Friday, May 15, 2009

HOWTO Convert a windows vmware image to a linux qemu/kvm

This is a good HOWTO for converting windows vmware images to linux Kernel Virtual Machines (KVMs). Note that if you don't have a single monolithic vmdk disk file, you can just run qemu-img over each individual file, converting it to raw, then cat them together in order. I tried this and it worked a treat:

# Convert each split extent to raw (globbing directly avoids the "ls" parsing pitfall), then join them in order
for i in *.vmdk; do qemu-img convert -O raw "$i" ~/"$i".dd; done
cat ~/s001.vmdk.dd ~/s002.vmdk.dd ~/s003.vmdk.dd > ~/monolithic_image.dd
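As an added example (not code from the original post), the script below takes the extent order from the descriptor .vmdk file, which is where VMware records it, rather than from "ls" sort order, and then does the same qemu-img conversion and concatenation. The descriptor line format ("RW <sectors> SPARSE "<file>"") is the standard one; the assumption that extents sit beside the descriptor and the QEMU_IMG override variable are mine.

```shell
#!/bin/sh
# Added example, not from the original post: order split VMDK extents by the
# descriptor file, convert each to raw and concatenate.
set -eu

# Print the extent files named in a VMDK descriptor, in disk order.
# Extent lines look like:   RW 4192256 SPARSE "disk-s001.vmdk"
# ZERO extents have no file and are skipped; names containing spaces are not handled.
vmdk_extents() {
    awk '$1 ~ /^(RW|RDONLY|NOACCESS)$/ && $3 ~ /^(SPARSE|FLAT|VMFS)/ && $4 != "" {
            name = $4; gsub(/"/, "", name); print name
        }' "$1"
}

# Convert every extent to raw with qemu-img and append it to $2 in descriptor
# order. Assumes the extents live in the same directory as the descriptor $1.
# QEMU_IMG lets a caller substitute another converter (assumed helper variable).
vmdk_to_raw() {
    desc=$1; out=$2; dir=$(dirname "$desc")
    : > "$out"                                   # start with an empty image
    vmdk_extents "$desc" | while IFS= read -r ext; do
        "${QEMU_IMG:-qemu-img}" convert -O raw "$dir/$ext" "$out.part"
        cat "$out.part" >> "$out"
        rm -f "$out.part"
    done
}

# Stand-alone use:  ./vmdk_to_raw.sh /vms/win/win.vmdk ~/monolithic_image.dd
if [ "$#" -eq 2 ]; then
    vmdk_to_raw "$1" "$2" && echo "wrote $2"
fi
```

Modern qemu-img can read a twoGbMaxExtentSparse descriptor directly, so on current systems a single `qemu-img convert -O raw win.vmdk out.dd` against the descriptor is usually enough; the script is still useful when you want to see, or check, which extents make up the disk before writing anything.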

Monday, May 11, 2009

Verify ssl certificates and keys

The following openssl commands are handy for verifying/inspecting/converting keys/certificates and inspecting CRLs:

# Check a private key
openssl rsa -in /etc/apache2/ssl/server.key -check -noout -text

# Verify this cert against this CA list
openssl verify -verbose -purpose sslserver -CAfile /etc/ssl/cacert.pem /etc/apache2/ssl/server.pem

# Display cert details
openssl x509 -in /var/cert.pem -text -noout

# What purposes does this cert have?
openssl x509 -in mycert.pem -purpose

# Connect to a server and show the certs
openssl s_client -debug -connect localhost:443 -showcerts

# Inspect a CRL
openssl crl -inform DER -in blah.crl -text -noout

# Convert DER (.crt .cert .der) to PEM
openssl x509 -inform der -in cert.cer -out cert.pem

# Inspect DER without converting
openssl x509 -inform der -in cert.cer -noout -text

All calls on Samsung F480 appearing as "unknown" number

My phone wasn't displaying any numbers when I received a call, even though I had corresponding entries in the phonebook. For the benefit of others googling for a solution to this problem: it isn't your phone. It doesn't matter whether your contacts are stored in the phone or on the SIM. Most likely you need to call your provider and make sure caller ID forwarding is enabled on your service. This can happen when you change providers or start a new service.

Sunday, May 10, 2009

Convert epoch timestamp (seconds since 1970) on the command line

Use this to convert epoch timestamp (seconds since 1970) on the command line. For some reason the man page doesn't reveal this secret:

date -d @1241958464

If you have the epoch seconds in hex, use this on linux:

echo $((0x4f91d6f8)) | xargs -I## date -d @##

The same thing is much easier on OS X:

date -r 0x4f91d6f8

Friday, May 8, 2009

Setting up a Samsung F480 for Gmail IMAP and SMTP

Set up one of these recently. Google's instructions are pretty good but I thought I'd document specifically for this phone:


  • Enable IMAP in gmail settings
  • Incoming settings:

    • IMAP4 server: imap.gmail.com
    • Port: 993
    • Security type: SSL (always)

  • Outgoing settings:

    • SMTP server: smtp.gmail.com
    • Port: 465
    • Secure connection: SSL

  • APOP login: No
  • My address: myname@gmail.com
  • Use SMTP auth: Yes
  • Same as POP3/IMAP4: Yes

The openssl client came in handy for checking the google certificates, which for some reason are signed by their own ca:

openssl s_client -connect smtp.gmail.com:465 -showcerts

Friday, May 1, 2009

Creating certificates for ldaps on windows 2003 server using openssl CA


/usr/lib/ssl/misc/CA.sh -newca
(Set a password for the CA)

/usr/lib/ssl/misc/CA.sh -newreq
(Set a password for the key for this cert)

/usr/lib/ssl/misc/CA.sh -sign
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out keyandcert.p12
(Consolidate key and cert into single file, protect with 'import password')


Then test cert is valid with:

openssl pkcs12 -in keyandcert.p12 -noout -info
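Added example, not the post's own commands: the same four CA.sh steps done with plain openssl, followed by the checks from the "Verify ssl certificates and keys" post above (chain verification, key/cert match, purpose, expiry, and that the .p12 really carries the key). The hostname computername.mydom.com is the one used later in this post; the CA name, passwords, lifetimes and the extensions file are assumptions of the example. The extensions matter: a server certificate for a Windows LDAPS listener needs the Server Authentication EKU, and clients expect the DC's FQDN in subjectAltName.

```shell
#!/bin/sh
# Added example, not from the original post: build a CA and an LDAPS server
# certificate with plain openssl, then verify the result.
set -eu

# Create CA + server cert for host $2 in directory $1 (passwords are made up).
make_ldaps_certs() {
    dir=$1; host=$2
    mkdir -p "$dir"

    # 1. CA key and self-signed CA certificate (the CA.sh -newca step)
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/CN=Example Lab CA" -passout pass:capass \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

    # 2. Server key and certificate request (the CA.sh -newreq step)
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -subj "/CN=$host" -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null

    # Extensions a Windows LDAPS listener needs: serverAuth EKU and the FQDN as SAN
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

    # 3. Sign the request with the CA (the CA.sh -sign step)
    openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -passin pass:capass -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/server.ext" -out "$dir/newcert.pem" 2>/dev/null

    # 4. Bundle key, cert and CA into one PKCS#12 for the Windows import wizard
    openssl pkcs12 -export -in "$dir/newcert.pem" -inkey "$dir/newkey.pem" \
        -certfile "$dir/cacert.pem" -passout pass:importpass -out "$dir/keyandcert.p12"
}

# Checks from the "Verify ssl certificates and keys" post. Returns 0 only if all pass.
check_ldaps_certs() {
    dir=$1; host=$2
    # a. the cert chains to our CA and is usable as an SSL server cert
    openssl verify -purpose sslserver -CAfile "$dir/cacert.pem" "$dir/newcert.pem" >/dev/null || return 1
    # b. key and cert belong together: the public keys must be identical
    k=$(openssl pkey -in "$dir/newkey.pem" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$dir/newcert.pem" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ] || return 1
    # c. Server Authentication EKU and the expected FQDN are present
    openssl x509 -in "$dir/newcert.pem" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$dir/newcert.pem" -noout -text | grep -q "DNS:$host" || return 1
    # d. not expiring within the next 30 days
    openssl x509 -in "$dir/newcert.pem" -noout -checkend 2592000 >/dev/null || return 1
    # e. the .p12 opens with the import password and actually contains the private key
    openssl pkcs12 -in "$dir/keyandcert.p12" -passin pass:importpass -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || return 1
}

# Stand-alone use:  ./ldaps_ca.sh /tmp/ldapsca computername.mydom.com
if [ "$#" -eq 2 ]; then
    make_ldaps_certs "$1" "$2" && check_ldaps_certs "$1" "$2" && echo "all checks passed for $2"
fi
```

The key/cert comparison in step (b) is the check to reach for when a server keeps serving the wrong certificate: if the public key in the cert does not hash to the same value as the public key derived from the private key, the two files were never a pair, whatever their names say.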

Import CA cert:

  • Start | Run | mmc
  • Add snap-in Certificates
  • Right click on Trusted Root Certificates | All tasks | Import | Choose the CA certificate: demoCA/cacert.pem | Choose Trusted Root CA store
  • Find the certificate in the Trusted Root CA store | Right click | Properties | Enable only the following: untick everything except Server Authentication and Client Authentication

Import server cert:

  • Right click on Personal Certificates | All tasks | Import | Choose the server certificate: keyandcert.p12 | Enter private key password, mark as exportable | Choose Personal store
  • Find the certificate in the Personal store | Double-click | Ensure the certificate dates are correct and the phrase "You have a private key that corresponds to this certificate" is present on the General tab.

Test with python (install the CA cert in a directory first):

import ldap

# Trust only our own CA when validating the DC's certificate
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "/etc/ssl/cacert.pem")
# Maximum debug output from the underlying libldap, useful when the handshake fails
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)

l = ldap.initialize("ldap://computername.mydom.com")
# Upgrade the plain LDAP connection to TLS; raises if the server cert does not verify
l.start_tls_s()

This should return successfully. If not, turn up the schannel logging level on the windows box by setting the eventlogging key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging = 0x4

Then re-try the python code. You should see the following events from schannel in the event viewer:

  • Creating an SSL server credential
  • Server credential has following properties....
  • An SSL server handshake completed successfully

The Microsoft HOWTO for doing this is pretty poor. It says all you need to do is install the certificates and reboot, then the DC will be listening on the ldaps port (tcp 686). In fact, a reboot is *not* required to get TLS working on the regular ldap port using start_tls as above, and even if you reboot the DC won't listen on port 686. I have trawled the net and can't find any other instructions for how to get ldaps listening.

I hate this windows black magic voodoo shit where debugging is practically impossible, error messages are completely uninformative, and rebooting is the cure for everything.

Update: If you need to update expired certificates, that does require a reboot. Deleting the old certs and restarting the certificate service doesn't cut it. To debug you can run a packet capture and look at the 'server hello' in wireshark; it parses the whole certificate so you can see what you are serving.