What We Didn’t Have For Amiga Development

While using Cloanto’s Amiga Forever to massage the source code for Rend24 into something that actually compiles*, I was amazed at the basic functionality we had to live without during the time I did Amiga development.

  • Undo!?  I can’t believe it, but TurboText does not have a traditional undo!  Goodbye, old reliable CTRL-Z.  (You can undo deleted lines, but that’s it.)
  • Home, End, PgUp and PgDn.  It’s shocking how much I’ve relied on these keys since I switched to Windows.
  • Scroll Wheel.  Cloanto kindly provided an implementation for the mouse scroll wheel in their emulator, but we didn’t have one on Amiga mice.
  • Shift-highlighting.  Holding down shift and moving around does not highlight text.  How did we copy and paste?!?  I honestly can’t remember.
  • Click-to-front.  Amiga windows do not come to the front when you click on them like they do in Windows (unless you run some extra software).  Again, it’s amazing how much you get used to it.
  • Automatic saving preferences.  Before Windows, we had to explicitly tell the computer to save our preferences to disk after changing them in the program.  What a pain.
  • Any kind of IDE.  Yep, we had to run a text editor on a specific file and then type “make” to compile things.  Actually that’s no so bad, really.  It forces you to be a more thoughtful, disciplined programmer.

In short, I can’t imagine doing Amiga development on an actual Amiga anymore.  If only there was a way to edit, compile and link source code on a PC and then copy the binaries over to the Amiga.  If, you know, there was any reason to compile Amiga binaries, that is.

* I don’t know why I was doing it, either.

A Router Firewall In Action

Is this normal for a home router? :)  I get a report every week filled with scary-sounding log messages like the ones below.  I guess it’s good to see that these things are caught, but it makes one wonder what kinds of things are not getting caught.

[HOST Attack: TCP SYN Flood][Deny access policy matched, dropping packet]

[HOST Attack: TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet] dropping packet]

[TCP SYN Flood][Deny access policy matched, dropping packet]

[TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]

Gave Up On Ubuntu

Recently I put an old 1.8GHz P4 computer in the living room to use as a dedicated media player for music, pictures and video.  As an experiment, I first tried to install Ubuntu Linux as the operating system, thinking the Linux desktop had surely matured enough by now to perform this simple task.

It did perform well in most areas.  I used XBMC to play music and show slideshows from my TVersity media server and Miro to play downloaded video podcasts from Revision3 and Mevio.  They worked beautifully.

However, one area where the Ubuntu box did not do well was in playing back Flash video content.  Hulu and YouTube, for example, were both jerky and unwatchable in full screen and not much better at the original size.  (The computer has an ATI Radeon 9600 video card – not great by today’s standards, but plenty powerful enough to play full screen video.*)

The nail in the coffin was Netflix.  Netflix instant download videos (or whatever they call them) wouldn’t play at all because they require Windows Media Player.  That’s not Ubuntu’s fault of course, but it was still one less thing I could do.

So I finally gave up and switched it back to Windows XP.  It’s just easier.  There’s really nothing wrong with Ubuntu, but you still have to wrestle and tweak it for optimum performance, which is kind of a pain.  And, just like the Amiga used to be, it’s not high on the list of priorities for major vendors to support, so you’re always going to be lagging behind.

(As a side note, anyone that has ever complained about Windows pushing too many updates should try Ubuntu sometime.  There are updates galore on a weekly basis.)

* I should probably mention that Hulu and YouTube also don’t perform very well on this box under Windows XP, either.  Flash video unfortunately uses more CPU processing power than GPU processing power.

Huckabee’s Divisive Argument Against Abortion

Mike Huckabee appeared on The Daily Show last week to discuss the touchy subject of abortion, and Stewart brought out what I find most annoying about the pro-life argument.

The pro-life side often argues that we must outlaw abortion because we must treat all life as precious (Huckabee did this in that same tone of voice with which one might gently scold a wayward child, maximizing the irritation factor).  Stewart countered (correctly) that this is a divisive argument, because what is left unsaid (except by the more dickish pro-life proponents) is the implied accusation that the pro-choice side has no understanding of the value of life – that they are essentially sociopathic.

Many pro-life people may actually believe that, and to them I would say… well… nothing.  Because one thing I’ve learned in life is to avoid conversing with zealots.

But to anyone willing to listen instead of preach, I would say this is at best insulting and at worst hypocritical.  It’s insulting because the pro-choice side is clearly not arguing to trivialize the meaning of life, and it’s hypocritical because, if the assertion is that all life is precious, the pro-life side should consist of an army of pacifist vegans that oppose the death penalty.

