Android 4.x TLS v1.2 built-in browser secure connection issues

    09 March 2017

    Recently at Fastly we have been gradually turning off TLS v1.0 and v1.1 support because of the PCI DSS mandate to deprecate them. You can read about the deprecation policy here.

    We also recently received a couple of reports from customers that some Android 4.x users were unable to reach some of these endpoints. During the investigation I found the following SSL Labs issue:

    https://github.com/ssllabs/ssllabs-scan/issues/258

    which pointed to this post about different vendors packaging a version of Google Chrome as their own built-in browser:

    http://www.quirksmode.org/blog/archives/2015/02/chrome_continue.html

    Unfortunately it appears that some vendors, notably Samsung, standardized on a version of Chrome that did not yet support TLS v1.2, e.g. Chrome 28 (TLS 1.2 was first enabled in Chrome 30). The Can I Use site has a nice table of TLS v1.2 support:

    http://caniuse.com/#search=tls%201.2

    This is clearly a major hassle, as it may force you to keep TLS 1.0/1.1 around for longer than you’d like, or to educate users to install the latest Google Chrome from the Play Store. Note that these failures happen inside the TLS handshake, before any HTTP request is sent, so they never appear in your access logs; to size the affected population you have to look at handshake failures or at the protocol versions clients offer. To get a better understanding of what the experience may look like, I tested it on my Android 4.2 tablet and this is what it looks like:

    This is what the built-in browser capabilities are:

    [screenshot: Android 4.2 Built-in Browser capabilities]

    Unfortunately this results in a very nasty error saying that a secure connection cannot be established:

    [screenshot: Android 4.2 Built-in Browser error]

    The same device with Google Chrome installed passes the capability test with flying colors:

    [screenshot: Android 4.2 Chrome browser capabilities]


    Setup Minecraft Server on Google Compute Engine with Terraform

    11 May 2016

    My children like to play Minecraft, and they often want to play with friends and cousins who are remote. In the past I would set up my laptop at the house, configure port forwarding on the router, and so on. This often did not work: the router would not accept the changes, my laptop firewall was on, etc. Instead I decided to shift all this to the cloud. In this example I will be using Google Compute Engine (GCE), since it offers persistent disks that outlive the VM using them: the world data stays on the disk while the server instance is created and destroyed on demand. To minimize costs I automate creation and destruction of the Minecraft server(s) with HashiCorp’s Terraform.

    All the Terraform templates and supporting files can be found in this GitHub repo:

    https://github.com/vvuksan/terraform-playground

    You will need to sign up for a Google Cloud account. Optionally, you can buy a domain name from a registrar so that you don’t have to type IP addresses into your Minecraft client. If you do, rename dns.tf.disabled to dns.tf and change this section:

    variable "domain_name" {
      description = "Domain Name"
      default     = "change_to_the_domain_name_you_bought.xyz"
    }
    

    As described in the README, this set of templates creates a persistent disk where your gameplay is stored and spins up a Minecraft server only for as long as you need it. The point of the persistent disk is that the saved world survives make destroy, which removes the instance and stops its hourly charge. The instance is reachable from the internet while it runs, so keep the firewall rule limited to the Minecraft port (TCP 25565 by default) and turn on the whitelist in server.properties if only known players should be able to join. When you want to play you type

    make create
    

    and when you are done playing you will type

    make destroy
    

    The cost should be minimal. In the TF template I’m setting a 10 GB persistent disk (change that in main.tf if you need to), which costs approximately $0.40 per month. On top of that you pay for the g1-small instance only while it is running, about $0.02 per hour. You can certainly opt for a faster instance by adjusting the machine type in main.tf. If you are using DNS there will also be Cloud DNS zone and query costs, but those should be minimal.

    Have fun.


    Rsyslog server TLS termination

    10 May 2016

    I was working with a customer trying to configure Fastly’s Log Streaming and ship logs to their Rsyslog server. Fastly supports sending syslog over TLS; however, it appeared that the TLS handshake was not succeeding, as we would end up with gibberish in the logs. The #ooo sequences are rsyslog’s octal escapes for non-printable bytes, and a hostname sitting in the middle of them is what the server_name (SNI) extension of a TLS ClientHello looks like when a listener that is not doing TLS writes the handshake bytes out as a plain message, e.g.

    May  3 13:22:08 192.168.0.10 #001#000#000M#033#000#020#023#000#001#000#000#016log.domain.com#000#002#000#005#001#000#000#000#000 
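
    The following is an added example (not code from the original post or from rsyslog) that turns that diagnosis into a check: it undoes rsyslog’s #ooo escaping, and if the recovered bytes start with a TLS handshake record it parses the ClientHello and pulls out the SNI hostname. Because the line above is truncated (it does not begin with the 0x16 0x03 record header), the sample log line below is constructed from a minimal ClientHello built in the script; log.domain.com and the syslog prefix are assumptions taken from the post, and the escaping function only approximates rsyslog’s default control-character escaping.

```python
import re
import struct

# Added example, not from the original post: recover the raw bytes behind
# rsyslog's "#ooo" escapes and check whether they are a TLS ClientHello that
# hit a plaintext listener. The log line is constructed; log.domain.com is
# borrowed from the post.

_OCTAL_ESCAPE = re.compile(r"#([0-3][0-7]{2})")
_RSYSLOG_LINE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+(?P<msg>.*)$", re.S)


def rsyslog_escape(data: bytes) -> str:
    """Approximate rsyslog's default escaping: control bytes become #ooo (octal)."""
    return "".join("#%03o" % b if b < 0x20 or b == 0x7F else chr(b) for b in data)


def rsyslog_unescape(text: str) -> bytes:
    """Inverse of rsyslog_escape (a literal '#ooo' in a real message is decoded too)."""
    out, pos = bytearray(), 0
    for m in _OCTAL_ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if it is not one."""
    try:
        if record[0] != 0x16 or record[1] != 0x03:
            return None                                   # not a TLS handshake record
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None                                   # not a ClientHello
        p = 4 + 2 + 32                                    # handshake header, version, random
        p += 1 + hs[p]                                    # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
        p += 1 + hs[p]                                    # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]  # end of extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5 and hs[p + 2] == 0:   # server_name, host_name entry
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass                                              # truncated or malformed record
    return None


def diagnose(log_line: str) -> dict:
    """Classify one rsyslog line: is the message body a TLS ClientHello, and for which SNI?"""
    m = _RSYSLOG_LINE.match(log_line)
    msg = m.group("msg") if m else log_line
    raw = rsyslog_unescape(msg)
    sni = extract_sni(raw)
    return {"tls_handshake": sni is not None or raw[:2] == b"\x16\x03", "sni": sni}


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying a server_name extension."""
    host = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host            # host_name (type 0)
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list  # extension type 0
    body = (b"\x03\x03" + bytes(32)                                  # client_version, random
            + b"\x00"                                                # empty session_id
            + b"\x00\x02\xc0\x2f"                                    # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def constructed_log_line(hostname: str = "log.domain.com") -> str:
    """What a non-TLS rsyslog listener would write when a TLS client connects to it."""
    return "May  3 13:22:08 192.168.0.10 " + rsyslog_escape(build_client_hello(hostname))


if __name__ == "__main__":
    print(diagnose(constructed_log_line()))
    print(diagnose("May  3 13:22:08 192.168.0.10 plain text message"))
```

    Run against a real log, a positive result means the sender did negotiate TLS and the receiver was answering on a plain TCP socket; the fix is on the receiver (streamdriver.mode="1"), not on the sender.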
    

    I looked over a number of different guides with no luck. After trying a number of different things I ended up with the following configuration. This was tested on Rsyslog 7 and 8.

    auth,authpriv.*                 /var/log/auth.log
    *.*;auth,authpriv.none          -/var/log/openandclick.log
    kern.*                          -/var/log/kern.log
    mail.*                          -/var/log/mail.log
    
    #
    # Emergencies are sent to everybody logged in.
    #
    *.emerg                                :omusrmsg:*
    
    # Setup disk assisted queues
    # Note: legacy $ActionQueue* directives apply to the action statement that
    # follows them. No forwarding action follows in this receiver config, so
    # they have no effect here; keep them only if you add an omfwd action.
    $WorkDirectory /var/log/spool # where to place spool files
    $ActionQueueFileName fwdRule1     # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
    $ActionQueueType LinkedList       # run asynchronously
    $ActionResumeRetryCount -1        # infinite retries if host is down
    
    #RsyslogGnuTLS
    # CA certificate store. Uses generic Debian/Ubuntu CA store
    $DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
    # Server certificate and key. These archive/ paths are pinned to the first
    # issuance (fullchain1.pem); certbot renewals write fullchain2.pem, ... and
    # repoint the symlinks in /etc/letsencrypt/live/log.domain.com/, so use the
    # live/ paths instead and restart rsyslog after each renewal.
    $DefaultNetstreamDriverCertFile /etc/letsencrypt/archive/log.domain.com/fullchain1.pem
    $DefaultNetstreamDriverKeyFile /etc/letsencrypt/archive/log.domain.com/privkey1.pem
    $DefaultNetstreamDriver gtls
    
    # mode 1 = TLS only (plain TCP connections are refused)
    # authmode anon = the server presents its certificate but does not
    # authenticate clients
    module(load="imtcp"
    streamdriver.mode="1"
    streamdriver.authmode="anon")
    input(type="imtcp" port="5144" name="tcp-tls")
    

    It will use the TLS certificate from /etc/letsencrypt and listen for TLS connections on port 5144. There is no client authentication (authmode="anon"), which means anyone who can reach port 5144 can inject arbitrary records into your logs; at minimum restrict the port at the firewall to the senders’ source addresses. If you want to authenticate clients by the name in their certificate, use the documented x509/name mode together with imtcp’s permittedPeer list, e.g.

    module(load="imtcp"
    streamdriver.mode="1"
    streamdriver.authMode="x509/name"
    permittedPeer=["test1.example.net", "test.example.net"])

    In that mode a client must present a certificate issued by a CA in $DefaultNetstreamDriverCAFile whose subject CN or subjectAltName matches one of the listed names, otherwise the connection is dropped.
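
    As an added example (not part of the original post, and not Fastly’s log streaming implementation), here is what a sender has to do to talk to the listener above: build an RFC 5424 message, frame it with RFC 5425 octet counting (which imtcp accepts), verify the server certificate against a CA bundle, and optionally present a client certificate for the x509/name mode. The host log.domain.com, port 5144, the CA bundle path and the client certificate paths are assumptions.

```python
import socket
import ssl
import time

# Added example, not from the original post: a minimal syslog-over-TLS client.
# Hostnames, ports and file paths below are assumptions.


def format_rfc5424(hostname, app, msg, facility=1, severity=6, timestamp=None):
    """Return an RFC 5424 line. Defaults: facility 1 (user), severity 6 (info)."""
    pri = facility * 8 + severity
    ts = timestamp or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    # PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


def frame_octet_counted(line: str) -> bytes:
    """RFC 5425 / RFC 6587 octet-counting framing: MSG-LEN SP SYSLOG-MSG.

    The length is counted in bytes of the UTF-8 encoding, not in characters,
    which matters as soon as a message contains non-ASCII text.
    """
    data = line.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def make_client_context(ca_file, client_cert=None, client_key=None):
    """TLS 1.2+ context that verifies the server chain against ca_file and the
    hostname we connect to; loads a client certificate for x509/name mode."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def send_over_tls(host, port, lines, ctx, timeout=5.0):
    """Ship the framed messages in one TLS session; returns (tls_version, bytes_sent)."""
    payload = b"".join(frame_octet_counted(line) for line in lines)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return tls.version(), len(payload)


if __name__ == "__main__":
    # For the anon listener omit client_cert/client_key; for x509/name the
    # certificate's CN or SAN must match an entry in permittedPeer.
    context = make_client_context(
        "/etc/ssl/certs/ca-certificates.crt",          # assumed CA bundle
        client_cert="/etc/rsyslog-client/cert.pem",    # assumed path, x509/name only
        client_key="/etc/rsyslog-client/key.pem",      # assumed path, x509/name only
    )
    message = format_rfc5424("web1.example.net", "fastly", "tls delivery test")
    print(send_over_tls("log.domain.com", 5144, [message], context))
```

    If the listener is still in plaintext mode, wrap_socket raises an SSLError during the handshake instead of writing gibberish into the server’s log, which is the failure you want on the sending side.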
    

    Ganglia Web frontend in Ubuntu 16.04 install issue

    03 May 2016

    Ubuntu 16.04 Xenial ships Ganglia Web Frontend 3.6.1, but the package does not pull in all of its dependencies. If you get an error like the following (this is raw PHP source: with no PHP handler loaded, Apache serves the .php files as plain text, which also exposes the application code to anyone who can reach it)

    Sorry, you do not have access to this resource. "); } try { $dwoo = new Dwoo($conf['dwoo_compiled_dir'], $conf['dwoo_cache_dir']); } catch (Exception $e) { print "
    

    you are missing the Apache PHP module and the php7.0-xml module. To correct that, run the following commands:

    sudo apt-get install libapache2-mod-php7.0 php7.0-xml ; sudo /etc/init.d/apache2 restart
    

    If the Ganglia web frontend is not yet enabled in Apache, all you need to do is type

    sudo ln -s /etc/ganglia-webfrontend/apache.conf /etc/apache2/sites-enabled/001-ganglia.conf
    sudo /etc/init.d/apache2 restart
    
