How do I get a Twitter feed using Pharo? - ssl

Since Twitter changed their website design, I cannot get a set of tweets from any account by using built-in Zinc classes. It throws an error that says: ConnectionClosed: Connection closed while waiting for data
I am using Pharo 5, and I don't know how to tweak the ZnClient settings in order to keep the connection open or something to the purpose of getting the data.
testTwitter
    | client |
    self ensureSocketStreamFactory.
    self isNativeSSLPluginPresent ifFalse: [ ^ self ].
    (client := ZnClient new)
        get: 'https://www.twitter.com/pharoproject'.
    self assert: client isSuccess.
    self assert: (client contents includesSubstring: 'Twitter').
    client close
That's the test I have in place, it never passes, and throws the error mentioned above. What's missing here? I did a Ruby script using open-uri, openssl and Nokogiri and it fetched the tweets just fine. Perhaps it's a problem with the SSL connection itself?

The issue here is quite easy to answer, but you won't like it. Your issue is connected to the fact that Twitter deprecated support for TLS 1.0 and TLS 1.1 on July 15, 2019. Your Pharo is using the deprecated TLS to connect. That is the reason why you are getting the timeout.
The solution?
You have to compile the new SSL/TLS support yourself, which is not an easy task. You have to compile in at least TLS 1.2 to be able to connect again. There is a lack of Pharo documentation on how to compile support for new libraries. My guess is that you are using TLS 1.0 (see the note below), since Pharo 6.1 (so your Pharo 5.x will have the same or older libraries) has libgit2.so compiled against libssl.so.1.0.0 (which has the dependency libcurl-gnutls.so.4). If you update the libraries you can see that those support >= TLS 1.2.
Note:
This is connected to the issue which I have posted some time ago. Nobody upvoted it or answered so it got automatically deleted - you can vote to undelete it: https://stackoverflow.com/questions/51399321/getting-error-when-adding-ossubprocess-to-my-pharo-6-1-on-centos-7-4x (see the bottom of the post for the question). I don't have an answer for that as I have dedicated time to my Smalltalk/X project.

Or just switch to a newer Pharo. Adding your method to ZnHTTPSTest in Pharo 8 just works (tested on Pharo 8 build 686, Ubuntu 18.04.02 LTS with the stable vm in PharoLauncher)

log4shell POC : no HTTP redirect

I am trying to understand/reproduce Log4shell vulnerability, using this poc and also information from Marshalsec.
To do that, I've downloaded Ghidra v10.0.4, which is said (on Ghidra download page) to be vulnerable to log4shell. Installed it on an ubuntu VM, along with java 1.8 (as stated in POC), and loaded the Poc + marshalsec snapshot.
Tried to start Ghidra, it said Java 11 was needed, so although I've installed Java 1.8 I still downloaded Java 11 and, when you start Ghidra, it says the installed version is not good enough and asks for the path to a Java 11 version; so I just gave it the path to the jdk11 directory and it seems happy with it. Ghidra starts alright.
Then set up my listener and launched the poc, got the payload string to copy/paste in ghidra, and got a response in the ldap listener saying it'll send it to HTTP. But nothing more. The end.
Since the HTTP server is set up by the same POC, I thought maybe I just couldn't see the redirection, so I started the http server myself, started the ldap server myself with marshalsec, and retried (see pics below for exact commands/outputs).
Setting http server:
Set listener:
Setting LDAP server:
Send payload string in Ghidra (in the help/search part, as shown in kozmer POC); immediately got an answer:
I still receive a response on the LDAP listener (two, in fact, which seems weird), but nothing on the HTTP. The Exploit class is never loaded in Ghidra (it directly sends me a pop-up saying search not found, I think it is supposed to wait for the server answer to do that?), and I get nothing back in my listener.
Note that I don't really understand this Marshalsec/LDAP thing so I'm not sure what's happening here. If anyone has time to explain, it would be nice. I've read a lot of stuff about the vuln but it rarely goes deeply into details (most is like: the payload string sends a request to the LDAP server, which redirects to the HTTP server, which will upload the Exploit class on the vulnerable app and give you a shell).
Note: I've checked, the http server is up and accessible, the Exploit.class file is here and can be downloaded.
Solved it.
Turned out for log4shell to work you need a vulnerable app and a vulnerable version of Java; which I thought I had, but nope. I had Java 11.0.15, and needed Java 11 (Ghidra needs Java 11 minimum, the only vulnerable version of Java 11 is the first one).
Downloaded and installed Java 11, POC working perfectly.

How to switch off TLSv1.3 in gatling?

I recently migrated from Gatling 3.3.1 to Gatling 3.4.0.
As a result, everything works fine in my local machine, but crashes in k8s because of the following error:
Couldn't execute warm up request https://gatling.io
java.lang.IllegalArgumentException: TLSv1.3
at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2081)
...
I migrated back to the working version.
I assumed from here, that TLSv1.3 is switched on by default.
I searched for the appropriate setting in gatling-defaults.conf, but did not succeed.
I use Java 1.8 both locally and on remote k8s
Please help me to resolve this issue!
Thanks in advance!
In order to support TLSv3, Gatling needs:
either to be able to load netty-tcnative (basically BoringSSL)
or run on Java 11+ where TLSv3 is available
We can see in the logs that the former fails. We can also see that netty_transport_native_epoll_x86_64 can't be loaded while netty_transport_native_epoll_x86 can. This means you're running on a 32-bit Linux. netty-tcnative/BoringSSL is only available on 64-bit.
The latter fails as you stated running on Java 8.
We can probably improve things on our side, but you should switch to a 64-bit host.
Otherwise, you can enforce the list of supported protocols in gatling.conf, see https://github.com/gatling/gatling/blob/master/gatling-core/src/main/resources/gatling-defaults.conf#L57
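The stack trace in the question comes from `SSLEngine.setEnabledProtocols` rejecting a protocol name the runtime's JSSE provider does not know. The following is an added example, not Gatling's code or part of the original answer: it shows that failure and a guard that filters the requested list against what the runtime reports as supported. The class name `SafeProtocols` and the `WANTED` preference list are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class SafeProtocols {
    // Constructed preference list (assumption): strongest first, nothing below TLSv1.2.
    static final String[] WANTED = {"TLSv1.3", "TLSv1.2"};

    /** Returns the wanted protocols this runtime's JSSE provider supports, in preference order. */
    static String[] usable(SSLContext ctx, String[] wanted) {
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        List<String> out = new ArrayList<>();
        for (String p : wanted) {
            if (supported.contains(p)) out.add(p);
        }
        if (out.isEmpty()) {
            // Fail closed instead of silently enabling an older protocol.
            throw new IllegalStateException("runtime supports none of "
                    + Arrays.toString(wanted) + "; supported: " + supported);
        }
        return out.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();

        // Passing the list straight through reproduces the question's error on a
        // runtime without TLSv1.3: IllegalArgumentException: TLSv1.3
        try {
            engine.setEnabledProtocols(WANTED);
            System.out.println("runtime accepts " + Arrays.toString(WANTED));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected protocol name: " + e.getMessage());
        }

        // Filtering first avoids the exception and keeps the floor at TLSv1.2.
        engine.setEnabledProtocols(usable(ctx, WANTED));
        System.out.println("enabled: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Running it on both the local machine and the k8s image shows which protocol names each runtime actually supports.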

how to use tls protocol on nodemcu lua

I'm working on the esp8266 module these days.
The firmware on this module is nodemcu 0.9.6 and its language is lua.
I use the mqtt protocol for my project and it works well. But TLS is necessary.
I don't know how to set tls on this firmware. I've searched, but the documentation about TLS on the nodemcu website is not enough for me.
I know that I should use this instruction at connection time to broker:
m:connect(BROKER, 8883, 1 , function ( connection ) ... end )
and to put the CA file on the module I should use something like this:
That's what I read from the nodemcu website --> https://nodemcu.readthedocs.io/en/master/en/modules/net/#netcertverify
But the problem is that when I use this in my code, the module doesn't understand it and gives an error at upload time and runtime.
Is this problem because of the version of my firmware? Will upgrading fix it? Or am I just doing something wrong in my code?
I haven't seen sample code about putting a CA file on the module in other projects, so I guess my work is wrong.
If you have worked on TLS (on nodemcu firmware), I would be happy for your help.
Build a recent firmware with SSL/TLS enabled.
Flash the binary to upgrade. Make sure all flashing parameters are exactly as documented and include the init data binary.
The rest of your code seems fine.
Take a look at this question and read through comments of the answer.
You may have to get esp_init_data_default.bin from latest sdk.
I used esptool.
esptool.py --port <PORT> write_flash -fm dio -fs 32m 0x00000 <BIN_PATH_AND_FILENAME> 0x3fc000 <PATH\>esp_init_data_default.bin
Please do upvote this post if you find it is useful. Thumbs up for #MarcelStör.

Can WINE handle ECC certificates?

I have an application that supposedly runs well under Mono, but is having some problems on my system. In the meantime, I tried running it through WINE after using winetricks to install the proper version of .NET (winetricks dotnet452).
This worked great! The application hits Github to check for updates and manages the SSL/TLS connection flawlessly. Elsewhere while using it, it attempts to access another website, https://themoose.co.uk, but fails with an SSL/TLS error. The only reasonable difference I could find between that site and Github was that it uses an ECC cert as opposed to Github's more traditional RSA cert.
I also saw these lines in WINE's console output:
fixme:secur32:schan_get_cipher_algid Don't know CALG for encryption algorithm 2, returning 0
fixme:secur32:schan_imp_get_max_message_size Returning 1 << 14.
fixme:secur32:schan_get_cipher_algid Don't know CALG for encryption algorithm 2, returning 0
Googling these messages doesn't return anything useful.
The conclusion I am drawn to is that WINE doesn't support new ECC certificates, but I do not see that limitation documented anywhere! Am I going crazy, or is this an oversight in the documentation somewhere?

InvalidSessionDescriptionError: Invalid description, no ice-ufrag attribute

I'm trying to get asterisk 11.20.0 running with WebRTC (sip.js 0.72 which I believe is a fork of jssip), but I'm seeing the following (and the called party rings, but when the phone is answered the call gets hung up).
This is my setup:
What I see:
In the CLI:
[2015-11-24 01:01:53] NOTICE[43619][C-00000002]: res_rtp_asterisk.c:4441 ast_rtp_read: Unknown RTP codec 95 received from '(null)'
In Firefox:
InvalidSessionDescriptionError: Invalid description, no ice-ufrag attribute
Attachments:
SIP Dialogue (Asterisk CLI)
Webphone Log
Config Files (httpd.conf, sip.conf, rtp.conf)
Asterisk Compiled with Libuuid & Friends
What I've tried so far:
Changed webRTC implementations (tried chrome and firefox both with SIPML and SIP.JS)
Set the STUN server to null on the client side (stunServers: ['stun:null'])
Configured properly (I hope) my sip.conf and rtp.conf and httpd.conf
Made sure I have libuuid, uuid and their -devel companions, and afterwards recompiled Asterisk.
What I've read:
http://forums.asterisk.org/viewtopic.php?p=201702
https://wiki.asterisk.org/wiki/display/AST/Asterisk+WebRTC+Support
https://wiki.asterisk.org/wiki/display/AST/WebRTC+tutorial+using+SIPML5
http://jssip.net/documentation/misc/interoperability/asterisk/
http://sipjs.com/guides/server-configuration/asterisk/
https://kunjans.wordpress.com/2015/01/09/web-sip-client-sipml5-with-asterisk-13-on-centos-6-6/
http://forums.digium.com/viewtopic.php?f=1&t=89798
Please, if you can, give me a hand. I'm about to smash my box with a sledge hammer.
Faced the same issue and, following the instructions in http://forums.digium.com/viewtopic.php?f=1&t=90167, realised that:
This issue is caused because your Asterisk doesn't have ICE support. You can solve that by installing the uuid/libuuid and uuid-devel/libuuid-devel packages on your system, then recompiling Asterisk (be sure to rerun the configure script before the make command).
I did recompile my Asterisk 11.16.0 with the patch for ECDH support and fallback to prime256v1 (https://issues.asterisk.org/jira/browse/ASTERISK-25265), and it looks like I lost uuid support at that time. Reverting back to the non-patched version (with uuid support, compiled before) resolved my issue with the "no ice-ufrag attribute" error in the Firefox console, and calls are going well now from the SIPML5-based WebRTC client to Asterisk, but not in the opposite direction.