Telling OpenSSL About Your Root Certificates

OpenSSL doesn’t ship with its own set of trusted root certificates; you have to tell it where to find them. This should be straightforward, and on most systems it is, but Apple have found a way to make it trickier.

Normal *nix Systems

On a normal Unix system OpenSSL knows where the root certificates ought to live, but it still doesn’t reference them automatically. For example, running Ubuntu:

john@ubuntu:~$ openssl s_client -connect www.microsoft.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network,
  OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN =
  VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
[...removed for brevity...]
    PSK identity hint: None
    SRP username: None
    Start Time: 1425842365
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

OpenSSL cannot validate the VeriSign chain: verify error 20 (“unable to get local issuer certificate”) means it could not find the issuer of the depth-2 certificate in any trust store it knows about. So where are the trusted root certificates stored? OpenSSL itself will tell us:

john@ubuntu:~$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

Add that directory to the command as the -CApath parameter (note that -CApath is meant to point at a directory of CA certificates indexed by subject-name hash, the <hash>.0 links that c_rehash creates; on Debian/Ubuntu that hashed directory is $OPENSSLDIR/certs, a symlink to /etc/ssl/certs), and:

john@ubuntu:~$ openssl s_client -CApath /usr/lib/ssl -connect 
  www.microsoft.com:443
CONNECTED(00000003)
depth=3 C = US, O =

Continue reading
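The same failure-then-success sequence can be reproduced offline, without depending on the Ubuntu store or on www.microsoft.com. The script below is an added example, not part of the original post: it builds a throwaway root CA and a leaf certificate with the openssl CLI, then runs `openssl verify` on the leaf with no trust store (which fails with the same error 20), with a hashed directory passed via -CApath, and with a single bundle passed via -CAfile. The working directory, the subject names and the helper function names are assumptions made for this demo; it only needs the `openssl` binary.

```shell
#!/bin/sh
# Added example (not from the original post): show why `openssl verify`
# fails until it is told where the root certificate lives, and what a
# -CApath directory actually has to look like. All paths, subject names
# and function names here are assumptions made for this demo.

WORK="${TMPDIR:-/tmp}/openssl-capath-demo.$$"   # assumed scratch dir
CAPATH="$WORK/capath"

# Where this OpenSSL build looks for its trust store by default.
show_default_dir() {
    openssl version -d
}

# Create ca.pem (self-signed root), leaf.pem (signed by that root), and a
# -CApath directory holding the root under its subject-hash file name.
make_demo_pki() {
    mkdir -p "$CAPATH" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null || return 1
    # -CApath lookups open "<subject_hash>.N"; the file name is what
    # matters, not the certificate's original name. This is the step that
    # c_rehash / `openssl rehash` automate for a whole directory.
    h=$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem") || return 1
    cp "$WORK/ca.pem" "$CAPATH/$h.0"
}

# Run `openssl verify` on the leaf with the given trust-store options,
# echo its output, and succeed only if OpenSSL reported ": OK".
# (Matching the output rather than the exit code keeps this portable
# across OpenSSL versions.)
run_verify() {
    out=$(openssl verify "$@" "$WORK/leaf.pem" 2>&1)
    echo "$out"
    case "$out" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# No trust store given: the demo root is unknown, so this fails with
# "unable to get local issuer certificate" (error 20, as in the post).
verify_without_store() { run_verify; }

# Same leaf, but with the hashed directory supplied via -CApath.
verify_with_capath() { run_verify -CApath "$CAPATH"; }

# Equivalent using a single PEM bundle instead of a hashed directory.
verify_with_cafile() { run_verify -CAfile "$WORK/ca.pem"; }

cleanup() { rm -rf "$WORK"; }

demo() {
    show_default_dir
    make_demo_pki || { echo "could not build demo PKI" >&2; return 1; }
    echo "--- without a trust store:"
    verify_without_store || echo "(expected failure)"
    echo "--- with -CApath:"
    verify_with_capath
    echo "--- with -CAfile:"
    verify_with_cafile
    cleanup
}

# Run the walkthrough when executed directly; the functions can also be
# sourced and called individually.
[ "${OPENSSL_DEMO_NO_RUN:-0}" = 1 ] || demo
```

The point to take away is the `cp ca.pem capath/$h.0` line: a -CApath directory is only useful if the files in it are named by subject hash, which is why pointing -CApath at a directory of arbitrarily named PEM files silently fails. If you only have a bundle file, -CAfile is the right option; s_client accepts the same two flags as verify.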

Musk needs to tap the brakes a bit

Oh, that Elon Musk. Always saying the most provocative things, such as yesterday when he addressed attendees at an Nvidia conference and suggested that driverless cars will someday bring about a ban on the human-driven kind. “It’s too dangerous,” he said. “You can’t have a person driving a two-ton death machine.”

Choosing a Route: Order of Operations

In Cisco IOS, packets are forwarded through the router (or Layer 3 switch) by Cisco Express Forwarding (CEF). A data structure called the CEF table contains the list of known IP prefixes and, for each, the outgoing interface that packets should be put on to get them onwards to their destination. That’s well and good. But how do the IP prefixes make it into the CEF table? To answer that question you have to work backwards and understand the order of operations that IOS goes through before a prefix lands in the CEF table.

The answer to that question confused me a bit, particularly when working with complex redistribution schemes. I would end up concentrating so much on administrative distance (AD) that I would overlook the other, more important elements that determine what goes into the CEF table. To improve my understanding I came up with this order of operations, which helps me not only with redistribution but in pretty much any situation where I’m trying to do traffic engineering.

You will not find this order of operations on cisco.com or in any Continue reading

UK government filing raises fears about misuse of hacking powers

A legal filing by the U.K. government has raised fears that the country’s intelligence service GCHQ is misusing its powers to hack telecommunications companies in other countries. The document was made public by Privacy International and the Chaos Computer Club, both claimants in a lawsuit filed last year against GCHQ over its spying practices. In the filing, which is part of the case, the U.K. government claims it has the right to break into computers anywhere in the world, even if they are not connected to a crime or a threat to national security, the groups said.

FCC’s net neutrality rules are complex, and that might be a good thing

Last week, the Federal Communications Commission released a 400-page document laying out the official orders for how it plans to regulate net neutrality under Title II common-carrier provisions. Not surprisingly, reactions to the document’s specifics immediately separated out along ideological lines, with supporters of the doctrine praising the rules while opponents attacked them for leading to “years of litigation, serious collateral consequences for consumers, and ongoing market uncertainty.”

Stay flexible, my friends

Microsoft’s deal with Xiaomi over Windows 10 raises eyebrows

Microsoft could be trying to chip away at Android’s dominance in its deal with Xiaomi to test the new Windows 10 operating system. The U.S. software giant announced Wednesday that select users of Xiaomi’s Android phones will be able to download a Windows 10 Technical Preview to their handsets and offer feedback to Microsoft. The software giant is creating a custom Windows 10 build that can be loaded on the phones. Xiaomi has said it’s only an “experimental program” and not a commercial partnership. The program will target “power users” already adept at using their devices to install custom Android ROMs, also known as firmware. Following the announcement, Xiaomi’s online forum said it would release the Windows 10 pack soon.

US gov’t wants HTTPS on its publicly-accessible sites within two years

Publicly accessible websites and services of U.S. government agencies will have to move to HTTPS encryption within two years to meet the government’s objective that these sites and Web services should be offered over a secure connection. Hypertext Transfer Protocol Secure offers the strongest privacy protection available for public Web connections with today’s Internet technology, according to a draft proposal released Tuesday by the White House’s Office of Management and Budget. “The use of HTTPS reduces the risk of interception or modification of user interactions with government online services,” it added.

Xiaomi users to test Windows 10 ahead of summer launch

Windows 10 will arrive this summer, and Microsoft is tapping an unlikely partner to help test it: Chinese Android handset maker Xiaomi. To flesh out the upcoming OS, Microsoft is inviting a select group of Xiaomi users to download the Windows 10 Technical Preview to their phone and offer feedback. It’s a surprising tie-up, given that Xiaomi has had huge success in using Android to sell its phones. Last year it became China’s leading smartphone vendor, and the company has ambitions to expand globally. Whether this means Xiaomi will explore using Microsoft’s new OS is unclear. In an email, Xiaomi said the testing of Windows 10 was an “experimental program entirely led by Microsoft.” The program will be confined to “power users” of its flagship phone, the Mi 4.

Premera, Anthem data breaches linked by similar hacking tactics

Premera Blue Cross may have been attacked using the same methods employed against its fellow health insurer Anthem, suggesting that a single group may be behind both breaches. Customer data, including bank account and clinical data going back to 2002, may have been compromised in the attack, affecting 11 million people, Premera said Tuesday. It is the largest breach to affect the healthcare industry since Anthem disclosed last month that upwards of 78.4 million records were at risk after hackers accessed one of its databases. Several computer security companies have published data that points to a China-based group known as Deep Panda as a possible source for Anthem’s breach.

Hundreds of Android and iOS apps are still vulnerable to FREAK attacks

Hundreds of Android and iOS apps are still vulnerable to a dangerous attack revealed two weeks ago that can compromise encrypted data, a security vendor said Tuesday. The apps have not yet been patched against the FREAK attack, short for Factoring attack on RSA-EXPORT Keys, which was revealed by researchers on March 3. The unpatched apps, which were not identified, are in categories including finance, communication, shopping, business and medicine, computer security company FireEye said in a blog post Tuesday. The findings highlight how even some of the most publicized and severe flaws can take quite a bit of time to get fixed. That poses risks for people using apps whose developers are not quick to patch them.

Google Cloud and a Chromebook might be your next contact center

The next time you call customer service, you may get an answer from a Chromebook. The Chromebook won’t answer your questions, but the human who does may be talking through Google’s connected laptop with a headset. And they may be doing so from home. The days of vast in-house contact centers may be numbered now that pure software and VoIP (voice over Internet Protocol) can handle the same tasks dedicated systems used to do. One of the longtime vendors of call centers, Avaya, has started turning to cloud computing for some large enterprise deployments. Now, with an eye on smaller customers, the company is hosting its contact-center software on Google Cloud and letting companies send out Chromebooks to agents who will talk and text with customers.

DockerCon 2015 CFP Extended

Thank you to all who have submitted a session for DockerCon so far. We are very excited by the nearly 342 fantastic submissions we’ve received. After our initial call for papers closed on Monday, we received an overwhelming response and … Continued

Premera Blue Cross says data breach may affect 11 million customers

As many as 11 million customers may have been affected by a data breach at U.S. health insurance provider Premera Blue Cross, in the second large attack against the health care industry disclosed in the last two months. The breach, discovered on Jan. 29, may have compromised customer names, birth dates, Social Security numbers, mailing and email addresses, phone numbers and bank account details, as well as claims and clinical information, Premera said on its website. It hadn’t determined yet if that sensitive information was actually removed from its systems, and it said there’s “no evidence to date that such data has been used inappropriately.” The FBI has been notified, it said.

Ellison swings at Salesforce as Oracle’s growth sputters

Oracle expects to generate more than $1 billion in new SaaS and PaaS business in 2015, putting it toe-to-toe in the cloud market with Salesforce.com, Oracle’s top executives said Tuesday. “It’s going to be close, but you won’t have to wait very long to find out who’s going to win this,” Oracle Chairman and CTO Larry Ellison told financial analysts during the company’s quarterly earnings call. Oracle’s software-as-a-service (SaaS) and platform-as-a-service (PaaS) revenue grew by 30 percent to $372 million in the quarter ended Feb. 28, the third of Oracle’s fiscal year. Adjusting for strong currency fluctuations, the growth would have been 34 percent, Oracle said.

EVPN Configuration

In my last blog I explained the features and use cases of the EVPN technology. In this blog I want to show how easy it is to configure, enable and expand EVPN. The configuration is focused on the Juniper MX platform, but as Junos is the single operating system across the entire Juniper portfolio, the configuration on other platforms (such as the EX9200) is the same.

Design

The topology is really simple. I’m using two routers in this example, so multi-homing is not in scope. Each router has an Ethernet segment attached that carries multiple VLANs. One VLAN ID differs between the two sides, so that mismatch has to be handled.

Prepare for EVPN

Before we can start creating our VPN, we have to make sure the foundation is in place. This means we need IP reachability to the other data center router’s loopback address, and we need BGP with the EVPN address family enabled between the two. The Junos release I’m testing with also needs a special knob enabled to ensure packet lookups are done in the right way; in later releases this knob disappears, as that behaviour becomes the default.

routing-options {
    autonomous-system 64999;
    forwarding-table {
         Continue reading