Monday, June 24, 2013

Checking SSL certitificate expiry date

SSL certificates, called as digital certificates or X.509 certificates, are used to verify the authenticity of the web server by the browser i.e., is this the server host whom they claim to be(am i connecting to the correct web server). The SSL certificates are authenticated by third party Certificate Authorities.

To view the expiry date of an ssl certificate on a domain, say for example www.facebook.com

$ openssl s_client -connect www.facebook.com:443 | openssl x509 -text | grep -i "Not"
depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=1 O = VeriSign Trust Network, OU = "VeriSign, Inc.", OU = VeriSign International Server CA - Class 3, OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = "Facebook, Inc.", CN = *.facebook.com
verify return:1
            Not Before: Jun 21 00:00:00 2012 GMT
            Not After : Dec 31 23:59:59 2013 GMT

To view the expiry date of an ssl certificate(<server>.crt) in the web server where it is stored

The path of the <server>.crt file shall be available in the directive "SSLCertificateFile" in the httpd.conf file

# openssl x509 -noout -in <server>.crt -dates

Eg : openssl x509 -noout -in /etc/httpd/conf/server.crt -dates
notBefore=Sep 18 15:40:02 2012 GMT

notAfter=Sep 18 15:40:02 2013 GMT


Difference between SSL(Secure Sockets Layer) and TLS(Transport Layer Security)

1) Open version of SSL is referred to as the TLS protocol. So TLS is a open protocol while SSL is not.

2) To use SSL with a particular protocol(say, HTTP), it is necessary to have a different port no.(for https, 443) for communication. This is done in order to avoid affecting other clients who communicate on the default clear-channel port(80). So we have port 80 reserved for HTTP and port 443 for SSL over HTTP. Managing multiple requests under both SSL and clear channel may become complex. 
    TLS, however, allows to access both types of traffic(secure and non-secure) over the same default port. No separate port is needed while using TLS.

How SSL protocol works?

SSL/TLS protocol sits in-between the Application Layer(HTTP) and TCP/IP layer. It handles the encryption & decryption for a secure communication between the client and the server. So, SSL is not a part of HTTP and it is a separate layer.

SSL uses an encryption technique called public key cryptography, where the server end of the connection sends the client a public key for encrypting information, which only the server can decrypt with the private key it holds. The client uses the public key to encrypt and send the server it's own key, identifying it uniquely to the server. This prevents man-in-the-middle attack.

In addition to encrypting the connection, we need to ensure that the client is connecting to the right web server, before setting up an SSL connection. The verification of authenticity of the web server is done using Digital certificates issued for the web server, which is authenticated by third party certificate authorities.
The server sends the digital certificate along with a encrypted random data to the client. The client(browser) verifies the certificate before setting up a SSL session. The certificate verification is done as follows

1) The certificate must be able to decrypt the random data that was sent from the server, which is encrypted by the server's private key.
2) The certificate must have been issued by an accepted CA
3) The name on the certificate must match the host name of the server requested by the client.
4) The certificate must not have expired.

If these criteria are met, the browser will then exchange a session key with the server. The session key is a random bit of data that will be used to encrypt the rest of the session.

In Summary:

  • The server sends the client its public key and certificate.
  • The client checks that the certificate was issued by a trusted party (usually a trusted Certificate Authority) that the certificate is still valid, and that the certificate is related to the contacted site. If the client trusts the server, it sends a message to the server. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
  • The client uses the public key to encrypt a random symmetric encryption key and sends it to the server, along with the encrypted URL required and other encrypted HTTP data.
  • The server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
  • The server sends back the requested HTML document and HTTP data that are encrypted with the symmetric key.
  • The client decrypts the HTTP data and HTML document using the symmetric key and displays the information.
Is SSL really Secure?


Data sent from browser to the server is managed unencrypted in server memory. If the server does a core dump, that it shall be possible to read  all the data sent by the client to the server.

