Retrieve remote FTP or SMTP TLS server certificate

February 26, 2013

With SSL protected resources it is easy to find a command line to retrieve the certificate. Following is documented at many places:

openssl s_client -connect www.google.com:443

But if you use use this with a TLS server, be it SMTP or FTP you’ll get

CONNECTED(00000003)
527654:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607:

The solution ins quite easy (if you know it) .. use following command line:

openssl s_client -connect ftp.xxxx.at:21 -starttls ftp

or

openssl s_client -connect smtp.xxxx.at:25 -starttls smtp

IPv6 OpenVZ VEs and Debian/Proxmox as host system

February 24, 2013

A friend of mine got a new root server and asked me to help him set it up. And of course I helped and as he got a free IPv6 subnet I thought lets configure it.  He is running Proxmox as his host system, which is based on Debian.So this guide is also true for Debian systems which have OpenVZ installed.

  1. You want to use IPv6 for the host system, you need to add at least following to  /etc/network/interfaces
    iface vmbr0 inet6 static
    address 2001:xxxx:xxxx:xxx::1
    netmask 64
      up ip -6 route add default via 2001:xxxxx:beef::1 dev vmbr0
      down ip -6 route del default via 2001:xxxxx:beef::1 dev vmbr0

    Replace vmbr0 with eth0 if you’re not using Proxmox and only OpenVZ on Debian.

  2. The ISP my friend has the server located at uses a default gateway, which is not in his IPv6 subnet, you need therefore add a host route. Which is done be following 2 lines
      up ip -6 route add 2001:4ba0:fff7:1:beef::1 dev vmbr0
      down ip -6 route del 2001:4ba0:fff7:1:beef::1 dev vmbr0
  3. Restart the networking with: /etc/init.d/networking restart
  4. Test it with following:
  5. Add following to /etc/sysctl.conf and make sure it is not defined two times
    # IPv6 Packet Forwarding and Proxy NDP
    net.ipv6.conf.default.forwarding = 1
    net.ipv6.conf.all.forwarding = 1
    net.ipv6.conf.default.proxy_ndp = 1
    net.ipv6.conf.all.proxy_ndp = 1
  6. Call sysctl -p to activate it at once (so no reboot is required)
  7. Go to /etc/vz/vz.conf and make sure following is in there
    IPV6="yes"
  8. You currently can’t add an IPv6 address through the web GUI of Proxmox – so you need to use the CLI (replace with a IP adresse from your IPv6 range
    vzctl set <VEID> --ipadd 2001:xxx:xxx::xxx --save
  9. restart the VE, and try the ping stuff from step 4 in the VE. (ps: It can take up to 5 pings before you get a response the first time.)

More is not needed … its quite easy!

ps: don’t forget to add an IPv6 DNS server, if it is a IPv6 only VE. This can currently not be done via Proxmox web GUI.

pps: iptables does not filter IPv6 .. you need ip6tables for this. don’t think that you’re secure, if you didn’t open anything with iptables.

List of IEEE 802.1x hotfixes for Windows 7

February 16, 2013

Most companies which want to enable 802.1x for their wired network run Windows 7 SP1. After activating 802.1x you’ll run into various problems with your Windows 7 boxes. It will work fine in lap tests but it will fail in the real world. Why is that? Because there are many 802.1x bugs in it.

Normally I blog about Linux, networking and security and not Windows related stuff. I’m not an Windows expert but I needed to get it authenticated with my network so needed to look into the matter. I hope it helps other networks guys. I’m working for over 8 month (no not all the time 😉 ) now to get Windows 7 SP1 100% of the time working with 802.1x. Its working 99% of the time, but there are still errors (under rare and special condition) that occur. ;-(

At the time of writing this list I didn’t find any other site that lists the available hotfixes, so I though I start a list. And the description texts from Microsoft to these hotfixes are sometimes brain dead.  Anyway some entries are the result of working with the Microsoft Premier Support on cases. If you’ll find any other hotfix, fixit, … please let me know.

ps: We’re using EAP-TLS so I can only write about patches I needed for it.

  1. KB2481614
    If you’re configuring your 802.1x settings via Group Policy you’ll see sometimes EAP-PEAP request from clients in your radius server log during booting even if you’ll set EAP-TLS. This error happened in our case with 1/3 of the boots with some models. The error is caused by a timing problem during startup. Sometimes the 802.1x is faster and sometimes the Group Policy is, and if the 802.1x is faster than the default configuration is taken, which is PEAP. Which lead to a EAP-NAK by the radius server.
  2. KB980295
    If an initial 802.1x authentication is passed, but a re-authentication fails, Windows 7 will ignore all later 802.1x requests. This hotfix should also fix a problem with computers waking up from sleep or hibernation – but we’ve disabled these features so I can’t comment on them.
  3. KB976373
    This hotfix is called “A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network”. I can’t comment on this, as we’ve not deployed 802.1x for our VoIP phones at this point. But it solves one other problem, which is described here. The Windows Vista hotfix for the same problem, linked in the article (There is a third hotfix related but not linked in the article, its for XP – so it seems the problem is through the whole product line), states that if an error occurs Windows is normally hard-coded to ignore EAPOL packets for 20min. I would guess it is the same for Windows 7 too. The linked article tells you to install the patch and set some registry key to lower the value.
  4. KB2769121
    A short time ago I found this one: “802.1X authentication fails on a Windows 7-based or Windows 2008 R2-based computer that has multiple certificates”. At time of writing I’m not sure if it helps for something in my setup. According to the symptoms list of the hotfix, it does not, but maybe it helps for something else, as the one before does.
  5. KB2736878
    An other error during booting – this time it happens if the read process starts before the network adapter is initialized. Really seems that they wanted to get faster boot times, no matter the costs.
  6. KB2494172
    This hotfix fixes a problem if you’ve installed a valid and invalid certificate for 802.1x authentication. The workaround is just deleting the invalid certificate. I’m not sure at this point if it affects also wired authentication.
  7. KB976210
    This problem occurs only during automated build processes and if you use an EAP method which needs user interaction – as I don’t do that I can’t comment on this hotfix.

So far this is my list – with the list you should get running Windows 7 and 802.1x nicely, but it is not perfect – Do you know any other patches or workarounds?

 

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 25 queries. 0.044 seconds.