I can understand drawing an equivalence between laws against murder and laws against abortion – that’s an argument that makes sense.  But to turn what should be a purely legal argument into an ethical debate over the value of life doesn’t jibe with my understanding of the role of government.  Morality should be an argument for philosophers and clergy, not government bureaucrats.

uvBlog 2.1.90621

Published a new version tonight with mainly internal changes.  The biggest change is in the administration of posts and tags, so I can now (finally) go through and try to make some sense of my tags.

uvBlog 2.1.90615

Published a minor update tonight which cleans up some cosmetic problems in the RSS feeds.  Internally it also improves the generation of links (some were still full URI paths instead of relative paths, which caused headaches if you tried to run the site on https).

How to Create and Manage Certificates with OpenSSL

Lately I’ve been on a crusade to digitally sign my emails.  I tried some free email certificates from StartSSL and Thawte, but neither one was quite what I wanted (they just show an email address with something like a generic “free member” as the common name).  So I decided to try making my own certificate authority with OpenSSL.  There are tons of resources on the Internet for doing this, but in this magnum opus I’m attempting to distill it all down into one place.

Preparation

First download and install a binary distribution of OpenSSL.  I’ve used both the GNU Windows binary distribution and the Shining Light binary distribution.  Add the binaries to your path (I’ll assume you know how to do that – if not, you should probably stop reading now).

The OpenSSL tool makes use of a configuration file to cut down on the number of options you have to set on the command line.  Start by making a copy of the default openssl.cnf from the distribution and edit it to your liking.  In particular, edit the default country, location, organization name, etc., otherwise you’ll have to retype them every time you create a certificate request.

Here is the openssl.cnf file used for the following demonstrations, with the places you might want to change highlighted.  For brevity, I’ve stripped out tabs and comments.

# openssl.cnf

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = .
certs = $dir
crl_dir = $dir
new_certs_dir = $dir
database = $dir/index.txt
certificate = $dir/ca.crt
serial = $dir/serial.txt
crlnumber = $dir/crlnumber.txt
crl = $dir/revoked.crl
private_key = $dir/ca.key
RANDFILE = .rnd
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MyState
localityName = Locality Name (eg, city)
localityName_default = MyCity
0.organizationName = Organization Name (eg, company)
0.organizationName_default = MyOrg
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = MyOrgUnit
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ ca_ext ]
# Extensions for creating certificate authorities
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true,pathlen:0
keyUsage = cRLSign,keyCertSign
extendedKeyUsage = serverAuth,clientAuth,codeSigning,emailProtection
subjectAltName = email:copy
issuerAltName = issuer:copy

[ mail_ext ]
# Extensions for client email certificates
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection

[ ssl_ext ]
# Extensions for SSL certificates
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

Make sure default_md is set to “sha1” instead of “md5.”  It’s more secure.

You’ll also need to create a file named serial.txt that contains just the number 01, like this:

01

If you plan to work with certificate revocation lists (CRLs), you’ll also need to create a file named crlnumber.txt that contains the number 01, and an empty index.txt file.


Create a Certificate Authority

This will create your certificate authority’s root certificate, which will be used to sign all your other certificates.  A “certificate authority” is a fancy name for someone that has the authority to issue and sign certificates.  In this case, that’ll be you – issuing certificates to yourself.  “Root certificates” are distinguished from other certificates because they are self-signed; the user must therefore trust the reputation of the certificate authority.  (We’ll assume you trust yourself.)

1. Start by creating a private key for the root certificate authority.  (On the following screens, you may get ‘unable to write random state’ messages; I could never fix them, but it seems to work anyway.)

> openssl genrsa -des3 -out ca.key 2048

Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
....................................................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key: password
Verifying - Enter pass phrase for ca.key: password

2. Next create a certificate request.

> openssl req -new -key ca.key -out ca.csr
-config openssl.cnf

Enter pass phrase for ca.key: password
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MyState]:
Locality Name (eg, city) [MyCity]:
Organization Name (eg, company) [MyOrg]:
Organizational Unit Name (eg, section) [MyOrgUnit]:
Common Name (eg, YOUR name) []:My Root Certificate Authority
Email Address []:ca@mydomain

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Create and self-sign the root certificate.

> openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key
-extfile openssl.cnf -extensions ca_ext

Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=MyState/L=MyCity/O=MyOrg/OU=MyOrgUnit/
CN=My Root Certificate Authority/emailAddress=ca@mydomain
Getting Private key
Enter pass phrase for ca.key: password

You can also do all 3 steps in one command if you want:

> openssl req -new -x509 -keyout ca.key -out ca.crt
-config openssl.cnf -extensions ca_ext

Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.......................+++
writing new private key to 'ca.key'
Enter PEM pass phrase: password
Verifying - Enter PEM pass phrase: password
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MyState]:
Locality Name (eg, city) [MyCity]:
Organization Name (eg, company) [MyOrg]:
Organizational Unit Name (eg, section) [MyOrgUnit]:
Common Name (eg, YOUR name) []:My Root Certificate Authority
Email Address []:ca@domain

Now you have a root certificate. Note that you’ll need to publish the root certificate so that people can install it as a Trusted Root Certificate Authority.  Do NOT publish the private key.  Keep it backed up and safe from prying eyes.  (I keep it on a USB thumb drive; ie. not stored on a computer connected to the Internet.)


Create an S/MIME Email Certificate

This will create a certificate signed by your root certificate authority, which you can use to sign and encrypt your emails in S/MIME-compatible programs.

Creating certificates is normally a two-stage process:  A user provides their certificate request and credentials to a certificate authority and then the CA returns a signed certificate.  This demonstration does it all on one machine.

1. First the client creates a private key.

> openssl genrsa -des3 -out mail.key 2048

2. Then the client creates a certificate request.

> openssl req -new -key mail.key -out mail.csr
-config openssl.cnf

Alternatively, you can do both steps in one command:

> openssl req -new -out mail.csr -keyout mail.key
-config openssl.cnf

3. The client would then transmit the certificate request to the certificate authority, where the CA would sign a certificate and return it.

> openssl x509 -req -in mail.csr -out mail.crt
-CA ca.crt -CAkey ca.key -CAserial serial.txt
-extfile openssl.cnf -extensions mail_ext

The signed certificate file would then be sent back to the client for him to use.

Create an SSL Certificate

This will create an SSL certificate signed by your root certificate authority, which you can import into Apache and IIS to create secure web sites.  The process is almost identical to creating an email certificate except that the private key is not encrypted for Apache installations, and the extensions are slightly different.

(If the private key is encrypted, Apache will prompt you for the password when it starts, which would be bad if the web server restarted unattended.  For IIS, you’ll need to import the certificate as a PKCS#12 file (see below), so it doesn’t matter.)

Again, this is normally a process that takes place between a client and a certificate authority, but we’re doing it all on one machine for this demonstration.

1. The client creates a private key.

> openssl genrsa -out ssl.key 1024 [note: no -des3 for Apache]

2. The client creates a certificate request.

> openssl req -new -key ssl.key -out ssl.csr
-config openssl.cnf

3. The certificate authority receives the request, then signs and returns a certificate.

> openssl x509 -req -in ssl.csr -out ssl.crt
-CA ca.crt -CAkey ca.key -CAserial serial.txt
-extfile openssl.cnf -extensions ssl_ext


Exporting to PKCS#12

Often times you need to export a certificate and its accompanying private key to PKCS#12 format (usually identified by a .pfx or .p12 extension). This is necessary, for example, when you want to import a certificate into Outlook for encrypting emails or IIS to secure a web site.

> openssl pkcs12 -export -clcerts 
-in mail.crt -out mail.p12 -inkey mail.key

Loading 'screen' into random state - done
Enter pass phrase for mail.key: password
Enter Export Password: exportpassword
Verifying - Enter Export Password: exportpassword


Revoke a Certificate

You may need to revoke a certificate if the private key has been compromised, or if you decide not to use it anymore.  This is an area I’ve only started experimenting with, so I don’t know much about it.

Make sure you’ve setup the [CA_default] section in openssl.cnf and created an empty index.txt database file.

> openssl ca -revoke (file).crt -crl_reason reason 
-config openssl.cnf

The “reason” will probably be either “superseded” or “keyCompromise.”


Create a Certificate Revocation List (CRL)

The above revocation will just add the revoked certificate to the index.txt database.  From there, you need to create a certificate revocation list (CRL) to publish.  Again, I’ve just started experimenting with this so I’m not sure how the CRL propagates yet.

Make sure you’ve created a file named crlnumber.txt containing just the number 01 (or whatever serial number you want to start with) the first time you do this.

> openssl ca -gencrl -out revoked.crl -config openssl.cnf


Notes

If you don’t want to mess with OpenSSL and the command line, Windows Server has a bunch of certificate services, but based on my meager experience with them, one could argue that they are just as hard to setup and use, especially since they are geared more for “the enterprise.”  One nice thing about OpenSSL is you can put the whole operation onto a USB thumb drive and keep your “certificate authority” completely safe… assuming you don’t lose it.

