bare LF
            outToServer.writeBytes("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n");
            System.out.println("No SSL – " + inFromServer.readLine());
            clientSocket.close();

            // Connect with SSL
            // Create a trust manager that does not validate certificate chains:
            // every server certificate is accepted, so the peer is NOT authenticated
            TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() {
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    // The interface contract requires a non-null array; empty means "no issuers"
                    return new X509Certificate[0];
                }

                @Override
                public void checkClientTrusted(X509Certificate[] certs, String authType) {
                }

                @Override
                public void checkServerTrusted(X509Certificate[] certs, String authType) {
                }
            }};

            // Install the all-trusting trust manager
            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init(null, trustAllCerts, new java.security.SecureRandom());

            SSLSocketFactory sslsocketfactory = sc.getSocketFactory();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("google.com", 443);

            DataOutputStream outToServerSSL = new DataOutputStream(sslsocket.getOutputStream());
            BufferedReader inFromServerSSL = new BufferedReader(new InputStreamReader(sslsocket.getInputStream()));

            outToServerSSL.writeBytes("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n");
            System.out.println("SSL – " + inFromServerSSL.readLine());
            sslsocket.close();

        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}
[/code]

Now I got the output I wanted 🙂

No SSL – HTTP/1.1 200 OK
SSL – HTTP/1.1 200 OK
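The all-trusting X509TrustManager above removes the one thing the handshake authenticates: with empty checkServerTrusted, any certificate presented by anyone on the path is accepted. When a test server has a self-signed or privately issued certificate, the alternative is to trust exactly that certificate (or the CA that issued it) and nothing else, while leaving the JDK's cacerts and java.security untouched. The class below is an added example and is not code from the original post: it loads the PEM file you point it at into an empty in-memory trust store, builds an SSLContext from it, turns on hostname verification, and performs the same GET /. The names PinnedClient, contextTrustingOnly and fetchStatusLine are chosen here; it assumes Java 7 or later (for SSLParameters.setEndpointIdentificationAlgorithm) and that the certificate parses with the JDK's default provider.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example client (not from the original post): connects to host:port over TLS
 * and trusts ONLY the certificate(s) found in the given PEM file, for example
 * the server's own self-signed certificate or the private CA that issued it.
 * Anything else fails the handshake, so no trust-all TrustManager is needed.
 */
public class PinnedClient {

    // Build an SSLContext whose trust anchors are exactly the certificates in pemPath.
    static SSLContext contextTrustingOnly(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory store, independent of the JDK cacerts
        int count = 0;
        try (InputStream in = new FileInputStream(pemPath)) {
            // generateCertificates() reads every PEM block in the file, so a chain works too
            for (Certificate c : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("pinned-" + count++, c);
            }
        }
        if (count == 0) {
            throw new IllegalArgumentException("no certificates found in " + pemPath);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Send GET / and return the HTTP status line. The handshake fails (and this
    // throws) on an untrusted certificate, a hostname mismatch or an expired cert.
    static String fetchStatusLine(String host, int port, String pemPath) throws Exception {
        SSLContext ctx = contextTrustingOnly(pemPath);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // SSLSocket does not verify the hostname by itself; enable HTTPS-style checking
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);
            s.startHandshake(); // fail here, before any application data is written

            OutputStream out = s.getOutputStream();
            out.write(("GET / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII));
            out.flush();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
            return in.readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java PinnedClient <host> <port> <trusted.pem>");
            System.exit(2);
        }
        System.out.println("TLS – " + fetchStatusLine(args[0], Integer.parseInt(args[1]), args[2]));
    }
}
```

Run it as `java PinnedClient myserver.example 443 server.pem`, where server.pem holds the certificate you exported from the server (a constructed path and hostname, not from the post). Because the trust store starts empty, a certificate from any public CA is rejected just like a forged one, which is the property the trust-all version gives up.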