Posts

Installing openvpn 2.3 on CentOS 7

Those of you who run CentOS probably know that the openvpn server package isn't available in the base distribution, nor in the CentOS Plus repositories.  When you peruse the openvpn.net website, they recommend using RepoForge builds (the old DAG repos).  The problem with that is that the repository for CentOS 7 doesn't yet have an openvpn server rpm.  What to do?

It turns out that it's comically simple to build your own RPM, so that's what I'm going to show you.  The instructions come mostly from the openvpn installation documentation.

Instructions
Go get the latest source tarball from the openvpn downloads page.  At the time of this blog post (Oct 2014), the current version is 2.3.4, so I just used wget to pull it down:
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.4.tar.gz
Before I try to build that source code into an RPM, I need to make sure the dependencies are installed and available.  So I used yum to install them:
sudo yum install openssl-de…
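Here is an added example of the build the post describes, written for this page rather than taken from the post or from OpenVPN's own documentation.  It downloads the 2.3.4 tarball named above together with a detached signature, refuses to build unless the signature verifies, and then runs rpmbuild -tb, which uses the spec file shipped inside the tarball.  The signature filename (<tarball>.asc), the location of the built RPMs under ~/rpmbuild/RPMS, and the requirement that the OpenVPN release-signing key is already in your keyring are assumptions, not facts stated in the post.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenVPN project: fetch the
# 2.3.4 release tarball, check it against its detached GPG signature, and only
# then build the RPM from the spec file shipped inside the tarball.
# Assumptions (not stated in the post): the detached signature is published
# beside the tarball as <tarball>.asc, and the OpenVPN release-signing key is
# already imported into the keyring of the user running this script.
set -eu

VERSION="${VERSION:-2.3.4}"
BASEURL="http://swupdate.openvpn.org/community/releases"
TARBALL="openvpn-${VERSION}.tar.gz"

# Download the tarball and its detached signature into the current directory.
fetch_release() {
    wget -q "${BASEURL}/${TARBALL}" "${BASEURL}/${TARBALL}.asc"
}

# Verify a detached signature. gpg exits non-zero on a bad or unknown-key
# signature; we return 1 ourselves (without calling gpg) if a file is missing.
verify_signature() {  # $1 = file, $2 = detached .asc signature
    [ -f "$1" ] && [ -f "$2" ] || return 1
    gpg --verify "$2" "$1"
}

# Compare a file's SHA-256 with an expected hex digest. Use this when the digest
# comes from a trusted out-of-band source (e.g. a signed release announcement).
sha256_matches() {  # $1 = file, $2 = expected hex digest
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Build the binary RPM(s) straight from the tarball: openvpn 2.3 ships
# openvpn.spec inside it, so rpmbuild -tb needs no separate spec file.
build_rpm() {
    rpmbuild -tb "$TARBALL"
    # assumed default rpmbuild tree; adjust if you use a custom %_topdir
    find "$HOME/rpmbuild/RPMS" -name "openvpn-${VERSION}*.rpm"
}

main() {
    fetch_release
    verify_signature "$TARBALL" "${TARBALL}.asc" || {
        echo "signature check failed for ${TARBALL}; not building" >&2
        exit 1
    }
    build_rpm
}

# Only start the download/build when explicitly asked, so the file can also be
# sourced for its functions.
if [ "${RUN_BUILD:-0}" = "1" ]; then
    main
fi
```

Run it as `RUN_BUILD=1 sh build-openvpn-rpm.sh`; sourcing the file without that variable just defines the functions.  The point of the ordering is that rpmbuild never sees a tarball whose signature did not verify, so a tampered download from a plain-http mirror cannot become an RPM you then install as root.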

Configure a FIPS 140-2 Compliant Java Provider on RedHat/CentOS/Fedora

If you're using any form of cryptography in Java, you might be aware of NIST FIPS 140-2, which specifies the security requirements a cryptographic module must meet before it can be used to protect sensitive data on federal information processing systems.

Oracle documentation, true to form, only gets you 80% of the way there.  Here are their technical notes on FIPS 140 compliance.

So here are the step-by-step instructions for configuring java with a FIPS-compliant Provider (SunPKCS11-NSS).

First, you need to install the libraries if you haven't already.  These are written by Mozilla, and have gone through NIST's Cryptographic Module Validation Program (CMVP).  Luckily, they're available for RedHat/CentOS/Fedora, and can be installed through yum.

sudo yum install nss-pkcs11-devel
Next, you need to configure your JRE to add the provider.  You do this by editing ${jre.home}/lib/security/java.security and adding a reference to the SunPKCS11 provider.

On my Fedora 19 box, I have both the OpenJDK and SunJDK installed.  Here are the locations of their J…
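The two pieces of configuration this step needs (an nss.cfg for the SunPKCS11 provider, and the provider line in java.security) can be generated and spliced in with a small script.  The following is an added example written for this page; it is not the post's own script, nor code from Oracle or Mozilla.  It assumes the NSS libraries are in /usr/lib64 and that the NSS database directory you pass in has already been switched to FIPS mode with modutil -dbdir <dir> -fips true; the slot number, file paths and the provider name SunPKCS11-NSS (which is what a config with name = NSS produces) are parameters.  The pin_sunjsse step follows the Oracle FIPS 140 notes the post links, which have the SunJSSE line name the provider it should draw its crypto from.  Output goes to stdout, so you can diff it against the original before replacing ${jre.home}/lib/security/java.security.

```shell
#!/bin/sh
# Added example (not from the original post, Oracle's notes, or Mozilla): emit
# the nss.cfg for a SunPKCS11 provider named SunPKCS11-NSS, and splice the
# provider line into java.security at a chosen slot, renumbering the providers
# below it. Nothing is edited in place; results are printed to stdout.
# Assumptions (not facts from the post): NSS libraries live in /usr/lib64 and
# the NSS database has already been put into FIPS mode with
# "modutil -dbdir <dir> -fips true". Both paths are passed in as parameters.

# Print an nss.cfg. "name" becomes the provider-name suffix (SunPKCS11-NSS);
# nssModule = fips makes SunPKCS11 use only the FIPS-mode NSS module.
make_nss_cfg() {  # $1 = NSS library dir, $2 = FIPS-mode NSS db dir
    printf 'name = NSS\nnssLibraryDirectory = %s\nnssSecmodDirectory = %s\nnssModule = fips\n' "$1" "$2"
}

# Rewrite java.security so that security.provider.<slot> is SunPKCS11 with the
# given cfg, shifting every provider at or below that slot down by one. If the
# slot is past the last provider, the line is appended at the end.
insert_provider() {  # $1 = java.security path, $2 = slot number, $3 = nss.cfg path
    awk -v slot="$2" -v cfg="$3" '
        /^security\.provider\.[0-9]+=/ {
            n = $0; sub(/^security\.provider\./, "", n); sub(/=.*/, "", n); n = n + 0
            rest = $0; sub(/^security\.provider\.[0-9]+=/, "", rest)
            if (n == slot) {
                print "security.provider." slot "=sun.security.pkcs11.SunPKCS11 " cfg
                inserted = 1
            }
            if (n >= slot) n = n + 1
            print "security.provider." n "=" rest
            next
        }
        { print }
        END {
            if (!inserted) print "security.provider." slot "=sun.security.pkcs11.SunPKCS11 " cfg
        }
    ' "$1"
}

# Count existing SunPKCS11 provider lines, so a caller can refuse to register
# the provider twice (prints 0 rather than failing when there are none).
pkcs11_provider_count() {  # $1 = java.security path
    grep -c '^security\.provider\.[0-9]*=sun\.security\.pkcs11\.SunPKCS11' "$1" || true
}

# FIPS mode for SunJSSE: append the provider name to the SunJSSE line so JSSE
# takes its cryptography from that provider only.
pin_sunjsse() {  # $1 = java.security path, $2 = provider name, e.g. SunPKCS11-NSS
    sed 's/^\(security\.provider\.[0-9]*=com\.sun\.net\.ssl\.internal\.ssl\.Provider\)$/\1 '"$2"'/' "$1"
}
```

Typical use: `make_nss_cfg /usr/lib64 /etc/pki/nssdb-fips > /etc/java/nss.cfg`, then `insert_provider "$JRE/lib/security/java.security" 1 /etc/java/nss.cfg | pin_sunjsse /dev/stdin SunPKCS11-NSS > java.security.new`, inspect the diff, and copy it over.  Putting the provider in slot 1 matters: provider order is preference order, so a FIPS provider in a later slot is silently skipped whenever an earlier one can satisfy the request.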

Installing MonoDevelop 3 on Ubuntu Oneiric and Mint 12

I really like being able to develop in .NET on Linux, and I think that the Mono team has come a long way in its efforts to make Mono-based applications production-viable.  Sadly, I'm guessing that the majority of Mono developers use Mac, openSUSE, or Windows, because those are the only platforms that dependably have pre-built binaries and installers.  Since I use Mint (a variant of Ubuntu), I'd really like a simple method for installing a current version of MonoDevelop.

Recently, I needed to install Mint on my new laptop, so I paid close attention to how I installed MonoDevelop and turned it into a script -- which you can now use!  I've tested it on a fresh Mint 12, but it should also work on Ubuntu Oneiric.

The script:

Installs the git client and the dependencies necessary to build MonoDevelop from source.
Downloads the source code for MonoDevelop from github.
Configures the build script to install the stable profile into /usr/local (/usr/local/monodevelop-3.0.1/ will be …

Installing CouchDB 1.2 on CentOS 6

CouchDB has a really great idea behind it.  Whether or not CouchDB delivers on it is something I've been wanting to find out for a while.  The only way to do that is to kick the tires, so I started the process of figuring out how to install it.

My first disappointment was discovering a general lack of documentation.  My first pleasant surprise was how simple it is once you figure out what needs to be done.

CouchDB runs on erlang, so you need to install erlang from the EPEL repository.  In order to use that repository on CentOS 6, run the following command:
sudo rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
Now you can install erlang:
sudo yum install erlang
That will bring with it a number of dependencies, such as wxWidgets.  With erlang now available, it's time to download the CouchDB source code from here.  As of this writing, the latest release is 1.2.0, although 1.3 is in alpha in master.  I'm electing to use the stable release.

Now that you have the sou…

Invalid provider type specified when accessing X509Certificate2.PrivateKey

Today, I was attempting to digitally sign a byte array with my private key so that I could produce an event on the event bus and a consumer could ensure that the message came from me and was not modified while in transit.
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public byte[] SignData(byte[] data)
{
    X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    certStore.Open(OpenFlags.ReadOnly);
    try
    {
        // the DN I get is CN=name,CN=Users,DC=example,DC=com
        // but the DN on the cert has spaces after each comma
        string spacedDN = UserPrincipal.Current.DistinguishedName.Replace(",", ", ");

        // validOnly = true: only certificates that chain to a trusted root are returned
        X509Certificate2 cert = certStore.Certificates
            .Find(
                X509FindType.FindBySubjectDistinguishedName,
                spacedDN,
                true)
            .OfType<X509Certificate2>()
            .FirstOrDefault();

        if (null == cert)
        {
            throw new InvalidOperationException("No valid certificate found for " + spacedDN);
        }

        // Accessing cert.PrivateKey is where the "Invalid provider type specified"
        // exception from the title is thrown.
        RSACryptoServiceProvider rsaProvider = cert.PrivateKey as RSACryptoServiceProvider;
        if (null == rsaProvider)
        {
            throw new InvalidOperationException("Private key is not an RSACryptoServiceProvider");
        }

        return rsaProvider.SignData(data, new SHA1CryptoServiceProvider());
    }
    finally
    {
        certStore.Close();
    }
}
When I run this as myself, I…

Establishing a SSL connection to RabbitMQ using the .NET client

First, I'm making the assumption that you've read, re-read, and followed the SSL tutorial on rabbitmq's website.  If you haven't done everything that it's instructed you to do (including adding your certificates to the Windows Certificate Store using certmgr), none of this code is going to work for you.  If you have, this code should "Just Work™".

Here's the complete code file that works for me.  You will (obviously) need to change the names of the servers, and the thumbprint of your certificate.

Note that this code only uses your client and server's certificates to establish a secure connection.  You are still logging in as guest.  I will show you how to use your client certificate to authenticate yourself below.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;

using RabbitMQ.Client;
using RabbitMQ.Util;


namespace RabbitSslTest
{
    class Program
    {
        static void Main(string[] args)
        {

Windows does not always honor DNS order

I was having a problem where some internal server names would intermittently become unresolvable after having resolved fine moments before.  After getting tired of flushing the DNS resolver cache, I finally opened Wireshark to see what was going on.

To my surprise, Windows was using my secondary DNS server (8.8.8.8) instead of my primary, internal DNS server!  After some searching, I finally found this knowledge base article.
This behavior occurs because the Windows XP DNS Client service (Dnscache) follows a certain algorithm when it decides the order in which it uses the DNS servers configured in the TCP/IP properties. If the DNS server list is reprioritized, the Windows XP DNS Client service resets the server priority at periodic intervals. By default, the server priorities are reset every 15 minutes.

Luckily, the workaround in that same article fixes the issues I was having.
To work around this behavior, modify the registry so that the DNS server that is configured first is tried first on each quer…