This is Chris Mahns's Typepad Profile.
Chris Mahns
Web Site Systems Admin.
Recent Activity
Quick note here to always check your Source Address Translation setting on your virtual server since you can log a Connection error: ssl_hs_rxhello:7295: unsupported version (70) in curl when connecting to a VIP and spend quite a bit of time thinking that it's ssl related when it really isn't. You may also see: SSLRead() return error -9806 in curl. Continue reading
Posted Apr 13, 2018 at Blogging Techstacks
I've been running into rendering issues with IE11 lately where HTML pages are not getting rendered as expected even though they show up fine in Chrome, Firefox, and Safari. I'm still digging into this but it seems like it could be due to Internet Explorer being put into Enterprise Mode for "internal" web sites, (where "internal" means any web site matching the domain name of the organization--for example, * Has anyone else come across this? Enterprise Mode defaults to sending an IE8 user agent instead of an IE11 user agent and the meta tag that developers are encouraged to... Continue reading
Posted Jan 22, 2017 at Blogging Techstacks
If you want to enable them, your ciphers= line in server.xml will contain both SSL_RSA_WITH_RC4_128_MD5 and SSL_RSA_WITH_RC4_128_SHA but at this point in time, a vulnerability scanner will penalize you for having these enabled.
1 reply
Well, after an almost two year hiatus away from this blog, it's time for me to start posting stuff again. To kick things off, here is an update to cryptonark that fixes an issue with ssl certificate validation. You can grab it from the Downloads page and the changelog is available on the main CryptoNark page. Thanks to Olivier Mengué for pointing this issue out. Continue reading
Posted Oct 2, 2016 at Blogging Techstacks
The TCP Keep Alive interval on the BigIP TCP profile was reduced to a value lower than what the idle timeout on the MQ channel/queue was set to.
1 reply
Commented Mar 5, 2015 on CryptoNark 0.5.6 Released at Blogging Techstacks
1 reply
It doesn't look like you can set something up globally in WebLogic without writing a filter but is there anything in front of that WebLogic server like Apache, a load balancer, or some kind of reverse proxy?
1 reply
Today, I am releasing CryptoNark version 0.5.6, which contains three notable changes/improvements: OpenSSL version detection has been updated up to the latest versions released on October 15, 2014. Due to the POODLE vulnerability, colorization of all SSL3 ciphers is now red regardless of cipher strength, which is an attempt to encourage people to start disabling sslv3 support on their ssl servers/websites. Added some preliminary SHA-2 certificate detection. If cnark sees that the SSL certificate on the site uses an SHA-2 signature algorithm, it will highlight that in green. If it doesn't see an SHA-2 certificate, it will display it in... Continue reading
Posted Nov 15, 2014 at Blogging Techstacks
Thanks a lot!
1 reply
I came across this error just the other day. cURL throws the following error when I was trying to connect to an https host: Unknown SSL protocol error in connection to <hostname>:-9846 Connecting to the same host using openssl's s_client, the following error was thrown: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac Turns out, the server my client was trying to connect to was so old, it didn't support TLS! The workaround for this was to force an ssl3 connection. Continue reading
Posted Oct 16, 2014 at Blogging Techstacks
I updated my OpenSSL Version Matrix again to reflect new versions of OpenSSL released since June 5 2014, including the three new versions of OpenSSL that were released yesterday, (October 15, 2014) to address four security issues. Continue reading
Posted Oct 16, 2014 at Blogging Techstacks
It's only been a few days since the 0.5 release but I've been busy updating CryptoNark with some bug fixes and also added in support for Windows. One caveat: I've only tested this on Windows 8.1 under a Strawberry Perl 5.18.2 installation. Please let me know if there are any issues on older/newer versions of Strawberry Perl. One additional item to note in this version. SSLv2 connections to some sites were causing perl to crash when running on Windows. I've modified the subroutine that is making SSLv2 calls to make it more stable but on those sites that it was... Continue reading
Posted Jun 10, 2014 at Blogging Techstacks
I updated my OpenSSL Version Matrix post again to include the three new OpenSSL versions recently released. The matrix is now current as of June 7, 2014 with Perl code you can steal. I still use Tie::Hash::Indexed in all my modules to order this hash in the order you see it in the post. Also, the Kindle edition of chromatic's Modern Perl: 2014 Edition is available so grab a copy--it's a steal. Continue reading
Posted Jun 7, 2014 at Blogging Techstacks
It has been a while since the last release but here's new version 0.5 of CryptoNark. New features and changes in this release include the following (but are mainly centered on certificate validation): Modified DHE- cipher strings to note that they also support Forward Secrecy. Added more OpenSSL version strings. This is now current to the most recent OpenSSL version. CryptoNark will check to see if you are running 0.9.8l or less and warn that your version doesn't support secure client renegotiation. The cert_info() subroutine has been modified to use the AES256-SHA cipher from RC4-SHA. This is purely just to... Continue reading
Posted Jun 2, 2014 at Blogging Techstacks
This first fairly useful iControl example using Perl and SOAP::Lite solves a fairly time-consuming problem if you want to print all the pools and pool members from one of your BigIP LTM's and you're not really sure how to do it with the tmsh commands (or tmsh scripting). If you have a large number of pools and are using a web browser, you could spend hours clicking on a pool, then clicking the Members tab, then clicking on Pools, then selecting the next pool, then the Members tab for *that* pool, etc. Very time consuming. This example uses the get_member_v2()... Continue reading
