Fri, 24 Feb 2006

4:43 PM - (no subject)

Got a really dicked up g5 at work.. boss ordered a "new" power supply for it and got the wrong one.. 450 watt instead of 650! Other two techs broke the clips on the logic board for the MEMORY. Fuckers gave them my mac as a TEMP!

Machine is a dual 1.8GHz with 256MB RAM! (theft of RAM) It's obvious someone is stealing RAM now.

Had to deal with a paper jam in a color laserjet and imaging/testing some mac images today, plus upgrading a machine to 10.4.5 along with a prosoft EVIL NOVELL client. Found out dreamweaver has a patch to fix some problems with drive listings.

7:39 PM - SSL setup docs

http://hublog.hubmed.org/archives/001075.html

(apache, etc)

location: Home

7:50 PM - my websites

Well, I've got some time this weekend and I've already started putting effort into my sites. I just changed the IP addresses for www.foolishgames.com and www.foolishgames.net. Both now resolve to separate IPs so that I could add home-generated SSL certs. Now when using the forum on foolishgames.net, you can securely connect. This change might make the sites go down for 24 hours or less. JJ should not be affected.

location: Home

8:31 PM - SSL Docs

SSL certificates for Apache2, Courier, Exim4 and Jabberd2 on Debian

Creating SSL certificates for web, mail and IM servers is not well documented. Here are some notes on generating certificates on a Debian server, signed by your own certificate authority, plus instructions for using them on OS X (instructions for installing and configuring openssl, apache2 and mod_ssl, exim4, courier-imap-ssl, courier-pop3-ssl and jabberd2 are not included):

Certificate Authority

First of all you need to create a root Certificate Authority certificate [ca.crt], which will later be used to sign the other certificates. It's encrypted by a password-protected key [ca.key].

cd /usr/share/ssl-cert/

Create index and serial files

cp /dev/null ca.index
echo '01' >ca.serial

Edit file paths in the default config file
[here's mine]

nano ca.config

Generate key and certificate for signing authority

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

(use . for everything except the Common Name, which is the name of your Certificate Authority, e.g. Example Certificate Authority)

So that OS X trusts all certificates signed by your Certificate Authority, download ca.crt then double-click and import it into the X509Anchors keychain using Keychain Access.

Apache2

For Apache, a key [example.org.key] is generated and used to encrypt a certificate request [example.org.csr], which is then signed by the Certificate Authority to produce the final certificate [example.org.crt]. The files are named this way so that you can have multiple certificates for virtual hosts. The keys must not be password protected, otherwise Apache will hang waiting for a password when it starts up.

Generate key and certificate for Apache

openssl genrsa -out example.org.key 2048
openssl req -new -key example.org.key -out example.org.csr

(use . for everything except the Common Name, which is the web server address, e.g. www.example.org)

Sign Apache certificate

openssl ca -config ca.config -keyfile ca.key -cert ca.crt -out example.org.crt -infiles example.org.csr

Set up Apache

cp example.org.key /etc/apache2/ssl/
cp example.org.crt /etc/apache2/ssl/

nano /etc/apache2/sites-enabled/example.org

ServerName www.example.org

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example.org.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.org.key


apache2ctl stop
apache2ctl start

Courier

For Courier, a non-protected key [courier.key] is generated and used to encrypt a certificate request [courier.csr], which is then signed by the Certificate Authority to produce the final certificate [courier.crt]. The key and certificate are combined into a PEM file [courier.pem], which is then used for both the IMAP and POP3 servers.

Generate key and certificate for Courier

openssl genrsa -out courier.key 2048
openssl req -new -key courier.key -out courier.csr

(use . for everything except the Common Name, which is the mailserver address, e.g. mail.example.org)

Sign Courier certificate

openssl ca -config ca.config -keyfile ca.key -cert ca.crt -out courier.crt -infiles courier.csr

Combine key and certificate into PEM file

nano courier.crt

(strip out everything before the BEGIN CERTIFICATE line)

cat courier.key courier.crt > courier.pem
openssl gendh >> courier.pem

Set up Courier

cp courier.pem /etc/courier/imapd.pem
cp courier.pem /etc/courier/pop3d.pem
chmod 0600 /etc/courier/imapd.pem
chmod 0600 /etc/courier/pop3d.pem
/etc/init.d/courier-imap-ssl stop
/etc/init.d/courier-imap-ssl start
/etc/init.d/courier-pop-ssl stop
/etc/init.d/courier-pop-ssl start

Exim

For Exim4, a non-protected key [exim.key] and certificate request [exim.csr] are generated. The request is then signed by the Certificate Authority to produce the final certificate [exim.crt].

Generate key and certificate for Exim4

openssl req -newkey rsa:2048 -keyout exim.key -out exim.csr -days 3650 -nodes

(use . for everything except the Common Name, which is the SMTP server address, e.g. smtp.example.org)

Sign Exim4 certificate

openssl ca -config ca.config -keyfile ca.key -cert ca.crt -out exim.crt -infiles exim.csr

Set up Exim4

cp exim.crt /etc/exim4/exim.crt
cp exim.key /etc/exim4/exim.key
chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt
chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt
/etc/init.d/exim4 stop
/etc/init.d/exim4 start

Jabberd2

For Jabberd2, a non-protected key [jabberd.key] is generated and used to encrypt a certificate request [jabberd.csr], which is then signed by the Certificate Authority to produce the final certificate [jabberd.crt]. The key and certificate are combined into a PEM file [jabberd.pem], which is used for messages between client and server.

Generate key and certificate for Jabberd

openssl genrsa -out jabberd.key 2048
openssl req -new -key jabberd.key -out jabberd.csr

(use . for everything except the Common Name, which is the Jabber server address, e.g. jabber.example.org)

Sign Jabberd certificate

openssl ca -config ca.config -keyfile ca.key -cert ca.crt -out jabberd.crt -infiles jabberd.csr

Combine key and certificate into PEM file

nano jabberd.crt

(strip out everything before BEGIN CERTIFICATE)

cat jabberd.key jabberd.crt > jabberd.pem

Set up Jabberd

cp jabberd.pem /usr/local/etc/jabberd/
chown root:jabber /usr/local/etc/jabberd/jabberd.pem
chmod 640 /usr/local/etc/jabberd/jabberd.pem

( edit all xml files so that points to /usr/local/etc/jabberd/jabberd.pem )

su jabber
jabberd &

Psi is the only OS X Jabber client (as far as I know) that verifies the authenticity of SSL certificates, though there is an option to hide warnings. It comes with a set of root certificates, to which you have to add the certificate for your root Certificate Authority (instead of using the system Keychain).

In ca.crt, replace

-----BEGIN CERTIFICATE-----

with



and

-----END CERTIFICATE-----

with



Do Show Package Contents on Psi.app, then open Contents/Resources/certs/rootcert.xml and add in the new data from ca.crt. Connect to the server on port 5223.
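Added example, not part of this post or of the hubmed notes it reproduces: a POSIX shell script that carries out the Certificate Authority and Apache steps above and then runs the checks worth doing before copying the files into place. The ca.config it writes is an assumption (the post's own config is not shown), the working directory and hostname are parameters, and signing with -notext shows why the "strip everything before BEGIN CERTIFICATE" step in the Courier and Jabberd sections can be avoided.

```shell
# Added example, not the post's own code: throwaway CA with the post's
# ca.index/ca.serial layout, one signed server cert, then sanity checks.
set -eu

write_ca_config() {  # $1 = working dir, $2 = server hostname; assumed minimal config
  cat > "$1/ca.config" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $1/ca.index
serial = $1/ca.serial
new_certs_dir = $1
default_md = sha256
default_days = 365
policy = loose
[ loose ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$2
EOF
}

make_ca_and_sign() {  # $1 = working dir, $2 = server hostname
  write_ca_config "$1" "$2"; cp /dev/null "$1/ca.index"; echo 01 > "$1/ca.serial"
  # CA key is unencrypted only so this runs unattended; a real CA key gets -des3.
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -config "$1/ca.config" -key "$1/ca.key" \
    -subj "/CN=Example Certificate Authority" -out "$1/ca.crt"
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -config "$1/ca.config" -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
  # -notext emits only the PEM block: no "strip everything before BEGIN CERTIFICATE".
  openssl ca -batch -notext -config "$1/ca.config" -extensions v3_server -keyfile "$1/ca.key" \
    -cert "$1/ca.crt" -out "$1/$2.crt" -infiles "$1/$2.csr" 2>/dev/null
}

# Succeeds only if the cert chains to ca.crt, the key is unencrypted (an
# encrypted key hangs Apache at startup) and key and cert belong together.
check_server_cert() {  # $1 = working dir, $2 = server hostname
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null || return 1
  if grep -q ENCRYPTED "$1/$2.key"; then return 1; fi
  [ "$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$1/$2.crt" -pubkey -noout)" ] || return 1
}
```

Run as `make_ca_and_sign /tmp/ca www.example.org && check_server_cert /tmp/ca www.example.org`; the resulting www.example.org.key and .crt are what the post copies into /etc/apache2/ssl/.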

9:08 PM - Generating SSH keys

Protocol version 2 SSH uses this:
ssh-keygen -t dsa

(rsa is for version 1)

Then put the contents of the .pub file on the server you want, in the .ssh dir in the home directory, so ~/.ssh/authorized_keys2.

Now you can use ssh keys. If you don't use a password when you generate the key, you won't need to type it anymore. There is a security risk if someone gets a copy of your pub file or, worse yet, gets physical access to your computer. There's also an ssh-agent that you can set up to work around this problem and still maintain security.

See IBM article here: http://www-128.ibm.com/developerworks/library/l-keyc.html

location: Home

9:43 PM - More fun stuff

I'm just so busy tonight :)

Java 1.4.2 p8 (patch level 8) installed tonight. This seems faster and that will certainly help jj and fgnet.

I fucked up the MidnightBSD cvs trying to import some stuff. I'll have to fix it as soon as possible. (I did re-import 6.0 and 6.1 beta, though it's not tagged correctly.)

I also updated a shitload of services.

location: Home