Let's Encrypt and Nginx

Let’s Encrypt started handing out free TLS certificates signed by a certificate authority that almost every browser trusts. Their client currently doesn’t work well with nginx, and I’ve found myself explaining how to use it with nginx on IRC a number of times, so I decide to just write it up here.

Issuance

Let’s Encrypt has a number of ways to verify you are the owner of the domain, but the easiest one for servers that already have a web server running it called “webroot”, in which you place a file at a pre-defined path on your site and they check it. The Let’s Encrypt client will generate the file for you and do most of the hard stuff, you just need to give it a place on to put the file that nginx will serve it from. If you’re nginx is configured to proxy everything to somewhere else, skip down to the section labeled Proxying. Otherwise, determine the location that it serves out of (usually /var/www/html or similar). Then, clone the repo and run Let’s Encrypt with the webroot. In the following code snippet, replace /var/www/html with wherever your root directory is:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto -a webroot --webroot-path /var/www/html --email your@email.tld -d your.domain -d www.your.domain certonly

you can specify up to 100 domains via multiple -d, they must all be valid from the same webroot though. You should give them a good email to contact you at, they only use for important things (problems with your certs, expiry notices…).

Installation

Once you have the certs, you need to install them. Mozilla’s SSL Configuration Generator provides some good resources for what your nginx config should look like. ssl_certificate should point to /etc/letsencrypt/live/<your domain>/fullchain.pem, and ssl_certificate_key should be privkey.pem in the same directory. ssl_trusted_certificate from their config is chain.pem and you have to generate the dhparam yourself (openssl dhparam -out /etc/ssl/dhparam.pem 2048).

Proxying

If you proxy everything back (eg location / { proxy_pass ... }) to a different program, that’s fine, you just need to make a special rule for path it’s looking for to be read off the disk. I put something like this in my server block:

location /.well-known/acme-challenge { root /var/www/html; }

Then (after reloading nginx, of course) continue above with your webroot-path set to /var/www/html. This can obviously be any location you want, as long as you feed the same path to letsencrypt as nginx

32C3 Torrent Feeds

The 32nd Chaos Computer Congress is going on right now, and they have all of the talks available in a variety of audio and video formats, and RSS feeds of these things, all on their media server. Unfortunately, there’s no feeds for the torrent files they provide, so I wrote up a quick web service to gather their feeds and convert them into torrent feeds.

You can see it live here: 32C3 Torrent Feeds and read/fork the source here.

For reasons surpassing my understanding, ruTorrent’s RSS feed feature prepends the feed URL to the URL of the torrent, but it also has a handy “Rule Manager” to rewrite the torrent URLs. My rule looks like this:

  • If the URL for the torrent description matches pattern: |.*cdn.media.ccc.de/(.*)|i

  • then replace the URL of the torrent download with: https://cdn.media.ccc.de/${1}

Silly Things With Home Automation

For a long time I’ve owned some X10 home automation stuff. The idea is pretty simple: there are some modules that you plug your lamps and whatnot into:

X10 Module Example

Then they have a controller that allows you to switch the various units on and off. All of the signals go over the power lines in ways I don’t understand (this page might help if you want to try). They also make computer controller units, which obviously require some Windows app that probably works on Windows 95 and Windows 98 only. It connects via a serial port. Fortunately, as usual, there’s some 3rd party Linux software to control it, called HEYU. I had got this setup before, but never gone as far as actually doing anything with the computer controls. Then this weekend I decided to sit down and write up a nice web interface. There are other Heyu web interfaces, but they are all difficult to get running and seem way too complex for my liking. Mine has a clean UI, is written in Python using Flask and has a nice phone UI:

x10web Screenshot

The configuration file allows you to define housecode and unit compinations and give them a name, then displays sets of buttons for each one. It also lets you do HTTP basic auth. This was mostly just something I wanted to play with, I doubt it will be that useful to me as there are few situations where it’s easier to unlock my phone, open my browser, load this page, sign in, then click the off button than just getting up and hitting the switch.

x10web’s source code is on GitHub

A Domain Availability Finder

First, demo: Domain Finder.