There doesn’t seem to be any kind of standard for the extensions on these files.  The PEM formats are all basically base64-encoded text files, and they have extensions like .key, .csr, .cer or .crt.  It really doesn’t matter what you call them, but it’s convenient to name certificates .crt or .cer in Windows because there are built-in associations for them.

If you post your certificates on the web, make sure your web server correctly associates them with the MIME type application/x-x509-ca-cert.  Also, if you post CRLs, associate them with application/x-pkcs7-crl.

Make sure you import PKCS#12 certificates with public AND private keys to sign emails in Windows Mail or Windows Live Mail.  They won’t work if you import public key certificates (.crt files) and you’ll see this cryptic error message whenever you try to send a signed email:  “The message could not be sent. An error has occurred.”

Name-Brand Certificates

My shared Linux web host won’t let me install my own SSL certificates, which I presume is because a) they don’t trust users, b) they want to charge money for it and c) it involves rebooting their web server.  Bummer.

When you buy certificates, they come in Class 1, Class 2 and Class 3 (also Class 4 and 5).  Class 1 certificates don’t have much in the way of identity verification – just a simple email or domain verification.  They are fast and easy to get (in minutes) and don’t cost very much, if anything.  Class 2 certificates have more robust identity verification and generally involves sending personally identifiable or corporate documentation to the certificate authority.  Class 3 certificates (which may also be called “extended validation” or EV certificates) involve “extensive” independent vetting of the client credentials (generally something that only large corporations would need).

Obviously if you’re building a major e-commerce site or something, you’ll have no choice but to buy Class 2+ certificates.  At the time of this writing, the cheapest Class 2 certificate I could find was $29 from StartSSL.  (It wasn’t clear if that’s a yearly charge or a one-time charge.)  GoDaddy Class 2 (“Deluxe”) certificates are $89/year.  Certificate prices range all the way up to VeriSign’s insanely expensive $1500+/year extended validation certificates.

I haven’t tested this theory, but it seems like there should be some way to buy a name-brand authority certificate and use it in turn to sign your own subordinate certificates.  On the other hand, that might potentially wreck the reputation of the trusted certificate authority.

As far as I know, there’s no way make an “extended validation” certificate because web browser makers (Mozilla, Microsoft, etc.) internally maintain their own lists of recognized EV certificate authorities.  You’ll just have to buy into the racket and pay big bucks for those.


References, in no particular order

http://www.openssl.org/docs/apps/openssl.html

http://www.sonicwall.com/downloads/Using_Openssl_to_Create_a_Private_Certificate_Authority.pdf

http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

http://www.freebsdmadeeasy.com/tutorials/web-server/apache-ssl-certs.php

http://www.davidpashley.com/articles/cert-authority.html

http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x195.html

Sending Signed Emails from Windows Live Mail

For the longest time, I couldn’t figure out how to send digitally signed emails in Windows Live Mail (or Windows Mail) in Vista.  Both consistently reported, “The message could not be sent. An error has occurred.”

There was no other information in any log file I could find, and Google was no help at all.  This happened with free certificates from StartSSL, Thawte and homegrown OpenSSL certificates.

I finally figured out the reason:  The certificates only contained public keys.  (In other words, I imported them wrong.)  If you import and use password-protected PKCS#12 files – the ones that contain both a public and private key (as opposed to .crt or .cer files) – WLM and WM will then send signed emails correctly.

In the screenshot below, you can see that the correctly-imported StartCom certificate has a little key in the upper left corner, whereas the incorrectly-imported Thawte certificate doesn’t.  The first will work, the second won’t.

image 

Would have been nice if Microsoft’s error message had told me that…

Site Update 2.1.90612

Published an update to the blog software which adds a blacklist table to ban IPs.  Certain repeated bot-like activities will now result in automatic banning (things like brute force attacks, which I see a lot in the logs.)

Virginia Primaries this Tuesday

This Tuesday is primary day in Virginia.

On the Democratic side, your choices for Governor:

Random video clips of gubernatorial debates:

And your choices for Lieutenant Governor:

  • Mike Signer.  The guy in the YouTube videos.
  • Jody Wagner.  The lady in the commercials.
  • Jon Bowerbank withdrew, so don’t vote for him unless you want to look like a stupid American.

On the Republican side, your statewide choices were made for you by delegates at a convention.  Your November ticket is:

We don’t have any here where I live, but you may have some local races to decide in your area.  Check your local listings (aka. the State Board of Elections).