SNI bug fix for ssl-cert-check, now on GitHub

Recently I found a new bug in ssl-cert-check, my tool for checking the expiry dates of local and remote SSL certificates. The tool has worked fine for me over the years, but I used to have expiry dates that were very close to one another, so I never noticed that it did not work for web servers using SNI to serve multiple domains with virtual hosts from the same IP address. I am sorry I did not think of this earlier. I have now fixed the bug, and in case you have such a setup, I encourage you to get the new release.

I also noticed it becomes cumbersome to maintain the updates with blog posts and downloads here. Therefore, ssl-cert-check is now on GitHub and I will continue to make releases from there.

You can get the latest release tagged 2014-08-20 either as a local download or from github.com.

Distrusting StartSSL

Heartbleed

After the Heartbleed bug in OpenSSL, a lot of SSL certificates must now be considered compromised. This means that a huge number of SSL certificates need to be reissued. The security scheme we are using relies on trust. You have to trust that the CA only signs certificates after verifying the requester and that nobody else knows the private key for the SSL certificate. CloudFlare has now demonstrated that it really is possible to get the private key through this vulnerability. If you don’t trust your own SSL certificate any more because its private key has been compromised, you have to get a new one and revoke the old one.

Going through this process alone is bad enough already. However, many people I know, and I myself, are using free SSL certificates issued by StartSSL.

StartSSL

I always thought StartCom, the company behind the StartSSL brand, was doing the right thing by providing free SSL certificates. I trusted them because I thought they would advance the use of crypto on the internet by giving everyone access to SSL certificates in order to secure their personal web server, mail server, or anything else that uses SSL.

Tiny LEDs for a tiny microcontroller

Version 2.0 of the #ATtiny9 board setup with LEDs. SMD makes this so much smaller.
Originally published at https://twitter.com/raimue/status/433353488043499520

Compared to the ATtiny9 on this board, my previous setup with 10mm LEDs took way too much space. So I miniaturized it with some spare SMD components I still had from previous projects.

This LED bar is breadboard compatible and fits directly onto the board. I deliberately chose to make it a bit larger than it had to be, now taking 5 pin columns of space. This size allows it to be used on either side of the breadboard, as the Vcc and GND bus strips are switched on the other side. I also decided to leave out two pins on the GND pin header to make it fit in more different positions on the board, which was necessary due to pin grouping. Besides that, I had to solve alignment issues, as the pins on the GND strip and the rest are shifted a little bit. I had to use a little bit of force to push it into position and then solder it while it was plugged into the breadboard.

Actually this was not only for the ATtiny9 thing, but I think this device will be helpful in the future in general. From now on I will always have some LEDs available for the breadboard without fiddling around with wires and resistors.

Tinkering with ATtiny9

In June 2013 I attended a workshop on SMD soldering at the Gulaschprogrammiernacht 2013 (GPN13), a German hacker event organized by the regional CCC group in Karlsruhe. The result of a workshop organized by DrLuke was this small board with an ATtiny9 microcontroller and a 74HCT595 shift register.

Result of the SMD soldering workshop at #gpn13
(Originally published at https://twitter.com/raimue/statuses/340191330959519745)

The image shows my finished board with pin headers soldered. Later I changed the pin header for the 8 output pins again to make them point to the bottom. Now the board can easily be used on a breadboard for prototyping.

Checking expiry dates of local and remote SSL certificates

A few years ago I already covered how to check the expiry date of an SSL certificate using OpenSSL. When the recent global outage of Windows Azure was caused by an expired SSL certificate, this got me thinking about this topic once again.

In my previous post, I presented a mechanism to check the remaining lifetime of an SSL certificate using the PEM certificate file locally on disk. However, in the recent case with Azure, customers were dependent on the actions of Microsoft and had no access to the actual file. Thus, there might be a need to check remote certificates of services you use, e.g. your off-site backup provider. As you want to ensure you can always use this service, why not check it for expiring certificates once in a while? Maybe it’s your notification to the sysadmins that saves you and all other customers from being locked out.

Here is the updated script ssl-cert-check that now not only handles x509 certificate files, but also remote addresses in various forms and protocols. For simplicity, here are the usage instructions from inside this script:
