xiven.com stating the blatantly obvious since 2002

Let's distrust StartCom. Let's encrypt instead

Recently I noticed that the Opera developer browser had started rejecting the SSL certificate used by my server for this website. It worked fine in Opera, Opera beta, Chrome and Firefox on my PC, and Qualys SSL Labs still reported the domain with an A+ rating, but for some reason the latest Opera Developer builds simply rejected it. As I would discover later, so too did the latest Chrome Canary builds.

Why?

I certainly wondered that, so after initially coming up dry I asked for some help from colleagues at work. One very helpful person soon pinpointed the problem: the StartCom CA that my certificate was issued by has now been distrusted by Google (with good reason). Mozilla had already done this too.

Although initial reports were that certificates issued before October 21st 2016 would not be affected by this distrust, "due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance" - hence my certificate no longer being accepted.

Despite this distrust being fairly widely reported in the tech press, I had somehow managed to miss this crucial information, and I certainly didn't receive any notifications about it from StartCom themselves either. Regardless, it needed fixing so I had to find a new (ideally also free) SSL CA.

I had heard about the Let's Encrypt project before, but I hadn't really looked into it in depth. It turns out that they really have made it about as painless as it is possible to be to obtain and install SSL certificates. I opted for using the Certbot ACME client in "certonly" mode and configuring Apache manually both for the verification mechanism and installing the certificate, which was a little more work but still very easy. I now have a brand new multi-domain certificate in use by Apache, Dovecot and Postfix on my server. It should get renewed automatically when needed too with a simple cron job.

Then today I wanted to add another subdomain to the certificate. Absolutely no problem - just reissue the command with the new domain added and then reload the services. Literally as simple as that.

Posted: 2017-02-25 22:32:19 UTC by Xiven | Cross-references (0) | Comments (0)

Open sauce

First post since 2013, better be for something good, right?

Well no, not really. But hey it's something: my employer (Opera Software AS) has released as open source one of the projects that I've worked on during my time working here. Find it on GitHub here:

Opera DNS UI

It's probably not much use to you unless you happen to be looking for a user interface to manage a PowerDNS authoritative server (and maybe have a particular desire to have it authenticate with LDAP and allow multiple users to be assigned as admins to specific zones). But if you are, then maybe it could be really useful. Here's the feature list:

Posted: 2017-01-24 12:11:58 UTC by Xiven | Cross-references (0) | Comments (0)

PHP: Invalid UTF-8 characters in XML, revisited

Back in 2008, I wrote a blog post with a function to clean up UTF-8 characters in PHP that were not valid in XML. Some lines of that function no longer work in newer PHP versions due to my use of a blacklist rather than a whitelist, and PHP still doesn't seem to have a proper built-in function for this.

Various proposed solutions to this problem can be found on the net (1, 2, 3, 4), but none of those I found actually do it right (some are in fact quite badly wrong).

Here's one that I believe should handle all cases correctly, and it's a fair bit cleaner than my original one.


<?php
function sanitize_for_xml($v) {
  // Strip invalid UTF-8 byte sequences by round-tripping through UTF-16.
  // This part may not be strictly necessary and could be separated into another
  // function, but note that preg_replace() with the /u modifier returns NULL on
  // malformed UTF-8, so the input must be valid UTF-8 before the next step.
  $v = mb_convert_encoding(mb_convert_encoding($v, 'UTF-16', 'UTF-8'), 'UTF-8', 'UTF-16');

  // Remove various characters not allowed in XML: whitelist the XML 1.0 Char
  // production (TAB, LF, CR, U+0020-U+D7FF, U+E000-U+FFFD, U+10000-U+10FFFF)
  // and replace everything else with U+FFFD
  $v = preg_replace('/[^\x{0009}\x{000A}\x{000D}\x{0020}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]/u', '�', $v);

  return $v;
}
?>
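As an added example (not part of the original post), the following exercises the function above against constructed inputs for each class of character it has to handle, and uses DOMDocument as an independent check that every sanitized result is well-formed XML; it assumes the mbstring and dom extensions are available.

```php
<?php
// Added example (not from the original post): repeats the post's sanitize_for_xml()
// so the file runs stand-alone, feeds it constructed inputs for each class of
// character the whitelist must handle, and uses DOMDocument as an independent
// check that every result is well-formed. Assumes the mbstring and dom extensions.

function sanitize_for_xml($v) {
    // Round trip through UTF-16 so malformed byte sequences are replaced first;
    // without this, preg_replace() with /u returns NULL on invalid UTF-8.
    $v = mb_convert_encoding(mb_convert_encoding($v, 'UTF-16', 'UTF-8'), 'UTF-8', 'UTF-16');
    // Whitelist the XML 1.0 Char production; anything else becomes U+FFFD.
    return preg_replace('/[^\x{0009}\x{000A}\x{000D}\x{0020}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]/u', "\u{FFFD}", $v);
}

// Serialize text as element content, then parse it back with libxml.
function is_well_formed_text($text) {
    $doc = new DOMDocument('1.0', 'UTF-8');
    $doc->appendChild($doc->createElement('v'))->appendChild($doc->createTextNode($text));
    $xml = $doc->saveXML();
    libxml_use_internal_errors(true);
    $ok = is_string($xml) && (new DOMDocument())->loadXML($xml) !== false;
    libxml_clear_errors();
    return $ok;
}

// Returns, per sample, whether sanitizing changed it and whether libxml accepts the result.
function sanitize_report(array $samples) {
    $report = [];
    foreach ($samples as $name => $raw) {
        $clean = sanitize_for_xml($raw);
        $report[$name] = ['changed' => $clean !== $raw, 'well_formed' => is_well_formed_text($clean)];
    }
    return $report;
}

// Constructed samples (not real data): each is a class the regex or the
// encoding round trip has to catch, or a case that must survive unchanged.
$samples = [
    'C0 controls'        => "a\x01b\x1Bc",         // never XML Chars
    'TAB/LF/CR kept'     => "tab\there\nnew\r",     // the only allowed controls
    'noncharacters'      => "x\u{FFFE}y\u{FFFF}z", // outside the E000-FFFD range
    'truncated sequence' => "caf\xC3",              // dangling lead byte
    'encoded surrogate'  => "s\xED\xA0\x80t",       // U+D800 is malformed in UTF-8
    'overlong encoding'  => "n\xC0\x80ul",          // overlong form of U+0000
    'astral plane kept'  => "ok \u{1F600}",          // valid Char above the BMP
];

foreach (sanitize_report($samples) as $name => $r) {
    printf("%-20s changed=%-3s well_formed=%s\n", $name, $r['changed'] ? 'yes' : 'no', $r['well_formed'] ? 'yes' : 'no');
}
```

The two "kept" samples should come back unchanged while every other sample is altered, and all seven results should be accepted by libxml.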

Posted: 2013-08-30 15:37:40 UTC by Xiven | Cross-references (0) | Comments (2)

It's About Time

Our awesome sysadmin team did some serious overtime over the weekend, thanks to a fun little leap second bug. It took down a scary number of servers, though fortunately our most important external public services escaped largely unscathed (mostly thanks to a high level of redundancy). I too lost a server to this bug and had to spend a little while dealing with the fallout.

Things like this do serve as an important reminder of the sometimes startling effects of invalid assumptions when applied to computers, e.g. the assumption that there are always 60 seconds in a minute (though in this particular case the actual kernel bug was far more complicated than that).

Addendum: Bron Gondwana of our FastMail team has now written an excellent write-up of the leap-second incident.

Posted: 2012-07-02 01:16:50 UTC by Xiven | Cross-references (0) | Comments (1)

H₂SO₄

A monumental achievement in web browser technology: Opera Software has now publicly released a development build that finally passes the Acid test!

No, not this Acid test.

Not this one either.

This one!

Posted: 2012-02-28 17:19:10 UTC by Xiven | Cross-references (0) | Comments (0)