I have been frustrated a many times by Namecheap’s search interface, trying to suggest other domains to me and being clunky to search for one different TLDs. So I built a simple site to do what I wanted: Check one name against every TLD.

The code is pretty simple, it just downloads a list of TLDs from Namecheap and caches them (currently forever, something i’ve been meaning to change). Then the client gets a list of TLDs from the server (currently does not cache them, something that might be nice), and when it the user requests a domain name it checks it against every TLD it knows, in batches. Namecheap’s API docs don’t specify any maximum size of the request, but in testing requesting every TLD didn’t seem to work. I’ve been trying to determine the optimal batch size, so I’ve set it to randomize between 1 and 50 (for now) and record stats on the time it takes namecheap to respond. Once I’ve collected sufficient data I may change the range that the batch size can be or make it static.

The results are displayed in a simple list, with green boxes indicating availability. The links on the green boxes point to a NameCheap page to buy the domain, the links on the red boxes point to the domain on http.

Domain Finder Screenshot

Source on Github

SIP calls over cjdns

Following a recent discussion on IRC, I’m writing up a brief tutorial on how to make secure VoIP calls over a cjdns network (such as Hyperboria). Since cjdns encrypts everything end to end, there is no need to worry about ZRTP or other sorts of connection security. My computer is currently running Ubuntu 14.04 (Trusty), but this should work with most distros (obviously the install commands may vary by distro). I assume you’ve already got cjdns installed and you’re able to use it to communicate with others. If not, take a look at the cjdns README, then come back.

The first step is pretty straight forward: Install linphone. On Ubuntu/Debian, this is as simple as

sudo apt-get install linphone

When that’s done, start it up. It’ll present you with this screen:

Linphone Startup Screen

Go ahead and hit cancel on that dialog. You will, unfortunately, need to do this every time. Linphone does not seem to offer an option to simply not annoy the user with the crappy account creation wizard, and since we’re doing direct peer-to-peer calls, you won’t have and account. The next step is to go into the Options menu and select Preferences at the top. The only change you should need to make is to check the checkbox under Transport labeled Use IPv6 instead of IPv4. You’ll also want to make sure that under NAT and Firewall on that same screen, Direct connection to the internet is selected so it doesn’t attempt to do any NAT hole punching or anything. My settings dialog looked like this when I was done:

Linphone Settings Screen

Now close settings and shut down Linphone (Options->Quit - mearly closing the window will cause it to hide itself in the notification area but still run) and reopen it. This is needed to make it bind to IPv6 instead of IPv4. To test, you can call my PBX. There are a few different addresses:

sip:milliwatt@[fc28:ab92:6b6e:d624:ec1a:c336:d28a:fd69]

Will play a milliwatt tone, so you can judge the quality of the link. Note that my PBX is running on a shitty home network connection so link issues may be my end as well

sip:conference@[fc28:ab92:6b6e:d624:ec1a:c336:d28a:fd69]

Is a conference room. Maybe others will be in there!

sip:ivr@[fc28:ab92:6b6e:d624:ec1a:c336:d28a:fd69]

Is a silly, mostly non-functional IVR menu I made. Most of the options don’t work.

sip:finn@[fc28:ab92:6b6e:d624:ec1a:c336:d28a:fd69]

Will call the IP phone on my desk. I can’t promise I’ll answer it. And someone else might decide to.

To call these, you simple place the address in the text box at the top of Linphone and hit the big green icon to the right of it.

Your identity is displayed at the bottom of linphone, and to call you one must simply enter that into their SIP client. Jitsi and other SIP clients should be able to interconnect with Linphone no problem, but I haven’t got a nice tutorial for setting all of those up.

Building a "Secure" Android App

This quarter I’m taking a class about security stuff. I figured it’d be somewhat interesting, but found, much to my dismay, that the instructor very lacking in any practical knowledge related to information security. The main assignment for the entire quarter is building a secure mobile payement system for on Android.

