A blast from the past: mod_epp

I recently got contacted by SIDN regarding some problems with mod_epp. They were running into issues when combining mod_epp with mod_proxy and needed me to find a fix. We came to an agreement, I spent some time programming C again, and here it is: mod_epp version 1.6.


* Bugfix: Internal EPP error messages work again
* Default value for EPPAuthURI
* New config statement: EPPReturncodeHeader
  - Backend can signal EPP RC to mod_epp
* New feature: implicit login
  - EPPAuthURI = implicit
  - no special request to authenticate
  - uses either HTTP error code or via EPPReturncodeHeader of the command.
* New feature: User-Agent: header set
* Bugfix/Feature: Connection close now works on mod_proxy
  - X-Connection
  - via EPP return code

* A mod_proxy setup is now fully supported. See README.

Get it here.

More upgrading tidbits

As mentioned before, I disabled xen before the etch->lenny upgrade. Now I’ve re-enabled xen, and the following bits may be of wider interest:

My server at the Hetzner hosting center has one static IP address and a small network that is routed towards that IP address. So my plan was to use this small network ( for the virtual switch inside the xen Dom0 and connect all the domUs to it. I solved this the following way:

In /etc/network/interfaces I tell Debian to create the bridge and use br0 as the interface of the dom0 into that bridge:

auto br0
iface br0 inet static
        pre-up brctl addbr br0
        bridge_fd 0
        bridge_hello 0
        bridge_stp off

That way, the xen scripts themselves have little to do. The settings in /etc/xen/xend-config.sxp are:

(vif-script 'vif-bridge bridge=br0')
(network-script network-route)

In the config-file for each individual domU, I just use something like

vif  = [ 'ip=,mac=00:16:3e:77:e2:79,bridge=br0' ]

but I’m not sure whether that’s actually needed at this point.

Concerning the domUs: The hints in the Debian Wiki were helpful, especially about changes to the console handling.

Upgrading from etch to lenny

Just in case somebody was wondering why this blog was down over the weekend:

I finally bit the bullet and upgraded my server from Debian etch to Debian lenny. And while doing that I ran into Bug #541371.

Otherwise the upgrade was pretty painless. But as timid (some might say sane) as I am, I disabled xen before the upgrade. Getting that up and running with a new kernel will be the next step. This is especially tricky as I do not have a remote console, just the Hetzner rescue system.

Oh, and as I’m no longer running a pre-historic wordpress, this blog might get a new design sooner than later.

Crypt::OpenSSL::X509 and UTF-8 strings

Bumped to top due to updates.

For my current project I look at a lot of X.509 certificates using Dan Sully’s Crypt::OpenSSL::X509 Perl module. I’m not using the version from CPAN, but his current codebase straight from his git repository.

While trying to store information about certs in a PostgreSQL DB which is set to UTF-8 strings, I encountered errors. Some debugging later I found that some of the certs had Umlauts in the subject field. The XS code from Crypt::OpenSSL::X509 wasn’t UTF-8 aware, causing automatic down-conversion to ISO-8859-1, which produced illegal byte sequences when parsed as UTF-8.

After some cursing and debugging I came up with this patch:

--- ../dsully-perl-crypt-openssl-x509/X509.xs 2009-03-06 22:22:44.000000000 +0100
+++ X509.xs 2009-08-17 14:46:00.000000000 +0200
@@ -73,6 +73,15 @@
return sv;

+static SV* sv_bio_utf8_on(BIO *bio) {
+ SV* sv;
+ sv = (SV *)BIO_get_callback_arg(bio);
+ SvUTF8_on(sv);
+ return sv;
static void sv_bio_error(BIO *bio) {
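Review bot: sv_bio_utf8_on() calls SvUTF8_on(sv) unconditionally, and the pointer returned by BIO_get_callback_arg(bio) is used without a NULL check. SvUTF8_on only sets a flag; it neither converts nor validates the buffer, so any bytes in the BIO that are not well-formed UTF-8 end up as a malformed Perl string. Suggest setting the flag only once the BIO content is complete and has passed is_utf8_string(), and leaving it off otherwise.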

@@ -293,8 +302,10 @@
name = X509_get_issuer_name(x509);

+ /* this need not be pure ascii, try to get a native perl character string with utf8 */
+ sv_bio_utf8_on(bio);
/* this is prefered over X509_NAME_oneline() */
- X509_NAME_print_ex(bio, name, 0, XN_FLAG_SEP_CPLUS_SPC);

} else if (ix == 3) {
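Review bot: In the issuer-name branch the call X509_NAME_print_ex(bio, name, 0, XN_FLAG_SEP_CPLUS_SPC) is removed and no replacement is visible, although the header (-293,8 +302,10) implies a further added line; as shown, nothing is written to bio after sv_bio_utf8_on(bio). The replacement print call needs to be present here, and its flags must leave multibyte characters unescaped, otherwise marking the SV as UTF-8 changes nothing in the output. The flag is also set before any data is written, so it cannot depend on what the name actually contains.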

@@ -799,7 +810,8 @@
n = OBJ_nid2sn(nid);
BIO_printf(bio, "%s=", n);
- ASN1_STRING_print(bio, X509_NAME_ENTRY_get_data(name_entry));
+ sv_bio_utf8_on(bio);
+ ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(name_entry),ASN1_STRFLGS_UTF8_CONVERT & ~ASN1_STRFLGS_ESC_MSB);
RETVAL = sv_bio_final(bio);
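Review bot: In the ASN1_STRING_print_ex() call the flag expression ASN1_STRFLGS_UTF8_CONVERT & ~ASN1_STRFLGS_ESC_MSB is identical to ASN1_STRFLGS_UTF8_CONVERT alone, because ESC_MSB is a separate bit that was never set; drop the mask. With no escape flags at all, control characters in a name entry are written through unescaped into the returned string, so consider ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_ESC_CTRL. Style: add a space after the comma before the flags argument.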


Basically, this just tells the openssl library to output UTF-8 and the perl core that the new strings are encoded in UTF-8.

This might be overkill in the cases where it’s not actually needed, but it should do no harm.

Update: My patch is now in the git repository.

Update2: Life is not that easy. Looking at more X.509 certs in the wild shows that openssl does not check whether it returns a valid UTF8 string. So stay tuned for additional patches in Dan’s git repository.

Update3: My patches are now integrated in the git version.
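
The check that Update2 calls for, on the consumer side, as an added example (not code from the module or from the patches mentioned above): decode name bytes strictly as UTF-8 and fall back to ISO-8859-1 when they are not well-formed, so that only valid UTF-8 reaches the database. The helper name and the sample subjects are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: strict UTF-8 validation of certificate name strings.
use strict;
use warnings;
use Encode qw(decode encode);

# Hypothetical helper: turn the raw bytes of a subject/issuer field into a
# Perl character string. Well-formed UTF-8 is decoded as such; anything
# else is treated as ISO-8859-1, which maps every byte to one character.
sub name_to_chars {
    my ($bytes) = @_;
    # FB_CROAK makes decode() die on malformed input instead of
    # substituting U+FFFD; LEAVE_SRC keeps $bytes intact for the fallback.
    my $chars = eval {
        decode('UTF-8', $bytes, Encode::FB_CROAK | Encode::LEAVE_SRC);
    };
    return ($chars, 'utf8') if defined $chars;
    return (decode('ISO-8859-1', $bytes), 'latin1-fallback');
}

# Constructed samples: the same subject with "ü" as UTF-8 (C3 BC),
# as ISO-8859-1 (FC), and with a truncated UTF-8 sequence (C3 alone).
my @samples = (
    "CN=M\xC3\xBCller GmbH",
    "CN=M\xFCller GmbH",
    "CN=M\xC3",
);

for my $raw (@samples) {
    my ($chars, $how) = name_to_chars($raw);
    my $out = encode('UTF-8', $chars);   # always valid UTF-8 for the DB
    printf "%-16s %-32s %s\n", $how, unpack('H*', $raw), $out;
}
```

Recording which branch was taken makes it possible to list the certificates whose name fields did not contain well-formed UTF-8.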

Fun with RT Scrips

This might be of broader interest to users of RT:

I recently hacked up a small Scrip that tries to merge new tickets generated by mail bounces into the original ticket.

This is similar to what RtBounceHandler is doing, just that it’s implemented as a scrip and not as an external program which runs on incoming mail.

I’ve added my code to the RT wiki.

Broadcom woes

The company laptop (Windows XP) of my wife came with the Broadcom software for controlling the Wifi settings.

I’ve already had so many troubles getting that box to talk WPA to my local WLAN at home (an OpenWrt Kamikaze running on an Alix box) that I switched back to WEP.

Last week I tried to get the Broadcom junk to talk WPA to the Linksys ADSL/WLAN CPE at my mother’s place. No go. Just once, for a few seconds it managed to get the TKIP key. Most of the time it failed to negotiate an AES key. Whatever.

I’m so glad I convinced her tech department to give us local admin rights. That way I finally just nuked that dysfunctional piece of sh*** and went back to the default Windows WLAN configuration tool.

That just worked.

Instantly. No hassle at all.

Rate-limit for swatch

At work, we installed swatch to have a look at our combined logfiles. (see techrepublic or linsec for a swatch intro.)

But contrary to most of the examples, we’re using swatch not to check for known events, but to look out for unexpected entries. So basically our config is “ignore the known, send mail for the rest”:



This has one severe drawback: every single unexpected line in a logfile will send one mail. This just doesn’t scale.

The threshold feature won’t really help us, as it rejects notifications over its limit, whereas for email notifications it’s better to collect more messages into a single email.

So I dived into the code and added a ratelimit feature for the mail Action.

Apply the patch in Actions.pm.diff and then you can write:

mail=addresses=joe\@example.com,subject="swatch alert",ratelimit=600,ratetag=foo

and joe will get no more than one mail per 10 mins, without missing a single message.

As written, this config has one problem: I need to flush the messages I held back once I’m allowed to send mail again. In theory, I should have added some sort of timer-based event-handling to swatch, but I considered that to be overkill. Especially if you have multiple mail statements with different rate-limits. So I added another option to the mail Action that tells it just to flush spooled messages and do nothing more. You should trigger that option frequently, e.g. with a stanza like this at the top of your config-file:

mail=addresses=joe\@example.com,subject="swatch alert",ratelimit=600,ratetag=foo,rateflush=1

ignore=/ /

mail=addresses=joe\@example.com,subject="swatch alert",ratelimit=600,ratetag=foo
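
The spool-and-flush behaviour described above, as a small stand-alone model (an added example, not the code from Actions.pm.diff): at most one mail per ratelimit seconds for each ratetag, held-back lines collected into the next mail, and a flush-only call that sends nothing new. The helper name, the in-memory mailer and the timeline are constructed.

```perl
#!/usr/bin/perl
# Added example: spool-and-flush rate limiting, modelled on the text above.
use strict;
use warnings;

my %state;   # per ratetag: { sent_at => time of last mail, spool => [lines] }
my @sent;    # stand-in for the real mailer: [time, tag, number of lines]

# Hypothetical helper. $line is undef for a flush-only call (rateflush=1).
# Returns 1 if a mail went out, 0 if the line was spooled or nothing was due.
sub rate_limited_mail {
    my ($now, $tag, $limit, $line) = @_;
    my $s = $state{$tag} ||= { sent_at => undef, spool => [] };
    push @{ $s->{spool} }, $line if defined $line;

    return 0 unless @{ $s->{spool} };              # nothing queued
    return 0 if defined $s->{sent_at}
             && $now - $s->{sent_at} < $limit;     # too early, keep spooling

    push @sent, [ $now, $tag, scalar @{ $s->{spool} } ];  # one mail, all lines
    $s->{spool}   = [];
    $s->{sent_at} = $now;
    return 1;
}

# Constructed timeline: a burst of unexpected log lines, then flush calls.
rate_limited_mail(  0, 'foo', 600, 'kernel: unexpected line 1');  # sent at once
rate_limited_mail( 10, 'foo', 600, 'kernel: unexpected line 2');  # spooled
rate_limited_mail( 20, 'foo', 600, 'kernel: unexpected line 3');  # spooled
rate_limited_mail(300, 'foo', 600, undef);   # flush only: still inside window
rate_limited_mail(610, 'foo', 600, undef);   # flush only: sends the 2 lines

printf "t=%-4d tag=%s lines=%d\n", @$_ for @sent;
```

The last two calls show why the flush stanza has to be triggered often: spooled lines leave only when some call arrives after the window has passed.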

The razor business model within IT

The razor business is said to have premiered the following business model: Sell the razor really cheap, but charge a lot for the blades.

Seeing the same in IT isn’t unusual, the prime examples are Inkjet printers where the printer is ridiculously cheap, but a new ink cartridge costs almost the same as the printer.

Cisco memory is another example.

I just noticed the same with HP’s new entry-level 1U server, the HP 120G5. We bought one for evaluation purposes for slightly above 500 €. Seems like decent hardware: 1GB RAM, a Xeon processor and a single SATA harddisk. No frills, no chrome spoilers, just a straightforward server.

But: no on-board remote management. That would be extra. You need to buy the HP DL120 G5 Lights-Out 100c kit. We just plugged one of these into a DL 180, where we really need it. It’s a very tiny card. Just a PCI-E slot, an RJ45 jack and a single chip:

LO 100c

The price: ~ 200 €.


Getting kmail on Ubuntu to open links in firefox

This is one of the simple things which required more searching than I expected. I note the solution here in the hope that it is helpful to the next person searching for an answer.

The problem:

We’re running plain Ubuntu installations (gnome) with Kmail (for Kolab). Clicking on links in emails opens a shell window with Lynx and not Firefox.

The fix:

Most of the search hits I found advised me to use kcontrol and go to “KDE Components -> Component Chooser”. Well, that option isn’t enabled in the Ubuntu version of the KDE packages. As I don’t run the KDE panel, the suggested solution doesn’t work either.

The solution is contained in these bug tracker messages:

sudo apt-get install kde-systemsettings
kcmshell defaultapplication

Sometimes I miss the times of simple configuration files.