.tax me! [de]

Who would have thought that someone in the tax administration has a spark of wit? I just registered for Elster-Online and was rather delighted by the file extensions they consistently use in their URL paths. For example:

https://www.elsteronline.de/eportal/eop/auth/Registrierung.tax

And that the people there know enough English at all? That alone is worth an Oettinger! I would almost pay my taxes gladly, or rather, get some of them back.

But seriously: at first glance this site, and its security concept, make a thoroughly mature impression. There are not even external tracking codes or other third-party scripts in it. I'm curious what else awaits me…

Allvais wis ze Görmaans: Edward Snowden Edition [en]

So the NDR (a branch of Germany’s public broadcasting service ARD) got to interview Edward Snowden — exclusive stuff apparently. And whom do they send to talk to him? Some nitwit called Hubert Seipel, whose English sounds like a combination of the Simpsons’ Rainier Wolfcastle and Bond-villain Maximilian Largo.

I don’t know much about that man’s eligibility otherwise, but just trying to listen to the first 3 minutes of the interview made me grind my teeth. Harsh stuff. Seriously.

Would I do better myself? Hell no! But neither would I dare to take upon me such a task. Doesn’t the ARD have any qualified staff at all? What am I paying my mandatory fees for, anyway?

Ranting about superficial bullshit aside, I hear the actual contents of the interview are rather disappointing themselves. Well, I guess I’ll have to bite the bullet and watch the whole interview, if I want to find out for myself…

Savage [en]

I’m more and more becoming a fan of Dan Savage. He’s one of those guys who constantly manage to point out the nuisance of religion without being a total dick about it.

That may be, because instead of just weighing in on abstract, philosophical questions, he actually does something good for society. He’s an LGBT activist and initiator of the It Gets Better Project, an organization that helps prevent suicide among young people with “non-traditional” sexuality. Also, he is the guy who brought us Santorum.

Last night, Dan Savage was on Bill Maher’s show, and the two were talking about the recent legalization of gay marriage in Hawaii:

Maher:
Their catholic bishop there […] says something about how children who are […] adopted by gay parents have a greater chance of committing suicide. That must be bullshit, right?

Savage:
That’s total bullshit. He’s confusing children with gay parents with children who were raped by catholic priests.

Maher:
Uuuuuh!

Savage:
Sorry, I’m just done being lectured about children and their safety by catholic fucking bishops, priests, cardinals, …

[…]

Savage:
I hate to always go there, but they don’t have moral high-ground when they talk about the welfare and safety of children. They just don’t! They have squandered that on the tips of their dicks.

Here comes Gentrification [en]

Just stumbled upon an old NY-Times article about good old Glockenbachviertel in Munich. The article is from 2006, and I must say that the foreign author grasped the essence of this quarter quite well.

Of course, things have changed since back then. Cool places have moved away (X-cess) or even shut down completely (KuK). Others, like Trachtenvogel or Netzer, have been mutilated by bourgeois neighbors and consecutive municipal restrictions.

Moreover, the Glockenbachviertel has been overrun by hordes of zombie hipsters – and rich IT-folks like myself have been taking over the residential properties. There goes the neighborhood!

OpenSSL CLI-Cheat-Sheet [en]

The OpenSSL library is utilized by a wide range of other open-source projects, like web-servers, mail-servers, VPN-servers, etc. When dealing with such software and SSL, it often proves useful to be familiar with the openssl command-line tools.

Of course, OpenSSL does have great man-pages, and a quick web-search reveals plenty of usage examples. However, OpenSSL is packed with features, and I often struggle to find just the information I need. Hence this cheat-sheet of openssl calls that I personally find useful…

Displaying Certificate Information

Once you have a certificate file (e.g. downloaded from an HTTPS website or created with the commands described below), you’ll likely want to check what it says. You can display it in human-friendly form and check its fingerprints with the following commands:

openssl x509 -noout -text -in meeque.crt
openssl x509 -noout -fingerprint -sha1 -in meeque.crt
openssl x509 -noout -fingerprint -md5 -in meeque.crt

This corresponds to the certificate information displayed by popular web-browsers, when you ask them to display details of an SSL-connection.

Likewise you can display the contents of a certificate-signing-request (CSR):

openssl req -noout -text -in meeque.csr

Creating a Certificate Signing Request

To obtain an SSL-Certificate you first need a certificate-signing-request (CSR), which you can then submit to a certification authority, like CAcert. Create a new CSR and a matching private-key like so:

openssl req -newkey rsa:4096 -keyout meeque.key.enc -out meeque.csr

By default, this command interactively asks for all the information you want to include in the certificate along the way (e.g. the components of the distinguished name such as domain name, organisation name, etc.).

It also asks for a passphrase to protect the private-key with. You can later remove such a passphrase with the following command:

openssl rsa -in meeque.key.enc -out meeque.key

(Depending on one’s security needs, this can be useful, since it facilitates server-restarts without user-interaction. However, keep non-encrypted private-keys extra safe!)

Creating a Self-Signed Certificate

When you need a certificate for test-purposes only, you probably don’t want to involve a certification authority. Instead, you want to sign the certificate yourself. Based on above CSR and private-key it works like this:

openssl x509 -req -days 365 -extensions v3_req -in meeque.csr -signkey meeque.key -out meeque.self.crt

Tackling Multi-Domain-Certificates

One aspect that cannot be handled on the command line easily is the creation of a multi-domain certificate, or more precisely of the respective CSR. Here you’ll need a custom OpenSSL configuration file with a subjectAltName entry listing all additional domains. Just start with one of the sample config files and add the following lines:

[ v3_req ]
subjectAltName = DNS:meeque.de,DNS:meeque.org,DNS:foo.example.net

When creating your CSR, pass your config file to the command described above. Make sure the [ req ] section of your config also contains the line req_extensions = v3_req (it is commented out in the default sample file), otherwise the subjectAltName entry never makes it into the CSR:

openssl req -config meeque.openssl.cnf -newkey rsa:4096 -keyout meeque.key.enc -out meeque.csr

Note that openssl x509 -req does not copy extensions from the CSR, so for a self-signed multi-domain certificate you also have to pass the config file as -extfile meeque.openssl.cnf next to -extensions v3_req; without -extfile the -extensions option is silently ignored.
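The whole CSR, self-signing and multi-domain procedure above as one unattended script, added here as an example and not taken from the original cheat-sheet. The config file, domain names and file names are constructed placeholders; the script ends by checking that the SANs really ended up in both the CSR and the certificate, and that the certificate matches the private key.

```shell
#!/bin/sh
# Added example, not from the original post: build a multi-domain CSR
# non-interactively, self-sign it, and check that the SANs survived.
# Domains and file names are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Constructed config. req_extensions must name the section holding
# subjectAltName, or the SANs never reach the CSR.
write_config() {
    cat > "$WORK/demo.openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no
[ req_dn ]
CN = demo.example.net
[ v3_req ]
subjectAltName = DNS:demo.example.net,DNS:www.example.net,DNS:foo.example.org
EOF
}
# Key and CSR in one go; -nodes skips the passphrase so this runs unattended.
make_csr() {
    write_config
    openssl req -new -config "$WORK/demo.openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/demo.key" -out "$WORK/demo.csr" 2>/dev/null
}
# 'x509 -req' does not copy extensions from the CSR, so the config is
# handed over again via -extfile to get the SANs into the certificate.
self_sign() {
    openssl x509 -req -days 365 -in "$WORK/demo.csr" -signkey "$WORK/demo.key" \
        -extfile "$WORK/demo.openssl.cnf" -extensions v3_req \
        -out "$WORK/demo.self.crt" 2>/dev/null
}
# Number of DNS names in the SAN extension; $1 = req|x509, $2 = file.
san_count() {
    openssl "$1" -noout -text -in "$2" | grep -o 'DNS:[^,]*' | wc -l | tr -d ' '
}
# Confirm the certificate's public key belongs to our private key.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$WORK/demo.self.crt")" = \
      "$(openssl pkey -pubout -in "$WORK/demo.key")" ]
}
make_csr && self_sign
echo "SANs in CSR: $(san_count req "$WORK/demo.csr")"
echo "SANs in certificate: $(san_count x509 "$WORK/demo.self.crt")"
key_matches_cert && echo "certificate matches private key"
```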

Dealing with Ciphers

Once certificates are in place, you might want to tweak other properties of your SSL connections, e.g. enable or disable certain ciphers. The OpenSSL library uses a rather peculiar cipher list format, which is also used in the config files of various SSL-enabled servers (e.g. Apache’s mod_ssl). Luckily, the openssl command helps you test such cipher lists. The following command takes a textual cipher list and tells you which actual ciphers it resolves to:

openssl ciphers '!ADH:!AECDH:!MD5:HIGH'
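An added example (not part of the original cheat-sheet) that resolves the cipher list above with -v, so each suite shows its key exchange, authentication and MAC, and then audits the result for anonymous (Au=None) and MD5-MAC suites that such a list is usually meant to exclude. The cipher string is the post's own; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: expand a cipher list the way a server config would,
# then check the expansion for properties the list was meant to exclude.
set -eu
CIPHER_LIST='!ADH:!AECDH:!MD5:HIGH'   # the post's own list
# -v prints one suite per line with Kx=, Au=, Enc= and Mac= details.
resolve_ciphers() {
    openssl ciphers -v "$1"
}
# Number of suites the list resolves to.
cipher_count() {
    resolve_ciphers "$1" | wc -l | tr -d ' '
}
# Return 0 when no anonymous or MD5-MAC suite survived, 1 otherwise.
# grep -q exits non-zero when nothing matches, which is the clean case.
audit_ciphers() {
    if resolve_ciphers "$1" | grep -Eq 'Au=None|Mac=MD5'; then
        return 1
    fi
    return 0
}
echo "$CIPHER_LIST resolves to $(cipher_count "$CIPHER_LIST") suites"
audit_ciphers "$CIPHER_LIST" && echo "no anonymous or MD5 suites left"
```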

Testing SSL-Connections

Which leaves us with my new personal favorite: the SSL client command that comes with OpenSSL. It lets you initiate an SSL connection to a given server and port, and dumps plenty of info regarding certificate validation, SSL-handshake, SSL-session, etc. Usage is as simple as this:

openssl s_client -connect meeque.de:443

OpenSSL is also used by the small SSLScan tool. It provides a quick way to check which ciphers a given server supports:

sslscan --no-failed meeque.de:443