msgbartop
A chronological documentation test project, nothing serious, really!
msgbarbottom

11 Feb 2009 Using Forte Agent Newsreader in linux with SSL support

This post describes how you can connect to a NNTP news servers that provides SSL support with your Forte Agent Newsreader version 6.0 under Ubuntu linux.
I assume you know how to install Forte Agent in linux or access it from a Windows partition and will not describe that in this post.

Installing wine

# sudo aptitude install wine

Always install the newest Wine version available.

Start Forte Agent using wine

# wine agent.exe

I assume you know where you have placed the Forte Agent files.

In Windows Forte Agent uses Internet Explorers DLLs to implement SSL support and that is not available in linux.
If you try to run Forte Agent with the Server Setting “The server requires a secure connection SSL” you will get a error message

Failed: Unknown exception msg=2 type=2

One solution is to use the linux command stunnel to create a SSL tunnel from your PC to the news server you want to connect to.

Install stunnel for the SSL support

# sudo aptitude install stunnel

Then you set up the stunnel tunnel from your PC to the nntp news server

# sudo stunnel  -c -d 127.0.0.1:563 -r nntpnews.servername:563

This command makes it possible to connect your Forte Agent newsreader to IP address 127.0.0.1 port 563 and all those requests will be forwarded to your newsservers port 563. The port number is just to change if it your news provider uses another port.

Now, in Forte Agent you have to go to the “Servers and Accounts”, “Advanced Settings…” and check the checkbox “Use a non-standard NNTP port” and write in the port you are using. In my example it is port 563.

You are now ready to connect to your news provider with a SSL tunnel while using Forte Agent Newsreader.
Enjoy safe news reading.

Tags: , , , , , ,

Posted by

30 Jan 2009 Enable secure / https SSL login on mediaWiki 1.13.3

This is how I’ve enabled secure SSL login through https on a mediaWiki 1.13.3 installation. This description might work on other versions of mediaWiki, but that has not been tested.
mediWiki doesn’t support SSL login out of the box so a little hack has to be performed.

First you need to tell the webserver, in my case my Apache server that mediaWiki login requests should be redirected to the SSL page
Add the following code lines to your Apache config files or the mediaWiki .htaccess file

Rewrite login url to use httpsRewriteEngine On

RewriteCond %{REQUEST_URI} ^/index.php$
RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R]

Rewrite non login url to use normal http

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(?!title=Special:Userlogin)
RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R]

Source: http://wiki.epfl.ch/cfavi/mediawiki

In addition to the above configuration you have to create a PHP script to fix some cookies problems since the cookie was made on an https address but normal surfing is done on http mode.

Create a file named ssl_login.php and insert the following code into it

# Secure the login page.

# Secure cookies hurt us because they are set on the https page
# but inaccessible from the http page, so we lose our previous session.
$wgCookieSecure = false;

# Don't process JavaScript and CSS files.
# Otherwise, a secure page will be tagged as "partially secure" because these
# files are being hit via http.
if (checkQS('gen', 'js')) {return;}
if (checkQS('gen', 'css') || checkQS('ctype', 'text/css')) {return;}

# Get page title from query string.
$pageTitle = array_key_exists('title', $_GET)
     ? $_GET['title']
     : "";

# Get server variables
$domain = $_SERVER['HTTP_HOST'];
$uri = $_SERVER['REQUEST_URI'];

# Are we on the sign-in page or not?
# Logic works for everything except Special pages which apparently don't
# even run LocalSettings.php.
$onSignInPage = false;
$signInPageName = 'special:userlogin';  // lowercase on purpose
if ( strtolower($pageTitle) == $signInPageName ) {
  $onSignInPage = true;
} elseif ( strstr(strtolower($uri), "/$signInPageName") ) {
  $onSignInPage = true;
} else {
  $onSignInPage = false;
}

# Secure only the Special:Userlogin page.
# Un-secure all other pages.
if ( !checkServerVariable('HTTPS', 'on') && $onSignInPage ) {
  header('Location: https://' . $domain . $uri);
} elseif ( checkServerVariable('HTTPS', 'on') && ! $onSignInPage ) {
  header('Location: http://' . $domain . $uri);
} else {
  // nothing
}

function checkQS($key, $value) {
  return checkArrayValue($_GET, $key, $value);
}

function checkServerVariable($var, $value) {
  return checkArrayValue($_SERVER, $var, $value);
}

function checkArrayValue($arr, $key, $value) {
  return array_key_exists($key, $arr) && $arr[$key] == $value;
}

Include this file in your LocalSettings.php file like this

# Fix to use SSL login
include '/full/path/to/htdocs/ssl_login.php';

Source: http://www.mediawiki.org/wiki/Manual:Configuration_tips_and_tricks#HTTPS_on_Login_only

Remember to restart your apache webserver to see the changes.

