Monday, August 19, 2019

awesome Kubernetes Best Practices videos



there is a whole series, all same good

Wednesday, August 14, 2019

WebLogic, dramatic reduction of TLS sessions creation by rejectClientInitiatedRenegotiation

why the TLS Sessions are constantly invalidated, removed from cache and recreated, discovering that it's WLS SSLConfigUtils.configureClientInitSecureRenegotiation() who initiates this:

at sun.security.ssl.SSLSessionContextImpl.remove(SSLSessionContextImpl.java:132)

at sun.security.ssl.SSLSessionImpl.invalidate(SSLSessionImpl.java:673)

at weblogic.socket.utils.SSLConfigUtils.configureClientInitSecureRenegotiation(SSLConfigUtils.java:27)

at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:135)

at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:354)

at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:976)

at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:917)

at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:599)

at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:563)

at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)

at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)

at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)

at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)


the code responsible is:


public static void configureClientInitSecureRenegotiation(SSLEngine sslEngine, boolean clientInitSecureRenegotiation)

 {

   if (!IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET)

   {

     if ((sslEngine != null) && (!sslEngine.getUseClientMode()))

     {

       if (!clientInitSecureRenegotiation) {

         sslEngine.getSession().invalidate();

       }

       sslEngine.setEnableSessionCreation(clientInitSecureRenegotiation);

       if (isLoggable()) {

         SocketLogger.logDebug(clientInitSecureRenegotiation ? "Enabled" : "Disabled TLS client initiated secure renegotiation.");

       }

     }

   }

   else if (isLoggable()) {

     SocketLogger.logDebug("TLS client initiated secure renegotiation setting is configured with -Djdk.tls.rejectClientInitiatedRenegotiation");

   }

 }


so the invalidate() is called only if !clientInitSecureRenegotiation , but it appears that clientInitSecureRenegotiation=isClientInitSecureRenegotiationAccepted is always FALSE





in JSSESocketFactory:
  JSSEFilterImpl getJSSEFilterImpl(Socket connectedSocket, String host, int port)

    throws IOException

  {

    SSLEngine sslEngine = getSSLEngine(host, port);

    return new JSSEFilterImpl(connectedSocket, sslEngine, true);

  }

in JSSEFilterImpl:

public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode)

    throws IOException

  {

    this(sock, engine, clientMode, false);  // parameter 4 is isClientInitSecureRenegotiationAccepted, THIS IS ALWAYS FALSE, and clientMode is always TRUE

  }

   

  public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode, boolean isClientInitSecureRenegotiationAccepted)  // this constructor is ultimately invoked

    throws IOException

  {


so the only way to avoid session invalidation is by having IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET=false, that is by setting -Djdk.tls.rejectClientInitiatedRenegotiation=false (true or false doesn't seem to matter, as long as the variable is set)


Thanks to Carlo for the excellent analysis.





Sunday, August 11, 2019

Audit the content of a series of folders against a file

the audit.txt contains the list of original files:

/media/sf_shared/bashtests/dirtoaudit/
/media/sf_shared/bashtests/dirtoaudit/dir01
/media/sf_shared/bashtests/dirtoaudit/dir01/file01_01.txt
/media/sf_shared/bashtests/dirtoaudit/dir01/file02_01.txt
/media/sf_shared/bashtests/dirtoaudit/dir02
/media/sf_shared/bashtests/dirtoaudit/dir02/file01_02.txt
/media/sf_shared/bashtests/dirtoaudit/dir02/file02_02.txt

this script checks that in the folders

/media/sf_shared/bashtests/dirtoaudit/
/media/sf_shared/bashtests/dirtoaudit/dir01
/media/sf_shared/bashtests/dirtoaudit/dir02

there are no extra files or folders:




Of course this scales very poorly... I would never dream of writing complex logic in bash, unless I was absolutely forced