Wednesday 21 December 2016

Ah, wonderful health hazards

I can't tell what has been overall worse for my health in the past few weeks. The bathroom connected to my home office sits directly over the complex's "laundromat station". This did not use to bother me. In fact, I was quite okay with this, because it means I have the closest walking distance of any of my neighbours to it. However, for the past two or three weeks, I can smell — from the office, mind — a very strong odour of laundry detergent every time someone does a load. Turns out a lot of people do loads in the 18:00 to 21:00 time slot on weekdays, which happens to be when I am at my most productive in my office. I cannot imagine this is at all healthy for me.

But then I remember I've spent every day since Saturday spending multiple hours trying to set up OpenLDAP for a new project. I've always just used Active Directory on the server side, so my only experience thus far with OpenLDAP has been client-side. It's a great client library with easy configuration and a great debug mode that will tell you exactly what is happening and what is going wrong. Unfortunately, the server part, at least on Debian, uses "dynamic configuration", which means everything is in LDAP.

Now, look, LDIF and LDAP are fine and great for phone book-style records. It makes perfect sense. That is what it was designed to do. Storing regexp in ASN.1 BER is pushing it. But the way they do HDB/MDB grouping feels to me like trying to fit in with all those cool kids with their NoSQL and their MapReduce and their terrible terribly-great performance by using "shards" everywhere. And our leader wants replication so that it's fault tolerant. Now I get to convert decades-old documentation about an "enterprise" feature to this "dynamic configuration" thing. I cannot imagine this is at all healthy for me.

Configuring OpenLDAP to authenticate using X.509 client certificates

This is not meant to be a comprehensive guide by any means, but information on the Web for configuring OpenLDAP to authenticate using X.509 client certificates is lacking. And in some cases, over a decade old! It took me hours to find the documentation I needed, but only minutes to see it working once I had the correct "recipe".

You should probably be running your own Certificate Authority for the purpose of generating client certificates, especially since you need one per user. You can lock it up tightly and only use it for the purposes of LDAP if you like. You can also use a certificate vendor like Thawte or GeoTrust or Comodo. Make sure you pick just one, though, because you will configure OpenLDAP to trust only that single CA to sign all the relevant client certificates. (This ensures that nobody can come in with a forged certificate signed by another vendor, or a self-signed one.)

The Ubuntu guide on making a CA is pretty decent, though unfortunately it uses the inferior GnuTLS package. That's okay, because we are only using it for OpenLDAP. And actually, you can't use OpenSSL-generated certificates on Debian's OpenLDAP because they patched it in such a way that the certificates cannot be read. (There are conflicting reports on whether this bug was fixed or not upstream.) Note that you definitely want to set a higher expiration_days than the default 365! 10 or even 15 years isn't unheard of, which is 5475 days if you were wondering.

Once you have either created your CA, or decided on a vendor, you may begin configuring OpenLDAP. Replace authority.pem with the file name for your CA's root certificate, and ldap_cert.pem and ldap_key.pem for the server certificate and its private key. Note that the server certificate must have the FQDN of the LDAP server as its only CN. It may have a wildcard as a subjectAltName (or SAN) but the FQDN (normally something like must be the CN.

With slapd.conf

TLSCACertificateFile /etc/ssl/certs/authority.pem
TLSCertificateFile /etc/ssl/certs/ldap_cert.pem
TLSCertificateKeyFile /etc/ssl/private/ldap_key.pem
TLSVerifyClient try

With Dynamic Configuration, aka cn=config, aka "OLC"/on-line configuration, aka ...

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/authority.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_key.pem
-
add: olcTLSVerifyClient
olcTLSVerifyClient: try

Note that if you receive an error such as:

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
 additional info: SASL(-4): no mechanism available: 

then you most likely forgot the olcTLSVerifyClient like I did the first time :) Without it, slapd never asks the client for a certificate, so the SASL EXTERNAL mechanism is not offered. Note that there is nothing printed after "no mechanism available: ". That was the hardest part to debug! Hopefully this can help a few people out.

Also note that for client certificates to work correctly, the subject DN of the X.509 certificate must exactly match the DN of the LDAP entry the client should bind as. If you cannot meet that requirement, you will need to look at authz-regexp: for cn=config, see this mailing list posting, and for standard configuration see the documentation. Note that I was unsuccessful in making this seemingly-useful feature work, but you may have better luck than I did.
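An added example (not from the original post) in Python that shows what the "exact match" above means in practice: how a client certificate's subject is turned into the DN slapd uses as the SASL EXTERNAL identity, how it is compared against the entry DN, and how an authz-regexp style rule would rewrite it. The subject, entry DNs and rule are constructed; the DN normalization and the regex dialect are approximations of slapd's behaviour, not its code.

```python
import re

# Characters that must be backslash-escaped inside an RFC 4514 DN value.
_SPECIAL = ',+"\\<>;'


def _escape_value(value):
    """Escape one attribute value the way RFC 4514 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last))
        out.append('\\' + ch if needs else ch)
    return ''.join(out)


def openssl_subject_to_ldap_dn(subject):
    """Turn an OpenSSL one-line subject ('/C=US/O=Example/CN=alice') into the
    LDAP string form slapd derives for SASL EXTERNAL ('cn=alice,o=Example,c=US'):
    RDN order is reversed and attribute types are lower-cased.  Assumes no
    value contains '/' (a limitation of the one-line format itself)."""
    rdns = []
    for part in subject.split('/'):
        if not part:
            continue
        attr, _, value = part.partition('=')
        rdns.append('%s=%s' % (attr.lower(), _escape_value(value)))
    return ','.join(reversed(rdns))


def normalize_dn(dn):
    """Approximate slapd's DN normalization for caseIgnore attribute types:
    split on unescaped commas, trim whitespace around each RDN, lower-case."""
    rdns = re.split(r'(?<!\\),', dn)
    return ','.join(r.strip().lower() for r in rdns)


def dn_matches(cert_dn, entry_dn):
    """True when the certificate subject DN and the entry DN are the same
    after normalization, which is what slapd requires without authz-regexp."""
    return normalize_dn(cert_dn) == normalize_dn(entry_dn)


def apply_authz_regexp(authc_dn, rules):
    """Mimic olcAuthzRegexp: the first (pattern, replacement) rule whose
    pattern matches the normalized authcDN rewrites it, with $1, $2, ...
    standing for captured groups; an unmatched DN is returned unchanged.
    slapd uses POSIX extended regexes; Python's re behaves the same for the
    simple anchored patterns used here (assumption)."""
    dn = normalize_dn(authc_dn)
    for pattern, replacement in rules:
        m = re.match(pattern, dn)
        if m:
            return re.sub(r'\$(\d+)', lambda g: m.group(int(g.group(1))), replacement)
    return dn


if __name__ == '__main__':
    # Constructed example: a client cert issued by the private CA to "alice".
    authc = openssl_subject_to_ldap_dn('/C=US/O=Example/CN=alice')
    print(authc, dn_matches(authc, 'CN=Alice, O=Example, C=US'))
    print(apply_authz_regexp(authc, [
        (r'^cn=([^,]+),o=example,c=us$', 'uid=$1,ou=people,dc=example,dc=com')]))
```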


Wednesday 14 December 2016

Let's Encrypt and why I still pay for TLS certificates

I am asked with alarming regularity why I am not using Let's Encrypt for my personal Web sites, and for Adélie's site, and for my mother's art gallery site, and so on. "Why do you pay money for something you could have for free? And then you aren't giving money to those evil CAs!"

TLS certificates are still very much "you get what you pay for". Let's Encrypt is free, and on paper it seems to be a great solution with roots in freedom and socialism. However, it has a number of large issues in practice that prevent me from being able to adopt it.

The first, and most evident, is the failure of the community to provide a single ACME client that is well-supported and provides configuration options. As of this writing, there are 49 different client implementations on the official site. The problems with them are as numerous as the offerings; my main complaint is that most of them require themselves to run as the root user to automatically write to sensitive certificate files that are owned by the Web server user and are chmod 400.

The second large issue I've seen is that most of these 'automatic updates' break. This can be due to administrator error - and since there is not one single option, there cannot be a single repository of knowledge. This can also be due to APIs or endpoints changing. I have seen an official Mozilla blog and Void Linux's repository broken in the last week alone, all by botched ACME cron jobs. This solution is sold as "set and forget", but it requires more effort than simply going to a site every year and inputting a CSR and privkey.

Other issues: Let's Encrypt lacks a "site seal", which is very important on e-commerce sites to foster user trust, and it does not provide OV (let alone EV) certificates, which also compromises trust for people who know what to look for.

All in all, I think going forward Let's Encrypt may be suitable for power users and people who run TLS servers off their home servers. It may even be suitable for some personal sites and blogs. But I don't think it is a long-term solution for people who need trust, or those who have a complicated infrastructure (such as a distro, like Adélie).

Wednesday 9 November 2016

Trump and change

The ball is in your court now, American Republicans.

I normally avoid politics and other controversial topics on my blog, because I have always felt it is important to keep my audience focused on the technical. Our common ground is unifying and allows us to look past our differences and learn from one another. I feared that if I started talking about politics, people would look at me differently, and I'd lose some of that audience. They wouldn't trust me and I wouldn't be able to enrich their lives.

I feel like that part of life in America is over now. President-Elect Donald Trump talks outlandishly, without filter or censor. People love him, people hate him, people think he's a joke, people think he's the best non-politician the political world has ever seen. As for myself, I'm somewhere between; but if I have learned a single thing from Mr Trump, it is that the world will not end if you speak up and say what is really on your mind. And perhaps this is a good kind of change. Without open discussion, we can't ever heal the divisiveness that permeates the entire country's political landscape, and indeed, the entire world's. There is a not-too-distant past where the words 'conservative' and 'liberal' were words that describe someone's political views, and were not used as slurs or to denigrate someone. Perhaps now that the precedent has been set, we can have open and honest discussions with one another. I'm not sure if that is where we are headed or not. I can only hope that we can learn to be respectful of each other's differences.

Mr Trump has said some things I agree with; per I Side With, I agree with almost 40% of his policies. It's not perfect, but it isn't exactly a disaster either. (For full disclosure, I only had just over 70% of agreement with Clinton.) He has also said a great deal of very offensive things. He has said things that have made some of my friends sick, depressed, and suicidal now that he has become President Elect of the United States. I urge these people especially to remember that first and foremost, Mr Trump is a showman. He knows how to pull in ratings, and was a reality television star. He may think less of Muslims than he should, but I don't think he will actually have every last one deported back to their homelands — especially since some of them were born and raised in the United States. He may think far less of women than he should, but that thinking is common in men from his generation. His objectification of women and misogyny is of course never acceptable, but women have had much worse oppressors than he ever could be.

I have friends of many classes. I have friends who are very well off — the typical Silicon Valley millionaire. I have friends who are destitute and live pay stub to pay stub, and would likely go homeless if they had even a small hiccup in work. I have friends who are in minority classes: African-American people, transgendered people, people with disabilities. We are all Americans. We all deserve a place in general society. Our society is built on the fact, not opinion, that everyone is created equal. There is room in the United States for the rich and poor, and the different races and religions that comprise this great country. No matter who won the United States election this year, our society has been broken, is broken, and will remain broken until it is healed.

Republicans, Democrats, Libertarians, Greens, other party members, independents, and even those disillusioned with the political system as a whole: society will only begin to be fully inclusive when we all learn to love each other. We have to work together. We have to stand up for what we believe in. Conflicting interests only break people into hate when they do not bend to compromise. I plan on writing letters to my state Senator, who is a Republican, and telling him my concerns going forward. I will have my voice heard. My Senator will, of course, have to balance my voice with others in our great state of Oklahoma. But together, I feel that we can find common ground and be able to find peace and happiness no matter what our political views.

Mr Trump. You promised to make America great again. If you can set an example with moderation and fairness, balancing differing viewpoints to create a clear path forward, you just may be able to succeed. I did not vote for you, but I still wish to work with you to create a common good for all of the United States.

Saturday 6 August 2016

Blogging in general, and a new project

It's been a long time since I wrote here. In the past few months, I have moved across the country, and helped four other people do the same. It is exhausting and tiring but so rewarding to improve not only my own life but the lives of others by sharing in new experiences.

Enough of that, though. I am starting up a new Linux distribution, titled Adélie Linux, aimed at being very fast, very small, and fully POSIX® compliant. It's almost meeting those three goals! Going forward, I think I will be starting a new blog specifically about my adventures with Adélie, which will probably take up a considerable amount of my writing time. This blog will stay around, though, not only for memories past but for non-Adélie related things in my life. I am still interested in Python, writing emulators, music, and other general geekiness; I just now have a new project that is taking up a large amount of my free time.

Thursday 26 May 2016

Going IPv6 native without IPv4

Now that I have finally moved into my new apartment (which requires a long blog of its own), I have new routing equipment and a new network infrastructure. The native IPv6 on Cox Communications seems to be a bit better than the native IPv6 offered by Comcast Business; namely, Cox seems to be peered more widely and therefore ping times are much lower. Of course, this could be specific to the market I'm in - eastern Oklahoma - so YMMV.

However, because DHCP is a terrible protocol, it is constantly flaking, leaving me with IPv6-only access to the Internet. That is, no access to IPv4 whatsoever. Surprisingly, it's nearly usable. However, I am highly disappointed in a few surprises I've found that do not work over IPv6:

  • EVERY SINGLE CODE HOSTING SERVICE ON THE INTERNET. This really, really, really, really upsets me. Luckily, I don't have to care any more, because I run my own now.
  • DuckDuckGo. I am incredulous that a modern search engine is not accessible over IPv6.
  • eBay and PayPal. This isn't really surprising, I suppose, since eBay were running Windows NT 4 as recently as 2006... they always have been a decade off of the current technologies.
  • Any news Web site I tried: Bloomberg, BBC, New York Times, Washington Post.
  • The entire StackExchange family of properties, five YEARS after being asked for even a trial of IPv6 access. This is entirely unacceptable. I expect news organisations and e-commerce conglomerates to be woefully behind the times, but a company designed from the ground up for computer scientists by computer scientists? I can't believe this is real.
  • The US government actually has an IPv6 project with real time online completion progress, even available itself via IPv6; however, while NOAA's flashy Web 3.0 marketing pages are available over IPv6, the important research, life-saving data, and forecast information made by the National Weather Service are entirely IPv4-only. I understand that internally, their infrastructure is not entirely ready for IPv6, but they should be able to run the main radar and warning information over IPv6 at least. Americans need not feel singled out, though; the UK's Met Office is also unavailable over IPv6.

At least Wikipedia and the Google properties are usable, so I have music, videos, and a reference library.

Wednesday 20 January 2016

How trans-people are really people, like all of us

Having spent a considerable and unfortunate amount of time around bigoted people, I came to a rather interesting train of thought that I want to share widely.

Let me start by asking you a simple question: would you treat a woman differently based on whether or not she had an appendectomy performed? What about a man who was born with six toes; would it change your opinion of him whether or not he had it removed? For the vast majority of people, and even the bigoted crowd that inspired this train of thought, the answer would be a resounding no: who are we to judge someone based on a corrective procedure they had to repair a defect with their body?

Okay, now here's a similar and still simple question: would you treat a woman differently based on whether or not she had her penis removed?

"Stop," I hear some of you calling. "That is a completely separate subject," you reason. Why?

What makes the correction of a birth defect involving sex organs any different from correcting birth defects or ailments with any other organ? Are we, as a culture and society, so hyperfocused on sexuality that we can't accept some people have congenital genital defects?

I have begun to wonder why trans equality and trans rights are even being discussed or even exist; that is like stating we need kidney failure equality or diabetic rights. They are all life-long conditions, involve a part of the body being defective, and often require surgery. What is so offensive, so different, so awful about a person having incorrect sex organs? The fault lies with those people who 'other' people who suffer from transsexuality, labelling them and saying they are different or somehow less of a person due to a birth defect.

There have been numerous studies that have proven beyond a reasonable doubt that the brain can develop independently of primary sex organs, and that the brain can and does sometimes end up with the wiring of the gender opposite that with which a person is born. It is not a "mental disorder" in that there is no psychological problem; the brain is that of a man or woman, in a woman or man's body. Why should it matter what organs they have?

You can argue that reproduction is a factor, and you may even be right for a few years; but there are numerous research programmes being done as you read this to find a way to reproduction for people with all manner of reproductive organ troubles. Transsexuality is a subset of that; but some women are born without ovaries, some men are born with undescended testes, and so on. Why should we treat people who were born with the wrong set of organs any different from people born with any other problem?

The way I see it, the labelling itself - the fact that people who have this condition are considered a different kind of person - is the problem. It is a medical disorder akin to spina bifida or cleft palate, not a label or category of people. I would be hard-pressed to find anyone who would discriminate against a person for having a cleft palate; after all, it isn't their fault, they were born that way. Why should we treat transsexuals any differently?

To a final point, some may also claim that you must have the surgery performed to count as a "true" transsexual. This belief is wrong for a number of reasons. In the same way some people cannot have a cleft palate corrected - their body may not be capable of undergoing surgery; they may be allergic to anaesthesia; they may not be able to afford the cost of surgery; and in some communities where healthcare is not readily accessible, they may not even know that a treatment exists. The same factors can apply to a man with a vagina or a woman with a penis. Some of these people are still able to use hormonal therapy (also known as HRT) to correct at least some of their attributes to more correctly fit with their gender and feel better, while others are unable to obtain even that small amount of help. Instead of ostracising them, we should be embracing them. We must begin to acknowledge that we as a society should be caring for those who have real, physical ailments instead of antagonising them.

After all, wouldn't you want compassion if you had a birth defect? What about a birth defect that perhaps even persisted into adulthood or even beyond? Open your heart and mind, and show your fellow people dignity and respect.