Wednesday, October 15, 2014

Turning Off SSLv3 in Apache and IIS8, AKA Putting Down the Poodle That Bites

Poodle is a security vulnerability that has been found in SSLv3. Since SSL is over ten years old, and the only browsers that support it as the strongest version of encryption are IE6 and older, in my humble opinion it is safe to turn it off. 

Let's start with the easy one, Linux, in particular CentOS.
NB: you will most likely need to be root or be part of the sudo group to make the following changes.



1)     Open the ssl.conf file with your favourite text editor.
In Red Hat based distributions like CentOS you should find it in
/etc/httpd/mods-available/ssl.conf

2)     Find the line starting with 
SSLProtocol

3)     Change it to 
SSLProtocol all -SSLv2 -SSLv3
This will allow all protocol versions except SSLv2 and SSLv3.

4)     Save ssl.conf and exit your text editor

5)     Restart Apache by running the command
service httpd restart

6)     Use a tool like sslscan to check all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be
sslscan my-side-projects.blogspot.co.uk
The list will be long, so it might be worth redirecting the output to a file or piping the output into grep to return only the SSL ciphers.
See step 14 of the Windows section for sample output.
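The check on the SSLProtocol line from steps 2 and 3 can be scripted. This is an added example, not part of the original post: the function names and the sample config are made up for illustration, and it assumes tokens are applied left to right (a bare name replaces the protocol set, "+name" adds, "-name" removes).

```shell
#!/bin/sh
# Added example (not from the original post): audit SSLProtocol lines.
# Assumed model: tokens apply left to right; a bare name replaces the
# protocol set, "+name" adds to it, "-name" removes from it.

# Returns 0 if the SSLProtocol value in $1 leaves SSLv3 enabled, 1 otherwise.
sslv3_enabled() {
    v3=0
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$tok" in
            -sslv3|-all)      v3=0 ;;
            +sslv3|+all)      v3=1 ;;
            sslv3|all)        v3=1 ;;
            -*|+*)            ;;        # another protocol: SSLv3 unchanged
            *)                v3=0 ;;   # bare other protocol replaces the set
        esac
    done
    [ "$v3" -eq 1 ]
}

# Prints a verdict for every active SSLProtocol line in file $1 and
# returns 1 if any of them still enables SSLv3.
audit_conf() {
    file=$1; bad=0; n=0
    set -f                              # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line                    # split on whitespace
        [ $# -gt 0 ] || continue
        # Commented-out lines start with "#", so they never match here.
        [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "sslprotocol" ] || continue
        shift
        if sslv3_enabled "$*"; then
            echo "$file:$n: SSLv3 ENABLED  ($*)"; bad=1
        else
            echo "$file:$n: SSLv3 disabled ($*)"
        fi
    done < "$file"
    set +f
    [ "$bad" -eq 0 ]
}

# Constructed sample config: one weak line, the step 3 fix, a commented-out
# line, and a lower-case directive.
sample_conf() {
    printf '%s\n' 'SSLProtocol all -SSLv2' '  SSLProtocol all -SSLv2 -SSLv3' \
        '# SSLProtocol all' 'sslprotocol -all +TLSv1'
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_conf "$tmp" || echo "SSLv3 is still enabled in $tmp"
rm -f "$tmp"
```

Run audit_conf against every file that can carry an SSLProtocol line, since a virtual host can set its own value.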



That's Linux done, now onto Windows and IIS8

To turn SSL support off for Windows you need to edit the registry. Doing this is fraught with danger; you can really mess up your Windows box if you do something wrong in the registry. Also, you will need to reboot your server for the changes to take effect: not an iisreset, an actual system reboot.
1)     Open regedit.exe

2)     Make a backup of your registry

3)     Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

4)     Backup this level of the registry

5)     Go into the "SSLv3" key/directory; create a key/directory named "SSLv3" if it doesn't already exist

6)     Create a key/directory named "Client" if it doesn't already exist inside the SSLv3 key/directory

7)     Inside "Client" key/directory create or edit the dword value "DisabledByDefault" and set it to equal 1

8)     Create a key/directory named "Server" if it doesn't already exist inside the SSLv3 key/directory NB this should be at the same level as the "Client" key/directory

9)     Inside "Server" key/directory create or edit the dword value "Enabled" and set it to equal 0

10) Repeat steps 5 through 9 for SSLv2. It's the same process, just replace the SSLv3 key/directory with the SSLv2 key/directory.
You should have entries in your registry like the image below.

11) Close regedit.exe

12) Reboot your server. This step is important: your server will still accept SSL connections if you just do an iisreset

13) Download sslscan for Windows from https://code.google.com/p/sslscan-win/downloads/detail?name=SSLScan-1.8.2-win-r7.zip&can=2&q=

14) Run sslscan to check all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be
sslscan my-side-projects.blogspot.co.uk


Example output from SSLScan is as follows
C:\Users\luke.mccarthy\Desktop\SslScan>SslScan my-side-projects.blogspot.co.uk
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server my-side-projects.blogspot.co.uk on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Rejected  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3   56 bits  DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5
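
Reading a list this long by eye is error prone, so the verdict can be computed from the output instead. This is an added example, not part of the original post: check_sslscan and the two sample functions are names made up here, the sample lines are constructed, and it assumes the sslscan 1.8.2 line format shown above (status, protocol, bits, cipher).

```shell
#!/bin/sh
# Added example (not from the original post): verdict from sslscan output.
# Reads the scan text on stdin. Exit status:
#   0 = every SSLv2/SSLv3 cipher was Rejected or Failed
#   1 = at least one SSLv2/SSLv3 cipher was Accepted
#   2 = no SSLv2/SSLv3 lines were seen, so nothing was actually tested
check_sslscan() {
    awk '
        ($1 == "Accepted" || $1 == "Rejected" || $1 == "Failed") &&
        ($2 == "SSLv2" || $2 == "SSLv3") {
            seen[$2]++
            if ($1 == "Accepted") { bad++; print "STILL ACCEPTED: " $2 " " $NF }
        }
        END {
            printf "tested: SSLv2=%d SSLv3=%d accepted=%d\n",
                   seen["SSLv2"], seen["SSLv3"], bad
            if (bad > 0) exit 1
            if (seen["SSLv2"] + seen["SSLv3"] == 0) exit 2
        }'
}

# Constructed sample: server after the change (only TLS is accepted).
sample_fixed() {
    printf '%s\n' '    Rejected  SSLv2  128 bits  RC4-MD5' \
        '    Rejected  SSLv3  128 bits  RC4-SHA' \
        '    Accepted  TLSv1  128 bits  AES128-SHA'
}

# Constructed sample: server that still accepts one SSLv3 cipher.
sample_weak() {
    printf '%s\n' '    Rejected  SSLv2  128 bits  RC4-MD5' \
        '    Accepted  SSLv3  128 bits  RC4-SHA' \
        '    Failed    SSLv3  256 bits  AES256-SHA'
}

sample_fixed | check_sslscan || echo "fixed sample: unexpected failure"
sample_weak  | check_sslscan || echo "weak sample: SSLv3 still offered"
```

Against a real server the call is the scan piped into the function, for example sslscan my-side-projects.blogspot.co.uk | check_sslscan.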

That's it, you're all done. Hope this helped.

Thursday, September 11, 2014

Change the Colour of Emacs Shell Prompt and Font Highlighting


The project I'm currently working on is Linux based, and I just can’t get my head around vi no matter how hard I try. Fortunately I have root privileges, so Emacs to the rescue :)

We are using CentOS so installing is as easy as

 sudo yum install emacs   

One of the many reasons I really like Emacs is you can run a shell inside Emacs.
Press Alt – x
Type shell
Press enter
NB the Alt key in Emacs is often called the Meta key and the key combination above would be shortened to M – x

This allows me to split the Emacs window and have the shell in the bottom half and what I'm working on in the top half, see the image below. To switch between the shell and what I’m working on I press M – O (that’s Alt and the letter O and not the number zero, Alt zero will unsplit the screen).


If like me you’re running Emacs inside Putty the first thing you might notice is the shell prompt is in dark blue on a black background. Not only is this very difficult to read but it can cause eye strain making for an unpleasant work day.

Changing the colour of the shell prompt, and any font highlighting in Emacs, is actually very easy if you know how. However, the settings are a bit hidden, so here is how to change the colours of any text in Emacs.

First you need to find out the supported colours for your version of Emacs. I’m using an old version and it doesn't support many colours, see the image below. Newer versions of Emacs support many more colours. To list the colours do the following.
Press M – x
Type list-colors-display
Press enter


Make a note of the easy to read colours. Then to change the colour of the shell prompt inside Emacs
Press M – x
Type list-faces-display
Press enter
This will display all the Font Highlighting options you can change, see the image below. On the left you will see underlined text of the name of the setting. On the right you will see the current colour settings.


Find the text comint-highlight-prompt and move the cursor directly over the top of it and press the enter key (sometimes the comint-highlight-prompt option doesn't show up, I don’t know why). This will take you into another screen, see the image below.  



  1. If the square brackets on the left of “Foreground” don’t have an X inside them like circle 1 in the image above, move the cursor in between the square brackets and press enter. This will enable the Foreground option
  2. Now move the cursor directly on top of the current colour of the foreground, circle 2 in the image above
  3. Press enter
  4. Type in the new colour you would like for the shell prompt, circle 3 in the image above. I chose green so I could feel like I was using a 1980s terminal :)
  5. Press enter 
  6. Move the cursor to the “Save for future sessions”, circle 4 in the image above 
  7. Press enter 
  8. Press Ctrl – x k to close the current screen / buffer. 
And you’re done :) The shell prompt will be whatever colour you set it to.
While you are at it I would recommend changing at least minibuffer-prompt as well, you will be reading the text displayed in the minibuffer-prompt a lot. If you are feeling up to it change all the other text colours you find hard to read using the process above.

If all else fails add the following to your .emacs file

 (custom-set-faces  
  '(comint-highlight-prompt ((t (:foreground "green"))))  
  '(minibuffer-prompt ((t (:foreground "green"))))  
 )  

Finally, no matter which method you use to change the colour of the shell prompt in Emacs, don't forget to back up your .emacs file. Recreating it takes far too long.

Reference: http://lists.gnu.org/archive/html/help-gnu-emacs/2004-11/msg00170.html

Friday, August 16, 2013

Turn off Windows Default Sounds and Stop Driving Your Co-Workers Crazy!

Another year goes by and despite my best intentions I haven’t posted anything on my blog. Since it has been over a year since my last post I thought I would post something, if nothing else at least I'm consistent.

If like me you work in an open office environment you might find all the unnecessary sound alerts of Windows irritating. This is especially true for developers as sometimes we need to test something over and over. A popup or message box with a loud “DING!” gets old pretty fast. It’s even faster if you are a co-worker listening to the repeated “DING!” over and over. While one solution is to just mute the speakers, that means other, and what I actually consider useful, sound alerts are muted, like incoming email sound alerts and Skype messages.

My solution is to disable the sounds I don’t want to hear. I’m sure everyone knows how to do this but just in case.

In Windows 7
  1. Click on “Control Panel”
  2. Click on “Start”
  3. Click on “Sound”
  4. Click on the “Sounds” Tab
  5. Disable the sounds you no longer wish to hear


Here is the list of sounds I like to disable
·        Windows -> Default Beep
·        Windows -> Exclamation
·        Windows -> Exit Windows
·        Windows -> Start Windows
·        Windows -> Logoff
·        Windows -> Logon
·        Windows Explorer -> Empty Recycle Bin
·        Windows Explorer -> Start Navigation

If you have others leave them in the comments.


Until next year, hopefully before.

Wednesday, July 11, 2012

At Long Last a Side Project

It’s official, I have an active side project. What is it? A Visual Studio Plug-in to allow developers to deploy an ASP.Net website directly from SVN to a website server.


Why?
Deploying ASP.Net applications/websites to multiple servers and setups is error prone because too many manual steps exist. Deploy ASP.Net from SVN aims to solve this issue by automating as many steps as possible and deploying a website in just a few clicks.

Project Description
Deploy ASP.Net from SVN is a Visual Studio Add In to allow developers to deploy an ASP.Net website from source control (initially only SVN but others may be added in the future) to a web server or web farm easily.

Project Goals
To make it easy to deploy an exact version of an ASP.Net website directly from source control.

Features will include
  • Deploy particular revision. 
  • Read deployment settings from a selected file to make deploying to development, test, stage and live servers the same process. 
  • Build a web.config file from a template. 
  • Deploy the same revision to multiple servers. 
  • Ability to exclude files in the deploy. 
  • Ability to run scripts before and after deployment. 
  • Ability to deploy code files or compiled code. 

Future Features
  • Convert the front end to WPF from winforms. 

The source code can be downloaded from github https://github.com/thelukemccarthy/DeployASPdotNetFromSVN

If you feel inspired and would like to help with this project, clone the code and start coding. I’ll be more than happy to help you get things setup and merge your code back into the project.

Thursday, June 23, 2011

Visual Studio 2010 "No Visual studio template information found. See application log in Event viewer for more detail" solution

Thanks to Sathya Narayanan Srinivasan for his blog post on solving this issue.

The solution is:

1. Close Visual Studio

2. Open Visual Studio Command Prompt. (Start Menu --> Microsoft Visual Studio 2010 --> Visual Studio Tools. Right-click on the Visual Studio Command Prompt shortcut, select Run as Administrator.)

3. run the command "devenv /installvstemplates"

Sunday, June 27, 2010

I've missed you, you don't write anymore!

It’s been some time since my last blog post, you might have thought this blog was dead, but it isn’t. Since my last post I have moved to London. I decided it was time to live in the northern hemisphere for a while and explore this part of the world. As you can imagine, moving to the other side of the world does take a little bit of time. It also explains why my side project hasn’t progressed any further. I’m now a happy job hunter in merry old England. I am also trying to find a good C# community group, but sadly I’m having trouble finding even one that meets on a regular basis. So if you know of one let me know about it. Once things settle down a little bit I will start to post more and work on the project will commence.

Monday, December 28, 2009

Google Wave Gadget

I think I have come up with an idea for an open source project using ASP.Net. We now have an almost infinite number of ways to communicate using the internet, with more coming online every day. The problem is that if you want to create an event you need to use at least the following servers
1. Facebook (must have)
2. Twitter (must have)
3. Google Calendar (nice to have)
4. Flickr (maybe have)
5. Blog (maybe have)
6. Google Wave (must have in the future)
In fact this may work best as a Google Wave Gadget, now to discuss the idea with the person I have teamed up with to see if he likes the idea too.