Reference:
http://stackoverflow.com/questions/6241991/how-exactly-https-ssl-works

facter - Puppet tool to get information about a system/host

facter, a Puppet library and a command-line tool (/usr/bin/facter), gives all the information  about a host in key,value format

1) Install facter in centos
 yum install facter

2) [root@dhcppc3 ~]# facter
architecture => x86_64
boardmanufacturer => Intel Corporation
boardproductname => D945GCNL
boardserialnumber => BTNL74300AAE
facterversion => 1.6.18
hardwareisa => x86_64
hardwaremodel => x86_64
hostname => dhcppc3
id => root
interfaces => bond0,eth0,eth1,lo,venet0
ipaddress => 192.168.1.33
ipaddress_bond0 => 192.168.1.33
ipaddress_lo => 127.0.0.1
is_virtual => false
kernel => Linux
kernelmajversion => 2.6
kernelrelease => 2.6.32-042stab076.5
kernelversion => 2.6.32
lsbdistcodename => Final
lsbdistdescription => CentOS release 6.4 (Final)
lsbdistid => CentOS
lsbdistrelease => 6.4
lsbmajdistrelease => 6
lsbrelease => :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
macaddress => 00:1C:C0:3E:4B:7E
macaddress_bond0 => 00:1C:C0:3E:4B:7E
macaddress_eth0 => 00:1C:C0:3E:4B:7E
macaddress_eth1 => 00:19:5B:6B:53:22
memoryfree => 2.37 GB
memorysize => 2.80 GB
memorytotal => 2.80 GB
mtu_bond0 => 1500
mtu_eth0 => 1500
mtu_eth1 => 1500
mtu_lo => 16436
mtu_venet0 => 1500
netmask => 255.255.255.0
netmask_bond0 => 255.255.255.0
netmask_lo => 255.0.0.0
network_bond0 => 192.168.1.0
network_lo => 127.0.0.0
operatingsystem => CentOS
operatingsystemrelease => 6.4
osfamily => RedHat
path => /usr/java/jdk1.7.0_09/bin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
physicalprocessorcount => 1
processor0 => Intel(R) Pentium(R) Dual  CPU  E2160  @ 1.80GHz
processor1 => Intel(R) Pentium(R) Dual  CPU  E2160  @ 1.80GHz
processorcount => 2
ps => ps -ef
rubysitedir => /usr/lib/ruby/site_ruby/1.8
rubyversion => 1.8.7
selinux => false
sshdsakey => AAAAB3NzaC1kc3MAAACBAKryNPR/FSsHtV0BQrt4kS9PEcYEzy/r8IrVcfPR2JjV4xUOLj8FPHlDGa0vaXeqnt6PF6uKq+v7jyvmTEeHPT8y+Zwd0ldBfWxlNWG/vy1m+nwejpeiWcpZLtZ0Pp4ix/xYqvhgVFk/lSD2VaI4oZDLNvzQUNJcIbUD+HXrLRqtAAAAFQDKCw61lmbXRJFJ1fBSsU6dN2CKNwAAAIBskr0Wy6z6axZhB3sHsONtPZB2lLRyr4IlwSLtsJrEPwbbLxMEYzsLP8hk7O9Bw+ms4vUn4Y/a//8TQ4l8opIqO61dlHPg7RD4+Eh/5Dq52Fs2eZtN7qj1JQUC3Gi8NKQ6FJR+wmndRFZfod4l0EFsrAIeBtOJqVj6u8U60XVQFQAAAIEAgRQQhRzQRGdtJjapID5Kyd9Gq8F1g8KeB0jBoGyEckKtSoZI4l+40nKA6AP6PZ2+AhMtuAHvQEF2QLrThEYuv30vPGmlZerFyBddE4tSo9RB/fCf7Lv2RLnnbAsHooiJRN0az55h10Ry0Belr5+21STGHZB4I2JRKOACzPbeMy4=
sshrsakey => AAAAB3NzaC1yc2EAAAABIwAAAQEAteAWPFoF++NYw0jbQ6dwJjpZrVZrgY85V+1hKDFn+Tjcq64ayDHXEbEhbOXo8PfDpk4S4Qbc+ZBsfdv+4kpAArCW0tCod2AFFDq8fLOtIKUmtF5yel1IjUoqoGqhxTW5JupxRznthtUbFI0/fvf96vVPvmL4bNTGB3Xizo9awc8Hxwf5DHZ+yTXHyLa9JFdKHhupQ127WXniooCke+XM036qN2pwMeCvRwZAKFwdrybP+J4g9jsmDeq2NJBOaFUSkg1zMqg0frjIGvyVNx451AtHeQ/6wXnFLASDQsuuoe4GrKenxtYF9v5YmNxQW5UJahe9HnkJC0gepIgoNH2iew==
swapfree => 4.88 GB
swapsize => 4.88 GB
timezone => IST
type => Unknown
uniqueid => a8c02101
uptime => 1:25 hours
uptime_days => 0
uptime_hours => 1
uptime_seconds => 5136
virtual => openvzhn