Tags: , , , , ,

Posted by

09 Sep 2007 Setting up an SSL server with Apache2 on Debian

With the introduction of the Apache2 packages in Debian it is much simpler to create and use a secure SSL protected webserver than in the old days with Apache 1.3, here we’ll show how it is done. If you have Apache 2.x installed already then you’re good to go as you don’t need anything extra installed.

If you haven’t got it installed then you can do so easily:

earth:~# apt-get install apache2
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  apache2-common apache2-mpm-worker apache2-utils openssl ssl-cert
Suggested packages:
  apache2-doc ca-certificates
The following NEW packages will be installed:
  apache2 apache2-common apache2-mpm-worker apache2-utils openssl ssl-cert
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2040kB of archives.
After unpacking 6218kB of additional disk space will be used.
Do you want to continue? [Y/n]

Once the server is installed you need to do three things to get a working SSL setup:

  1. Generate, or import, a certificate.
  2. Enable Apaches SSL support.
  3. Configure your SSL options.

Generating A Certificate

Generating a certificate from scratch will give you something which will be used to protect the traffic exchanged between clients and your server, however it will be unsigned by a trusted certificate authority so it will generate warnings.

Importing a paid and “trusted” certificate will avoid this problem, but that is beyond the scope of this simple introduction.

Generating an SSL certificate for Apache2 may be accomplished using the apache2-ssl-certificate script. This will ask you questions interactively then generate the certificate file appropriately.

Here’s a sample session:

earth:~# apache2-ssl-certificate

creating selfsigned certificate
replace it with one signed by a certification authority (CA)

enter your ServerName at the Common Name prompt

If you want your certificate to expire after x days call this programm
with -days x
Generating a 1024 bit RSA private key
............++++++
..........................++++++
writing new private key to '/etc/apache2/ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Some-State]:Scotland
Locality Name (eg, city) []:Edinburgh
Organization Name (eg, company; recommended) []:Steve Kemp
Organizational Unit Name (eg, section) []:
server name (eg. ssl.domain.tld; required!!!) []:earth
Email Address []: earth-admin@steve.org.uk

Enabling SSL Support

To use the SSL facilities of Apache2 you must enable the module mod_ssl, this can be achieved using the helper tool a2enmod (We’ve previously discussed the Apache2 helper scripts.)

As root run:

earth:~# a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.

Once this is done you’ll have Apache setup to accept SSL connections, but the server will still only be listening for incoming HTTP requests on port 80 – and not SSL connections on port 443. To fix this you must add a line to the file /etc/apache2/ports.conf:

Listen 443

With these two steps out of the way you now have an Apache setup which will listen for and accept SSL connections. The next step is to modify your virtualhosts to use it.

Configuring your SSL Hosts

With a certificate setup, and the server updated to load and listen for incoming SSL connections you’re almost finished. The final step is to ensure that your virtual hosts, or main host, will accept SSL options.

I use virtual hosts upon my machine and this just means adding a couple of options to each one I wish to use SSL:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

For reference here is a complete example which should be easy to modify/understand:

NameVirtualHost *:443
NameVirtualHost *:80

<VirtualHost *:80>
        ServerName earth.my.flat
        DocumentRoot /var/www/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
</VirtualHost>

<VirtualHost *:443>
        ServerName earth.my.flat

        DocumentRoot /var/www/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

Tags: , , , , ,

Posted by

18 May 2007 Generering av SSL sertificat

Dovecot og Courier-imap klager til tider på at sertifikat ikke fungerer. Da kan man kjøre følgende kommando for å lage nytt sertifikat. Kommandoen kjøres fra /etc/ssl/dovecot/

openssl req -new -x509 -nodes -days 365 -out cert.crt -keyout cert.key
cat cert.key cert.crt > cert.pem

Endre navnet på filene slik at de stemmer overns med configfilene til de respektive programmene.

Tags: , , , ,

Posted by