Archive
Posts from 2005
StartTLS support for ssl-cert-check
Marco Amrein sent me a StartTLS patch for ssl-cert-check this week. This nifty patch allows ssl-cert-check to query servers that set up the TLS connection after the initial protocol handshake, which can be helpful for checking the certificate expiration on SMTP and POP3 servers: Thanks Marco!
Saving bandwidth with mod_deflate
While playing around with mod_deflate this week, I began to wonder how much bandwidth would be saved by enabling mod_deflate on a busy production site. To get a better idea of the bandwidth savings, I developed deflate-stats.pl: If you are paying for each byte of transit, I highly recommend testing out the awesome mod_deflate module. mod_deflate should be able to speed up rendering time for dial-up users, and could lead to a reduction in monthly circuit costs.
Using StartTLS with HTTP connections
While catching up with some newsgroups today, I came across RFC 2817. This RFC describes HTTP protocol extensions to allow a client and server to initiate a TLS session over an existing connection. This has numerous benefits, and could definitely speed up web-based commerce (e.g., a dedicated secure connection is not required, slow start is avoided, etc.). Now if only the browser developers would implement this…
Bizarre SVM Issue
I had a disk drive fail in one of my machines this week, and used the typical drive replacement procedure (cfgadm / metadevadm / devfsadm) to replace the physical disk. Once the drive was replaced, I attempted to run metareplace to re-synchronize the two sub-mirrors: Eh? For some reason d20 refused to re-synchronize and enter the Okay state, and repeated attempts to use metareplace led to the same behavior. This seemed odd, so I decided to detach d20 and re-attach it with metadetach and metattach: These operations completed successfully, and once the re-synchronization completed, the sub-mirror entered the "Okay" state: I am starting to speculate that this is a bug in metareplace, but wasn't able to pinpoint anything specific on sunsolve…
Protecting rpcbind with tcp_wrappers
While perusing some of the new features in Solaris 10, I saw that rpcbind is now tcp_wrappers aware. This allows you to limit which services can send RPC requests to a server, and can be used to deny all RPC requests except those originating from the host itself. To enable tcp_wrappers and limit inbound requests to the loopback interface, the svccfg(1m) utility can be run to enter the SMF configuration console:

Once in the SMF configuration console, you need to select the rpc/bind service with the 'select' command:

Once the service is selected, you can view the service properties using the 'listprop' command:

Once the properties have been reviewed, you can enable tcp_wrappers by setting the 'config/enable_tcpwrappers' attribute to 'true':

To exit the SMF configuration console, the 'end' keyword can be used:

After the SMF service has been configured, the tcp_wrappers hosts.deny and hosts.allow files need to be updated to limit RPC requests to the loopback interface:

Once these files are created, you can start using a tcp_wrapped rpcbind by restarting the rpc/bind process with the svcadm utility:

After the rpcbind process has been restarted, each non-local connection to TCP port 111 will be answered with a TCP RST:

I digs me some tcp_wrapper!
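The whole procedure above, collected into one script as an added example (this is not code from the post). It assumes the rpcbind service's SMF FMRI is network/rpc/bind (the "rpc/bind" service selected in the interactive svccfg session), uses the non-interactive `svccfg -s ... setprop` form as the equivalent of select / setprop / end, and adds an `svcadm refresh` before the restart so the edited property reaches the running snapshot. The hosts.allow rule is checked before hosts.deny, so the loopback allow takes precedence over the catch-all deny.

```shell
#!/bin/sh
# Added example: wrap Solaris 10 rpcbind with tcp_wrappers so that only
# loopback clients may talk to TCP port 111. Not code from the original post.
# Assumptions: SMF FMRI network/rpc/bind for rpcbind; svccfg, svcadm and
# svcprop are present on the host.

RPCBIND_FMRI="network/rpc/bind"   # assumed FMRI of the rpcbind service

# Append a rule to a tcp_wrappers file only if it is not already there,
# so re-running the script does not duplicate rules.
add_rule_once() {
    file=$1
    rule=$2
    if [ -f "$file" ] && grep -qxF "$rule" "$file"; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Write the hosts.allow / hosts.deny rules for rpcbind under $1 (normally /etc).
# tcp_wrappers consults hosts.allow first, so the loopback allow wins over
# the catch-all deny in hosts.deny.
write_rpcbind_wrapper_rules() {
    dir=${1:-/etc}
    add_rule_once "$dir/hosts.allow" "rpcbind: 127.0.0.1"
    add_rule_once "$dir/hosts.deny" "rpcbind: ALL"
}

# Print the rules that currently apply to rpcbind, for review before restart.
show_rpcbind_wrapper_rules() {
    dir=${1:-/etc}
    grep -h '^rpcbind:' "$dir/hosts.allow" "$dir/hosts.deny" 2>/dev/null
}

# Flip the SMF property and restart rpcbind. This is the non-interactive
# equivalent of the post's svccfg session (select / setprop / end). The
# refresh step is an addition: it pushes the edited property into the
# running snapshot before the restart.
enable_rpcbind_tcpwrappers() {
    svccfg -s "$RPCBIND_FMRI" setprop config/enable_tcpwrappers = true
    svcadm refresh "$RPCBIND_FMRI"
    svcadm restart "$RPCBIND_FMRI"
}

# Verify the property as seen by SMF (returns 0 when tcp_wrappers is on).
rpcbind_tcpwrappers_enabled() {
    [ "$(svcprop -p config/enable_tcpwrappers "$RPCBIND_FMRI")" = "true" ]
}

# Only touch the live system when explicitly asked ("apply") and only
# where the SMF tools exist; otherwise the functions are just defined.
if [ "${1-}" = "apply" ] && command -v svccfg >/dev/null 2>&1; then
    write_rpcbind_wrapper_rules /etc
    enable_rpcbind_tcpwrappers
    if rpcbind_tcpwrappers_enabled; then
        show_rpcbind_wrapper_rules /etc
    fi
fi
```

Run it as `sh wrap-rpcbind.sh apply` on the Solaris host; afterwards `svcprop -p config/enable_tcpwrappers network/rpc/bind` should print `true`, and a connection attempt to port 111 from any non-loopback address is reset as the post describes.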