Posts

Showing posts from 2015

Configuring Wildfly for HTTPS in a post Poodle world

If you have ever run into “ssl_error_no_cypher_overlap” errors trying to configure Wildfly to use HTTPS, then you have probably cursed the lack of decent documentation for configuring Wildfly now that browsers have disabled a lot of insecure SSL cyphers. This is how I got around the problem.

First you need a self-signed key. This can be created with the command:

keytool -genkey -alias mycert -keyalg RSA -sigalg SHA256withRSA -keystore my.jks -storepass secret  -keypass secret -validity 9999

Then you need to configure Wildfly to accept a list of known cyphers. Mozilla has a nice list of cypher codes for high security, compatibility etc at https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility.

The problem is that this list has the OpenSSL key names, and Wildfly needs the RFC names. So you need to map one to the other using the table at https://testssl.sh/openssl-rfc.mappping.html.

What I ended up with was this list, defined in an enabled-cipher-suites attribute. This list i…

Authenticating via Kerberos with Keycloak and Windows 2008 Active Directory

The following instructions show you how to configure Keycloak with Windows AD in order to use Kerberos authentication.

Assumptions

The Kerberos realm is VIRTUAL.LOCAL
The hostname used to access Keycloak is virtual.local. This just means we are running Keycloak on the domain controller. In production virtual.local will be replaced with something like keycloak.dev.virtual.local, giving you a SPN of HTTP/keycloak.dev.virtual.local@VIRTUAL.LOCAL

Configuration

Create a Windows domain account called Keycloak.
Run the following command to assign a SPN to the user and generate a keytab file:

ktpass -out keycloak.keytab -princ HTTP/virtual.local@VIRTUAL.LOCAL -mapUser Keycloak@VIRTUAL.LOCAL -pass password1! -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Verify the SPN has been assigned to the user with the command:

setspn -l Keycloak

Configure the LDAP settings in Keycloak like this. Since we are running Keycloak on the domain controller, we reference LDAP via the local …

Remember me not - avoiding the Australian metadata dragnet with Tor and Asus

So it is official. As an internet user in the great country of Australia my actions online are now tracked and recorded by the government. And that doesn't sit so well with me.

But rather than complain, I decided to take action and install an Asus RT-N66U router as the gateway on my home network. The router had generally positive reviews online, but I was mostly interested in the fact that it supported third party firmware, like the popular ones provided by a developer calling himself Merlin.

One of the big benefits provided by third party firmware releases is that you get early access to some cool new features. One such feature that caught my eye was the introduction of Tor into the router.
I have used Tor sporadically in the past. While I have to commend the Tor developers for making it easy to install Tor and browse anonymously, the reality is that running an additional piece of software was kind of a pain. It was a mental jump to go from "always online" to "firs…

Fixing OpenVPN "Authenticate/Decrypt packet error: cipher final failed"

When connecting to a VPN I was constantly getting the error

Mar  8 09:29:27 openvpn[1696]: Authenticate/Decrypt packet error: cipher final failed

I had imported the supplied ovpn file and had followed all the other configuration steps, so this was quite frustrating. Then I saw this in the logs:

Mar  8 09:31:07 openvpn[1790]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'

Changing my client to use "cipher AES-256-CBC" instead of the default (which apparently was cipher BF-CBC) fixed the issue.