3) To get the value for a specific fact, say for example, the OS architechture,

# facter architecture
x86_64

history - shell built in command

In Bash shell, the following three variables help in configuring the history command

  1. HISTFILE - Where the history  of the exited shell is stored
  2. HISTFILESIZE - How many entries are stored there
  3. HISTSIZE - How many entries are kept in the memory while using the shell.
How  to check if history is enabled or disabled for a user?

Run the following command
              set -o | grep history

The output of the above command shall be either history off or history  on

Eg:  $ set -o | grep history
       history         on

How to enable history for a user?

If  set -o | grep history provides the output as history off, then history can be enabled for the user as follows

1) Add the follow line in the file ~/.bashrc

        set -o history

2) Then check the values of the parameters - HISTFILE, HISTSIZE, HISTFILESIZE

          echo $HISTFILE
          echo $HISTSIZE
          echo $HISTFILESIZE

If the value of echo $HISTFILE is blank or /dev/null, add the following line in ~/.bashrc file

          HISTFILE=$HOME/.bash_history

If HISTSIZE or HISTFILESIZE is set to 0, set it to a value of choice in ~/.bashrc file

        HISTFILESIZE=1000
        HISTSIZE=1000

Sunday, June 2, 2013

Sorting Processes by CPU and Memory usage

To identify processes causing high CPU usage

ps aux --sort -pcpu | head
ps -aeo pcpu,pid,user,args | sort -k1 -r | head -10

To identify processes causing memory usage

ps aux --sort -rss | head
top -b -n 1 -d 3 -m
ps -Ao vsz,args | sort -n
ps -e -o pid,vsz,comm= | sort -n -k 2

To find CPU usage of threads in a process like Java(Tomcat)

ps -mo pid,lwp,stime,time,cpu -C java

MTU, Jumbo Frames, MSS

MTU


Physical and link layers mandate a Maximum Transmission Unit, MTU. For Ethernet, MTU standard size is defined as 1500 bytes - this is the maximum size of payload in a Ethernet Frame, including the encapsulated TCP and IP headers. All machines/routers in the route of the packet must agree on the same MTU size. 

# ip link show | grep mtu
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 state DOWN qlen 1000
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP qlen 1000
4: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP

If the packet arriving at a router is too big for the MTU of the next hop network, it may do any of the following


  1. Router splits the packet into fragments sized for that MTU, or
  2. Router uses ICMP to alert senders when fragmentation is needed, and
  3. Sender adjusts frame size appropriately.


