Archive for the ‘System Administration’ Category

Crypt::OpenSSL::X509 and UTF-8 strings

Thursday, August 27th, 2009

Bumped to top due to updates.

For my current project I look at a lot of X.509 certificates using Dan Sully’s Crypt::OpenSSL::X509 Perl module. I’m not using the version from CPAN, but his current codebase straight from his git repository.

While trying to store information about certs in a PostgreSQL DB which is set to UTF-8 strings, I encountered errors. Some debugging later I found that some of the certs had umlauts in the subject field. The XS code from Crypt::OpenSSL::X509 wasn’t UTF-8 aware, causing automatic down-conversion to ISO-8859-1, which produced illegal byte sequences when parsed as UTF-8.

After some cursing and debugging I came up with this patch:


--- ../dsully-perl-crypt-openssl-x509/X509.xs 2009-03-06 22:22:44.000000000 +0100
+++ X509.xs 2009-08-17 14:46:00.000000000 +0200
@@ -73,6 +73,15 @@
return sv;
}

+static SV* sv_bio_utf8_on(BIO *bio) {
+
+ SV* sv;
+ sv = (SV *)BIO_get_callback_arg(bio);
+ SvUTF8_on(sv);
+ return sv;
+}
+
+
/*
static void sv_bio_error(BIO *bio) {
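
Review bot: sv_bio_utf8_on() flips the UTF-8 flag on the buffer SV without any check that the bytes OpenSSL is about to write are well-formed UTF-8; SvUTF8_on() is purely a flag, so a name whose string type is mislabelled in the certificate (the case Update2 below describes) leaves Perl with a malformed string that only fails later, e.g. in the database driver. Since both callers (the next two hunks) invoke it before anything has been printed into the BIO, the validation cannot live here; it belongs in sv_bio_final(), where the finished bytes are available, along the lines of `if (is_utf8_string((U8 *)SvPVX(sv), SvCUR(sv))) SvUTF8_on(sv);` with an ISO-8859-1 fallback otherwise. Also guard the BIO_get_callback_arg() result against NULL before SvUTF8_on() dereferences it, and drop one of the two added blank lines before the commented-out sv_bio_error(), since the surrounding code separates functions with a single blank line.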

@@ -293,8 +302,10 @@
name = X509_get_issuer_name(x509);
}

+ /* this need not be pure ascii, try to get a native perl character string with utf8 */
+ sv_bio_utf8_on(bio);
/* this is prefered over X509_NAME_oneline() */
- X509_NAME_print_ex(bio, name, 0, XN_FLAG_SEP_CPLUS_SPC);
+ X509_NAME_print_ex(bio, name, 0, (XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT) & ~ASN1_STRFLGS_ESC_MSB);

} else if (ix == 3) {
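
Review bot: the flag expression on the X509_NAME_print_ex() line needs a comment stating its intent (emit bytes above 0x7F raw instead of as \xHH escapes, now that the buffer is declared UTF-8), because nothing in the hunk says why ASN1_STRFLGS_ESC_MSB is cleared from a set that only ORs in a separator flag and ASN1_STRFLGS_UTF8_CONVERT. Factoring that flag set into one named constant shared with the ASN1_STRING_print_ex() call in the next hunk would keep the two copies from drifting apart. Note also that ASN1_STRFLGS_ESC_CTRL is not set, so control characters in a subject are copied into the Perl string unescaped; fine for storing the value, but callers that log or display it should not assume it is printable. The typo "prefered" in the context comment could be fixed while these lines are being touched.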

@@ -799,7 +810,8 @@
n = OBJ_nid2sn(nid);
}
BIO_printf(bio, "%s=", n);
- ASN1_STRING_print(bio, X509_NAME_ENTRY_get_data(name_entry));
+ sv_bio_utf8_on(bio);
+ ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(name_entry),ASN1_STRFLGS_UTF8_CONVERT & ~ASN1_STRFLGS_ESC_MSB);
RETVAL = sv_bio_final(bio);

OUTPUT:
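
Review bot: `ASN1_STRFLGS_UTF8_CONVERT & ~ASN1_STRFLGS_ESC_MSB` masks a bit out of a single flag that does not contain it, so the argument is simply ASN1_STRFLGS_UTF8_CONVERT; either pass that directly or, if the mask is meant to document intent, say so in a comment (and add the missing space after the comma). As in the previous hunk, sv_bio_utf8_on() flags the SV before any bytes have been written, so a well-formedness check for the bytes that ASN1_STRING_print_ex() produces has to happen in sv_bio_final() on the following line, not here.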

Basically, this just tells the openssl library to output UTF-8 and the perl core that the new strings are encoded in UTF-8.

This might be overkill in the cases where it’s not actually needed, but it should do no harm.

Update: My patch is now in the git repository.

Update2: Life is not that easy. Looking at more X.509 certs in the wild shows that openssl does not check whether it returns a valid UTF-8 string. So stay tuned for additional patches in Dan’s git repository.

Update3: My patches are now integrated in the git version.
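
As an added example (not part of Crypt::OpenSSL::X509 or of the patch above), here is the defensive check a caller can apply to the byte strings the XS code hands back before storing them in a UTF-8 database: flag data as UTF-8 only when it actually is, and otherwise fall back to ISO-8859-1, which can decode any byte sequence. The sample subject strings are constructed, and name_to_chars is a hypothetical helper, not a method of the module.

```perl
#!/usr/bin/perl
# Added example, not code from Crypt::OpenSSL::X509: validate the raw subject
# bytes before treating them as UTF-8. Assumption: $bytes holds the octets
# exactly as OpenSSL wrote them with ASN1_STRFLGS_UTF8_CONVERT.
use strict;
use warnings;
use Encode qw(decode);

binmode STDOUT, ':encoding(UTF-8)';

# Turn a byte string into a Perl character string without ever leaving a
# malformed UTF-8 string behind: utf8::decode() succeeds only for valid UTF-8
# and leaves the input untouched otherwise, so the fallback sees the original
# bytes. ISO-8859-1 maps every byte, so the fallback cannot fail.
sub name_to_chars {
    my ($bytes) = @_;                       # private copy; decode works in place
    return $bytes if utf8::decode($bytes);  # valid UTF-8 (ASCII included)
    return decode('ISO-8859-1', $bytes);    # mislabelled Latin-1, as seen in the wild
}

# Constructed samples of what a subject name may look like on the wire.
my %sample = (
    utf8   => "CN=M\xC3\xBCller GmbH",  # "Müller" as UTF-8
    latin1 => "CN=M\xFCller GmbH",      # same name in ISO-8859-1, invalid as UTF-8
    ascii  => "CN=example.com",         # plain ASCII, valid under both readings
);

for my $kind (sort keys %sample) {
    my $chars = name_to_chars($sample{$kind});
    printf "%-6s -> %s (%d characters)\n", $kind, $chars, length $chars;
}
```

Both the UTF-8 and the Latin-1 sample decode to the same 14-character name; the difference is that the second one would have been a malformed string had the UTF-8 flag simply been switched on, which is exactly the failure Update2 refers to.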

Fun with RT Scrips

Friday, July 24th, 2009

This might be of broader interest to users of RT:

I recently hacked up a small Scrip that tries to merge new tickets generated by mail bounces into the original ticket.

This is similar to what RtBounceHandler is doing, just that it’s implemented as a scrip and not as an external program which runs on incoming mail.

I’ve added my code to the RT wiki.

Broadcom woes

Thursday, July 16th, 2009

The company laptop (Windows XP) of my wife came with the Broadcom software for controlling the Wifi settings.

I’ve already had so many troubles getting that box to talk WPA to my local WLAN at home (an OpenWrt Kamikaze running on an Alix box) that I switched back to WEP.

Last week I tried to get the Broadcom junk to talk WPA to the Linksys ADSL/WLAN CPE at my mother’s place. No go. Just once, for a few seconds it managed to get the TKIP key. Most of the time it failed to negotiate an AES key. Whatever.

I’m so glad I convinced her tech department to give us local admin rights. That way I finally just nuked that dysfunctional piece of sh*** and went back to the default Windows WLAN configuration tool.

That just worked.

Instantly. No hassle at all.

Rate-limit for swatch

Monday, July 6th, 2009

At work, we installed swatch to have a look at our combined logfiles. (see techrepublic or linsec for a swatch intro.)

But contrary to most of the examples, we’re using swatch not to check for known events, but to look out for unexpected entries. So basically our config is “ignore the known, send mail for the rest”:

ignore=/…/
ignore=/…/

watchfor=/./
mail=…..

This has one severe drawback: every single unexpected line in a logfile will send one mail. This just doesn’t scale.

The threshold feature won’t really help us, as it rejects notifications over its limit, whereas for email notifications it’s better to collect more messages into a single email.

So I dived into the code and added a ratelimit feature for the mail Action.

Apply the patch in Actions.pm.diff and then you can write:

watchfor=/./
mail=addresses=joe\@example.com,subject="swatch alert",ratelimit=600,ratetag=foo

and joe will get no more than one mail per 10 mins, without missing a single message.

As written, this config has one problem: I need to flush the messages I held back once I’m allowed to send mail again. In theory, I should have added some sort of timer-based event-handling to swatch, but I considered that to be overkill. Especially if you have multiple mail statements with different rate-limits. So I added another option to the mail Action that tells it just to flush spooled messages and do nothing more. You should trigger that option frequently, e.g. with a stanza like this at the top of your config-file:

watchfor=/./
mail=addresses=joe\@example.com,subject="swatch alert",ratelimit=600,ratetag=foo,rateflush=1
continue

ignore=/ /
ignore=/…/

watchfor=/./
mail=addresses=joe\@example.com,subject="swatch alert",ratelimit=600,ratetag=foo
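
To make the ratelimit/ratetag/rateflush semantics concrete, here is an added stand-alone model of that logic. It is not swatch’s Actions.pm and not the Actions.pm.diff patch; the function name rate_limited_mail, the hash of spools and the fake_send delivery stub are my own, and the log stream it runs over is constructed.

```perl
#!/usr/bin/perl
# Added example: a stand-alone model of the ratelimit/ratetag/rateflush
# behaviour described above. Not swatch's Actions.pm; delivery is a code ref
# so the logic can be exercised without a mailer.
use strict;
use warnings;

# One spool per ratetag: when the last mail for the tag went out, and the
# lines held back since then.
my %spool;

# Arguments mirror the config keys: addresses, subject, ratelimit (seconds),
# ratetag, rateflush (1 = deliver what is spooled, add nothing), plus
# message (the matched log line), now (epoch seconds, for testing) and send
# (code ref taking addresses, subject, body). Returns the number of lines
# delivered by this call; 0 means everything is still spooled.
sub rate_limited_mail {
    my %opt   = @_;
    my $tag   = $opt{ratetag} // 'default';
    my $limit = $opt{ratelimit} // 0;
    my $now   = $opt{now} // time;
    my $q     = $spool{$tag} //= { last_sent => 0, messages => [] };

    push @{ $q->{messages} }, $opt{message}
        if defined $opt{message} && !$opt{rateflush};

    return 0 unless @{ $q->{messages} };           # nothing to say
    return 0 if $now - $q->{last_sent} < $limit;   # quiet period: keep spooling

    my @batch = splice @{ $q->{messages} };        # take everything, drop nothing
    $opt{send}->($opt{addresses}, $opt{subject},
                 join '', map { "$_\n" } @batch);
    $q->{last_sent} = $now;
    return scalar @batch;
}

# Stand-in for the real mail call.
sub fake_send {
    my ($to, $subject, $body) = @_;
    print "mail to $to, subject '$subject':\n$body\n";
}

# Constructed log stream: (seconds, line). Lines 2 and 3 arrive inside the
# 600 s window opened by line 1; the flush stanza delivers them as soon as a
# later line shows up after the window has passed.
my @log = ([1000, 'disk sda1 full'], [1010, 'oom killer invoked'],
           [1020, 'sshd: unexpected option'], [1700, 'ntp step too large'],
           [2400, 'heartbeat']);

my %common = (addresses => 'joe@example.com', subject => 'swatch alert',
              ratelimit => 600, ratetag => 'foo', send => \&fake_send);

for my $entry (@log) {
    my ($t, $line) = @$entry;
    # First stanza of the config: flush only, then "continue" to the next one.
    rate_limited_mail(%common, now => $t, rateflush => 1);
    # The catch-all watchfor=/./ stanza.
    rate_limited_mail(%common, now => $t, message => $line);
}
```

Running it delivers three mails (the first line alone, lines 2 and 3 together, line 4 alone) and leaves the last line spooled, which illustrates the caveat in the text: without a timer, held-back messages go out only when another log line arrives and triggers the rateflush stanza.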

The razor business model within IT

Wednesday, March 4th, 2009

The razor business is said to have premiered the following business model: Sell the razor really cheap, but charge a lot for the blades.

Seeing the same in IT isn’t unusual, the prime examples are Inkjet printers where the printer is ridiculously cheap, but a new ink cartridge costs almost the same as the printer.

Cisco memory is another example.

I just noticed the same with HP’s new entry-level 1U server, the HP 120G5. We bought one for evaluation purposes for slightly above 500 €. Seems like decent hardware: 1GB RAM, a Xeon processor and a single SATA harddisk. No frills, no chrome spoilers, just a straightforward server.

But: no on-board remote management. That would be extra. You need to buy the HP DL120 G5 Lights-Out 100c kit. We just plugged one of these into a DL 180, where we really need it. It’s a very tiny card. Just a PCI-E slot, a RJ45 jack and a single chip:

LO 100c

The price: ~ 200 €.

Sheesh.

Windows XP: Doh.

Sunday, February 22nd, 2009

Last week:

Windows: Please restart

I can make a fool of myself without any help.

Getting kmail on Ubuntu to open links in firefox

Tuesday, October 21st, 2008

This is one of the simple things which required more searching than I expected. I note the solution here in the hope that it is helpful to the next person searching for an answer.

The problem:

We’re running plain Ubuntu installations (gnome) with Kmail (for Kolab). Clicking on links in emails opens a shell window with Lynx and not Firefox.

The fix:

Most of the search hits I found advised me to use kcontrol and go to “KDE Components -> Component Chooser”. Well, that option isn’t enabled in the Ubuntu version of the KDE packages. As I don’t run the KDE panel, the suggested solution doesn’t work either.

The solution is contained in these bug tracker messages:

sudo apt-get install kde-systemsettings
kcmshell defaultapplication

Sometimes I miss the times of simple configuration files.

Debian Lenny: / on LVM2 on dm_crypt on raid

Wednesday, October 1st, 2008

This is just Google-fodder:

If you use the lenny (beta2) installer to set up a system which uses / on LVM on dm_crypt on raid, then the first reboot fails with something like “cannot find LVM volumes”. After a few minutes you get dumped into a busybox shell.

Getting the system to boot

Run cryptsetup luksOpen /dev/md1 md1_crypt (or md0, depending on your setup). Exit busybox and the system should boot through. Then …

Fixing this for good

It seems that this Wiki page still applies. Thus you have to add a line to /etc/crypttab containing (in my case md1)

md1_crypt /dev/md1 none luks

and run update-initramfs -u to update the initrd.

That’s it.

RT(IR) Command line ticket creation + Autoreply

Friday, August 22nd, 2008

This is one of the “simple” problems which always take longer to solve than expected.

The goal: Script RTIR to generate Investigations associated with an Incident.

In order to do that, I needed to solve the following two subproblems:

  1. Being able to use the “edit” feature in the command line “rt” client and capture the new ticket’s id
  2. Basically, I needed to capture the STDOUT of the “rt” command, and also let rt invoke vi. My solution:

    --- /usr/bin/rt 2007-10-31 11:52:20.000000000 +0100
    +++ /usr/local/bin/rt 2008-08-20 14:14:20.000000000 +0200
    @@ -1335,7 +1335,7 @@
    local $/ = undef;

    open(F, ">$file") || die "$file: $!\n"; print F $text; close(F);
    - system($editor, $file) && die "Couldn't run $editor.\n";
    + system("$editor $file < /dev/tty > /dev/tty”) && die “Couldn’t run $editor.\n”;
    open(F, $file) || die “$file: $!\n”; $text = ; close(F);
    unlink($file);
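
    Review bot: the replacement line changes system() from its list form to a single string, so $editor and $file are now parsed by /bin/sh; $editor comes from the user's environment and a file name containing a space or shell metacharacter would be split or interpreted, which the list form never did. Keeping the list form and doing the redirection in a forked child (open STDIN and STDOUT on /dev/tty, then exec) gives the same terminal handling without involving the shell. Two rendering problems are also visible: the added line closes its strings with typographic quotes (”…“), which perl will not compile, so check that the real file uses ASCII double quotes throughout; and the context line `$text = ;` has lost its `<F>` readline, so the patch as shown here would not apply cleanly.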

  3. Add attachments during ticket creation
  4. The “Autoreply on Create” Scrip is supposed to mail out the newly created content to the Requestor, thus I needed to provide not only plain text during creation, but also all the attachments that need to be sent out to the Requestor.

    Adding text is simple, just add “Text: foo bar” to the Template. But attachments are simply not supported for “rt create” (and not that easy to add in the code). They are supported for “rt correspond”, so I can sidestep the “attachment on create” problem by simply splitting up the work into an empty “rt create” followed by a “rt correspond -a file”.

    There is just one gotcha: The Autoreply Scrip will happily mail on ticket creation with an empty mail.

    Solution: Change the “Condition = On Create” for the Scrip to “Custom” with

    # Fire only for the Create transaction ...
    my $t = $self->TransactionObj;
    return 0 unless ($t->Type eq "Create");

    # ... and only if that transaction actually carries content, so the
    # empty "rt create" does not trigger the Autoreply mail.
    my $c = $t->ContentObj;
    return (defined($c)) ? 1 : 0;

New version of mod_epp released

Thursday, June 26th, 2008

I finally managed to crank out a new release of mod_epp. So, what’s new?

Last November Gavin Brown sent me a bug report regarding the handling of large answers. I provided a quick fix back then but did no official release.

While debugging that issue, I noticed that mod_epp didn’t generate the greeting on newer Apache versions. Tracing that, I found that the kernel didn’t return from accept on connection open, but on the first data reception. First I suspected the epoll interface, but some more intensive debugging found a more mundane reason: setsockopt is used to set:

TCP_DEFER_ACCEPT

Allows a listener to be awakened only when data arrives on the socket. Takes an integer value (seconds), this can bound the maximum number of attempts TCP will make to complete the connection.

Some more googling found the answer: you need to use the AcceptFilter directive to disable this optimization for the EPP socket.

This is not really documented, thus this bug report.
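
To show the failure mode directly, here is an added Perl experiment (not mod_epp or Apache code): it listens on a loopback port with and without TCP_DEFER_ACCEPT, forks a client that connects and then stays silent for a while, as an EPP client waiting for the server’s greeting does, and measures how long accept() blocks. It assumes Linux (the option number is taken from <linux/tcp.h>); the function name accept_latency and the timings are mine.

```perl
#!/usr/bin/perl
# Added example, not mod_epp code: show what TCP_DEFER_ACCEPT does to a
# server that has to speak first. Linux only; it forks a client on the
# loopback interface.
use strict;
use warnings;
use Socket;
use Time::HiRes qw(time sleep);

my $TCP_DEFER_ACCEPT = 9;   # value from <linux/tcp.h>

# Listen on a random loopback port, optionally with deferred accept, fork a
# client that connects and then stays silent for $client_delay seconds before
# sending its first bytes, and return how long accept() blocked.
sub accept_latency {
    my ($defer, $client_delay) = @_;
    socket(my $srv, PF_INET, SOCK_STREAM, IPPROTO_TCP) or die "socket: $!";
    setsockopt($srv, SOL_SOCKET, SO_REUSEADDR, pack('l', 1)) or die "setsockopt: $!";
    if ($defer) {
        # 30 s: long enough that the kernel does not hand the idle connection
        # over before the client speaks.
        setsockopt($srv, IPPROTO_TCP, $TCP_DEFER_ACCEPT, pack('l', 30))
            or die "TCP_DEFER_ACCEPT: $!";
    }
    bind($srv, pack_sockaddr_in(0, INADDR_LOOPBACK)) or die "bind: $!";
    listen($srv, 5) or die "listen: $!";
    my ($port) = sockaddr_in(getsockname($srv));

    my $pid = fork // die "fork: $!";
    if ($pid == 0) {
        # Client side. An EPP client behaves like this: it connects and then
        # waits for the server's greeting, so its first bytes come late.
        close $srv;
        socket(my $cli, PF_INET, SOCK_STREAM, IPPROTO_TCP) or die "socket: $!";
        connect($cli, pack_sockaddr_in($port, INADDR_LOOPBACK)) or die "connect: $!";
        sleep $client_delay;
        syswrite($cli, "<hello/>\n");
        close $cli;
        exit 0;
    }

    my $t0 = time;
    accept(my $conn, $srv) or die "accept: $!";
    my $elapsed = time - $t0;
    close $conn;
    close $srv;
    waitpid($pid, 0);
    return $elapsed;
}

my $delay = 2;
printf "client silent for %ds; plain accept() returned after %.2fs\n",
    $delay, accept_latency(0, $delay);
printf "client silent for %ds; deferred accept() returned after %.2fs\n",
    $delay, accept_latency(1, $delay);
```

Without the option, accept() returns as soon as the handshake completes; with it, accept() returns only after the client's first bytes arrive, i.e. roughly after the client's delay. A server that must send a greeting before the client says anything therefore never gets the connection handed to it, which is the deadlock described above and the reason the EPP listener needs the deferred-accept optimization switched off.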