Testing Cipher Strength

[problem]

You want to be sure that your web site only negotiates ciphers of 128 bits or stronger, and refuses the old 40, 56 and 64 bit ones.

[/problem]

[solution]

Use openssl s_client with the -cipher option to offer the server only the weak ciphers: if the handshake succeeds, the server accepts them. See the example.

[/solution]

[example]

The following script tries 40, 56 and 64 bit cipher lists in turn, to find the weakest the site allows.

Ideally none of these ciphers should be allowed (check out www.modssl.org for the Apache config; look for SSLCipherSuite).

openssl_cipher_check prints the cipher details (key exchange, authentication, encryption and MAC) for the first weak cipher the connection output reports.

Two caveats. Recent OpenSSL releases no longer build the export ciphers at all, so check that `openssl ciphers -v 'EXP:LOW'` lists something on the client before trusting a "no weak ciphers" result. And on OpenSSL 1.1.1 or later the TLS 1.3 suites are negotiated regardless of -cipher, so add -no_tls1_3 (or -tls1_2) to the s_client call; otherwise a TLS 1.3 server appears to accept every list.

If you need proxy support with s_client comment on this thread.


#!/bin/bash

[ $# -lt 1 ] && {
    echo "$0: site:port"
    echo "Usage: $0 www.example.com:443"
    exit 1
}

# OpenSSL cipher names grouped by symmetric key size (see: openssl ciphers -v).
fortyciphers='EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5'

fiftysixciphers='EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5'

sixtyfourciphers='RC4-64-MD5'

# OpenSSL 1.1.1 and later negotiate TLS 1.3 suites regardless of -cipher,
# which would make every list look accepted; pin to TLS 1.2 and below there.
opts=''
openssl s_client -help 2>&1 | grep -q -- '-no_tls1_3' && opts='-no_tls1_3'

# Offer only the given cipher list to the site and pass s_client's output through.
grabCipher() {
    cipher=$1
    site=$2

    # A minimal request so the server answers and closes the connection.
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "$site" $opts -cipher "$cipher"
}

site=$1

echo "$site"
echo "$site" | sed 's/./-/g'

for na in forty fiftysix sixtyfour
do
    # Indirect lookup of $fortyciphers, $fiftysixciphers, $sixtyfourciphers.
    eval "ciphers=\$${na}ciphers"

    # s_client reports the negotiated cipher as "... Cipher is NAME";
    # a refused handshake reports "(NONE)", which counts as nothing negotiated.
    thiscipher=$(grabCipher "$ciphers" "$site" 2>&1 | awk '/Cipher is/ && $NF != "(NONE)" { print $NF; exit }')

    [[ -n $thiscipher ]] && {
        openssl ciphers -v "$thiscipher"
        exit 1   # non-zero so a monitoring job notices the weak cipher
    }
done

echo "No 40, 56 or 64 bit ciphers supported"

exit 0
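
The script above only knows three fixed lists. The following is an added example, not code from the original post, that generalizes it: it offers every cipher the local OpenSSL can build, one per handshake, and reports each one the server accepts together with its key size as printed by openssl ciphers -v. The host:port argument, the --list-weak switch and the function names are this example's own. The parsing helpers take captured text, so they can be checked without a server; the sample lines used to test them are constructed.

```bash
#!/bin/bash
# Added example; not code from the original post. Instead of three fixed
# lists it offers every cipher the local OpenSSL knows, one at a time, and
# reports which ones the server accepts with the key size taken from
# "openssl ciphers -v". The text helpers are kept separate so they can be
# checked without a network connection.

# Print the negotiated cipher from captured s_client output, or nothing if
# the handshake failed (s_client then prints "Cipher is (NONE)").
negotiated_cipher() {
    printf '%s\n' "$1" | awk '/Cipher is/ { c = $NF } END { if (c != "" && c != "(NONE)") print c }'
}

# Print the symmetric key size from one "openssl ciphers -v" line, e.g.
# "EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export" -> 40.
# Prints nothing for Enc=None (the NULL ciphers).
cipher_bits() {
    printf '%s\n' "$1" | sed -n 's/.*Enc=[^(]*(\([0-9]*\)).*/\1/p'
}

# Read "openssl ciphers -v" lines on stdin; print "name bits" for every
# cipher weaker than 128 bits (NULL ciphers count as 0).
weak_ciphers() {
    while read -r line; do
        [ -n "$line" ] || continue
        name=${line%% *}
        bits=$(cipher_bits "$line")
        [ "${bits:-0}" -lt 128 ] && printf '%s %s\n' "$name" "${bits:-0}"
    done
    return 0
}

# Try every cipher against host:port ($1) and print the accepted ones.
probe_server() {
    target=$1
    opts=''
    # OpenSSL 1.1.1+ negotiates TLS 1.3 suites no matter what -cipher says,
    # which would make every probe "succeed"; pin to TLS 1.2 and below there.
    openssl s_client -help 2>&1 | grep -q -- '-no_tls1_3' && opts='-no_tls1_3'
    openssl ciphers -v 'ALL:COMPLEMENTOFALL' | while read -r line; do
        name=${line%% *}
        case $name in TLS_*) continue ;; esac   # TLS 1.3 names are not -cipher names
        bits=$(cipher_bits "$line")
        out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "$target" $opts -cipher "$name" 2>&1)
        if [ -n "$(negotiated_cipher "$out")" ]; then
            printf '%s accepts %s (%s bits)\n' "$target" "$name" "${bits:-0}"
        fi
    done
}

if [ $# -ge 1 ]; then
    case $1 in
        --list-weak) openssl ciphers -v 'ALL:COMPLEMENTOFALL' | weak_ciphers ;;
        *)           probe_server "$1" ;;
    esac
fi
```

Run it as `./probe_ciphers www.example.com:443` to see every accepted cipher, or with `--list-weak` to see which ciphers the local OpenSSL can offer below 128 bits; if that list is empty, the probe cannot prove the server refuses them. Each probe is one full handshake, so expect a few hundred connections per host.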

[/example]

[reference]

[tags]Ciphers, 128 bits, openssl s_client, Unix Coding School[/tags]

[/reference]

SSL Certification Expiry Date Checker

[problem]

You want to automate checking the expiry date of a site's SSL (HTTPS) certificate.

[/problem]

[solution]

The link to the script is displayed in examples. It connects to the given site and shows the certificate's expiry date. This can then be automated into a database, using some of my PHP or Perl scripts, which can also be used to report on sites about to expire.

[/solution]

[example]


./openssl_cert_expiry_check www.example.com:443

Here is the code – but take note you may need the openssl client that supports proxying. Leave me a comment if you want this code.


#!/bin/bash

[ $# -ne 1 ] && {
    echo "Usage: $0 www.example.com:443"
    exit 1
}

echo -n "$1 - "

# A minimal request so the server completes the handshake and closes.
# -servername sends SNI, so a virtual-hosted server returns the right certificate.
printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "$1" -servername "${1%%:*}" 2>&1 |
sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
openssl x509 -noout -enddate |
awk -F= ' /notAfter/ { printf("Expires: %s\n",$NF); } '

exit 0
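
Printing the date is only half the job; a cron job needs an exit status it can act on. The following is an added example, not code from the original post: it fetches the leaf certificate with SNI and then lets `openssl x509 -checkend` decide whether the certificate is expired or inside a warning window, so no date parsing happens in the shell. The function names, the 30 day default threshold and the 0/1/2/3 exit codes (the usual monitoring convention) are this example's choices; the s_client output used to test the PEM extraction is constructed.

```bash
#!/bin/bash
# Added example; not code from the original post. Fetches the leaf
# certificate with SNI, then classifies it with "openssl x509 -checkend"
# so no dates have to be parsed in the shell. Exit codes follow the
# monitoring convention 0=OK 1=WARNING 2=CRITICAL 3=UNKNOWN.

# Keep only the first PEM block from s_client output: the leaf certificate.
# With -showcerts the chain follows and would otherwise be printed too.
first_cert_block() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
    sed '/-----END CERTIFICATE-----/q'
}

# $1: host:port. -servername sends SNI so a virtual-hosted server returns
# the certificate for that name rather than its default one.
fetch_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null | first_cert_block
}

# $1: PEM file, $2: warning threshold in days (default 30).
# Prints "STATUS ... <notAfter>"; returns 0 ok, 1 warning, 2 expired.
check_expiry() {
    local pem=$1 warn_days=${2:-30} enddate
    enddate=$(openssl x509 -noout -enddate -in "$pem" | sed 's/^notAfter=//')
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null; then
        printf 'CRITICAL expired %s\n' "$enddate"; return 2
    elif ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$pem" >/dev/null; then
        printf 'WARNING expires %s\n' "$enddate"; return 1
    fi
    printf 'OK expires %s\n' "$enddate"; return 0
}

main() {
    [ $# -ge 1 ] || { echo "Usage: $0 host:port [warn_days]" >&2; exit 3; }
    pem=$(mktemp)
    fetch_cert "$1" > "$pem"
    if ! grep -q 'BEGIN CERTIFICATE' "$pem"; then
        echo "UNKNOWN no certificate from $1"; rm -f "$pem"; exit 3
    fi
    printf '%s ' "$1"
    check_expiry "$pem" "${2:-30}"; rc=$?
    rm -f "$pem"
    exit "$rc"
}

if [ $# -ge 1 ]; then main "$@"; fi
```

Run `./cert_expiry www.example.com:443 14` from cron and alert on any non-zero exit; the one line of output says which case it was. Only the leaf certificate is checked, so an intermediate that expires earlier still needs its own check.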

[/example]

[reference]

[tags]openssl, SSL Certification Expiry Date Checker, Unix Coding School[/tags]

[/reference]

Compare Java Certificate Stores – cacerts

[problem]

You want to compare two cacerts java certificate stores.

Say comparing a development server against prod, to ensure they both have the same certs stored in cacerts (the trust store used by Java, among others).

[/problem]

[solution]

This can come in very handy, if you need to compare 2 different projects or envs. See the example.

[/solution]

[example]

Code to generate a list of certs, along with their alias, entry type, owner and valid-from date.

Start in the directory where your cacerts file resides.


../../../bin/keytool -list -v -keystore cacerts -storepass changeit | gawk ' {
    if(/^Alias name/) {
        # print the previous entry before starting the next one
        if(alias != "") { printf("%s: [%s] %s [from: %s]\n",alias,entry,owner,valid); }
        alias=$0; sub(/^Alias name: */,"",alias);
    }
    if(/^Entry type/) { entry=$NF; }
    if(/^Owner/) { owner=$0; sub(/^Owner: */,"",owner); }
    # "Valid from: Tue Jan 01 00:00:00 GMT 2019 until: ..." -> 01/Jan/2019
    if(/^Valid from/) { valid=$5"/"$4"/"$8; }
} END { printf("%s: [%s] %s [from: %s]\n",alias,entry,owner,valid); }
' | sort

You may need to change gawk for nawk on Solaris, etc.

Dump this out into a file for each env. Then run diff with something like this:


diff -s dump.cob dump.dev | egrep -v -- "^([0-9]|--)" | sort | grep -vn xxx
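
Alias, owner and dates do not change when a certificate is re-issued under the same name, so a store with the same list can still hold different keys. The following is an added example, not code from the original post, that compares the two dumps by SHA-256 fingerprint instead: it reduces each `keytool -list -v` dump to "alias fingerprint" lines and uses comm to show what is only in one store. The function names and the dump file names are this example's own; the two dumps used to test it are constructed, with a corp-ca entry re-issued between them.

```bash
#!/bin/bash
# Added example; not code from the original post. Reduces each keystore
# dump to "alias sha256-fingerprint" lines and diffs the two sets, so a
# cert re-issued with the same owner and dates but a different key still
# shows up. Parses "keytool -list -v" output, which prints an "Alias name:"
# line per entry and a "SHA256:" line under "Certificate fingerprints:".

# stdin: keytool -list -v output. stdout: "alias sha256-fingerprint", sorted.
# A PrivateKeyEntry with a chain yields one line per certificate in the chain.
store_fingerprints() {
    awk '
        /^Alias name:/     { sub(/^Alias name: */, ""); alias = $0 }
        /^[ \t]*SHA256:/   { print alias, $NF }
    ' | sort
}

# $1, $2: files holding keytool -list -v output for each environment.
# Prints "< alias fp" for certs only in $1 and "> alias fp" for only in $2.
# Returns 0 if the stores hold the same certificates, 1 if they differ.
compare_stores() {
    a=$(mktemp); b=$(mktemp)
    store_fingerprints < "$1" > "$a"
    store_fingerprints < "$2" > "$b"
    # comm -3 drops common lines; lines only in $2 carry a leading tab.
    diffs=$(comm -3 "$a" "$b" | awk -F'\t' '{ if ($1 == "") print ">", $2; else print "<", $1 }')
    rm -f "$a" "$b"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

if [ $# -eq 2 ]; then
    # Produce the dumps first, on each host:
    #   keytool -list -v -keystore cacerts -storepass changeit > dump.dev
    compare_stores "$1" "$2"
fi
```

Run as `./compare_cacerts dump.dev dump.prod`; an empty result and exit status 0 means the stores are the same set of certificates, whatever the aliases' order or creation dates.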

[/example]

[reference]

[tags]openssl, cacerts, java certifications, comparing java certs, Unix Coding School[/tags]

[/reference]

Generate Random Data with dd

[problem]

You want to generate 512 bytes of random data, using the UNIX dd command (the name comes from the IBM JCL "Data Definition" statement, not from "disk to disk", although that is how most people remember it).

[/problem]

[solution]

Reading /dev/random can block until the kernel has gathered enough entropy (on Linux before 5.6 and on older BSDs), whereas /dev/urandom never blocks and just pumps out whatever is available. Once the pool has been seeded at boot, urandom's output is fine for keys and tokens.

You need to escape the control characters, or else they will trash your terminal. cat -ve (GNU cat: -v shows non-printing characters, -e also marks line ends with $) escapes them for you.

See examples

[/solution]

[example]

dd bs=1 count=512 if=/dev/urandom | cat -ve

dd is a very powerful command that can read files, tapes, even whole disks, varying the number of blocks with count and the block size with bs. Note that count counts reads, not bytes: with bs=1 every read returns exactly one byte, but with a larger bs a short read (common on pipes and some devices) gives you fewer bytes than bs times count, which is what GNU dd's iflag=fullblock is for.

if is the input file or device and of can be used to designate an output file or device.

dd bs=1 count=512 if=/dev/urandom | openssl base64

Also it can convert to upper and lower case, with conv=ucase, etc.

If you have an extremely large file, it can start at an offset via the skip option, for example to skip the first 1024 bytes of the file and read 1000 bytes (the output starts mid-line because the offset lands inside a record; dd's own "records in/out" summary goes to stderr):


dd if=access_log.techieblogs bs=1 skip=1024 count=1000
- - [04/Jun/2006:00:13:10 +0800] "GET /mysqldemo/run_q.php?database=mysql HTTP/1.1" 200 1364
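
Where this matters for security is turning those bytes into something you can paste into a config file or a password field. The following is an added example, not code from the original post: a hex token of exactly N bytes, and a password drawn from [A-Za-z0-9] by throwing away bytes outside the set rather than reducing them modulo 62, so no character is more likely than another. Function names and default lengths are this example's own; it uses only dd, od, tr and head so it runs without openssl or base64 installed.

```bash
#!/bin/bash
# Added example; not code from the original post: turning /dev/urandom
# bytes into tokens you can paste into a config or a password field.
# Only dd, od, tr and head are used (all POSIX), so it works without
# openssl or base64 installed.

# $1: number of bytes (default 32). Prints 2*N lowercase hex characters.
# bs=1 count=N guarantees exactly N bytes even if a read comes back short.
random_hex() {
    dd if=/dev/urandom bs=1 count="${1:-32}" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# $1: length (default 20). Prints a password over [A-Za-z0-9].
# tr -dc discards bytes outside the set instead of mapping them onto it,
# so every character is equally likely (rejection sampling, no modulo bias).
# LC_ALL=C keeps tr from rejecting bytes that are not valid UTF-8.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-20}"
}

if [ $# -ge 1 ]; then
    case $1 in
        hex)      random_hex "${2:-32}"; echo ;;
        password) random_password "${2:-20}"; echo ;;
        *)        echo "Usage: $0 hex|password [length]" >&2; exit 1 ;;
    esac
fi
```

`./randtok hex 32` gives a 256-bit API token as 64 hex characters; `./randtok password 24` gives a 24 character password with about 143 bits of entropy (log2(62) is roughly 5.95 bits per character).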

[/example]

[reference]

[tags]dd, pseudo random data, cat, Unix Coding School[/tags]

[/reference]

While For Loops

[problem]

You want to loop around a number of times and perform an action.

[/problem]

[solution]

Looping a fixed number of times is the basis of most shell automation. See the example.

[/solution]

[example]

For example, spin around 100 times and print hello:

i=0; while [[ $i -lt 100 ]] ; do echo -n "hello"; ((i++)) ; done; echo ""
hellohellohellohellohellohellohellohellohellohello
hellohellohellohellohellohellohellohellohellohello
hellohellohellohellohellohellohellohellohellohello
hellohellohellohellohellohellohellohello...

Similarly, the for command is a beauty too. Spin around 5 times, and inside each pass run an inner loop 5 times, then paste the result into 5 columns:


for i in 1 2 3 4 5; do for j in 1 2 3 4 5; do echo "$i:$j"; done; done | paste - - - - -
1:1 1:2 1:3 1:4 1:5
2:1 2:2 2:3 2:4 2:5
3:1 3:2 3:3 3:4 3:5
4:1 4:2 4:3 4:4 4:5
5:1 5:2 5:3 5:4 5:5

[/example]

[reference]

[tags]while, for, loops, Unix Coding School[/tags]

[/reference]

Split output over columns

[problem]

Ever wanted to produce columns of output, rather than have your output spill off the screen?

[/problem]

[solution]

A useful command for this is paste; see the example for how it works, splitting output into 3 columns.

[/solution]

[example]

ls | paste - - -
comments.php comments-popup.php fat.js
footer.php header.php index.php
screenshot.png sidebar.php style.css

As you’d expect with UNIX, that is not the end of this command's uses! 🙂

Create a comma separated list:

ls | paste - - - -d,
comments.php,comments-popup.php,fat.js
footer.php,header.php,index.php
screenshot.png,sidebar.php,style.css

Then, courtesy of the Linux info page for paste (the output columns are tab separated):


$ cat num2
1
2
$ cat let3
a
b
c
$ paste num2 let3
1	a
2	b
	c

And:


$ paste -s num2 let3
1 2
a b c

[/example]

[reference]

[tags]paste, Unix Coding School[/tags]

[/reference]

Check var for pattern

[problem]

You want to check a variable for a given pattern.

[/problem]

[solution]

This is my personal favorite way to check for values in vars. See examples.

[/solution]

[example]

[[ $(echo "$var" | grep -ic "pattern") -eq 0 ]] && { echo "var does not contain pattern"; }

You could also go for “-eq 1” (exactly one matching line) for does contain:

[[ $(echo "$var" | grep -ic "pattern") -eq 1 ]] && { echo "var does contain pattern"; }

Or “-ne 0” for the same. This is the safer form, since grep -c counts matching lines and a multi-line value can match more than once.

[[ $(echo "$var" | grep -ic "pattern") -ne 0 ]] && { echo "var does contain pattern"; }

Plus you could use || for “or”, either in place of “&&” or after this block, the same as if .. then “positive” else “negative” fi.

[[ $(echo "$var" | grep -ic "pattern") -eq 0 ]] || { echo "var does contain pattern"; }
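
The following is an added example, not code from the original post, that packages the test as functions so the exit status carries the answer and the value is always quoted. It also shows the difference between a regex match (where the dot in "1.2.3.4" matches any character) and a fixed-string match, and a glob test done with case that needs no external command. The function names are this example's own.

```bash
#!/bin/bash
# Added example; not code from the original post: pattern tests for a
# variable that are safe in scripts. "grep -c ... -eq 1" counts matching
# lines, so it misfires as soon as the value has two lines that match;
# testing grep's exit status with -q avoids that. The case form needs no
# fork at all, and grep -E gives full extended regular expressions.

# $1: value, $2: basic regular expression. Case-insensitive, like the recipe.
has_pattern() {
    printf '%s\n' "$1" | grep -iq -- "$2"
}

# $1: value, $2: fixed string; regex metacharacters are taken literally.
# Use this for IP addresses, file names and anything containing dots.
has_string() {
    printf '%s\n' "$1" | grep -iqF -- "$2"
}

# $1: value, $2: shell glob such as '*root*'. No external command needed.
has_glob() {
    case $1 in
        $2) return 0 ;;
        *)  return 1 ;;
    esac
}

# $1: value, $2: extended regular expression, case-sensitive.
has_regex() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Example use, in the same "&& { ... }" style as the recipe:
if [ $# -ge 2 ]; then
    has_pattern "$1" "$2" && { echo "'$1' contains '$2'"; }
    has_pattern "$1" "$2" || { echo "'$1' does not contain '$2'"; }
fi
```

Quoting "$var" matters more than the operator: unquoted, a value containing `*` or spaces is word-split and glob-expanded before echo ever sees it.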

[/example]

[reference]

[tags]grep, pattern matching, Unix Coding School[/tags]

[/reference]

Detach proc from shell

[problem]

When you exit your shell, the processes you’ve kicked off die.

[/problem]

[solution]

If you start a process with nohup (ignore the HUP signal), it will not exit (usually) when your shell is exited. nohup stands for no hang up, a throwback to dial-up terminal lines, where losing the line sent SIGHUP to everything attached to it.

[/solution]

[example]

nohup command > /tmp/logfile.log 2>&1 &

If you forget to run the command with nohup, this can be done after the fact with the shell's disown builtin (bash, ksh93 and zsh, so it works on Solaris too).

Just background the process (with ctrl Z and bg) then type disown.

disown [%1]

The jobs builtin will show all backgrounded jobs. After running disown, it should show no jobs. Note that disown only stops the shell sending SIGHUP to the job when you log out; the job's input and output are still attached to the terminal, so redirect them first (as the nohup line above does) or the process may fail on its next read or write once the terminal is gone.
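
The following is an added example, not code from the original post, that wraps the nohup line into a small launcher: all three standard descriptors are pointed away from the terminal, the PID is printed so it can be stored, and there are helpers to check liveness and stop the process. The function names are this example's own; the test starts a sleep and checks it is running.

```bash
#!/bin/bash
# Added example; not code from the original post: start a command so it
# survives the shell exiting, with every file descriptor pointed away from
# the terminal and the PID recorded for later checks.

# $1: log file; remaining args: the command. Prints the detached PID.
# stdin is redirected from /dev/null too, so the command never blocks on
# the terminal, and nothing is left writing to a tty that may go away.
start_detached() {
    log=$1; shift
    nohup "$@" </dev/null >"$log" 2>&1 &
    echo $!
}

# $1: PID. Exit status 0 while the process exists (kill -0 sends no signal).
is_running() {
    kill -0 "$1" 2>/dev/null
}

# $1: PID. Polite stop (TERM), then wait up to 10 seconds for it to go.
stop_detached() {
    kill "$1" 2>/dev/null || return 0
    n=0
    while is_running "$1" && [ "$n" -lt 10 ]; do
        sleep 1; n=$((n + 1))
    done
}

if [ $# -ge 2 ]; then
    pid=$(start_detached "$@")
    echo "started pid $pid, output in $1"
fi
```

`./detach /tmp/build.log make -j4` prints the PID; store it and use `kill -0` (or the is_running helper) from cron to confirm the job is still alive after you log out.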

[/example]

[reference]

[tags]nohup, disown, daemons, Unix Coding School[/tags]

[/reference]

Binary Calculator Hex

[problem]

You want to perform some arithmetic with UNIX.

[/problem]

[solution]

bc, the arbitrary precision calculator installed with pretty much every version of UNIX, can be used for an array of tasks.

Not just basic calculations, but also converting between bases, and it can be automated, etc.

[/solution]

[example]

Its simplest use is just to run bc and add, subtract or divide.


bc
888+999
1887

Be aware though, that to get fractional results you must either set scale (for example scale=4) or use the “-l” long option, which sets scale=20 and loads the math library. For example:


bc
999/222
4

Truncated, because bc's default scale is 0. 🙂 Now with the long option:


bc -l
999/222
4.50000000000000000000

Can also be automated like this, to convert between decimal and hex. ibase is the input base and obase the output base; when you change both, set obase first, because once ibase changes every number that follows (including one you assign to obase) is read in the new base:


i=0; while ((i < 20)) ; do echo -n " $i: "; echo "obase=16;ibase=10;$i" | bc; ((i++)); done | paste - - - -
0: 0 1: 1 2: 2 3: 3
4: 4 5: 5 6: 6 7: 7
8: 8 9: 9 10: A 11: B
12: C 13: D 14: E 15: F
16: 10 17: 11 18: 12 19: 13
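
The following is an added example, not code from the original post, that turns the conversions into functions and handles the three things that trip people up with bc: the order of obase and ibase, the fact that bc only accepts upper-case hex digits on input, and GNU bc wrapping long results at 70 columns with a backslash unless BC_LINE_LENGTH=0 is set. It also shows that for anything that fits in 64 bits, printf does hex without bc at all. Function names are this example's own.

```bash
#!/bin/bash
# Added example; not code from the original post: base conversion and
# big-number arithmetic with bc, covering the usual traps:
# 1. set obase before ibase (once ibase changes, "16" is read in the new base),
# 2. bc only understands upper-case hex digits on input,
# 3. GNU bc wraps long results at 70 columns with a backslash unless
#    BC_LINE_LENGTH=0 is set.

# $1: decimal number, $2: target base (2..16). Prints the digits.
to_base() {
    printf 'obase=%s; ibase=10; %s\n' "$2" "$1" | BC_LINE_LENGTH=0 bc
}

# $1: number written in base $2, $2: source base (2..16). Prints decimal.
from_base() {
    digits=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    printf 'obase=10; ibase=%s; %s\n' "$2" "$digits" | BC_LINE_LENGTH=0 bc
}

# $1 raised to $2 in arbitrary precision; 2^128 does not fit a shell integer.
big_pow() {
    printf '%s^%s\n' "$1" "$2" | BC_LINE_LENGTH=0 bc
}

# Hex without bc: printf is a shell builtin and handles anything up to 64 bits.
to_hex() {
    printf '%X' "$1"
}

if [ $# -ge 1 ]; then
    # Same table as the recipe, built from the functions above.
    i=0
    while [ "$i" -lt "$1" ]; do
        echo " $i: $(to_base "$i" 16)"; i=$((i + 1))
    done | paste - - - -
fi
```

`./bases 20` reproduces the table above; `big_pow 2 256` is the quick way to get the size of a 256-bit key space as a decimal number without any wrapping.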

[/example]

[reference]

[tags]BC, HEX, Unix Coding School[/tags]

[/reference]