Path MTU Discovery(pMTU):


One approach to solve the fragmentation problem is to find the smallest MTU size supported by routers on a path in adavance. This helps in avoiding fragmentation by not sending packets larger than the smallest MTU size supported by routers in the path/link. In Path MTU discovery, an initial packet is sent with "Don't Fragment" flag set. Router that would fragment the packet, drops it and responds to the sender with ICMP "fragmentation needed" error packet marked with the MTU of the next hop. The kernel can cache the path MTU(pMTU) information for a connection locally in the routing cache(/proc/net/rt_cache) and resend smaller packets.

Path MTU discovery is enabled on by default and can be verified by checking the sysctl setting - net.ipv4.ip_no_pmtu_disc

# sysctl -a | grep pmtu
net.ipv4.ip_no_pmtu_disc = 0

This can be turned off with syctl by setting net.ipv4.ip_no_pmtu_disc to 1.

A tool for simulating the Path MTU discovery is tracepath.

However, if a router in the path filters all the ICMP traffic, Path MTU discovery(pMTU) gets broken and therefore affects performance by either

  1. Causing intermediate fragmentation at routers, or
  2. Causing hosts to assume that the minimum path MTU allowed is that of the IP(576 bytes) when higher MTUs are possible.

Note:

  1. Filtering of all UDP, ICMP 'time-exceeded', ICMP 'dest-unreach/port-unreach' breaks the tracepath and traceroute.
  2. traceroute -I and mtr commands break if ICMP 'time-exceeded' and ICMP 'echo-request'/'echo-reply' are filtered.


Jumbo Frames:

Standard payload size(MTU) is defined as 1500 bytes. To increase performance, payload size(MTU) can be increased. By increasing the packet size,

  1. Number of packets transmitted is reduced
  2. Less packets means number of interrupts to be handled is also reduced(CPU service time), thus smaller CPU load
  3. Less space on an average is needed for headers

Jumbo frames are Ethernet frames with more than 1,500 bytes of payload (MTU). Conventionally, jumbo frames can carry up to 9,000 bytes of payload. Using a larger MTU value (jumbo frames) can significantly speed up network transfers. All the networking hardware in the route of a jumbo frame must support jumbo frames.

Why jumbo frames cannot exceeed 9000 bytes?

Because the CRC field isn’t long enough to guarantee detection of errors for frames larger than 9000 bytes.

How to set MTU size greater than 1500 bytes for a NIC?

1) ip link set ethX mtu Y

               or

     ifconfig ethX mtu Y

where,
ethX is the ethernet adapter (eth0, eth1, etc.) and
Y is the MTU size of the frame(1500, 4000, 9000).

2) Disable path MTU discovery, as follows

net.ipv4.ip_no_pmtu_disc = 1

MSS

MSS is the Maximum Segment Size. This is usually the local MTU minus TCP/IP headers.
For example, if MTU is 1500 bytes, MSS is usually 1460 bytes(1500 - TCP header 20 bytes - IP header 20 bytes).

Saturday, June 1, 2013

screen command in Linux

Using screen command, we can create a session and run multiple windows in it.
First we create a screen session and there we create & run multiple windows.

Commands related to session


1) Create a screen session

screen
screen <command> E.g. screen top

2) Naming a screen session while starting a new session

           screen -S <sessionname>

3) Renaming the current screen session

           a) Ctrl + a

           b) Then type
               :<current_sessionname>  <new_SessionName>

4) Renaming without attaching the screen session
   screen -X  <old_sessionname>   <new_sessionname>

5) Detaching from a current screen session

         Ctrl+a d

6) Detaching from a screen session using screen command

        screen -d <sessionname>

7) Reattaching a screen session

        screen -r <sessionname>

Commands related to windows in screen session


1) Create a new window

          Ctrl+a c

2) To navigate between windows in a screen session

            Ctrl+a p  or Ctrl+a n

3) To list all the windows in a screen session

            Ctrl+a "

4) To name current window in a screen session

             Ctrl+a A

5) To kill a window

              Ctrl+a k
 
  A [y/n] option will be prompted. Typing y will kill the window.

  Else, typing exit from the windows shell shall kill the window.