Thursday, October 26, 2017

openssl is too old. of course.

 I was having a good morning. I got to work on time and had a cup of coffee.  
 The world was good.  
   
 Then I see this:  
   
 Downloading: https://zlib.net/fossils/zlib-1.2.11.tar.gz  
 javax.net.ssl.SSLException: hostname in certificate didn't match: <zlib.net> != <amanekaneko.com> OR <amanekaneko.com> OR <cpanel.amanekaneko.com> OR <mail.amanekaneko.com> OR <webdisk.amanekaneko.com> OR <webmail.amanekaneko.com> OR <www.amanekaneko.com>  
   
 browsing amanekaneko.com is fascinating, to say the least  
   
   
 me@:~/certs$ wget https://zlib.net/fossils/zlib-1.2.11.tar.gz  
 --2017-10-26 12:20:05-- https://zlib.net/fossils/zlib-1.2.11.tar.gz  
 Resolving zlib.net... 69.73.182.198  
 Connecting to zlib.net|69.73.182.198|:443... connected.  
 ERROR: certificate common name `amanekaneko.com' doesn't match requested host name `zlib.net'.  
 To connect to zlib.net insecurely, use `--no-check-certificate'.  
   
 What?!  
   
 I see the same across a bunch of build systems. ffs.  
 Maybe it is the firewall doing something weird.  
   
 Nope.  
   
 me@:/etc/ssl/certs$ openssl version -a  
 OpenSSL 0.9.8k 25 Mar 2009  
 built on: Thu Mar 19 15:32:30 UTC 2015  
 platform: debian-i386-i686/cmov  
 options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)  
 compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -march=i686 -Wa,--noexecstack -g -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM  
   
 OPENSSLDIR: "/usr/lib/ssl"  
   
 All certs are here: /etc/ssl/certs  
 All symlinked to: /usr/share/ca-certificates/  
   
 $JAVA_HOME/lib/security/cacerts is the same.  
   
   
 SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt  
   
 reinstall openssl and the CA bundle, then rehash the cert dir:  
 apt-get install --reinstall openssl  
 apt-get install --reinstall ca-certificates  
 cd /usr/lib/ssl/certs  
 c_rehash  
   
 and yet.  
   
 me@:~$ openssl s_client -connect zlib.net:443  
 CONNECTED(00000003)  
 depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority  
 verify error:num=20:unable to get local issuer certificate  
 verify return:0  
   
 I need the /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority certificate.  
 It is present. Very present.  
   
 but.  
   
 me@:~$ openssl s_client -CApath /etc/ssl/certs/ -connect zlib.net:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > zlibnet.pem  
   
 depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root  
 verify return:1  
 depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority  
 verify return:1  
 depth=1 /C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority  
 verify return:1  
 depth=0 /CN=amanekaneko.com  
 verify return:1  
 DONE  
   
 cat the output and yep. the pem is pem-a-licious. (it is the leaf certificate for amanekaneko.com; s_client only prints the server's own cert unless you pass -showcerts.)  
   
 me@:~$ sudo cp zlibnet.pem /usr/lib/ssl/certs  
   
 me@:~$ wget https://zlib.net/fossils/zlib-1.2.11.tar.gz  
 --2017-10-26 12:15:48-- https://zlib.net/fossils/zlib-1.2.11.tar.gz  
 Resolving zlib.net... 69.73.182.198  
 Connecting to zlib.net|69.73.182.198|:443... connected.  
 ERROR: certificate common name `amanekaneko.com' doesn't match requested host name `zlib.net'.  
 To connect to zlib.net insecurely, use `--no-check-certificate'.  
   
 Nope. Weird. Well, that's new. Let's see what happens if we specify the cert dir. (wget's --ca-certificate wants a file; --ca-directory is the option for a hashed dir. not that it matters here: the complaint is about the name on the certificate, not about trusting its issuer.)  
   
 me@:~$ wget https://zlib.net/fossils/zlib-1.2.11.tar.gz --ca-certificate=/usr/lib/ssl/certs  
 --2017-10-26 12:15:48-- https://zlib.net/fossils/zlib-1.2.11.tar.gz  
 Resolving zlib.net... 69.73.182.198  
 Connecting to zlib.net|69.73.182.198|:443... connected.  
 ERROR: certificate common name `amanekaneko.com' doesn't match requested host name `zlib.net'.  
 To connect to zlib.net insecurely, use `--no-check-certificate'.  
   
 No? So. certificate common name doesn't match requested host name. Why?  
   
 OpenSSL is too old.  
 OpenSSL 0.9.8k 25 Mar 2009 <- too old  
   
 more precisely: the clients here evidently don't send SNI (the Java-based build that threw the SSLException at the top got the same amanekaneko.com certificate, so it didn't either). a shared host like this cPanel box then has no way of knowing which site you want and hands back its default certificate, the one for amanekaneko.com. the chain verifies fine, as the s_client run with -CApath shows; the name on the leaf simply isn't zlib.net, and no amount of reinstalling ca-certificates or copying the leaf into the cert dir changes that. a client that sends SNI gets the right certificate.  
   
   
 me@:~$ wget https://zlib.net/fossils/zlib-1.2.11.tar.gz --no-check-certificate  
 me@:~$ curl https://zlib.net/fossils/zlib-1.2.11.tar.gz --insecure  
   
 or  
   
 curl -L --remote-name https://zlib.net/fossils/zlib-1.2.11.tar.gz  
   
 with --no-check-certificate or --insecure you have just switched certificate verification off, so anything between you and zlib.net could hand you a different tarball. check the archive's hash against a value obtained from a machine you trust before building it, or fetch it on a box whose TLS stack sends SNI and copy it over.  
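 As an added example (mine, not the author's), here is a small Python diagnostic for exactly this failure mode: it connects to the host twice, once sending SNI and once without, collects the names on the certificate each connection receives, and checks them against the requested hostname the way a client should. If the names match with SNI but not without it, the server is fine and the client is the problem. Chain validation stays on; only the hostname check is disabled so the mismatch can be observed instead of aborting the connection. The network calls sit behind the `__main__` guard, so the name helpers can be exercised offline with a constructed certificate dict; the `zlib.net` default is just the host from this post.

```python
"""Added diagnostic (not from the original post): compare the certificate a
server presents with and without SNI, and check its names against the host."""
import socket
import ssl


def names_from_cert(cert):
    """DNS names a getpeercert() dict vouches for: SAN dNSName entries first,
    then the subject CN as a fallback if it is not already listed."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def match_hostname(hostname, names):
    """RFC 6125-style matching: exact match, or a single leading '*.' wildcard
    that covers exactly one label. Case-insensitive, trailing dots ignored."""
    host = hostname.lower().rstrip(".")
    for name in names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            suffix = pattern[1:]  # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def presented_names(host, port=443, sni=True, timeout=10):
    """Connect and return the names on the certificate the server presents.
    The chain is still validated against the system CA store (a bogus CA still
    fails); only the hostname check is off, because a mismatch is what we want
    to observe. With sni=False no server_name extension is sent at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return names_from_cert(tls.getpeercert())


def diagnose(host, port=443):
    """Explain a 'hostname doesn't match' error: is it the server's fault, or
    a client that never told the server which vhost it wanted?"""
    with_sni = presented_names(host, port, sni=True)
    without_sni = presented_names(host, port, sni=False)
    return {
        "with_sni": with_sni,
        "without_sni": without_sni,
        "ok_with_sni": match_hostname(host, with_sni),
        "ok_without_sni": match_hostname(host, without_sni),
    }


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "zlib.net"
    print(json.dumps(diagnose(target), indent=2))
```

 If `ok_with_sni` is true and `ok_without_sni` is false, upgrading the client (or the TLS library under it) is the fix; if both are false the operator really did deploy the wrong certificate, and no client-side change will help.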

Monday, October 9, 2017

symantec enterprise protection and centos 7 notes

   
 symantec enterprise protection for linux is way less than nice.  
 there is what i would call "glibc disarray."  
   
 first:  
 # yum install glibc libgcc libX11  
   
 then:  
 # yum install glibc.i686 libgcc.i686 libX11.i686  
   
 do your install and check up on it:  
 # /opt/Symantec/symantec_antivirus/sav info -a  
 Enabled <- yes  
   
 # /opt/Symantec/symantec_antivirus/sav manualscan -s /nfs/mount/ <- scan a decade's worth of work  
   
 # /opt/Symantec/symantec_antivirus/sav info -s <- is the scan running?  
   
 # tail -f -n 30 /var/symantec/sep/Logs/10666666.log <- tell me more  
   
 # ls -la /var/symantec/sep/Quarantine/ <- here be viruses  
   
 to free nfs mounts from the tight grip of sep after you foolishly  
 scan a decade's worth of work.  
   
 # lsof |grep /nfs/mount |grep rtvscand |awk '{print $2}' |sort -n |uniq |xargs -r kill -9  
 (column 2 of lsof output is the PID; column 3 is the user.)  
   
 # umount /nfs/mount  
   
 # /opt/Symantec/symantec_antivirus/sav info -a  
 scan engine is malfunctioning  
   
 # /etc/init.d/rtvscand restart  
 
 i dislike logs:
 
 # cd /var/symantec/sep/Logs
 # for i in *.log ; do echo "" > $i ; done  
 # echo "" > /opt/Symantec/LiveUpdate/Logs/lux.log

centos 7 write path & auto eth issue

   
 gross.  
   
 # dmesg |grep "WRITE SAME"  
 [  6.984034] sda3: WRITE SAME failed. Manually zeroing.  
   
 # touch /etc/tmpfiles.d/write_same.conf  
 # find /sys | grep max_write_same_blocks >> /etc/tmpfiles.d/write_same.conf  
 # vi write_same.conf  
    
  # type path mode uid  gid  age argument  
  w /sys/devices/pci0000:00/0000:00:10.0/host0/target0:0:0/0:0:0:0/scsi_disk/0:0:0:0/max_write_same_blocks -  -  -  - 0  
   
 next, deal with eth  
   
 # nmcli d  
 DEVICE TYPE   STATE    CONNECTION  
 ens160 ethernet disconnected --  
 lo   loopback unmanaged  --  
   
 change the network script  
   
 vi /etc/sysconfig/network-scripts/ifcfg-<ethname>  
 ONBOOT=yes  
   
 restart networking however you do it.  

Wednesday, October 4, 2017

looking at data in a regkey and doing something

 i need to do "stuff" to a lot of systems. some of them i own. some i don't.  
 to make sure i do "stuff" to the ones i own - members of hell, hades or purgatory.  
 all i need to do is figure out their domain membership status.  
   
 happily, domain names are saved in a system's registry.  
 
 ..... 
 @ECHO OFF  
   
 REM DefaultDomainName is the domain prefilled on the logon screen.
 REM findstr exits 0 if any of the listed words is found, 1 otherwise.
 REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName | findstr "HELL HADES PURGATORY"  
   
 IF %ERRORLEVEL% == 1 goto end  
 IF %ERRORLEVEL% == 0 goto dosomething  
   
 goto end  
   
 :dosomething  
 @echo "Hello World"  
 pause  
   
 goto end  
   
 :end  
 @exit  
 .....

 in a nutshell: if findstr exits with an error, that is, none of the strings listed after findstr appear in the output, the script skips to the end and does nothing. if one of them is present we dosomething, in this case echo "Hello World". findstr is case-sensitive unless you pass /I.

 the REG QUERY statement must be one line.

 one caveat: Winlogon\DefaultDomainName is a plain writable string holding the domain prefilled on the logon screen, normally the domain of the last interactive logon, so it tells you who last logged on rather than whether the machine is joined to your domain. for the join state itself, `wmic computersystem get domain` is the better check.