
Posts Categorized / Linux

  • Jun 09 / 2016
Linux, Python

openssl/pyOpenSSL – “SSL23_GET_SERVER_HELLO:tlsv1 alert internal error”

You keep getting this annoying error message when trying to fetch a certificate and/or establish a connection to your website with openssl:

139647967614624:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:

This issue is well known in several openssl versions, and a bug has been filed against the Ubuntu openssl package:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1475228

For now, there’s a simple workaround that works to quickly fix it!

For openssl

If you're hitting it while using openssl directly, you can fix it by specifying the server name on the command line:

openssl s_client -connect www.mywebsite.com:443 -servername www.mywebsite.com

For pyOpenSSL

If you're hitting this issue while using pyOpenSSL (the Python wrapper for OpenSSL), the same workaround applies: call set_tlsext_host_name() on your "Connection" object to specify the server name before the handshake.
You will end up with something like this:

import socket
from OpenSSL import SSL

# REPLACE WITH YOUR OWN WEBSITE
hostname = 'www.mywebsite.com'
# TLSv1_METHOD pins TLS 1.0; SSL.SSLv23_METHOD negotiates the highest version both sides support
ctx = SSL.Context(SSL.TLSv1_METHOD)
sock = socket.socket()
ssl_sock = SSL.Connection(ctx, sock)
# Send the SNI extension (pyOpenSSL wants bytes here): without it, a server that
# hosts several names or requires SNI answers the ClientHello with the alert above.
ssl_sock.set_tlsext_host_name(hostname.encode('idna'))
ssl_sock.connect((hostname, 443))
ssl_sock.do_handshake()
cert = ssl_sock.get_peer_certificate()
print(cert.get_subject().commonName)
ssl_sock.close()

  • Jun 02 / 2016
Linux

Configure VLan interface (with alias)

If you want to isolate multiple networks, you can use VLANs (Virtual LANs). Most switches can be configured to handle tagged packets and deliver them only to specific ports, isolating them from the rest of the network. Each VLAN is assigned an id that can be any number between 1 and 4096.

Most Linux distributions can handle tagged packets and VLANs, but the feature is not necessarily enabled by default. As an example, I'll show here how to enable and configure a VLAN on Ubuntu Server 14.04.

First, you need to install the vlan package:

apt-get install vlan

Temporary configuration

Then load the 8021q module into the kernel (assuming you're running a recent, non-customized kernel):

modprobe 8021q

As it's not possible to create a VLAN on a virtual interface, you have to use a physical interface and an alias on it (here eth0.100 for VLAN id 100). You can create the additional interface with:

vconfig add eth0 100

Then assign an address to this interface:

ip addr add 172.30.0.1/24 dev eth0.100

And finally bring the interface up:

ip link set up eth0.100

Permanent configuration

Make the module load automatically and permanently:

echo "8021q" >> /etc/modules

Finally, add the configuration to /etc/network/interfaces so it is applied at startup:

auto eth0.100
iface eth0.100 inet static
        address 172.30.0.1
        netmask 255.255.255.0
        network 172.30.0.0
        broadcast 172.30.0.255
        vlan-raw-device eth0
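The temporary commands and the interfaces stanza have to agree (same raw device, VLAN id, address and mask), so here is an added Python helper, not from the original post, that derives the whole stanza from one CIDR address with the standard ipaddress module and rejects ids the kernel will not accept (802.1Q reserves 0 and 4095, leaving 1 to 4094 usable) or a raw device that is itself a VLAN alias.

```python
import ipaddress

def vlan_stanza(raw_device, vlan_id, cidr):
    """Return the /etc/network/interfaces stanza for <raw_device>.<vlan_id> with the given address.

    cidr is an address with its prefix, e.g. "172.30.0.1/24"; netmask, network and
    broadcast are computed from it so they cannot disagree with each other."""
    if not 1 <= vlan_id <= 4094:                    # 802.1Q reserves ids 0 and 4095
        raise ValueError("VLAN id out of range: %d" % vlan_id)
    if "." in raw_device:                            # eth0.100 is an alias, not a raw device
        raise ValueError("raw device must be a physical interface: %s" % raw_device)
    iface = ipaddress.ip_interface(cidr)             # host bits are allowed here
    net = iface.network
    name = "%s.%d" % (raw_device, vlan_id)
    lines = [
        "auto %s" % name,
        "iface %s inet static" % name,
        "        address %s" % iface.ip,
        "        netmask %s" % net.netmask,
        "        network %s" % net.network_address,
        "        broadcast %s" % net.broadcast_address,
        "        vlan-raw-device %s" % raw_device,
    ]
    return "\n".join(lines) + "\n"

def temporary_commands(raw_device, vlan_id, cidr):
    """The one-off commands from the post, in order, for the same parameters."""
    name = "%s.%d" % (raw_device, vlan_id)
    return [
        "modprobe 8021q",
        "vconfig add %s %d" % (raw_device, vlan_id),   # iproute2 equivalent: ip link add link ... type vlan id ...
        "ip addr add %s dev %s" % (cidr, name),
        "ip link set up %s" % name,
    ]
```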

  • May 09 / 2016
Linux

Perform git commands with a specific ssh key

It's sometimes necessary to execute a single git command with a different SSH key than the one you're currently using (for example on a remote console).

This can easily be done with a command like this (the agent only lives for the duration of the subshell):

ssh-agent bash -c 'ssh-add /home/myuser/.ssh/github.key; git pull git@github.com:MYPROJECT/myproject.git'

  • Apr 22 / 2016
Linux

Aggregate results from command line on a specific field (e.g. netstat per IP)

To aggregate results from a command line and count the number of occurrences of each value of a field, you can chain tools like awk, cut, uniq and sort.

For example, to retrieve the number of connections open per remote IP on your server, just run:

netstat -ntu | tail -n +3 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

You will get results like:

      1 127.0.0.1
      1 10.1.2.3
     65 10.1.2.8
     77 10.10.15.12
    114 10.1.3.8
    132 10.10.16.254
    310 192.168.10.1
   3970 10.0.0.254

If you only want to aggregate results matching a particular keyword (a port, for example), you can add a grep to filter them. It has to come after the tail that skips the two header lines, otherwise tail drops your first two matches instead:

netstat -ntu | tail -n +3 | grep "27017" | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
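The pipeline above breaks on IPv6 (cut -d: -f1 returns an empty host for "2001:db8::10:55010") and a bare grep "27017" also matches the digits in a remote port or address. Here is an added Python version, not from the original post, that does the same aggregation on a constructed netstat -ntu sample, splitting on the last colon and filtering on the local port column only.

```python
from collections import Counter

# Constructed sample of `netstat -ntu` output (not captured from a real host).
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:27017          10.1.2.8:51234          ESTABLISHED
tcp        0      0 10.0.0.5:27017          10.1.2.8:51240          ESTABLISHED
tcp        0      0 10.0.0.5:22             192.168.10.1:40001      ESTABLISHED
tcp6       0      0 fd00::5:443             2001:db8::10:55010      TIME_WAIT
tcp6       0      0 fd00::5:27017           2001:db8::10:55020      ESTABLISHED
udp        0      0 10.0.0.5:53             127.0.0.1:33333         ESTABLISHED
"""

def split_host_port(addr):
    """Split 'host:port' as printed by netstat -n; the last colon separates the port, so IPv6 stays intact."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def connections_per_ip(text, local_port=None):
    """Count connections per foreign IP, optionally keeping only those on one local port."""
    counts = Counter()
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue                                  # the two header lines (the tail -n +3 step)
        cols = line.split()
        local, foreign = cols[3], cols[4]             # awk's $4 and $5
        if local_port is not None and split_host_port(local)[1] != local_port:
            continue                                  # filter on the local port column only
        counts[split_host_port(foreign)[0]] += 1
    return counts

def format_report(counts):
    """Render like `sort | uniq -c | sort -n`: count right-aligned, ascending."""
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return "\n".join("%7d %s" % (n, ip) for ip, n in ordered)
```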

  • Mar 30 / 2016
Linux, Python

Generate SHA-512 hash on command-line with Python

Need to generate the hash for a password? No need to use an online generator, which is totally insecure for your passwords …
This simple command asks you which string you want to hash and returns the result once you press the "Enter" key!

python -c "import crypt; print crypt.crypt(raw_input(), '\$6\$' + raw_input() + '\$')"

The first line you type is the string to hash and the second is the salt, which ends up between the $6$ prefix and the final $ (the backslashes keep the shell from expanding the dollar signs inside the double quotes).

  • Mar 09 / 2016
Linux

Define the MTU size for current network

To limit packet fragmentation and optimize your network, it can be necessary to find the best MTU size to set on your interface. To find this value, you can use a simple ping with the don't-fragment flag.

We first try with a 1500-byte ping payload:

$ ping -M do -s 1500 mysite.com
PING mysite.com (1.2.3.4) 1500(1528) bytes of data.
ping: local error: Message too long, mtu=1500
ping: local error: Message too long, mtu=1500
ping: local error: Message too long, mtu=1500

We can clearly see that with the header overhead it would send 1528 bytes, too long for the MTU allowed on the network (1500): without the don't-fragment flag, the message would have to be fragmented.

We change the payload to 1472 bytes:

$ ping -M do -s 1472 mysite.com
PING mysite.com (1.2.3.4) 1472(1500) bytes of data.
1480 bytes from 1.2.3.4: icmp_seq=1 ttl=58 time=0.94 ms
1480 bytes from 1.2.3.4: icmp_seq=2 ttl=58 time=0.62 ms
1480 bytes from 1.2.3.4: icmp_seq=3 ttl=58 time=0.53 ms

Now we can see that packets are no longer fragmented, exactly what we expected!

On most Linux distributions, the MTU size can be set with this command:

ifconfig eth0 mtu 1472 up

You can check the result with the ip addr show command:

$ ip addr show
[...]
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1492 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
[...]

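The manual probing above can be automated. The added example below (not from the original post) binary-searches the largest payload that ping -M do accepts and adds the 28 bytes of IPv4 and ICMP headers, which is the MTU value to configure and the number ping prints in parentheses ("1472(1500)"); the probe function is injectable so the search can be exercised without network access, and a path that never answers is reported instead of being mistaken for a tiny MTU.

```python
import subprocess

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP header: payload 1472 -> 1500 on the wire

def ping_probe(host, payload, timeout=2):
    """True if one ICMP echo of `payload` bytes with DF set gets a reply (ping -M do -s)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0

def find_path_mtu(host, lo=IP_ICMP_OVERHEAD, hi=1500, probe=ping_probe):
    """Return the path MTU to `host`, searched between lo and hi bytes (hi defaults to Ethernet).

    probe(host, payload) must return True when the packet went through unfragmented;
    the search assumes that if a size passes, every smaller size passes too."""
    lo_payload, hi_payload = lo - IP_ICMP_OVERHEAD, hi - IP_ICMP_OVERHEAD
    if not probe(host, lo_payload):
        raise RuntimeError("no reply even at %d bytes; host unreachable or ICMP filtered" % lo)
    # invariant: lo_payload passes, anything above hi_payload is out of range
    while lo_payload < hi_payload:
        mid = (lo_payload + hi_payload + 1) // 2
        if probe(host, mid):
            lo_payload = mid
        else:
            hi_payload = mid - 1
    return lo_payload + IP_ICMP_OVERHEAD

if __name__ == "__main__":
    import sys
    print(find_path_mtu(sys.argv[1] if len(sys.argv) > 1 else "mysite.com"))
```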