SSL how to: install ssl on Postfix

The following describes how to get StartSSL certificates working with Postfix. First of all, read how to get a free SSL certificate from StartSSL and actually create the certificates.

wget http://www.startssl.com/certs/ca-bundle.crt -O ca-bundle.crt
cat ca-bundle.crt > /etc/ssl/certs/ca-bundle.crt
chmod 644 /etc/ssl/certs/ca-bundle.crt
cat /etc/ssl/certs/mail_certificate.pem > /etc/ssl/certs/postfix.pem
cat /etc/ssl/private/mail_privatekey.pem > /etc/ssl/private/postfix.pem
chown root:ssl-cert /etc/ssl/private/postfix.pem
chmod 644 /etc/ssl/private/postfix.pem
chown root:root /etc/ssl/certs/postfix.pem
chmod 444 /etc/ssl/certs/postfix.pem

The TLS portion of the Postfix config should look something like this.

smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/ssl/certs/postfix.pem
smtp_tls_key_file = /etc/ssl/private/postfix.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes

smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes

smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom

Test smtp for TLS

telnet mail.example.org 25

You should get a banner similar to this.

Trying 127.0.0.1...
Connected to mail.example.org.
Escape character is '^]'.
220 mail.flexion.org NO UCE ESMTP

Issue an EHLO command

EHLO test.com

You should now see something like this. Check that 250-STARTTLS is present.

250-mail.example.org
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Issue the STARTTLS command

STARTTLS

If you see the following, you are all set.

220 2.0.0 Ready to start TLS
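The telnet session above proves only that STARTTLS is advertised. The following script is an added example, not part of the original post: it wraps openssl s_client -starttls smtp, which performs the EHLO/STARTTLS exchange itself and reports whether the served chain verifies against the CA bundle named in smtpd_tls_CAfile, and it parses that report. Nothing here contacts a real server: the parser is exercised on constructed, abbreviated s_client output embedded in the script, and only the hostname and CA path are taken from the post. It also reads the EHLO response shown above and notes that AUTH is offered before STARTTLS, which is what smtpd_tls_auth_only = no permits.

```shell
#!/bin/sh
# Added example (not from the original post): check that the STARTTLS
# handshake completes and the served chain verifies against the CA bundle,
# and flag AUTH being advertised before STARTTLS.
set -eu

# Numeric OpenSSL verify result from s_client output. s_client prints
# "Verify return code: N (text)"; 0 means the chain verified against -CAfile.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Subject of the leaf certificate from s_client output.
leaf_subject() {
    sed -n 's/^subject=[[:space:]]*//p' | head -n 1
}

# Verdict on captured s_client output: returns 0 only when a TLS session was
# established and the chain verified. Code 21 is the classic symptom of an
# intermediate certificate that is neither served nor in the CA file.
assess() {
    out=$(cat)
    case $out in
        *"Verify return code:"*) ;;
        *) echo "FAIL: no TLS session (STARTTLS not offered, refused or connection failed)"
           return 1 ;;
    esac
    code=$(printf '%s\n' "$out" | verify_code)
    if [ "$code" = 0 ]; then
        echo "OK: chain verified, leaf subject: $(printf '%s\n' "$out" | leaf_subject)"
        return 0
    fi
    case $code in
        21) echo "FAIL: verify code 21, intermediate CA neither served nor in -CAfile" ;;
        *)  echo "FAIL: verify code $code" ;;
    esac
    return 1
}

# Plaintext EHLO response check: returns 0 when AUTH is advertised before
# STARTTLS, i.e. a client may send its password in clear text
# (smtpd_tls_auth_only = yes prevents this).
ehlo_offers_plaintext_auth() {
    grep -q '^250[- ]AUTH'
}

# Live check: s_client performs EHLO/STARTTLS itself. Usage:
#   starttls_check mail.example.org 25 /etc/ssl/certs/ca-bundle.crt
starttls_check() {
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$1:${2:-25}" \
        -CAfile "${3:-/etc/ssl/certs/ca-bundle.crt}" 2>&1 | assess
}

# Constructed, abbreviated s_client output for a server whose chain verifies.
SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.org
   i:/O=Example CA/CN=Example Intermediate CA
 1 s:/O=Example CA/CN=Example Intermediate CA
   i:/O=Example CA/CN=Example Root CA
---
subject=/CN=mail.example.org
issuer=/O=Example CA/CN=Example Intermediate CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---
250 DSN'

# Constructed output for a server that sends only its own certificate.
SAMPLE_MISSING_INTERMEDIATE='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.org
   i:/O=Example CA/CN=Example Intermediate CA
---
subject=/CN=mail.example.org
issuer=/O=Example CA/CN=Example Intermediate CA
---
SSL-Session:
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN'

# Constructed output when no TLS session could be set up at all.
SAMPLE_NO_TLS='CONNECTED(00000003)
write:errno=104'

# The EHLO response shown in the post (telnet session, before STARTTLS).
EHLO_RESPONSE='250-mail.example.org
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

for s in "$SAMPLE_OK" "$SAMPLE_MISSING_INTERMEDIATE" "$SAMPLE_NO_TLS"; do
    printf '%s\n' "$s" | assess || true
done
if printf '%s\n' "$EHLO_RESPONSE" | ehlo_offers_plaintext_auth; then
    echo "NOTE: AUTH is offered before STARTTLS"
fi
```

The three samples only exercise the parser; run starttls_check against your own host once Postfix has been reloaded.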

SSL how to: install ssl on eJabberd

This article describes how to get StartSSL certificates working with eJabberd. First of all, read how to get a free SSL certificate from StartSSL and actually create the certificates.

cat www_privatekey.pem www_certificate.pem sub.class1.server.ca.pem > /etc/ejabberd/ejabberd.pem
chown ejabberd:ejabberd /etc/ejabberd/ejabberd.pem
chmod 400 /etc/ejabberd/ejabberd.pem

The SSL portion of the eJabberd config should look something like this.

{5222, ejabberd_c2s, [
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536},
                        starttls, {certfile, "/etc/ejabberd/ejabberd.pem"}
                       ]},

{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

SSL how to: install ssl on vsftpd

This article describes how to get StartSSL certificates working with vsftpd. First of all, read how to get a free SSL certificate from StartSSL and actually create the certificates.

cat www_certificate.pem > /etc/ssl/certs/vsftpd.pem
cat www_privatekey.pem > /etc/ssl/private/vsftpd.pem
chown root:ssl-cert /etc/ssl/private/vsftpd.pem
chmod 644 /etc/ssl/private/vsftpd.pem
chown root:root /etc/ssl/certs/vsftpd.pem
chmod 444 /etc/ssl/certs/vsftpd.pem

The SSL portion of the vsftpd config should look something like this.

rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
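The config above leaves force_local_data_ssl and force_local_logins_ssl at NO, so clients that do not speak TLS can still log in, with their passwords crossing the wire in clear text. The following added example (not from the original post) audits a vsftpd.conf for exactly those settings and for obsolete SSL versions. It runs over two constructed files written to a scratch directory: a copy of the configuration above and the same configuration with TLS made mandatory. The option names are vsftpd's own.

```shell
#!/bin/sh
# Added example (not from the original post): flag vsftpd TLS settings that
# leave logins or data unencrypted, or that enable obsolete protocols.
set -eu

# Effective value of KEY in CONF (last assignment wins), upper-cased.
# Prints nothing when the key is absent. vsftpd.conf is "key=value" lines.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" \
        | tail -n 1 | tr '[:lower:]' '[:upper:]'
}

# One line per weak setting found in CONF.
vsftpd_tls_findings() {
    conf=$1
    [ "$(vsftpd_get "$conf" ssl_enable)" = YES ] \
        || echo "ssl_enable is not YES: TLS is not offered at all"
    [ "$(vsftpd_get "$conf" force_local_logins_ssl)" != NO ] \
        || echo "force_local_logins_ssl=NO: clients may log in with passwords in clear text"
    [ "$(vsftpd_get "$conf" force_local_data_ssl)" != NO ] \
        || echo "force_local_data_ssl=NO: clients may transfer files unencrypted"
    [ "$(vsftpd_get "$conf" ssl_sslv2)" != YES ] \
        || echo "ssl_sslv2=YES: SSLv2 is obsolete and insecure"
    [ "$(vsftpd_get "$conf" ssl_sslv3)" != YES ] \
        || echo "ssl_sslv3=YES: SSLv3 is obsolete and insecure"
}

# Number of findings as a plain integer (wc may pad with spaces).
vsftpd_tls_finding_count() {
    vsftpd_tls_findings "$1" | wc -l | tr -d '[:space:]'
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Constructed copy of the configuration from the post.
cat > "$DEMO/vsftpd.weak.conf" <<'EOF'
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
EOF

# The same configuration with TLS required for both logins and data.
cat > "$DEMO/vsftpd.hardened.conf" <<'EOF'
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
EOF

for c in "$DEMO"/vsftpd.*.conf; do
    echo "== $c: $(vsftpd_tls_finding_count "$c") finding(s)"
    vsftpd_tls_findings "$c"
done
```

Forcing TLS locks out FTP clients that cannot do FTPS at all, which is presumably why the post leaves the two options at NO; the audit makes that trade-off visible rather than deciding it.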

SSL how to: install ssl on dovecot

The following article describes how to get StartSSL certificates working with Dovecot. First of all, read how to get a free SSL certificate from StartSSL and actually create the certificates.

wget http://www.startssl.com/certs/sub.class1.server.ca.pem -O sub.class1.server.ca.pem
cat www_certificate.pem sub.class1.server.ca.pem > /etc/ssl/certs/dovecot.pem
cat www_privatekey.pem > /etc/ssl/private/dovecot.pem
chown root:ssl-cert /etc/ssl/private/dovecot.pem
chmod 644 /etc/ssl/private/dovecot.pem
chown root:root /etc/ssl/certs/dovecot.pem
chmod 444 /etc/ssl/certs/dovecot.pem

The SSL portion of the Dovecot config should look something like this.

ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem


Test imaps

wget http://www.startssl.com/certs/ca.pem -O /tmp/ca.pem
openssl s_client -CAfile /tmp/ca.pem -connect mail.example.org:993

SSL how to: install ssl on Lighttpd

The following describes how to get StartSSL certificates working with lighttpd. First of all, read how to get a free SSL certificate from StartSSL and actually create the certificates.

cat www_certificate.pem www_privatekey.pem > /etc/ssl/private/lighttpd.pem
chown root:www-data /etc/ssl/private/lighttpd.pem
chmod 640 /etc/ssl/private/lighttpd.pem
wget http://www.startssl.com/certs/ca.pem -O ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem -O sub.class1.server.ca.pem
cat ca.pem sub.class1.server.ca.pem > /etc/ssl/certs/lighttpd.pem
chown root:root /etc/ssl/certs/lighttpd.pem
chmod 644 /etc/ssl/certs/lighttpd.pem

The SSL portion of the lighttpd config should look something like this.

$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.ca-file = "/etc/ssl/certs/lighttpd.pem"
    ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
}

Test https

wget http://www.startssl.com/certs/ca.pem -O /tmp/ca.pem
openssl s_client -CAfile /tmp/ca.pem -connect www.flexion.org:443
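Each how-to above assembles its PEM files in a different layout: lighttpd wants certificate then key in one pemfile, eJabberd wants key, certificate and intermediate in one file, Dovecot and Postfix keep the key on its own in /etc/ssl/private. The following added example (not from the original posts) reports which blocks a PEM file actually contains, in order, and warns when a file holding a private key is readable by everyone, which is what the chmod 644 applied to the Postfix, vsftpd and Dovecot private keys above produces. It runs on constructed PEM files with placeholder bodies in a scratch directory; only the file names and modes mirror the posts.

```shell
#!/bin/sh
# Added example (not from the original posts): audit assembled PEM bundles
# for block order and for private keys that are world-readable.
set -eu

# Labels of the PEM blocks in FILE, in order, on one line, e.g.
# "CERTIFICATE RSA-PRIVATE-KEY" (spaces inside a label become dashes).
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr ' ' '-' | paste -s -d ' ' -
}

# Succeeds when FILE contains a private key block of any kind
# (RSA PRIVATE KEY, PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...).
has_private_key() {
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Succeeds when FILE has the "other read" bit set. find -perm -mode with a
# leading dash is POSIX, so no GNU stat is needed.
world_readable() {
    [ -n "$(find "$1" -perm -004)" ]
}

# Report FILE's layout; returns 1 when a private key is exposed.
audit_pem() {
    echo "$1: $(pem_blocks "$1")"
    if has_private_key "$1" && world_readable "$1"; then
        echo "  WARNING: holds a private key but is readable by everyone; use chmod 600, or 640 with the service's group"
        return 1
    fi
    return 0
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Constructed PEM blocks: the headers are what the audit looks at; the
# bodies are placeholders, not real key or certificate material.
CERT='-----BEGIN CERTIFICATE-----
MIIBplaceholderServerCertificateNotRealAAAA=
-----END CERTIFICATE-----'
CHAIN='-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCertificateNotRealAAAA=
-----END CERTIFICATE-----'
KEY='-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderPrivateKeyNotRealAAAA=
-----END RSA PRIVATE KEY-----'

# lighttpd: certificate then key in one pemfile, mode 640 (as in the post).
printf '%s\n%s\n' "$CERT" "$KEY" > "$DEMO/lighttpd.pem"; chmod 640 "$DEMO/lighttpd.pem"
# eJabberd: key, certificate, intermediate in one file, mode 400.
printf '%s\n%s\n%s\n' "$KEY" "$CERT" "$CHAIN" > "$DEMO/ejabberd.pem"; chmod 400 "$DEMO/ejabberd.pem"
# Dovecot certs file: certificate plus intermediate, no key, mode 444.
printf '%s\n%s\n' "$CERT" "$CHAIN" > "$DEMO/dovecot.pem"; chmod 444 "$DEMO/dovecot.pem"
# Postfix private key with the mode 644 from the post: world-readable.
printf '%s\n' "$KEY" > "$DEMO/postfix.key.pem"; chmod 644 "$DEMO/postfix.key.pem"

for f in "$DEMO"/*.pem; do
    audit_pem "$f" || echo "  -> fix the mode before deploying this file"
done
```

The daemons read their keys as root at startup, so nothing is lost by taking the other-read bit away; the service-group variants (root:ssl-cert, root:www-data) in the posts are what the 640 recommendation refers to.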
 
 

SSL how to: self-signed SSL certificate creation with OpenSSL

SSL certificates are widely used on the Internet by different services, so we should be able to create SSL certificates. In my other article I have described how to get a free SSL certificate from StartSSL. It is free, but the process is quite complicated anyway, and they provide certificates for non-commercial projects only. The other way to get a certificate is to generate a self-signed SSL certificate. That is what I am going to describe in this article and going to use in my future articles and scripts.

Sorry, but this article has been moved to my new blog. You can find it at the following link

What is SSL certificate

What is SSL?

All of us have met SSL-protected sites many times. For example, the green location bar on the PayPal site shows us that the site is SSL protected.

So, let's try to learn more about the PayPal SSL certificate: double-click the green area and the browser will show some info. We can see that this certificate was issued by VeriSign for PayPal, Inc., and that the certificate has class 3 Extended Validation.


While it is clear who the certificate issuer and holder are, the certificate validation class requires some explanation:

Domain Validation (DV) SSL Certificates (class 1): where the Certification Authority (CA) checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.

Organization Validation (OV) SSL Certificates (class 2): where the CA checks the right of the applicant to use a specific domain name PLUS it conducts some vetting of the organization. Additional vetted company information is displayed to customers when clicking on the Secure Site Seal, giving enhanced visibility in who is behind the site and associated enhanced trust.

Extended Validation (EV) SSL Certificates (class 3, the one that gives us the green location bar): where the CA checks the right of the applicant to use a specific domain name PLUS it conducts a THOROUGH vetting of the organization. The issuance process of EV Certificates is strictly defined in the EV Guidelines, as formally ratified by the CA/Browser forum in 2007, that specify all the steps required for a CA before issuing a certificate, and includes:
  • Verifying the legal, physical and operational existence of the entity
  • Verifying that the identity of the entity matches official records
  • Verifying that the entity has exclusive right to use the domain specified in the EV Certificate
  • Verifying that the entity has properly authorized the issuance of the EV Certificate
EV Certificates are available for all types of businesses, including government entities and both incorporated and unincorporated businesses. A second set of guidelines, the EV Audit Guidelines, specify the criteria under which a CA needs to be successfully audited before issuing EV Certificates. The audits are repeated yearly to ensure the integrity of the issuance process.

Encryption algorithms

There are several encryption algorithms available, using symmetric or asymmetric methods, with keys of various lengths. Usually, algorithms cannot be patented; if Henri Poincaré had patented his algorithms, he would have been able to sue Albert Einstein... So algorithms cannot be patented, except mainly in the USA. OpenSSL is developed in a country where algorithms cannot be patented and where encryption technology is not reserved to state agencies like the military and secret services. During the negotiation between browser and web server, the applications indicate to each other a list of algorithms they understand, ranked by order of preference. The common preferred algorithm is then chosen. OpenSSL can be compiled with or without certain algorithms, so that it can be used in many countries where restrictions apply.

Private & public keys

Encryption using a private key/public key pair ensures that data encrypted with one key can only be decrypted with the other key of the pair. This is sometimes hard to understand, but believe me, it works. The keys are similar in nature and can be used alternately: what one key encrypts, the other key of the pair can decrypt. The key pair is based on prime numbers, and its length in bits determines the difficulty of decrypting the message without the key pair. The trick in a key pair is to keep one key secret (the private key) and to distribute the other key (the public key) to everybody. Anybody can send you an encrypted message that only you will be able to decrypt. You are the only one to have the other key of the pair, right? Conversely, you can certify that a message comes from you, because you have encrypted it with your private key, and only the associated public key will decrypt it correctly. Beware, in this case the message is not secured, you have only signed it. Everybody has the public key, remember!
One of the problems left is to know the public key of your correspondent. Usually you will ask him to send you a non-confidential signed message that will contain his public key as well as a certificate.

Message-->[Public Key]-->Encrypted Message-->[Private Key]-->Message
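The round trip drawn above, as an added example with the OpenSSL command line (not from the original article): a fresh RSA key pair is generated in a scratch directory, a constructed message is encrypted with the public key and recovered with the private key, then the same message is signed with the private key and checked with the public key, including what the check says when the signed text is altered by a single byte.

```shell
#!/bin/sh
# Added example (not from the original article): the two uses of a key pair,
# confidentiality and authenticity, demonstrated with openssl(1).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the pair: key.pem holds both halves (keep it secret),
# pub.pem holds only the public key (hand it to everybody).
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
}

# Message --> [Public Key] --> Encrypted Message --> [Private Key] --> Message
# Anyone with pub.pem can encrypt; only the holder of key.pem can read it.
# Prints the recovered plaintext.
encrypt_then_decrypt() {
    printf '%s' "$1" > "$WORK/msg.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -in "$WORK/msg.txt" -out "$WORK/msg.enc"
    openssl pkeyutl -decrypt -inkey "$WORK/key.pem" -in "$WORK/msg.enc"
}

# The opposite direction: sign with the private key, verify with the public
# one. The message stays readable; only its origin is proven.
# Prints "Verified OK" on success.
sign_and_verify() {
    printf '%s' "$1" > "$WORK/msg.txt"
    openssl dgst -sha256 -sign "$WORK/key.pem" -out "$WORK/msg.sig" "$WORK/msg.txt"
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/msg.sig" "$WORK/msg.txt"
}

# Append one byte to the signed message: verification must now fail.
# Returns 0 when the modification is detected (the secure outcome).
tamper_detected() {
    sign_and_verify "$1" >/dev/null
    printf '%s!' "$1" > "$WORK/msg.txt"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/msg.sig" \
            "$WORK/msg.txt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

if command -v openssl >/dev/null 2>&1; then
    make_keypair
    echo "decrypted: $(encrypt_then_decrypt 'meet at noon')"
    echo "signature: $(sign_and_verify 'meet at noon')"
    if tamper_detected 'meet at noon'; then
        echo "tampering: detected"
    fi
else
    echo "openssl not found in PATH; nothing to demonstrate" >&2
fi
```

Note that pkeyutl has no way to "encrypt with the private key": the signing operation is that direction, and it does not hide the message, which is exactly the caveat in the text above.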

Signing certificate

This process is required to confirm the identity of the certificate owner. Certification Authorities like VeriSign, Comodo or StartSSL do this. Or you can create a self-signed SSL certificate. You can read how to get a free SSL certificate from StartSSL.
In my later articles I will show how to install certificates on different server software.

Gedit indent/unindent hot keys

In my post on Twitter I was incorrect, so I just decided to post it here:

Gedit indent - select lines & just press TAB
Gedit unindent - select lines & just press Shift+TAB

If you are using Gedit for coding, you can find my post about Gedit templates plugin useful.

Erlang float to integer

Today I decided to write a very small article. I think it may be interesting for programmers who came to Erlang from Java, C++ or C. From the point of view of an Erlang developer everything is very simple: you just need to round or truncate the float and it becomes an integer. Here is an example:

Eshell V5.8.4  (abort with ^G)
1> is_float(round(1.5)).
false
2> is_integer(round(1.5)).
true
3> is_float(trunc(1.5)).  
false
4> is_integer(trunc(1.5)).
true
5> round(1.5).            
2
6> trunc(1.5).            
1

Erlang TCP client & server sockets with gen_tcp


This article has been moved to my new blog: Erlang TCP server & TCP client sockets with gen_tcp

Today I am going to write a brief article about Erlang gen_tcp usage. Probably the reader already has experience with socket programming, but just to recall the server architecture: first of all a listening socket is created, then the server goes into the accept state, waiting for a new connection. Once a new connection is accepted, the server creates a new thread to process incoming packets, while the server itself waits for another connection.

Erlang echo server code:

3 good reasons not to use php template engines! Say NO to Smarty!

Frankly speaking, I thought that I would never touch this topic, but recently I had to apply changes and fixes to one project and was really surprised to see a template engine that uses str_replace...

Reasons for not using a template engine
  1. PHP is a Hypertext Preprocessor and can be embedded into HTML. It is the main benefit of PHP. So, why should one refuse it?
  2. Speed! Really, even when you are using "cool template engines" (no names here) with caching, they will be much slower than plain PHP. Especially if you enable eAccelerator & optimize your code.
  3. A new language, really? Each template engine uses its own language, at least for iterations, so one should learn it. What is the reason? Is it more functional than PHP?

Problems & solutions

I understand that design should be separated from the program logic - just do not put the logic into the template! I understand that developers want to have one main template with placeholders for modules & templates for modules. PHP can handle this too, and I am sure you know it.

Just some code for illustration. Very basic template handling class:

class Tpl{
	// Variables collected per context; 'core' is shared by every template
	static public $Vars = array('core' => array());

	static public function Add($var, $val, $context){
		self::$Vars[$context][$var] = $val;
	}

	// Render a template straight to the output
	static public function Out($file){
		extract(self::$Vars['core'], EXTR_OVERWRITE | EXTR_REFS);
		if (isset(self::$Vars[$file])) {
			extract(self::$Vars[$file], EXTR_OVERWRITE | EXTR_REFS);
		}
		require("./templates/{$file}.html");
		self::$Vars[$file] = array();
	}

	// Same as Out(), but return the rendered template as a string
	static public function Get($file){
		extract(self::$Vars['core'], EXTR_OVERWRITE | EXTR_REFS);
		if (isset(self::$Vars[$file])) {
			extract(self::$Vars[$file], EXTR_OVERWRITE | EXTR_REFS);
		}
		ob_start();
		require("./templates/{$file}.html");
		self::$Vars[$file] = array();
		return ob_get_clean();
	}
}

Script code:

include("class.Tpl.php");

Tpl::Add("V1", "Hello", 'test');
Tpl::Add("V2", "World!", 'test');
Tpl::Out("test");

And template:

<html>
<head>
<title><?=$V1?> <?=$V2?></title>
</head>
<body>
Working<br/>
<?=$V1?> <?=$V2?>
</body>
</html>


Sure, in real projects I am using a more complicated solution with HTML cache, controls and validators, but it is using PHP as the template language.

Erlang captcha code for websites

Today I want to publish a simple Erlang captcha library. It uses a very simple algorithm: the code & captcha image are generated and the file name contains the code itself. So, if the file exists, then the code was entered correctly. Once the code is entered, the file is deleted. One can reload (in terms of web) or generate a new code; in this case the old file is removed and a new one generated.

Sorry, but this article has been moved to my new blog on erlycoder.com

Read complete article: Erlang captcha code for websites

How to send email with attachment from Erlang

Today I am going to publish a small script for sending email from Erlang. It is quite simple. The idea was taken from some other script (not mine, but I do not know who the author is. Sorry for that). Actually many Linux users, or at least admins, will find it familiar.
The main difference from the original code that I found on the Internet is that this script allows attachments. It does not cover all possible cases, but you can simply modify it for your needs.

Sorry, but this article was permanently moved to my new blog erlycoder.com

Read complete article: How to send email with attachment from Erlang

Erlang convert IP to integer & integer to IP.

Just needed to convert an IP to an integer for an Erlang project and have not found code via Google. So I decided to post it here for anybody who will find it helpful.

First function converting IP tuple to integer:

ip_to_int({A,B,C,D}) -> (A*16777216)+(B*65536)+(C*256)+(D).

Code to convert integer to IP tuple:

int_to_ip(Ip) -> {Ip bsr 24, (Ip band 16711680) bsr 16, (Ip band 65280) bsr 8, Ip band 255}.

And brief dumb example:

Eshell V5.8.4  (abort with ^G)
1> Ip = {1,2,3,4}.
{1,2,3,4}
2> db_server:int_to_ip(db_server:ip_to_int(Ip)).
{1,2,3,4}
3> 

Hope this code helped you, if you have reached this page :)

What is Erlang open_port and os:cmd?

Sometimes it happens that you need to execute an external command. The same happens when you are programming in Erlang. Usually it is enough to use os:cmd. It executes the command and returns the result, like the following:

LsOut = os:cmd("ls"), % on unix platform

But sometimes you need to start a process and communicate with it via standard input and output. For example, most Linux users know the GnuChess program, and maybe somebody has even tried to start it from the shell without a GUI. So, the following simple example will show how to start GnuChess and communicate with the process from Erlang.

-module(pipe).
-author('Sergiy Dzysyak ').

-compile(export_all).

%% Spawn the reader process and return its pid
start() ->
    spawn(?MODULE, read, []).

%% Start gnuchess as an external port program and read its output
read() ->
    Port = open_port({spawn, "/usr/bin/gnuchess -xe"}, [binary, {line, 255}]),
    do_read(Port).

do_read(Port) ->
    receive
        {Port, {data, Data}} ->          % a line of output from gnuchess
            io:format("Data: ~p~n", [Data]);
        {Port, eof} ->                   % the program exited: start it again
            read();
        {go, Go} ->                      % a move from the shell, sent to gnuchess stdin
            Port ! {self(), {command, Go}};
        Any ->
            io:format("No match fifo_client:do_read/1, ~p~n", [Any])
    end,
    do_read(Port).

The example is very basic, and to start it you should do the following:

[serg@localhost erl.chess]$ erl
Erlang R14B03 (erts-5.8.4) [source] [64-bit] [rq:1] [async-threads:0] [kernel-poll:false]

Eshell V5.8.4  (abort with ^G)
1> c(pipe).
{ok,pipe}
2> Pid = pipe:start().
<0.38.0>
3> Pid ! {go, <<"e2e4\n">>}.
{go,<<"e2e4\n">>}
Data: {eol,<<"Chess">>}
Data: {eol,<<"Adjusting HashSize to 1024 slots">>}
Data: {eol,<<"1. e2e4">>}
Data: {eol,<<"1. ... e7e5">>}
Data: {eol,<<"My move is: e7e5">>}
4> 

In a similar way, communication via Linux named pipes can be organized with external programs, or even more complicated goals may be achieved. I have not tried to load drivers & communicate with them via open_port, but if I get a minute, I will try and describe it here in my blog...

Gedit plugin: New from template

I am not sure how many people find Gedit good enough as an editor for programming purposes, but I am using it exactly that way and am quite happy with its functionality. Especially I like its integration with the GNOME virtual file system, which allows it to work directly on remote hosts, and the ability to use and create new plugins for it.
With the release of the new version of the GNOME environment & the new version of the Gedit text editor I met some problems with the compatibility of old plugins. So, I have to redo some plugins I have used before. First of all I decided to implement a plugin that allows creation of new documents from templates.
The plugin is quite simple, but I do not have much Python programming experience, and I should note that there seems to be not much documentation available about the new Gedit and Gtk Python API.... So, if someone has more experience in Python or has some good ideas regarding the plugin functionality, you are welcome to fork the Git repo or post a comment here.
Plugin on GitHub: https://github.com/dzysyak/Templates-plugin-for-GEdit3

Royalty free music search engine right in your browser (firefox, IE)

Most web developers, especially those dealing with Flash, usually need to find some sound or loop. Personally I am not a Flash developer, so I have had only a few Flash projects, or better to say projects with Flash parts :)  But I felt uncomfortable when I had to go to some royalty-free music site and only then search for what I needed. How great it would be to have it integrated into my browser search box, I thought, and after a small research I found Cool Stock Music. I am not sure about other sites yet, I have just found this one. Maybe somebody else is providing a similar thing too, but that is not important right now. Once you get to the site with your Firefox or IE (as far as I know search plugins are supported from IE7) you can open the search engine selection, like on the image below, and add "Cool Stock Music" to the list of search engines.


Once the new engine is added to the list you can search sounds and loops right from the search box. Personally I find this very handy, as I do not have to go to the site and its search form (I do not want to recall all my disappointments). But what I like even more are the suggestions that are shown exactly like for Google search, and sometimes a good suggestion can save a lot of time :)


Hope that someone will find this article useful and that it will save somebody a little bit of time and a little bit of nerve cells. Personally I like this "search plugin" approach and think that these guys are on the right way :)

Example of Erlang crossdomain policy server for Adobe Flash

The latest version of the article & code can be found on my new blog: Example of Erlang crossdomain policy server for Adobe Flash

Some time ago I had to use sockets from Adobe Flash/Flex, so I needed a simple one implemented in Erlang. I do not suggest using it exactly as listed below, but you may find some ideas for your project there. I hope that you know what I am talking about if you are reading this article, so I do not want to waste your time...

SSL how to: Get a server certificate from StartSSL.com

In this and a few later articles I am going to describe how to install a TLS/SSL certificate on lighttpd, vsftpd, Postfix, Dovecot, eJabberd and maybe Apache. I also wanted to do this using the free SSL provider, StartSSL.
On my new blog you can also find articles on how to use an SSL certificate from an Erlang program and probably in some other ways (just preparing more articles for now).


This article has been moved to my new blog location:

Read complete article: SSL how to: Get a server certificate from StartSSL.com