https – Page 2 – Giant Geek Blog

Accessing VirtualBox client from host

Assuming that you are a developer on Windows that run a VirtualBox instance for a server, you might find it difficult to browse/access the “virtual” server that are running as a client. Here’s an example of the config required for standard HTTP, HTTPS and SSH, you can easily expand for other services as needed. Example assumes that your client is named “Ubuntu64”, you need to change appropriately for each client.

NOTE: if you are using a Linux host, the commands are similar.


cd C:\Program Files\Oracle\VirtualBox
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTP/HostPort 80
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTP/GuestPort 80
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTP/Protocol TCP
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTPS/HostPort 443
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTPS/GuestPort 443
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTPS/Protocol TCP
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/Tomcat/HostPort 8080
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/Tomcat/GuestPort 8080
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/Tomcat/Protocol TCP
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/SSH/HostPort 22
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/SSH/GuestPort 22
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/SSH/Protocol TCP
VBoxManage.exe getextradata "Ubuntu64" enumerate

Sniff for SSL capability of browser

If you run a secure server, you often have some non-secure content prior to authentication of a secure session. To provide a mechanism to show a page prior to authentication, you can “sniff” for the clients capability with a small bit of JavaScript.

First establish a global variable on the page:
<script type="text/javascript"> var sslok = 0; </script>
Then, include a JavaScript file that is ONLY available via a secure
<script type="text/javascript" src="https://www.giantgeek.com.com/secure/sniff.js"></script>

The ‘sniff.js’ file should contain (at a minimum):
sslok = 1;

Finally, check and act on the value:
<script type="text/javascript"> if (sslok === 1) { window.location.href = 'https://www.giantgeek.com/secure/'; } </script>

Done!

HTTP is deprecated?

I found this several years ago, and ‘most’ of my websites implement this standard.

While “http://” implies IP Port 80, and “https://” implies IP Port 443, the payload of such traffic is no longer limited to HyperText (the “HT” in HTTP). To support future protocols, it is advised that websites not force this upon future implementations of the IP stack.

Unfortunately, there is ONE case that implementation of this process can cause your websites. If you run on non-standard ports (or use HTTPS), you’ll still need the protocol (“http:” or “https:”) on the links used to swap protocols.

Obvious advantage here is that all of your links can be shortened.

More information is available at:

http://www.no-http.org/

Cheers!

MSIE’s flawed SSL implementation

This has been quite frustrating. It seems that Microsoft has again ventured from complying with the industry web standards in this space too!

The comments from the Apache HTTP 2.x ‘http-ssl.conf’ files say it all:

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

A little further research indicates that MSIE6 has (probably) partially fixed this (the HTTP/1.0 & KeepAlive issues), so the updated config should use a Regular Expression to look like…

SetEnvIf User-Agent ".*MSIE [1-5].*"
 nokeepalive ssl-unclean-shutdown
 downgrade-1.0 force-response-1.0

SetEnvIf User-Agent ".*MSIE [6-9].*"
 ssl-unclean-shutdown

Related Information:

Cheers!

Detecting browser SSL capability with JavaScript

If you run a secured website using HTTPS (aka SSL) it’s often wise to stop or notify users that are using a browser or client that doesn’t support the proper encryption level required.

Here’s a short method to “sniff” the capabilities prior to forwarding users to the secure area. You could add logic to inform the user of the problem.

As usual I’ve stripped a lot of the XHTML markup for readability.

<html>
<head>
<!– set ‘sslok’ global variable for testing SSL capability –>
<script type=”text/javascript”>
<!–
var sslok = 0;
//–>
</script>
<!– try including source javascript from secure server, this will set “sslok” to 1 if it works –>
<!– note that the /secure directory is protected so that only 128+bit SSL is allowed –>
<script type=”text/javascript” src=”https://www.example.com/secure/ssl-test.js”></script>
<!– if ssl is 1, our javascript include worked, so SSL is successful – redirect to SSL –>
<script type=”text/javascript”>
<!–
if (sslok == ‘1’) {
window.location = ‘https://www.example.com/secure’;
}
//–>
</script>
</head>
<body>
</body>
</html>

Contents of the ‘ssl-test.js’ file:

<!– set sslok to 1, so we know this include succeeded –>
sslok = ‘1’;

NOTE: If you use the same ‘filesystem’ for HTTP & HTTPS you might want to use a server-side program (PHP or Java for example) to generate the JavaScript. Benefit of that process would be that you could also interrogate and return other SSL attributes such as cypher strength.

Cheers!

Enabling A Secure Apache Server w/SSL Certificates

If you’ve taken some time to wander around my site, you may have noticed that I also have SSL enabled (with https://www.giantgeek.com/ url’s). Here’s the steps you can take on your site/server – provided you have proper access.

Download and install Apache-OpenSSL and OpenSSL – I’ve found http://hunter.campbus.com/ to be a reliable source for precompiled binaries for Win32 platforms.

Install OpenSSL, and add the following environmental variable.
OPENSSL_CONF=[apache_root]/bin/openssl.conf (.cnf?)

Generate a private key:
openssl genrsa —des3 —out filename.key 1024

Create CSR Request…
openssl req —new —key filename.key —out filename.csr

This step will ask for several pieces of information, here’s my example:

Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Illinois Locality Name (eg, city) []:Carol Stream Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dean Scott Fredrickson Organizational Unit Name (eg, section) []:Giant Geek Communications Common Name (eg, YOUR name) []:www.giantgeek.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:xxxxxxxxxxxxxx An optional company name []:Giant Geek Communications

You can now send this CSR to a valid Certifying Authority…
I currently use http://www.comodo.com/.

It’s very likely that the CA will need to verify your identity, typically this requires you to fax a copy of your id card/passport or business papers. A D-U-N-S Number (from Dun and Bradstreet) will make this easier for businesses.

If you don’t plan on having lots of users, you can create a Self-signed certificate…
openssl x509 —req —days 30 —in filename.csr —signkey filename.key —out filename.crt

You’ll need to install the files received from the CA, but it’s pretty trivial so I’ll leave it for later.

S	M	T	W	T	F	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30