Posted May 27, 2014 at Blogging Techstacks
It expires today (April 30, 2014) but if you are looking to pick up some new web development skills, Apress has a 40% off code good at checkout on eBooks in their Web Development category. Use promo code WEBD40. According to the email I received today, all books in their Web Development category qualify. Disclaimer: I do not have an affiliate relationship with Apress. I will not earn any commissions or referral fees. Continue reading
Posted Apr 30, 2014 at Blogging Techstacks
Imperva SecureSphere lets you download Performance Reports, which are dumped into a CSV file. Timestamps are in 13-digit unix epoch format, which aren't much fun to read. Also, every value in the CSV file is quoted, so if you want to do anything interesting with the data in Perl, you first need to get rid of all the quotes. The script below uses just two CPAN modules, Modern::Perl and Text::CSV, (note that it will not run without some additional re-work using Text::CSV_XS). Modern::Perl probably isn't strictly needed since I am not really using any newer Perl features but I always... Continue reading
Posted Apr 19, 2014 at Blogging Techstacks
DevOps is Different Things to Different People. Sometimes, it seems like the worst term to come out of the DevOps movement was "DevOps". After all these years, it still seems to have different meanings to different people. Case in point, an absolutely wonderful post recently from Jeff Knupp: How DevOps is Killing the Developer. If you haven't already done so, give it a read. In the article, Mr. Knupp provides what I personally thought was a pretty good definition of what "DevOps" is (or was?): "DevOps" is meant to denote a close collaboration and cross-pollination between what were previously purely development... Continue reading
Posted Apr 15, 2014 at Blogging Techstacks
Another thing that each of these iControl Perl scripts is going to need to do is to authenticate with the BigIP LTM. Since you are connecting using https, you are going to be using Basic Authentication. Below are a couple of options for setting authentication up. The first method, which seems to be the most popular, is to insert the userid and password into SOAP::Lite's get_basic_credentials method, which would get set prior to creating your soap request. For example: my $host = "the_bigip_hostname_or_ipaddr"; my $port = "443"; my $uid = "some_user_id"; my $pwd = "some_password"; sub SOAP::Transport::HTTP::Client::get_basic_credentials { return "$uid"... Continue reading
Posted Mar 3, 2014 at Blogging Techstacks
Figuring out what kind of user account your iControl script is going to require is about as simple as figuring out what rights a regular user is going to need. If your script is simply echoing back statistics or pools or pool member stats or virtual server configurations, you don't need a user account that is going to have Administrative rights to your BigIP. You can get away with "Auditor" rights for these types of scripts. They also will not require any special terminal rights since they are going to be executed remotely. If your script is going to enable... Continue reading
Posted Feb 24, 2014 at Blogging Techstacks
After having the BigIP's in house for a while now and spending a bit of time writing iRules, I felt like it was time to give iControl a try. My intentions were noble: Kill two birds with one stone by learning iControl and Java. Something about it keeps drawing me back to Perl though. It is hard to explain but, for me, Perl is like a sketchpad. I can scribble away at a script until I have something that works. It might not be museum-worthy but it still looks good and conveys what I'm trying to do rather nicely. I... Continue reading
Posted Feb 21, 2014 at Blogging Techstacks
The Apache Tomcat team announced the release of Tomcat 7.0.50. The first release of 2014, this version contains bug fixes and improvements over the previous 7.0.47 version, which was released back in October. Please refer to the changelog for a complete list. Downloads are available from a mirror near you. Continue reading
Posted Jan 12, 2014 at Blogging Techstacks
Many of the tuning tips in this post are well-established but the article gives IIS administrators pointers in how to accomplish these tasks in IIS 7.5. Continue reading
Posted Sep 5, 2013 at Blogging Techstacks
This blog passed a personal milestone of 500,000 lifetime page views during this 2013 Labor Day weekend. It took a little over 4 years to reach that point, which I think is not bad considering my high bounce rates. I just wanted to thank everyone for visiting over the years. In case anyone is interested, here are some browser stats incorporating data from the past 4.3 years (Browser: % of Visits): Firefox: 41.34%; Chrome: 28.52%; Internet Explorer: 22.76%; Safari: 4.37%; Opera: 1.60%; Others: 1.41%. EN-US is the predominant language at 67.59% of visits followed by EN-GB, which accounts for about... Continue reading
Posted Sep 1, 2013 at Blogging Techstacks
Ivan Ristić posted a couple of articles earlier this month that will be really useful for security professionals and systems administrators. The first is titled "Defending against the BREACH attack", which provides background and mitigation instructions for protecting against this new attack. The second is titled "Increasing DHE strength on Apache 2.4.x", which describes a problem (as well as a solution) that occurs when using a default compile of the Apache web server and OpenSSL and when one is looking to use Diffie-Hellman parameters stronger than 1024 bits in conjunction with ciphers supporting Forward Secrecy. Continue reading
Posted Aug 17, 2013 at Blogging Techstacks