Custom build of OpenSSL for OS X - limit cipher suites - c

Main goal
I need OpenSSL. Apple has deprecated this library since 10.7; it is even impossible to create a context when ignoring the deprecation warnings.
I decided to build OpenSSL and tweak it to my needs:
disable the SSL protocol (only TLS should be supported)
limit the cipher suites to secure ones
What I have done
How I'm trying to build it.
I've downloaded the sources, version 1.0.2d, and configured them this way:
./Configure --openssldir=$(pwd)/output-build \
enable-ec_nistp_64_gcc_128 \
no-ssl2 no-ssl3 \
no-shared no-comp \
enable-TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
enable-TLS_DH_RSA_WITH_AES_256_CBC_SHA \
enable-TLS_DHE_DSS_WITH_AES_256_CBC_SHA \
enable-TLS_DH_DSS_WITH_AES_256_CBC_SHA \
enable-TLS_RSA_WITH_AES_256_CBC_SHA \
enable-TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
enable-TLS_DH_RSA_WITH_AES_128_CBC_SHA \
enable-TLS_DHE_DSS_WITH_AES_128_CBC_SHA \
enable-TLS_DH_DSS_WITH_AES_128_CBC_SHA \
enable-TLS_RSA_WITH_AES_128_CBC_SHA \
enable-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
enable-TLS_RSA_WITH_3DES_EDE_CBC_SHA \
darwin64-x86_64-cc
Problem
The switches for disabling SSL are clear and I'm happy with them.
The switches for cipher suites are very inconvenient, and I'm not sure how they work. They are not documented; ./Configure --help prints this:
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...]
[experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx]
[no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386]
[--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]]
[--test-sanity] os/compiler[:flags]
I just want the listed cipher suites and nothing else. The format of these switches gives me the impression that I have to disable quite a long list of other cipher suites. Is there a better way, so I can disable all but those listed above?

Related

Karaf feature:install does nothing

I've downloaded ServiceMix 7.0.1 and followed the documentation. I need to install Camel features using:
karaf@root>feature:install camel-sql
But when I do that nothing happens. There's no response until I hit Ctrl-C. The log file doesn't help either.
2020-03-25 14:13:25,709 | INFO | Thread-16 | FeaturesServiceImpl | 8 - org.apache.karaf.features.core - 4.0.9 | Adding features: camel-sql/[2.24.2,2.24.2]
And the online documentation is sparse to say the least.
Update
Using -v -t gives the output below, but still nothing thereafter:
karaf@root>feature:install -v -t camel-sql
Adding features: camel-sql/[2.24.2,2.24.2]
You have to update the Maven configuration in etc/org.ops4j.pax.url.mvn.cfg in your ServiceMix 7.0.1 installation. Change:
org.ops4j.pax.url.mvn.repositories= \
http://repo1.maven.org/maven2#id=central, \
http://repository.springsource.com/maven/bundles/release#id=spring.ebr.release, \
http://repository.springsource.com/maven/bundles/external#id=spring.ebr.external, \
http://zodiac.springsource.com/maven/bundles/release#id=gemini, \
http://repository.apache.org/content/groups/snapshots-group#id=apache#snapshots#noreleases, \
https://oss.sonatype.org/content/repositories/snapshots#id=sonatype.snapshots.deploy#snapshots#noreleases, \
https://oss.sonatype.org/content/repositories/ops4j-snapshots#id=ops4j.sonatype.snapshots.deploy#snapshots#noreleases
to:
org.ops4j.pax.url.mvn.repositories= \
https://repo1.maven.org/maven2#id=central, \
http://repository.springsource.com/maven/bundles/release#id=spring.ebr.release, \
http://repository.springsource.com/maven/bundles/external#id=spring.ebr.external, \
http://zodiac.springsource.com/maven/bundles/release#id=gemini, \
http://repository.apache.org/content/groups/snapshots-group#id=apache#snapshots#noreleases, \
https://oss.sonatype.org/content/repositories/snapshots#id=sonatype.snapshots.deploy#snapshots#noreleases, \
https://oss.sonatype.org/content/repositories/ops4j-snapshots#id=ops4j.sonatype.snapshots.deploy#snapshots#noreleases
repo1.maven.org no longer allows access using http. https is required.
Can you please try bundle:install mvn:org.apache.camel/camel-sql/2.24.2
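The answer above changes the repo1 entry to https, but the same file still lists four other repositories over plain http, and every bundle Karaf resolves from them is executable code fetched without transport integrity. The following is an added example, not code from the question or the answer: a small Python audit that parses the pax-url-mvn cfg syntax (Java .properties with backslash continuations), lists the repositories that would be fetched over cleartext, and rewrites them to https. The sample configuration is constructed from the listing quoted above; the extra useFallbackRepositories line is there only to show a second key being parsed.

```python
"""Audit etc/org.ops4j.pax.url.mvn.cfg for repositories fetched over plain HTTP.
Added example; not part of the original question or answer."""
import re

REPOS_KEY = "org.ops4j.pax.url.mvn.repositories"

# Constructed sample: the repository list from the ServiceMix 7.0.1 file
# as quoted in the answer, before the fix.  Each '\\' becomes one backslash.
SAMPLE_CFG = """\
# Maven repositories used to resolve mvn: URLs
org.ops4j.pax.url.mvn.repositories= \\
    http://repo1.maven.org/maven2#id=central, \\
    http://repository.springsource.com/maven/bundles/release#id=spring.ebr.release, \\
    http://repository.springsource.com/maven/bundles/external#id=spring.ebr.external, \\
    http://zodiac.springsource.com/maven/bundles/release#id=gemini, \\
    http://repository.apache.org/content/groups/snapshots-group#id=apache#snapshots#noreleases, \\
    https://oss.sonatype.org/content/repositories/snapshots#id=sonatype.snapshots.deploy#snapshots#noreleases, \\
    https://oss.sonatype.org/content/repositories/ops4j-snapshots#id=ops4j.sonatype.snapshots.deploy#snapshots#noreleases
org.ops4j.pax.url.mvn.useFallbackRepositories=false
"""


def parse_properties(text):
    """Minimal reader for the Java .properties syntax Karaf uses: '#'/'!'
    comments, key=value, and a trailing backslash that continues the value
    on the next line (leading whitespace of that line is dropped)."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        key, _, value = "".join(pending).partition("=")
        props[key.strip()] = value.strip()
        pending = []
    return props


def repositories(props):
    """(url, options) pairs from the comma separated list; options are the
    '#id=...', '#snapshots', '#noreleases' suffixes pax-url-mvn accepts."""
    out = []
    for entry in props.get(REPOS_KEY, "").split(","):
        entry = entry.strip()
        if entry:
            url, *options = entry.split("#")
            out.append((url, options))
    return out


def cleartext_repositories(props):
    """Repositories that would be fetched over plain HTTP.  A bundle pulled
    that way can be replaced on the wire before Karaf loads and runs it."""
    return [url for url, _ in repositories(props) if url.lower().startswith("http://")]


def upgrade_to_https(text):
    """Rewrite http:// to https:// wherever a value starts (after '=', ','
    or at the start of a continuation line).  Review the result: an origin
    that has no HTTPS endpoint will now fail to resolve instead of silently
    downloading over cleartext, which is the safer failure."""
    return re.sub(r"(?im)(^\s*|=\s*|,\s*)http://", r"\1https://", text)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_CFG)
    for url in cleartext_repositories(props):
        print("cleartext:", url)
    fixed = parse_properties(upgrade_to_https(SAMPLE_CFG))
    print("cleartext after rewrite:", cleartext_repositories(fixed))
```

Run it against your own file with parse_properties(open("etc/org.ops4j.pax.url.mvn.cfg").read()); anything it prints as cleartext is a download that only a transparent proxy or on-path attacker needs to tamper with.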

how to restrict ciphers, TLS1 and TLS1.1 while compiling OpenSSL with FIPS Module?

I am trying to compile OpenSSL (1.0.2h) with the FIPS module (2.0.12) from source, in which I need to additionally restrict all ECDHE, DHE, DSA, DES and DH ciphers as well as the TLSv1 and TLSv1.1 protocols. Here are the steps that I did:
root@cc3:/home/openssl# wget https://openssl.org/source/openssl-1.0.2h.tar.gz
root@cc3:/home/openssl# wget https://openssl.org/source/openssl-fips-2.0.12.tar.gz
root@cc3:/home/openssl# tar -xvf openssl-fips-2.0.12.tar.gz
root@cc3:/home/openssl# tar -xvf openssl-1.0.2h.tar.gz
root@cc3:/home/openssl# cd openssl-fips-2.0.12 && ./config -d && make && make install
root@cc3:/home/openssl# cd /openssl-1.0.2h && ./config no-ssl2 no-ssl3 no-tls1 no-ecdhe no-dsa no-des no-dh \
    --prefix=/home/openssl/local fips && make depend && make && make install
After doing the above steps, OpenSSL compiles successfully and I can access it from /home/openssl/local/bin. However, when checking the list of available ciphers, I can still see ECDHE, DHE, DHA etc. in the list, and I can even use them and the TLSv1 protocol to connect to any website using s_client. The point is that the flags for configuring OpenSSL are not working for me.
Can anyone help me figure out exactly what I am missing here? Am I doing something wrong, and if so, what can be done to fix the problem so that the cipher suites and older TLS protocols are restricted? I used the method provided here to get a list of all possible parameters for config.
Also, is there a way to selectively restrict AES and RSA ciphers? For example, is there a way to disable AES256-SHA but keep AES128-SHA enabled?
Thanks!

Unknown parameter "includeObjects" throws exception in command line liquiBase

I'm using Liquibase 3.3.2 and I'm trying to use the "includeObjects" parameter. This is the command line:
java -jar liquibase.jar \
--driver=com.ingres.jdbc.IngresDriver \
--url="jdbc:ingres://localhost:21071/local" \
--username=ingres \
--password=ingres \
--logLevel=debug \
--classpath="iijdbc.jar" \
"--currentDateTimeFunction=now()" \
--changeLogFile=db.changelog.xml \
--defaultSchemaName=ingres \
--includeObjects=personal \
generateChangeLog
This is the exception thrown:
Unexpected error running Liquibase: Unknown parameter: 'includeObjects'
SEVERE 24/03/15 10:05 AM: liquibase: Unknown parameter: 'includeObjects'
liquibase.exception.CommandLineParsingException: Unknown parameter: 'includeObjects'
at liquibase.integration.commandline.Main.parseOptions(Main.java:702)
at liquibase.integration.commandline.Main.run(Main.java:124)
at liquibase.integration.commandline.Main.main(Main.java:94)
Can anyone point what I am doing wrong?
Supposedly in version 3.3.2 the "includeObjects" option is now available:
Liquibase 3.3.2 Released
The option --includeObjects is a parameter that belongs to the commands diff or diffChangeLog.
I guess it cannot be used with the command generateChangeLog.
As Jens mentioned in the comment, the following should work, as the include/excludeObjects arguments apparently come AFTER the generateChangeLog/diffChangeLog command:
java -jar liquibase.jar \
--driver=com.ingres.jdbc.IngresDriver \
--url="jdbc:ingres://localhost:21071/local" \
--username=ingres \
--password=ingres \
--logLevel=debug \
--classpath="iijdbc.jar" \
"--currentDateTimeFunction=now()" \
--changeLogFile=db.changelog.xml \
--defaultSchemaName=ingres \
generateChangeLog --includeObjects=personal
I did the same (with multiple tables, comma-separated) and it worked fine.

Can you retrieve a D-Bus property without calling org.freedesktop.DBus.Properties.Get?

Say I want to programmatically get the interface name of my ethernet card. This seems to work:
dbus-send --print-reply \
--type=method_call \
--system \
--dest=org.freedesktop.NetworkManager \
/org/freedesktop/NetworkManager/Devices/0 \
org.freedesktop.DBus.Properties.Get \
string:org.freedesktop.NetworkManager.Device \
string:Interface
Which returns:
method return sender=:1.5 -> dest=:1.135 reply_serial=2
variant string "eth0"
Is there some way of cutting out the middleman, org.freedesktop.DBus.Properties.Get, and retrieving the property more directly? Alas, calling it as a method does not work:
dbus-send --print-reply \
--type=method_call \
--system \
--dest=org.freedesktop.NetworkManager \
/org/freedesktop/NetworkManager/Devices/0 \
org.freedesktop.NetworkManager.Device.Interface
Returns:
Error org.freedesktop.DBus.Error.UnknownMethod:
Method "Interface" with signature "" on interface
"org.freedesktop.NetworkManager.Device" doesn't exist
I ask because having to call org.freedesktop.DBus.Properties.Get looks like having to call object.getProp("someproperty") instead of object.getSomeProperty() in Python/Java/etc.
Yep, you can do that if you use qdbus. I don't have NetworkManager with me, but a command like this should work:
qdbus --system \
org.freedesktop.NetworkManager \
/org/freedesktop/NetworkManager/Devices/0 \
org.freedesktop.NetworkManager.Device.Interface
There are various command-line clients for talking to D-Bus; some are more convenient than others. Here's the list of the ones I know:
dbus-send (provided with D-Bus itself)
gdbus (provided by GLib)
qdbus (provided by Qt)
busctl (provided by systemd)
No.
Most likely org.freedesktop.DBus.Properties.GetAll will return you the same value, but internally every service implements properties as handlers for messages carrying org.freedesktop.DBus.Properties.Get / org.freedesktop.DBus.Properties.GetAll method calls.
It looks like object.getProp("someproperty") because it actually is more like this pseudo-code:
bus.handleMessage({
    service: "org.freedesktop.NetworkManager",
    object: "/org/freedesktop/NetworkManager/Devices/0",
    // the message is addressed to the Properties interface; the interface
    // that owns the property and the property name travel in the body
    iface: "org.freedesktop.DBus.Properties",
    method: "Get",
    body: ["org.freedesktop.NetworkManager.Device", "Interface"],
    thisMessageIsReplyTo: null
})
Internally every method call/signal/reply is just a message with a big signature (service name/object path/interface) and a body.

In AIX 7.1 Apache modules not building as shared

I want all my modules built with a .so extension so that they are shared. However, all my modules are building with a .la extension. Here are the contents of the modules directory:
httpd.exp libmod_proxy_ajp.a libmod_speling.a mod_info.la mod_proxy_scgi.la
libmod_cern_meta.a libmod_proxy_balancer.a libmod_ssl.a mod_proxy.la mod_rewrite.la
libmod_dbd.a libmod_proxy_connect.a libmod_vhost_alias.a mod_proxy_ajp.la mod_speling.la
libmod_deflate.a libmod_proxy_ftp.a mod_cern_meta.la mod_proxy_balancer.la mod_ssl.la
libmod_expires.a libmod_proxy_http.a mod_dbd.la mod_proxy_connect.la mod_vhost_alias.la
libmod_info.a libmod_proxy_scgi.a mod_deflate.la mod_proxy_ftp.la
libmod_proxy.a libmod_rewrite.a mod_expires.la mod_proxy_http.la
Here is my configure command:
./configure \
--with-mpm=prefork \
--with-ssl=/opt/freeware \
--enable-cern-meta \
--enable-dbd \
--enable-deflate \
--enable-expires \
--enable-info \
--enable-proxy \
--enable-rewrite \
--enable-speling \
--enable-ssl \
--enable-vhost-alias \
--enable-mods-shared="cern_meta dbd deflate expires info proxy rewrite speling ssl vhost_alias"
I have done this many times in the past on AIX 5.2, 5.3 and 6.1 without issue.
.la files are libtool's library control files; notice they are really just small scripts. Check for your shared library objects inside the .libs directory. You might also explicitly tell configure that you want shared libraries with --enable-shared.
