Testing Cipher Strength

Problem

You want to be sure that your web site only negotiates ciphers with keys of 128 bits or more.



Solution

Use openssl s_client with the -cipher option restricted to the weak ciphers you want to rule out: if the handshake succeeds, the server accepts them. See the example.



Example


The following script spins around the 40, 56 and 64 bit cipher groups, weakest first, to find the lowest key length a site allows.

Ideally none of these ciphers should be allowed (check out www.modssl.org for the Apache config; the directive to look for is SSLCipherSuite).

openssl_cipher_check prints the details of the first weak cipher the server agrees to, by feeding the cipher name from the connection output back into openssl ciphers -v. Note that OpenSSL 1.1.0 removed every 40 and 56 bit cipher, so the client side of this check needs a 1.0.x build; on anything newer the -cipher lists match nothing locally and a clean result means nothing.

If you need proxy support with s_client, comment on this thread.


#!/bin/bash
# Probe a site with groups of weak ciphers, lowest key length first,
# and report the first one the server is willing to negotiate.

[ $# -lt 1 ] && {
echo "$0: site:port"
echo "Usage: $0 www.example.com:443"
exit 1
}

fortyciphers='EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5'

fiftysixciphers='EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5'

sixtyfourciphers='RC4-64-MD5'

grabCipher() {
cipher=$1
site=$2

# Send a minimal request so the server answers and closes the connection.
# -servername sends SNI so a host serving several names answers for the right one.
printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "$site" -servername "${site%%:*}" -cipher "$cipher"
}

site=$1

echo "$site"
echo "$site" | sed 's/./-/g'

for na in forty fiftysix sixtyfour
do
# Indirect expansion: ${!var} reads the variable whose name is in var ($$ is the shell PID, not indirection).
varname="${na}ciphers"
ciphers="${!varname}"

# If this openssl build has none of the group, the probe cannot run: say so rather than report a pass.
if ! openssl ciphers "$ciphers" >/dev/null 2>&1
then
echo "Warning: local openssl has no ciphers from the $na bit group; group skipped"
continue
fi

# s_client prints "New, TLSv1/SSLv3, Cipher is DES-CBC-SHA" on success and "Cipher is (NONE)" when the handshake fails.
thiscipher=$(grabCipher "$ciphers" "$site" 2>&1 | awk '/^New,.*Cipher is/ { print $NF }')

[[ -n $thiscipher && $thiscipher != "(NONE)" ]] && {
openssl ciphers -v "$thiscipher"
exit 1   # non-zero so a cron job or build step can notice the weak cipher
}

done

echo "No 40, 56 or 64 bit ciphers supported"

exit 0
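An added example, not from the original post: the same probe written against Python's ssl module, generalised to whatever sub-128-bit ciphers the local OpenSSL build happens to have instead of fixed 40/56/64-bit name lists. It assumes Python 3.7 or later linked against OpenSSL; the @SECLEVEL=0 suffix is OpenSSL 1.1.0+ syntax and is dropped where the library rejects it. The host, port and threshold are parameters, not anything the page specifies. On an OpenSSL 1.1.0+ build the candidate list is normally empty, and the script says so rather than reporting a pass.

```python
"""Added example: weakest-cipher probe with Python's ssl module.

Instead of hand-maintained 40/56/64-bit cipher lists, ask the local OpenSSL
which ciphers it has and how strong each is, then offer the server every one
below the 128-bit line, weakest first, and report the first it accepts.
"""
import socket
import ssl

MIN_BITS = 128  # the page's threshold: anything negotiated below this is a finding


def _set_ciphers(ctx, spec):
    """Apply a cipher spec, adding @SECLEVEL=0 where the library accepts it
    (OpenSSL 1.1.0+) so ciphers its default policy hides can still be offered."""
    try:
        ctx.set_ciphers(spec + ":@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers(spec)  # raises again if spec matches no cipher at all


def available_ciphers():
    """Every cipher the local library can offer, as the dicts returned by
    SSLContext.get_ciphers() ('name', 'protocol', 'strength_bits', ...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    _set_ciphers(ctx, "ALL")
    return ctx.get_ciphers()


def weak_ciphers(ciphers, min_bits=MIN_BITS):
    """Filter cipher dicts to those whose effective strength is below min_bits,
    weakest first. TLS 1.3 suites are skipped: set_ciphers() cannot select
    them and none of them is below 128 bits anyway."""
    weak = [c for c in ciphers
            if c["protocol"] != "TLSv1.3" and c["strength_bits"] < min_bits]
    return sorted(weak, key=lambda c: (c["strength_bits"], c["name"]))


def probe(host, port, cipher_name, timeout=5.0):
    """Handshake offering exactly one cipher. Returns the negotiated
    (name, protocol, bits) triple, or None if the server (or the local
    library) will not do it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we are measuring the cipher, not the chain
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Cap at TLS 1.2 so the server cannot sidestep the offer with a TLS 1.3 suite.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    except (AttributeError, ValueError):
        pass
    try:
        _set_ciphers(ctx, cipher_name)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()
    except (OSError, ssl.SSLError):
        return None


def weakest_accepted(host, port=443):
    """Mirror the page's script: offer the sub-128-bit ciphers this library
    knows, weakest first; return the first the server accepts, else None."""
    for c in weak_ciphers(available_ciphers()):
        got = probe(host, port, c["name"])
        if got is not None:
            return got
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com:443"
    host, _, port = target.partition(":")
    candidates = weak_ciphers(available_ciphers())
    if not candidates:
        # OpenSSL 1.1.0+ ships none of these, so a clean result would mean nothing.
        print("local library has no cipher below %d bits; nothing to test" % MIN_BITS)
        sys.exit(2)
    result = weakest_accepted(host, int(port or 443))
    if result:
        print("WEAK: %s negotiated %s (%d bits) over %s" % (host, result[0], result[2], result[1]))
        sys.exit(1)
    print("%s: none of %d ciphers below %d bits accepted" % (host, len(candidates), MIN_BITS))
```

Run it as python3 weak_cipher_probe.py www.example.com:443 (the file name is arbitrary). Exit status 1 means a weak cipher was negotiated, 2 means the local library could not offer any, 0 means every sub-128-bit cipher on offer was refused.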





SSL Certificate Expiry Date Checker

Problem

You want to automate checking the expiry date of an SSL (HTTPS) certificate.



Solution

The script is shown in the example. It connects to the given site and prints the certificate's expiry date. This can then be automated into a database, using some of my PHP or Perl scripts, which can also be used to report on sites about to expire.



Example



./openssl_cert_expiry_check www.example.com:443

Here is the code, but take note that you may need an openssl client that supports proxying. Leave me a comment if you want this code. If all you need is a yes/no for cron, openssl x509 -noout -checkend 2592000 in place of the -enddate step exits non-zero when the certificate expires within that many seconds (30 days).


#!/bin/bash
# Print the notAfter date of the certificate served by site:port.

[ $# -ne 1 ] && {
echo "Usage: $0 www.example.com:443"
exit 1
}

echo -n "$1 - "

# -servername sends SNI so a host serving several names returns the right certificate.
# sed passes every certificate in the chain, but openssl x509 reads only the first,
# which is the server's own.
printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "$1" -servername "${1%%:*}" 2>&1 |
sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
openssl x509 -noout -enddate |
awk -F= ' /notAfter/ { printf("Expires: %s\n",$NF); } '

exit 0
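An added example (not the page's code) that turns the notAfter date into days remaining and a status, which is what a cron job or the database mentioned above actually needs. It works on the notAfter= line from openssl x509 -enddate as well as on the date string getpeercert() returns; fetch_not_after assumes a Python 3 with a trusted CA bundle, and the 30-day warning window is an arbitrary default.

```python
"""Added example: certificate expiry as days remaining, plus a threshold.

Accepts the 'notAfter=...' line that `openssl x509 -enddate` prints, or the
bare date string that ssl.SSLSocket.getpeercert() returns, and turns it into
a number a script can act on instead of a date someone has to read.
"""
import socket
import ssl
import time

DAY = 86400


def parse_not_after(value):
    """'notAfter=Jun  4 00:13:10 2026 GMT' or 'Jun  4 00:13:10 2026 GMT'
    -> seconds since the epoch (UTC). The stdlib already knows OpenSSL's
    '%b %d %H:%M:%S %Y GMT' layout, double space included."""
    value = value.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    return ssl.cert_time_to_seconds(value)


def days_remaining(not_after, now=None):
    """Whole days until expiry; negative once the certificate has lapsed."""
    if now is None:
        now = time.time()
    return int((parse_not_after(not_after) - now) // DAY)


def status(not_after, warn_days=30, now=None):
    """'expired', 'expiring' (inside the warning window) or 'ok'."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    if left < warn_days:
        return "expiring"
    return "ok"


def fetch_not_after(host, port=443, timeout=5.0):
    """notAfter of the leaf certificate a live server presents.
    getpeercert() returns the parsed dict only after the chain verified, so an
    untrusted or mismatched certificate fails here instead of passing silently."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com:443"
    host, _, port = target.partition(":")
    not_after = fetch_not_after(host, int(port or 443))
    verdict = status(not_after)
    print("%s - Expires: %s (%d days, %s)" % (target, not_after, days_remaining(not_after), verdict))
    sys.exit(0 if verdict == "ok" else 1)
```

The exit status follows the same convention as openssl x509 -checkend: zero only when the certificate is outside the warning window, so the script drops straight into a cron job or monitoring check.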





Compare Java Certificate Stores – cacerts

Problem

You want to compare two cacerts Java certificate stores.

Say comparing a development server against prod, to ensure they both have the same certificates stored in cacerts (the trust store Java uses by default).



Solution

This can come in very handy if you need to compare two different projects or environments. See the example.



Example


Code to generate a list of certs, one line each, with their alias, entry type, owner, valid-from date and fingerprint. The fingerprint is what tells you a certificate was replaced under an unchanged alias.

Start in the directory where your cacerts file resides (normally $JAVA_HOME/jre/lib/security, hence the relative path to keytool; changeit is the default cacerts password).


../../../bin/keytool -list -v -keystore cacerts -storepass changeit | gawk '
# One record per "Alias name:" line; print the previous entry when the next alias starts.
/^Alias name:/ {
if (alias != "") { printf("%s: [%s] %s [from: %s] %s\n", alias, entry, owner, valid, fp); }
alias=substr($0, index($0, ":") + 2); entry=""; owner=""; valid=""; fp="";
}
/^Entry type:/ { entry=$NF; }
/^Owner:/ { owner=substr($0, index($0, ":") + 2); }
# "Valid from: Fri Nov 10 00:00:00 UTC 2006 until: ..." -> 10/Nov/2006
/^Valid from:/ { valid=$5 "/" $4 "/" $8; }
# SHA256 follows SHA1 in the listing, so the stronger one wins on Java 8 and later.
/SHA1:/ || /SHA256:/ { fp=$NF; }
END { if (alias != "") { printf("%s: [%s] %s [from: %s] %s\n", alias, entry, owner, valid, fp); } }
' | sort

You may need to change gawk for nawk on Solaris, etc.

Dump this out into a file for each env, then run diff with something like this (diff -s says so when the files are identical; the egrep strips the hunk headers so only the < and > lines remain, and the final grep -v is where you filter out entries you already know about):


diff -s dump.cob dump.dev | egrep -v -- "^([0-9]|--)" | sort | grep -vn xxx
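An added example, not the post's own code, that parses the keytool -list -v dump itself and compares the two stores by alias and fingerprint rather than by text line, so a certificate swapped under an unchanged alias is reported as a difference and not buried in a diff. The sample dumps are constructed for the example (fingerprints shortened to four bytes) in the keytool layout shown above; it assumes both dumps come from the same keytool version, so the fingerprints it compares are of the same kind.

```python
"""Added example: compare two Java trust stores from `keytool -list -v` dumps.

Keyed by alias and compared on fingerprint (SHA-256 when keytool prints one,
SHA-1 otherwise), so a certificate swapped under an unchanged alias is
reported, not buried in a text diff of the two dumps.
"""


def parse_keytool_listing(text):
    """`keytool -list -v` output -> {alias: {entry, owner, valid, fingerprint}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"entry": "", "owner": "", "valid": "", "fingerprint": ""}
            entries[line.split(":", 1)[1].strip()] = current
        elif current is None:
            continue  # keystore header lines before the first alias
        elif line.startswith("Entry type:"):
            current["entry"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            current["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:"):
            current["valid"] = line.split(":", 1)[1].strip()
        elif line.startswith("SHA256:"):
            current["fingerprint"] = line.split(":", 1)[1].strip().upper()
        elif line.startswith("SHA1:") and not current["fingerprint"]:
            # Older keytool prints MD5/SHA1 only; a later SHA256 line overrides this.
            current["fingerprint"] = line.split(":", 1)[1].strip().upper()
    return entries


def compare_stores(a, b):
    """Aliases only in a, only in b, and in both but with different fingerprints."""
    common = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "differ": sorted(x for x in common if a[x]["fingerprint"] != b[x]["fingerprint"]),
    }


def describe(alias, e):
    # Same shape as the awk output above, plus the fingerprint.
    return "%s: [%s] %s [from: %s] %s" % (alias, e["entry"], e["owner"], e["valid"], e["fingerprint"])


# Constructed sample dumps, not from any real keystore (fingerprints cut to 4 bytes):
# the root CA was re-issued under the same alias in prod, and each store has one
# alias the other lacks.
DEV_DUMP = """\
Keystore type: JKS

Alias name: exampleroot
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Corp, C=US
Valid from: Tue Jan 3 00:00:00 UTC 2006 until: Fri Jan 3 00:00:00 UTC 2031
Certificate fingerprints:
\t SHA1: 11:11:11:11
\t SHA256: AA:AA:AA:AA

*******************************************

Alias name: devonlyca
Entry type: trustedCertEntry
Owner: CN=Dev Only CA, O=Example Corp, C=US
Valid from: Wed Feb 1 00:00:00 UTC 2006 until: Sat Feb 1 00:00:00 UTC 2016
Certificate fingerprints:
\t SHA256: BB:BB:BB:BB
"""

PROD_DUMP = """\
Alias name: exampleroot
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Corp, C=US
Valid from: Mon Jan 2 00:00:00 UTC 2012 until: Sat Jan 2 00:00:00 UTC 2037
Certificate fingerprints:
\t SHA1: 33:33:33:33
\t SHA256: CC:CC:CC:CC

Alias name: prodonlyca
Entry type: trustedCertEntry
Owner: CN=Prod Only CA, O=Example Corp, C=US
Valid from: Thu Mar 1 00:00:00 UTC 2007 until: Tue Mar 1 00:00:00 UTC 2017
Certificate fingerprints:
\t SHA256: DD:DD:DD:DD
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # two saved dumps, e.g. dump.dev dump.cob
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            a, b = parse_keytool_listing(fa.read()), parse_keytool_listing(fb.read())
    else:
        a, b = parse_keytool_listing(DEV_DUMP), parse_keytool_listing(PROD_DUMP)
    result = compare_stores(a, b)
    for alias in result["only_in_a"]:
        print("< " + describe(alias, a[alias]))
    for alias in result["only_in_b"]:
        print("> " + describe(alias, b[alias]))
    for alias in result["differ"]:
        print("! " + describe(alias, a[alias]))
        print("! " + describe(alias, b[alias]))
```

Run with no arguments it compares the two built-in sample dumps; with two file names it compares saved keytool -list -v output, which is the same pair of files the diff above works on.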



Reference

[tags]openssl, cacerts, java certificates, comparing java certs, Unix Coding School[/tags]



Generate Random Data with dd

Problem

You want to generate 512 bytes of random data using the UNIX dd command.



Solution

Reading /dev/random may block until the kernel's entropy pool is considered full, whereas /dev/urandom never blocks; on a booted system both are fed from the same kernel generator, so /dev/urandom is the right source for scripts, keys and salts, and the blocking is the only thing you are avoiding.

The output is raw bytes, so pass it through something that makes control characters visible or it will trash your terminal: cat -v prints them as ^X and M-x sequences, and -e additionally marks each line end with $.

See the examples.



Example


dd bs=1 count=512 if=/dev/urandom | cat -ve

dd is a very powerful command that can read files, data, tapes, even whole disks, varying the number of blocks with count and the block size with bs. With bs=1 it issues one read per byte; bs=512 count=1 fetches the same 512 bytes from /dev/urandom in a single read.

if is the input file or device and of designates the output.

dd bs=1 count=512 if=/dev/urandom | openssl base64

It can also convert case with conv=ucase and conv=lcase, among other conversions.

If you have an extremely large file, dd can start at an offset via the skip option; for example, to skip the first 1k of the file and read 100 bytes:


dd if=access_log.techieblogs bs=1 skip=1024 count=100
- - [04/Jun/2006:00:13:10 +0800] "GET /mysqldemo/run_q.php?database=mysql HTTP/1.1" 200 1364



Reference

[tags]dd, pseudo random data, cat, Unix Coding School[/tags]



While For Loops

Problem

You want to loop around a number of times and perform an action.



Solution

Being able to loop a given number of times is where the shell starts to earn its keep. See the example.



Example


For example, spin around 100 times and print hello:

i=0; while [[ $i -lt 100 ]] ; do echo -n "hello"; ((i++)) ; done; echo ""
hellohellohellohellohellohellohellohellohellohello
hellohellohellohellohellohellohellohellohellohello
hellohellohellohellohellohellohellohellohellohello
hellohellohellohellohellohellohellohello...

Similarly the for command is a beauty too: spin around 5 times and kick off an inner loop 5 times, then paste the result into 5 columns:


for i in 1 2 3 4 5; do for j in 1 2 3 4 5; do echo "$i:$j"; done; done | paste - - - - -
1:1 1:2 1:3 1:4 1:5
2:1 2:2 2:3 2:4 2:5
3:1 3:2 3:3 3:4 3:5
4:1 4:2 4:3 4:4 4:5
5:1 5:2 5:3 5:4 5:5



Reference

[tags]Unix Coding School[/tags]



Split output over columns

Problem

Ever wanted to produce columns of output, rather than have your output spill off the screen?



Solution

The command for this is paste; see the example for how it works, splitting output into 3 columns.



Example


ls | paste - - -
comments.php comments-popup.php fat.js
footer.php header.php index.php
screenshot.png sidebar.php style.css

As you'd expect with UNIX, that is not the end of this command's uses! 🙂

Create a comma separated list:

ls | paste - - - -d,
comments.php,comments-popup.php,fat.js
footer.php,header.php,index.php
screenshot.png,sidebar.php,style.css

Then, courtesy of the GNU info page for paste:


$ cat num2
1
2
$ cat let3
a
b
c
$ paste num2 let3
1	a
2	b
	c

And:


$ paste -s num2 let3
1 2
a b c



Reference

[tags]paste, Unix Coding School[/tags]



Check var for pattern

Problem

You want to check a variable for a given pattern.



Solution

This is my personal favorite way to check for values in vars. See examples.



Example


[[ $(echo "$var" | grep -ic "pattern") -eq 0 ]] && { echo "var does not contain pattern"; }

You could also go for "-eq 1" (does contain):

[[ $(echo "$var" | grep -ic "pattern") -eq 1 ]] && { echo "var does contain pattern"; }

Or "-ne 0" for the same, etc.

[[ $(echo "$var" | grep -ic "pattern") -ne 0 ]] && { echo "var does contain pattern"; }

Plus you could use || for "or", either in place of "&&" or after this block, same as if .. then "positive" else "negative" fi.

[[ $(echo "$var" | grep -ic "pattern") -eq 0 ]] || { echo "var does contain pattern"; }

Note that grep -c counts matching lines, not matches, so "-eq 1" only holds for a single-line variable; "-ne 0" is the robust form. In bash and ksh the [[ test can also match a glob or a regex against the variable directly, which avoids the subshell and the grep altogether.



Reference

[tags]Unix Coding School[/tags]



Detach proc from shell

Problem

When you exit your shell, the processes you’ve kicked off die.



Solution

If you start a process with nohup (ignore the hangup signal), it will not exit (usually) when your shell is exited. nohup stands for no hang up, a throwback to dial-up terminal lines, where losing the line sent SIGHUP to everything running on it.



Example


nohup command > /tmp/logfile.log 2>&1 &

Point the log at a directory only you can write to where you can; a fixed, predictable name in the shared /tmp can be pre-created or symlinked by another user before you redirect into it.

If you forget to run the command with nohup, the same effect can be had after the fact (this works on Solaris too).

Just background the process (Ctrl-Z, then bg) and type disown:

disown %1

Without an argument disown applies to the current job. The jobs builtin lists backgrounded jobs; after disown the job no longer appears, and the shell will not send it SIGHUP when you exit.



Reference

[tags]nohup, disown, daemons, Unix Coding School[/tags]



Binary Calculator Hex

Problem

You want to perform some arithmetic with UNIX.



Solution

bc, the arbitrary-precision calculator installed with pretty much every version of UNIX, can be used for an array of tasks.

Not just basic calculations, but also converting between bases, and it can be automated, etc.



Example


Its simplest use is just to run bc and add, subtract, multiply or divide:


bc
888+999
1887

Be aware though that bc truncates division to whole numbers unless you set scale; the "-l" option loads the math library and, as a side effect, sets scale to 20. For example:


bc
999/222
4

Obviously wrong! 🙂 Now with the long option:


bc -l
999/222
4.50000000000000000000

It can also be automated like this, to convert between decimal and hex (ibase is the base numbers are read in, obase the base they are printed in):


i=0; while ((i < 20)) ; do echo -n " $i: "; echo "ibase=10;obase=16;$i" | bc; ((i++)); done | paste - - - -
0: 0 1: 1 2: 2 3: 3
4: 4 5: 5 6: 6 7: 7
8: 8 9: 9 10: A 11: B
12: C 13: D 14: E 15: F
16: 10 17: 11 18: 12 19: 13



Reference

[tags]BC, HEX, Unix Coding School[/tags]