Patched ejabberd (erlang-p1-tls) to support multiple ECDH curves #free software #programming
After the upgrade to Debian 9 (stretch) yesterday I hit this problem where my ejabberd would not talk a Prosody server.
The problem seems to be that the two servers each support exactly one ECDH curve, and it is not the same one.
There is an ejabberd issue from May 5 on the subject: TLS ECDH curve selection.
Reading that lead me to an issue on the tls package used by ejabberd from November 9, 2015: Allow specification of ECC named curve used in ECDH key exchange.
Hm, couldn't I just patch my erlang-p1-tls package, to fix the problem? I tried:
--- erlang-p1-tls-1.0.7.orig/c_src/fast_tls_drv.c
+++ erlang-p1-tls-1.0.7/c_src/fast_tls_drv.c
@@ -384,16 +384,15 @@ static int verify_callback(int preverify
static void setup_ecdh(SSL_CTX *ctx)
{
EC_KEY *ecdh;
+ static int curves[] = {NID_X9_62_prime256v1, NID_secp384r1};
if (SSLeay() < 0x1000005fL) {
return;
}
- ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set1_curves(ctx, curves, 2);
+ SSL_CTX_set_ecdh_auto(ctx, 1);
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
- SSL_CTX_set_tmp_ecdh(ctx, ecdh);
-
- EC_KEY_free(ecdh);
}
#endif
The result? It works, my ejabberd can now talk to the Prosody server! - I hope it can talk to other ejabberd's as well.
Free software - software you can fix yourself!
Upgraded server to Debian 9 (stretch) #debian
I upgraded my home server to Debian 9 (stretch) today - as stretch was released during the weekend.
The upgrade was uneventful - just the way I like it.
Only two things broke severely:
- A website originally from 2006, implemented in Perl using Catalyst and Mason, which refuses to run, due to
-Tand insecure require, whatever that suddenly means in this context. - ejabberd won't talk ECDSA any more, and thus can't connect to one of the XMPP-servers I federate with. We have tried tweaking both ends, but to no avail. Annoying.
And then there were a couple of hickups with older websites, and I had to upgrade the website of Feedbase to Spock 0.12.0, which took a little fiddling.
But overall I think this is the smoothest Debian upgrade yet. Kudos!
Haskell WAI middleware to remove a header #feedbase #haskell #programming
The website of Feedbase is a Haskell application, built using the Spock framework. It's my first Haskell program that does something non-trivial in the "real" world.
Recently I was mucking about with cookies in another context, and noticed that the Feedbase website sets a cookie, spockcookie.
This is part of Spock's built-in session handling. I don't use sessions, so I'd rather not set the cookie (given the EU's weird cookie rules and what have you).
You can't turn them off in Spock easily, so I started thinking that maybe some "middleware" could be used.
After some searching I found a StackOverflow question, and combined with looking at the source code of the Network.WAI.Middleware.Gzip module I cobbled together my own little "NoCookies" module:
{-# LANGUAGE OverloadedStrings #-}
module NoCookies where
-- Remove all Set-Cookie headers on responses.
import Network.Wai (Middleware)
import Network.Wai.Internal (Response(..))
import Network.HTTP.Types (Header)
-- Function to hook into middleware:
nocookies :: Middleware
nocookies application request sendResponse = application request $ sendResponse . removeHeader
-- Handle all the various kinds of responses:
removeHeader :: Response -> Response
removeHeader (ResponseFile s h b1 b2) = ResponseFile s (filterSetCookie h) b1 b2
removeHeader (ResponseBuilder s h b) = ResponseBuilder s (filterSetCookie h) b
removeHeader (ResponseStream s h b) = ResponseStream s (filterSetCookie h) b
removeHeader r@(ResponseRaw _ _) = r
-- Remove Set-Cookie from headers:
filterSetCookie :: [Header] -> [Header]
filterSetCookie hs = filter notSetCookie hs
where
notSetCookie (x, _) = x /= "Set-Cookie"
A couple of odd things: the Network.HTTP.Types module defines a bunch of constants for headers, but not hSetCookie.
As you can see, most of my module consists of lines pattern matching the Response type - it seems odd that there should be no smarter way of doing this.
As usual in Haskell the reader of documentation is assumed to always know how to put things together. Unfortunately I don't always know that. So here's how I added my module to the Main.hs of my application:
...
import NoCookies
app :: SpockCtxM ctx Pg.Connection session state ()
app = do
logger <- liftIO $ mkRequestLogger def { outputFormat = Apache FromFallback }
middleware logger
middleware $ gzip def
middleware (staticPolicy (addBase "static"))
middleware nocookies
...
EBR-I tour
This series of 5 "home videos" from a tour of one of the first nuclear reactors in the world, EBR-I, is fascinating:
- EBR1 Haroldsen Tour Part 1
- EBR1 Haroldsen Tour Part 2
- EBR1 Haroldsen Tour Part 3
- EBR1 Haroldsen Tour Part 4
- EBR1 Haroldsen Tour Part 5
Via Atlas Obscura.
Feedbase documentation #feedbase
Last year I created Feedbase, providing Atom/RSS-feeds via nntp.
Today I finally got my act together and updated the documentation-page with a short section on how to set up Gnus, a screencast on how to use Feedbase in Thunderbird and a section on using slrn to access Feedbase.
I hope this will help anyone interested to get started. I'm enjoying Feedbase a lot.
Dear New York Times #email
This email address is perfectly valid - '+' is allowed in the local-part, i.e. before the '@' sign.
I ♥ Free Software #free software #ilovefs
Debian, GNU Emacs, Linux, Gnus, XMonad, Perl, Python, Apache, jabber.el, PostgreSQL, Xorg, git, GHC, LaTeX, Gimp, mpd, vlc, Firefox, etc. etc.
