Sunday, August 25, 2013
Revocation Checking
The process of revocation invalidates a certificate before the end of its validity period, using one of the revocation reason codes mentioned in the previous section. A Microsoft CA publishes certificate status information in the form of CRLs (Windows Server 2008 and later also ship an Online Responder role service that answers OCSP requests). Third-party products use this information to provide revocation status in other formats such as OCSP, SCVP and XKMS.
Before checking the revocation status of a certificate, a client must first check that the certificate is trusted and time-valid. Every issued certificate has a defined period in which the issuing CA will vouch for its validity. The validity period is defined by two fields in the issued certificate:
- NotBefore. This field defines the date and time on which the certificate's validity period begins.
- NotAfter. This field defines the last date on which the certificate is considered valid by the issuing CA. The NotAfter date will never be set to a date later than the NotAfter date defined in the issuing CA's certificate.
If CRL-based status checking is used and the certificate is time-valid, the presented certificate is examined for a CRL Distribution Point (CDP) extension. The CDP extension indicates both the protocol used to retrieve the CRL (HTTP, FTP, LDAP or FILE) and the location where the CRL is stored, expressed as a URL.
Using this information, CryptoAPI first searches the local certificate stores and the local cache for a CRL signed by the issuer (the Certification Authority) of the certificate being validated. A cached copy of a current CRL is always used, as long as it is still valid, rather than downloading the same CRL again. The following logic is used to evaluate the CRL:
- If a CRL is found, and the certificate's serial number is listed in this CRL then the certificate will be considered revoked.
- If the CRL has expired and the certificate is listed in it with any reason other than certificate hold, the certificate is considered revoked and no attempt is made to retrieve a new CRL.
- If the certificate is not listed in the CRL, or the revocation reason is certificate hold, then a new CRL will be retrieved from the URLs listed in the certificate's CDP. The new CRL is fetched only if it is past the NextUpdate field in the currently held CRL. The new CRL is checked to determine if the certificate is revoked. If the original reason was certificate hold, the CRL is checked to determine if the certificate is unrevoked by looking for the remove from CRL revocation code.
- If no CRL can be obtained, the client reports a "server offline" error: CryptoAPI returns CRYPT_E_REVOCATION_OFFLINE ("The revocation function was unable to check revocation because the revocation server was offline"), and the certificate is not accepted unless the application explicitly tolerates that condition.
How to Publish the CRL on a Separate Web Server
CRL CDP publication
To publish the CRL
- On the computer running AD CS, click Start, point to Administrative Tools, and then click Certification Authority.
- In the console tree, double-click the CA name, right-click Revoked Certificates, point to All Tasks, and then click Publish.
- If prompted, click New CRL, and then click OK.
- Click Start, type \\IisServer\SharedFolder$, and then press ENTER.
- In the SharedFolder$ window you should see two CRL files: CAName.crl (the base CRL) and CAName+.crl (the delta CRL; the trailing "+" is how a Windows CA names delta CRLs).
Saturday, August 24, 2013
EffectiveDate (thisupdate), NextUpdate and NextCRLPublish
The validity period of a certificate revocation list (CRL) is critical for every public key infrastructure. By default, most applications verify the validity of certificates against a CRL.
Two CRL types exist: base CRLs and delta CRLs. Where no delta CRL is used, certificates are treated as invalid if the base CRL is not available or has expired. If a delta CRL is in use, both the delta and the base CRL must be available and valid for certificate verification to succeed.
The information in this article applies to both base CRL and delta CRL generation.
When you look at a CRL, there is information about the Next update, the Next CRL Publish and the Effective date of the CRL. The term Effective date is used in the Windows certificate dialog, while certutil.exe and the RFC name this field thisUpdate.
- Effective Date (aka thisUpdate) - The date on which the CRL became effective. By default the effective time is set to 10 minutes before the publication time (the CA's ClockSkewMinutes setting) to allow for clock synchronization issues between the CA and the clients.
- Next CRL Publish - This non-critical CRL extension indicates the date and time at which a Windows CA will publish a new CRL. When a Windows computer uses a CRL for certificate verification it also examines the Next CRL Publish extension. If the Next CRL Publish date is already in the past, it connects to the CRL distribution points referenced in the certificate and attempts to download a newer CRL. Note: if the CRL is locally cached, the download of a new CRL may under certain conditions be skipped even though the Next CRL Publish date is already in the past. For more information, see http://technet.microsoft.com/en-us/library/ee619723(v=ws.10).aspx. The time after Next CRL Publish and before Next Update is a buffer that lets Windows computers retrieve a new CRL before the current one has actually expired.
- Next Update - The date and time that a Windows client treats as the expiration of the CRL. From an operational viewpoint this is the most critical value: once this date passes, Windows computers can no longer determine the revocation status of certificates checked against this CRL and treat them as invalid.
Now we know the CRL attributes that control the CRL validity. The question is how these dates are calculated by a Windows CA. Read on to find out!
Under the Certification Services configuration key in the registry, two values control the overlap period for the base CRL and two more define the overlap period for delta CRL creation:
HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>
CRLOverlapPeriod=REG_SZ:Hours|Minutes
CRLOverlapUnits=REG_DWORD:0x0
CRLDeltaOverlapPeriod=REG_SZ:Hours|Minutes
CRLDeltaOverlapUnits=REG_DWORD:0x0
You can verify the settings for the above registry values on your CA computer with the following commands:
certutil -getreg CA\CRLOv*
certutil -getreg CA\CRLDeltaOv*
If the registry values are set and valid, the overlap period for a base or delta CRL is initially calculated by the CA as (the Units value is the count, the Period value is the unit it is counted in):
OverlapPeriod = CRLOverlapUnits * CRLOverlapPeriod
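The two posts above describe one decision procedure from two angles: the "Revocation Checking" post gives the reason-code logic (listed, certificate hold, remove from CRL, CRL unobtainable) and this post gives the three timestamps that decide when a cached CRL is still usable and when a newer one is fetched. The following is an added example, not code from the page or from Microsoft; it models that procedure with plain Python objects instead of parsing real X.509 CRLs. The CA name, serial numbers and timestamps are constructed sample data, the CRL period and overlap values are assumed, and the `fetch` callable stands in for the download from the certificate's CDP URLs.

```python
"""Model of the Windows CRL decision logic described in the posts above.

Added example, not code from the page or Microsoft: it reproduces the
decisions with plain Python objects rather than parsing real X.509 CRLs.
Reason codes follow RFC 5280 CRLReason numbering; Next CRL Publish is the
Microsoft-specific extension from the second post and may be absent.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, Optional

CERTIFICATE_HOLD = 6   # CRLReason certificateHold
REMOVE_FROM_CRL = 8    # CRLReason removeFromCRL: the hold has been lifted


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    ON_HOLD = "certificate hold"
    OFFLINE = "revocation server offline"   # no usable CRL at all


@dataclass
class CRL:
    issuer: str
    this_update: datetime                        # Effective date
    next_update: datetime                        # expiry as the client sees it
    next_crl_publish: Optional[datetime] = None  # when the CA publishes the next CRL
    entries: Dict[int, int] = field(default_factory=dict)  # serial -> CRLReason

    def is_valid_at(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update

    def refresh_due(self, now: datetime) -> bool:
        # A newer CRL is attempted once Next CRL Publish has passed, although
        # the cached copy stays usable until next_update (the buffer window).
        if self.next_crl_publish is not None and now >= self.next_crl_publish:
            return True
        return now >= self.next_update


def check_status(serial: int, cached: Optional[CRL], now: datetime,
                 fetch: Callable[[], Optional[CRL]]) -> Status:
    """Decide one certificate's status; `fetch` stands in for the CDP download
    and returns None when every distribution point is unreachable."""
    on_hold = False
    if cached is not None:
        reason = cached.entries.get(serial)
        if reason is not None and reason not in (CERTIFICATE_HOLD, REMOVE_FROM_CRL):
            # Listed with a definitive reason: revoked even if the cached CRL
            # has expired, and no download is attempted.
            return Status.REVOKED
        on_hold = reason == CERTIFICATE_HOLD

    crl = cached
    if crl is None or on_hold or crl.refresh_due(now):
        fresh = fetch()
        if fresh is not None and fresh.is_valid_at(now):
            crl = fresh
        elif crl is None or not crl.is_valid_at(now):
            return Status.OFFLINE   # nothing valid cached, nothing retrievable
        # else: download failed inside the buffer window; keep the cached CRL

    reason = crl.entries.get(serial)
    if reason is None or reason == REMOVE_FROM_CRL:
        return Status.GOOD
    return Status.ON_HOLD if reason == CERTIFICATE_HOLD else Status.REVOKED


# Constructed sample data, not taken from a real CA.
T0 = datetime(2013, 8, 24, 12, 0, tzinfo=timezone.utc)  # publish time
CLOCK_SKEW, CRL_PERIOD, OVERLAP = timedelta(minutes=10), timedelta(days=1), timedelta(hours=2)
SERIAL_REVOKED, SERIAL_HELD, SERIAL_CLEAN = 0x1001, 0x1002, 0x2000
CACHED = CRL("Contoso Issuing CA", this_update=T0 - CLOCK_SKEW,
             next_update=T0 + CRL_PERIOD + OVERLAP, next_crl_publish=T0 + CRL_PERIOD,
             entries={SERIAL_REVOKED: 1, SERIAL_HELD: CERTIFICATE_HOLD})  # 1 = keyCompromise


def cdp_unreachable() -> Optional[CRL]:
    return None


def cdp_serves_newer() -> Optional[CRL]:
    # The next CRL, in which the CA has lifted the hold on SERIAL_HELD.
    return CRL("Contoso Issuing CA", T0 + CRL_PERIOD - CLOCK_SKEW,
               T0 + 2 * CRL_PERIOD + OVERLAP, T0 + 2 * CRL_PERIOD,
               {SERIAL_REVOKED: 1, SERIAL_HELD: REMOVE_FROM_CRL})


def scenarios() -> Dict[str, Status]:
    """Run the decision procedure through the cases the posts describe."""
    fresh = T0 + timedelta(hours=1)                  # before Next CRL Publish
    buffer = T0 + CRL_PERIOD + timedelta(hours=1)    # past Next CRL Publish, before Next Update
    expired = T0 + CRL_PERIOD + OVERLAP + timedelta(hours=1)
    return {
        "clean serial, fresh cache": check_status(SERIAL_CLEAN, CACHED, fresh, cdp_unreachable),
        "revoked serial, fresh cache": check_status(SERIAL_REVOKED, CACHED, fresh, cdp_unreachable),
        "held serial, CDP down": check_status(SERIAL_HELD, CACHED, fresh, cdp_unreachable),
        "held serial, newer CRL lifts hold": check_status(SERIAL_HELD, CACHED, buffer, cdp_serves_newer),
        "clean serial, buffer window, CDP down": check_status(SERIAL_CLEAN, CACHED, buffer, cdp_unreachable),
        "clean serial, cache expired, CDP down": check_status(SERIAL_CLEAN, CACHED, expired, cdp_unreachable),
        "revoked serial, cache expired, CDP down": check_status(SERIAL_REVOKED, CACHED, expired, cdp_unreachable),
        "no cache, CDP down": check_status(SERIAL_CLEAN, None, fresh, cdp_unreachable),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:42} -> {status.value}")
```

The operationally interesting rows are the last four: a CDP outage inside the buffer window between Next CRL Publish and Next Update is harmless, the same outage after Next Update turns every unlisted certificate into a "revocation server offline" failure, while a certificate already listed with a definitive reason stays revoked no matter how stale the cached CRL is.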
Sunday, June 16, 2013
HTTP Requests in Android
This code executes an HTTP POST request with org.apache.http.client.HttpClient. It could be used in combination with "Non-Blocking Web Requests", since network calls must not run on the UI thread. Two caveats: the example URL is plain http://, so the posted fields travel in clear text and should go over https:// in anything real; and the org.apache.http classes were deprecated in Android API 22 and removed from the default classpath in API 23, so newer code should use HttpURLConnection or a maintained client library instead.
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;

import android.util.Log;

public void postData() {
    // Create a new HttpClient and POST request (use an https:// URL for real traffic)
    HttpClient httpclient = new DefaultHttpClient();
    HttpPost httppost = new HttpPost("http://www.yoursite.com/script.php");
    try {
        // Add your data as application/x-www-form-urlencoded fields
        List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(2);
        nameValuePairs.add(new BasicNameValuePair("id", "12345"));
        nameValuePairs.add(new BasicNameValuePair("stringdata", "Cool"));
        httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
        // Execute HTTP POST request; this blocks, so call it off the UI thread
        HttpResponse response = httpclient.execute(httppost);
    } catch (ClientProtocolException e) {
        Log.e("postData", "HTTP protocol error", e);
    } catch (IOException e) {
        Log.e("postData", "I/O error talking to the server", e);
    }
}
Reading response:
Setting up the Android Emulator for HTTP debugging using Fiddler2
Launch the emulator with the proxy parameter (Fiddler listens on 127.0.0.1:8888 by default). To see decrypted HTTPS traffic the emulator image must additionally trust Fiddler's root certificate, which is a test-only configuration and should never be carried over to a device you actually use:
emulator -avd my_avd -http-proxy 127.0.0.1:8888
http://www.android-proxy.com/2011/11/may-force-be-with-you-use.html
Finding proxy:
DefaultHttpClient httpclient = new DefaultHttpClient();
// Settings.Secure.HTTP_PROXY holds "host:port" when the emulator was started with -http-proxy
// (deprecated since API 17 in favour of Settings.Global.HTTP_PROXY)
String proxyString = Settings.Secure.getString(getApplicationContext().getContentResolver(), Settings.Secure.HTTP_PROXY);
if (proxyString != null)
{
    String proxyAddress = proxyString.split(":")[0];
    int proxyPort = Integer.parseInt(proxyString.split(":")[1]);
    HttpHost proxy = new HttpHost(proxyAddress, proxyPort);
    // Route this client's requests through the configured proxy
    httpclient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
}
Wednesday, May 22, 2013
Bcrypt. Storing passwords.
http://dustwell.com/how-to-handle-passwords-bcrypt.html
More on this:
http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database
http://stackoverflow.com/questions/420843/how-does-password-salt-help-against-a-rainbow-table-attack
http://stackoverflow.com/questions/568657/is-it-ever-ok-to-store-password-in-plain-text-in-a-php-variable-or-php-constant
http://stackoverflow.com/questions/674904/salting-your-password-best-practices
http://stackoverflow.com/questions/270485/password-management-best-practices-soup-to-nuts-not-just-storage-or-generation
http://stackoverflow.com/questions/258299/what-is-the-best-way-to-keep-passwords-configurable-without-having-them-too-eas
http://stackoverflow.com/questions/947618/how-to-best-store-user-information-and-user-login-and-password
http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
http://en.wikipedia.org/wiki/Rainbow_table
http://en.wikipedia.org/wiki/Salt_(cryptography)
.NET related:
http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage
http://msdn.microsoft.com/ru-ru/library/system.security.cryptography.sha256.aspx
http://stackoverflow.com/questions/4329909/hashing-passwords-with-md5-or-sha-256-c-sharp
http://www.codeproject.com/Articles/475262/UseplusBCryptplustoplusHashplusYourplusPasswords-3
http://stackoverflow.com/questions/5393803/can-someone-explain-how-bcrypt-verifies-a-hash
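The linked articles argue for three things: a random salt per user, a deliberately slow hash whose cost can be raised over time, and never storing or comparing plain hashes. The following is an added example, not code from the page or from any of the linked answers. The post's recommendation is bcrypt, which is not in Python's standard library, so this uses PBKDF2-HMAC-SHA256 from hashlib to show the same storage pattern; in production swap `hashlib.pbkdf2_hmac` for the `bcrypt` package's `hashpw`/`checkpw` and the surrounding logic is unchanged. The `algorithm$iterations$salt$digest` record format, the iteration count and the test password are choices made for this example.

```python
"""Salted, cost-parameterised password storage (added example, not from the
page or the linked articles).  The post's recommendation is bcrypt, which is
not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib is used
here to show the same pattern: random per-user salt, a work factor stored
beside the hash, constant-time verification, and re-hashing when the policy
tightens.  In production swap hashlib.pbkdf2_hmac for the `bcrypt` package's
hashpw/checkpw; the surrounding logic is unchanged."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor: raise it as hardware gets faster
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"   # record label chosen for this example


def weak_hash(password: str) -> str:
    """What the linked MD5/SHA-256 questions warn against: one unsalted hash.
    Equal passwords give equal digests, so one precomputed (rainbow) table
    or one cracked user exposes every account with that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest,
    so the verifier can recover the parameters used at hashing time."""
    salt = os.urandom(SALT_BYTES)               # fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:        # malformed record: wrong field count, bad base64 or int
        return False
    # hmac.compare_digest does not stop at the first differing byte, so the
    # response time does not leak how much of the digest matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower work factor than current
    policy; call it after a successful login and store hash_password() anew."""
    parts = stored.split("$")
    return parts[0] != ALGORITHM or int(parts[1]) < iterations


def login(password: str, stored: str, iterations: int = ITERATIONS):
    """Verify and, on success, transparently upgrade an under-cost record.
    Returns (ok, record_to_store)."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, iterations):
        return True, hash_password(password, iterations)
    return True, stored
```

Storing the cost inside the record is what makes the upgrade path work: old rows keep verifying with the parameters they were written with, and `login` replaces them with a stronger record the next time the user authenticates, which is exactly how bcrypt's `$2b$12$...` prefix is used.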
Monday, May 6, 2013
SOAP client lib in Python
"suds has been the most reliable even though it hasn't been updated since 2010 or so.
SOAPpy hasn't been updated since 2011, but it works fairly well too"
Ten websites that teach coding and a bunch of other things (via Pando Daily)
By Cale Guthrie Weissman, April 5, 2013. Seemingly every day there’s a new article or blog post imploring you to learn how to code. “Those who code have the power to transform their dreams into reality.” “Coding will help you keep [your job], or help you make a case for a raise.” “You should…
Friday, March 1, 2013
Intermittent TimeoutException: The request channel timed out while waiting for a reply after 00:01:00 in WCF web service
I had been experiencing this bug for a fairly long time without any success in reproducing it.
Setting sendTimeout to more than the default 1 minute was not an option, because this obviously was not an execution-time problem. So, as I described in the previous post about WCF diagnostics, I analysed the logs and found out that the response was actually sent from the server towards the client, which the client somehow failed to receive. How is that? After pondering the problem for some time I just modified the number of simultaneous client connections.
This resolved the issue, but soon after it became clear that I had been looking in the wrong direction: another two methods clogged the channel, which led to the above-mentioned methods' timeout.
Some links which might be helpful:
http://stackoverflow.com/questions/981475/wcf-timeout-exception-detailed-investigation
http://www.codeproject.com/Articles/36031/WCF-Tracing-FAQs
http://www.codeproject.com/Articles/420538/Simple-steps-to-enable-tracing-in-WCF
Thursday, February 28, 2013
WCF Tracing
This link explains most of the trace levels: WCF Tracing FAQ
Add the following sections to server config
And corresponding params to system.serviceModel as well.
All the explanatory notes on params may easily be found in MSDN.
Wednesday, February 27, 2013
Using map() in Python 3
A: python 2.6:
>>> map(chr,[66,53,0,94])
['B', '5', '\x00', '^']
However, on 3.1, the above returns a map object.
B: python 3.1:
>>> map(chr,[66,53,0,94])
<map object at 0x00AF5570>
To return a list in Python 3 the following should be used:
list(map(chr,[66,53,0,94]))
Thursday, February 21, 2013
Accessing class from another module in Ruby on Rails
Modules kept in custom directories are not autoloaded by default in a Ruby on Rails application.
Some hints on how to use a class from another module.
1. To make a module autoloadable, uncomment the corresponding line in config/application.rb (it ships commented out) and point it at the directory holding the module:
# Custom directories with classes and modules you want to be autoloadable.
# config.autoload_paths += %W(#{config.root}/extras)
2. Refer to the class by its fully qualified name, with "::" before the class (a leading "::" forces lookup from the top-level namespace).
3. Include the module in the code where the class is to be used.
Certificate errors when using RVM to install Ruby
Fixing $PATH:
http://www.troubleshooters.com/linux/prepostpath.htm
Curl Certificate Error when Using RVM to install Ruby 1.9.3
Trying to install RVM on Mac OS X (Leopard) with any of these (the process substitution is bash's "< <(...)" form):
bash < <(curl https://raw.github.com/ajiwo/rvm/targtar/binscripts/rvm-installer)
bash < <(curl -s https://rvm.beginrescueend.com/install/rvm)
bash < <(curl -s raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
curl -L get.rvm.io | bash -s stable
Got this message:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The message might also be:
Downloading RVM from wayneeseguin branch stable
Could not download 'https://github.com/wayneeseguin/rvm/tarball/stable'.
Make sure your certificates are up to date as described above.
To continue in insecure mode run 'echo insecure >> ~/.curlrc'.
From here:
http://stackoverflow.com/questions/6414232/curl-certificate-error-when-using-rvm-to-install-ruby-1-9-2
http://stackoverflow.com/questions/8612067/rvm-installation-fails
More on this:
DigiCert Trusted Root Authority Certificates: https://www.digicert.com/digicert-root-certificates.htm
https://github.com/mxcl/homebrew/issues/6103
Certificate fix # 1:
Download the current CA bundle from http://curl.haxx.se/ca/cacert.pem and merge it into a new curl-ca-bundle-new.crt file; afterwards put the new bundle in place of the one curl uses (that is what the backup step below is for). This keeps certificate verification enabled, unlike the "insecure" workarounds further down.
To find the location of the bundle curl was built with, use:
$ curl-config --ca
/usr/share/curl/curl-ca-bundle.crt
Back up your curl-ca-bundle.crt file:
$ cp /usr/share/curl/curl-ca-bundle.crt /usr/share/curl/curl-ca-bundle.crt.old
Then concatenate the two files using:
$ cat cacert.pem /usr/share/curl/curl-ca-bundle.crt >> curl-ca-bundle-new.crt
Certificate fix # 2:
If you do not want to change the script AND you do not want to add a certificate to the bundle permanently, there is a very nice and quick solution. It also keeps verification on: it only tells curl which trust anchors to use, and only for the current shell.
#to download the cert bundle (this fetch is itself over plain HTTP, so prefer https:// for it where available; otherwise the trust anchors you are about to install could be swapped in transit)
wget -O ~/cacert.pem http://curl.haxx.se/ca/cacert.pem
#to let curl use it for the next calls
export CURL_CA_BUNDLE=~/cacert.pem
Then run your script. To reset the environment variable (for subsequent script calls that should not use this bundle) re-login to your system or unset it:
unset CURL_CA_BUNDLE
Certificate fix # 3
Explanation:
The version of libcurl provided with Mac OS X Leopard has outdated SSL certificates. This can cause problems when running commands that use Git to fetch over HTTPS.
You can force Git to ignore these errors by setting GIT_SSL_NO_VERIFY. Be aware that this is a bypass, not a fix: Git then accepts any certificate, so anyone on the network path can serve you a tampered repository. Set it only for the single command that needs it and do not leave it exported in your shell profile.
export GIT_SSL_NO_VERIFY=1
Quick and dirty, what had worked for me before the certificate fix:
Option 1: Execute
echo insecure >> ~/.curlrc
if the above mentioned errors occurs in any of the installation steps.
Option 2:
$ curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer > foo.sh
$ chmod 755 foo.sh
Add -k to the curl command as in this:
if curl -Lk https://github.com/${_repo}/rvm/tarball/${_branch} -o ${rvm_archives_path}/${_repo}-rvm-${_branch}.tgz
Then run the script:
$ ./foo.sh --branch stable