After various discussion with the instructor, my group was able to talk him out of making us do payment related stuff, and instead just are designing a “secure” chat app. After discussion with my group, we decided to worry mostly about the connection security and authenticating the server and client to each other securely. I had seen one site use TLS certificates to authenticate the client, and I was vaguely aware that it could be done. On top of that, we used certificate pinning on the client to ensure that CA-related hax can’t be used to trick the client into trusting the wrong server in a MITM-style attack. All of our source code is released on Github: client, server.

Authenticating the Server

The server has a TLS X.509 certificate that it presents to clients trying to communicate with it. This certificate happens to be signed by CA in most trusted CA lists (StartCom), mostly for ease of testing in a normal browser, but our app ignores this and looks for our specific certificate, mostly using examples from the OWASP wiki. This means that to attack our connection, an attacker would either need to steal our certificate, make a cert with the exact same public key, or find a vulnerability in the Android TLS 1.2 implimentation or the underlying crypto. These things seem pretty unlikely, but an actually good secure messaging app would use end-to-end encryption, so that even our server couldn’t read it, however I consider this practice for more “traditional” apps where the server actually does have to read the data. The internet-facing webserver is an nginx instance configured with the Mozilla SSL Configuration Generator, and setup to expect, but not require, client side certificates. It terminates the SSL session and proxies back to our Java-based server, adding HTTP headers to indicate the status of the client’s certificate (non-existant, valid, invalid, etc). See: nginx.conf, added to git by request of some of our classmates.

Authenticating the Client

The client authentication thing is a bit more tricky. We wanted to get away from the password-based authentication model where the client proves they know/have access to a secret by handing the secret over to the server, so certificates were the way to go. Client side SSL certificates on Android ended up being easier than I was expecting. When you go to make an HTTPS request, you create and object to represent the SSL context, then you call one of it’s methods with 3 arguments: The KeyManager object used for client-side certificates, the TrustManager object to be used to validate the remote server, and the SecureRandom object used for entropy. In most examples online, all three of these are null, and the examples that actually show a non-null one only do one (usually client-side certs or a TrustManager), however it’s pretty easy to combine the two, as we did in SecureConnection.java. The key pair creation proved a bit trickeir, unfortunately. When the main activity is launched, we check if we have a key stored, and if we don’t we prompt the user for a usenrame. The app (specifically, GenerateKeyPair.java) then generates a public/private key pair, stores the private key in the local keystore, and uploads the public key to the server for signing in the form of a standard CSR. At the time of this writing, the actual cert-signing part of the server doesn’t work. We had been using a hacked-together python server that spawned openssl, piped the CSR in to stdin, read the certificate out of stdout and returned it to the client, but are in the process of moving to a Bouncy Castle based CSR signing routine in the Java server. Once this is complete, the server can authenticate the client by their having a certificate that has been signed by our internal CA, and determine the speific one by either their certificate’s common name field, and/or their certificate fingerprint.

Other Thoughts

The server-side stuff is still pretty lacking, but the basics are there. We’re hoping to get something useful running by the end of the quarter to show to the teacher and class. If you’re looking for a good secure messaging app, try TextSecure. It actually impliments secure end-to-end crypto and is developed by respected security researchers such as Moxie Marlinspike. Our app is just for fun and shouldn’t be treated as more secure than, say, SMS.

Powerline, Minature Octo Batman, and more

Last week, after replacing my failing hard drive with an SSD and reinstalling my OS, I was playing with tmux and vim configs when I rediscovered Powerline. It’s a script to provide extensible statusline elements to a variety of things (including vim, tmux, i3, zsh, etc). I installed it into my tmux, and loved it so much that I ended up putting it on several of my servers as well. Many of the default modules are nice to have in the tmux stausline, athough I changed it a bit from the default.

But I wanted more. For example, one of the things I had in my previous tmux’s config was the number of currently connected cjdns peers. So I got to work learning how to write my own modules for it. Turns out there is approximately zero documentation for doing this. Github user Omega expressed similar issue in #409 on the official powerline repo, and was kind enough to link to his powerline module, which proved simple enough to read and understand. From there, I was able to create a series of modules to check everything from cjdns peers to the current price of bitcoins.

