Trying to understand SSLKEYLOGFILE environment variable output format - ssl

I have been messing around with the SSLKEYLOGFILE environment variable, and I am trying to understand everything inside the output that it gives me (the .log file with all the session keys).
Here is a picture of what the output looks like:
I understand that these are keys, but what I notice is a space in the middle of each line, indicating to me that they are separate keys. What exactly are the 2 different keys that they are giving me, and how is Wireshark able to use this file to decrypt SSL traffic?

The answer to your question is in a comment from the commit that added this feature:
* - "CLIENT_RANDOM xxxx yyyy"
* Where xxxx is the client_random from the ClientHello (hex-encoded)
* Where yyy is the cleartext master secret (hex-encoded)
* (This format allows non-RSA SSL connections to be decrypted, i.e.
* ECDHE-RSA.)
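
An added example (not part of the original answer or of the project's code): a parser for the CLIENT_RANDOM lines described above, followed by the TLS 1.2 key-block derivation from RFC 5246, which is how a tool holding this file turns the logged master secret into the session keys for a captured connection. The 32/48-byte lengths, the SHA-256 PRF, the function names and the sample values are assumptions of this example.

```python
import hashlib
import hmac
import re

# "CLIENT_RANDOM <client_random> <master_secret>", both hex-encoded.
# Assumed lengths (TLS 1.2): 32-byte client_random, 48-byte master secret.
LINE_RE = re.compile(r"^CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})$")

def parse_keylog(text):
    """Return ({client_random: master_secret}, [line numbers not understood])."""
    secrets, skipped = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        m = LINE_RE.match(line)
        if m is None:                          # other line type or malformed
            skipped.append(lineno)
            continue
        secrets[bytes.fromhex(m.group(1))] = bytes.fromhex(m.group(2))
    return secrets, skipped

def p_sha256(secret, seed, length):
    """P_SHA256 expansion from RFC 5246, section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def key_block(secrets, client_random, server_random, length):
    """Session key material for the connection whose ClientHello carried
    client_random, or None if the log has no entry for it."""
    master = secrets.get(client_random)
    if master is None:
        return None
    return p_sha256(master, b"key expansion" + server_random + client_random, length)

# Constructed sample log: none of these values come from a real session.
CR = bytes(range(32))
SAMPLE = "\n".join([
    "# constructed key log",
    f"CLIENT_RANDOM {CR.hex()} {bytes(range(48, 96)).hex()}",
    f"CLIENT_RANDOM {'ab' * 32} {'cd' * 48}",
    "CLIENT_RANDOM deadbeef 00",               # malformed: wrong lengths
])

if __name__ == "__main__":
    secrets, skipped = parse_keylog(SAMPLE)
    print(len(secrets), "sessions, skipped lines:", skipped)
    print(key_block(secrets, CR, b"\x01" * 32, 40).hex())
```

Because every line pairs a connection identifier with its cleartext master secret, the key log file needs the same access control as a private key.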

Related

How to change the max size for file upload on AOLServer/CentOS 6?

We have a portal for our customers that allows them to start new projects directly on our platform. The problem is that we cannot upload documents bigger than 10MO.
Every time I try to upload a file bigger than 10Mo, I have a "The connection was reset" error. After some research it seems that I need to change the max size for uploads but I don't know where to do it.
I'm on CentOS 6.4/RedHat with AOL Server.
Language: TCL.
Does anyone have an idea on how to do it?
EDIT
In the end I could solve the problem with the command ns_limits set default -maxupload 500000000.
In your config.tcl, add the following line to the nssock module section:
set max_file_upload_mb 25
# ...
ns_section ns/server/${server}/module/nssock
# ...
ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}]
# ...
It is also advised to constrain the upload times, by setting:
set max_file_upload_min 5
# ...
ns_section ns/server/${server}/module/nssock
# ...
ns_param recvwait [expr {$max_file_upload_min * 60}]
If running on top of nsopenssl, you will have to set those configuration values (maxinput, recvwait) in a different section.
I see that you are running Project Open. As well as setting the maxinput value for AOLserver, as described by mrcalvin, you also need to set 2 parameters in the Site Map:
Attachments package: parameter "MaximumFileSize"
File Storage package: parameter "MaximumFileSize"
These should be set to values in bytes, but not larger than the maxinput value for AOLserver. See the Project Open documentation for more info.
In the case where you are running Project Open using a reverse proxy, check the documentation here for Pound and here for Nginx. Most likely you will need to set a larger file upload limit there too.

How can I calculate the same SSH fingerprint as Putty displays?

When first connecting to a new SSH host in Putty it displays a message asking me to verify the RSA fingerprint:
When viewing this same information on the network (e.g. through Wireshark), the same value is not shown, instead is shown as:
How can I calculate the fingerprint from the information shown in the Packet Capture?
The value shown in Wireshark is the full public key from the server. The fingerprint (MD5 hash value) of this value is shown to the user in Putty as it's much easier (shorter) to read than expecting the user to match up the entire key.
To calculate the public key fingerprint it is necessary to first convert the hex stream given by Wireshark to the byte stream equivalent, then to calculate the MD5 hash from this and output it in hexadecimal format.
A crude implementation of this in Python is below which will take the Wireshark value (HEX DH host Key copied as a HEX Stream) on STDIN and output the fingerprint on STDOUT:
import hashlib
import sys
# Accepts a Wireshark-encoded string on STDIN and outputs the MD5 fingerprint to STDOUT
# The value copied from the 'HEX DH host Key' as a HEX Stream
wireshark_key = sys.stdin.readline()
# Change the HEX value into the raw byte stream, which will include non-printable characters
key_bytes = bytes.fromhex(wireshark_key.strip())
# Calculate the MD5 hash of the byte stream and output in hexadecimal format
md5_fingerprint = hashlib.md5(key_bytes).hexdigest()
# Tidy up the output so it matches what Putty displays
putty_fingerprint = ":".join([md5_fingerprint[i:i+2] for i in range(0, len(md5_fingerprint), 2)])
print(putty_fingerprint)
To run this, save the Wireshark value (public key) to a file and then execute:
cat key.txt | python scriptname.py
The output should then match what is displayed by Putty on first connect as well as in the Event Log.
The following web pages were very useful in figuring this all out:
http://passionateaboutis.blogspot.co.uk/2015/07/ssh-fingerprint-from-pcap.html
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Public_Key_Authentication
Whilst this script may be useful for one-off cases, if you need to obtain fingerprints for a large number of hosts, nmap and one of its NSE scripts may be more efficient:
https://nmap.org/nsedoc/scripts/ssh-hostkey.html
Saving the output from Nmap to XML will automatically store the calculated fingerprint for all hosts.

Command in expect for grep keyword

Expect script query:
In one of my expect scripts I have to pick a keyword from the output of a send command and store it in a file. Could someone help me?
send "me\n"
output :
EM/X Nmis Ssh Session/2; Userid =
Impact = ; Scope = ; CustomerId = 0
Here I want to pick keyword : Nmis Ssh Session/2
and my target is to create a new command in the expect script:
send "set Nmis Ssh Session/2 \n"
so this value, Nmis Ssh Session/2, should be stored in a variable. Could someone help me?
I'm not quite sure exactly what information is produced by which side, but maybe something like this will do:
expect -re {EM/X ([^;]+);}
set theVariable $expect_out(1,string)
The key is that we use the -re option to pass a regular expression to the expect command. That makes the text that matches what is in the parentheses (a sequence of non-semicolon characters) be stored in the variable expect_out(1,string) (there are many other things stored in the expect_out array; see the documentation). Copying it from there to a named variable for the purpose of storage and further manipulation is trivial.
I do not know if the RE is the right one; there's something of an art in choosing the right one, and it takes quite a lot of knowledge about what the possible output of the other side could be.

Generate a ZMK Component only

I have seen the command that generates and also prints the ZMK component. The command is : Generate and Print a ZMK Component for which the Command Code is 'OC'.
But I don't want it to be printed. But in 'OC' command it seems mandatory:
Question:
Is there any way I can tweak this? Or any other command which just generates a ZMK without the need to print it? I'm using Thales HSM 9000
From 1270A546-016 Host Command Reference v2.3b:
Notes: This command is superseded by host command 'A2'.
A printer must be attached to one of the USB ports on the payShield 9000. Serial-to-USB and parallel-to-USB cables are available from Thales, on request.
I believe that there is no way to use the Generate and Print a ZMK Component (OC) command without using a printer.
Follow up
Check the command Generate a Key (A0).
Mode = 0 (Generate key)
Key Type = 000 (Zone Master Key, ZMK)
This is the A0 response using the Thales Test LMK
HEADA100U6809C450D3F68AC78E80BA0C80E1D071F5EE20U6809C450D3F68AC78E80BA0C80E1D071F5EE20

H2 - Split file option in server mode

Using H2 database, is it possible to use the split file option while in (SSL) server mode and using encryption? If so, how can I do it?
I created a split database using this JDBC string:
jdbc:h2:split:28:/g:/db_split;CIPHER=AES
It is stated that a split database always needs the :split option afterwards, which seems true because I get errors about corrupted files when connecting with
jdbc:h2:ssl://g:/db_split;CIPHER=AES
General error: "java.lang.NumberFormatException: Zero length string" [50000-170] HY000/50000
But when I attach the appropriate option, another error follows:
jdbc:h2:split:ssl://g:/db_split;CIPHER=AES
IO Exception: "java.io.IOException: A sintaxe do nome do arquivo, do nome do diretório ou do rótulo do volume está incorreta"; "ssl://g:/db_split.h2.db" [90031-170] 90031/90031 (Error message localized in Portuguese - something like "The syntax for file name, folder name or volume label is incorrect")
Is there a way to make these options coexist? I am considering AUTO_SERVER, but it would be a lousy option.
For the server mode, use:
jdbc:h2:tcp://localhost/split:28:/g:/db_split;CIPHER=AES
When using SSL:
jdbc:h2:ssl://localhost/split:28:/g:/db_split;CIPHER=AES
For embedded mode, use:
jdbc:h2:split:28:/g:/db_split;CIPHER=AES