I’ve wanted to publish them, but failed to find a good name. Fortunately, Github has a feature that randomly generates repo names. Thus, minature-octo-batman was born. I even put it in pypi (my first package there!), so you can install it easily with pip or easy_install. The README file contains a full list of the avalable modules and how to install them.

While I used powerline in tmux I decided to go with a powerline-esq but not actually powerline vim config. Mostly because I liked prurigro’s vimrc and did’t really feel comfortable mucking about with vimrc files myself. It’s an excellent vimrc, with syntax highlighting for every language I’ve thrown at it, suggestions, a powerline-esq status line, and all sorts of things I haven’t even discovered.

Scraping the UW course listings

I was boredly sitting in class earlier this evening when someone mentioned that he had been trying to scrape and parse UW’s course listings with python. I suggested BeautifulSoup, which he said he’d used, but it was still incredibly dfficult. I had to give it a shot myself. If you want to follow along, here’s one of the pages. Without looking at the source, it’s clearly a table or possibly a few of them, but still relatively easy to parse. However, looking at the source reveals that each timeslot of each course is in fact its own table, with one row and cell, which contains a <pre> tag, which has the “table” made by using the proper number of spaces to make everything line up. Like this:

<table width="100%" ><tr><td><pre>
       <A
       HREF=https://sdb.admin.washington.edu/timeschd/uwnetid/sln.asp?QTRYR=SPR+2014&SLN=12766>12766</A>
       B  5       MW     545-745P   UW1  221      NASH,ROB D
       Open     26/  48                      
                               MUST ENROLL IN CSSSKL 162 B                                                                                                                         
                               </td></tr></table>

After some brief spectulation with my fellow classmates about what they could be doing on the backend, I got down to parsing it. I first tried spliting it by the space character, then selecting each non-empty element and assuming it was what belonged in that place, but I quickly discovered that different courses have different numbers of values. For example, if a course is pass/no pass, it gets a little thing saying that. Otherwise, it gets a blank space in that “column”.

So I went with selectig the specific range of the value I wanted. It’s horrible, will probably break, but is the most reliable I could come up with. So, for example, characters 0 through 6 represent the enrollment restrictions column. Characters 7 through 13 are the SLN, etc. I put this all into a python script, which I tested on a number of different course listings, although not as extensively as I would have liked. The code can be found on my github. Feel free to file pull requests or issues if you find a problem/see a possible improvement. I’m stil not sure what to do with the data, but it has a lot of possibilities.

I’d love to see a collected set of utilities for accessing and parsing UW’s data. They have a lot of useful information like this that could be used to build great things. Maybe UW will sanction an official API or something…

Keybase, a site for matching handles to keys

I recently found out about Keybase. From what I gather, it’s a way to allow one to associate their PGP public key with their Twitter, Github, etc (only Twitter and Github are supported at this time, it seems). At first I thought it required you to trust Keybase, but after playing with it a little I realized that the keybase client actually does the verification. Basically, you post a signed message to your Github and Twitter which says what your username on that service is, your username on Keybase is, and that this is your key. Have a look at my Github verification for an example.

I filed two issues on Github which were promptly dealt with. I filed one late at night and it got resolved the next morning, filed another later that day which got resolved within the hour. Additionally, invites seemed to flow in as I filed issues, although that may have been concidence. At the time of this writing I have a few invites, might be willing to give some out.

The concept seems pretty interesting, I’ll be interested to watch how it develops. Some people on IRC were talking about building a fully-decentralized version of it with a blockchain, which might be cool if it ever materializes (so far no actual code as been written as far as I know).

I’ve also gotten into PGP use and stuff, as in harassing my friends to use it finally and using a desktop mail client instead of the Gmail web interface.

New domain, New website

I’ve just picked up finn.io, and I decided it was time to redo my website. The old one looks hideous, and was all in PHP. This is a static site, generated with Jekyll (still playing with it, I think I like it though) then managed through git. I’m not sure where I want this site (and this domain) to be for yet, but I’m finding out. Starting with this blog post.